Ideas for backups where you cannot read what you have just written
Linux - GeneralThis Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Ideas for backups where you cannot read what you have just written
Kinda like emails where you send them but cannot delete them, it is up to the receiver to decide what to do with them. Backups like that would be safe if a hacker subsequently takes over your system and wipes its drives or attempts to store malware in all your old backups but they cannot. Then you'd ask the email receiver for a copy of your data before the disaster.
How can such a thing be done with an external USB drive?
Look into your encryption options. That's your read.
Alternatively, mega.nz does encrypted cloud storage. It's owned by Kim Dot Com,who you may have heard of in the days of Megaupload. Anyhow, he doesn't keep your decryption key, so if you lose it, tough. Your data is also lost.
Can't a malicious hacker discover the encryption key, open all backups in the cloud and put their malware in all backups so any restore will not get rid of his malware no matter what version you restore to? Or I memorise 50 passphrases, one for each backup version in the cloud. Not practical.
Does such a thing as "write once but cannot read immediately" exist with an external USB drive? Like when you drop a coin into a piggy bank and cannot get the coin back without breaking the piggy?
Hacker can then put mangled coins in the piggy bank but cannot change the good coins you put in it yourself before you got hacked.
If you run your backups as an unprivileged user, you can create a root cron job that goes through and moves the backup to a secure location, removes all permissions from the files/dirs, etc., so your user can no longer access it. If you're afraid the hacker might have root access on the machine on which the backups are stored, there's not much you can do beyond using an external drive that you physically unplug from the machine when your backups are finished.
Can't a malicious hacker discover the encryption key, open all backups in the cloud and put their malware in all backups so any restore will not get rid of his malware no matter what version you restore to? Or I memorise 50 passphrases, one for each backup version in the cloud. Not practical.
Actually, no.
With mega.nz (I only mention them on merit, no connection), and they bellyache if you don't make the password/encryption key extremely long. Hackers won't guess that unless you give it to them. I don't think I'm compromising my security to say I ended up with a line from an obscure and forgettable song. If you write it down neatly labelled where a hacker can find it, you're a fool. Then your cloud drive is decrypted for you to see like google drive. I believe transfers of files come encrypted and you decrypt them, making network transfers slow but secure. Read more on their site.
If you want to encrypt encrypted stuff and that sort of thing, I back out. Where I live only highly illegal stuff is worth that bother. About the only thing that illegal here is child pornography. Of course in other areas (e.g. North Korea, China) restrictions limit normal activities (e.g. religion) and you would need to consult locally. My friend in China pays for a VPN to access his religious stuff, and doesn't hoard backups, but that solution doesn't work everywhere, or everywhere in China. It would strike me as the course of wisdom not to keep backups of backups, gigabytes of data you cannot afford to let anyone see.
There are also keyloggers that can steal the passphrase when you type it.
When a folder owned by root has the read flag set to Off for root but On for the group and the write flag for the group is On, can root still read what a user of this group adds to the folder?
When a folder owned by root has the read flag set to Off for root but On for the group and the write flag for the group is On, can root still read what a user of this group adds to the folder?
root can do whatever it wants, whenever it wants. File permissions are no more than a polite suggestion for root. The only thing it can't access is an encrypted volume (unless it has the passphrase), but despite not being able to read it, it can still wipe it out.
See my earlier post:
Quote:
Originally Posted by suicidaleggroll
If you're afraid the hacker might have root access on the machine on which the backups are stored, there's not much you can do beyond using an external drive that you physically unplug from the machine when your backups are finished.
Note that "physically unplug" is from the perspective of the OS. If that OS is on a virtual machine, then "physically unplug" could mean using your virtualization software on the host to remove access to a drive or shared folder from the guest.
Last edited by suicidaleggroll; 10-11-2017 at 02:28 PM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.