Hello,

im making backups of sensitive data to my VPS, i cant trust owner of the VPS node fully.
So i got an idea on which i need Your comments.

I can zip file with password, but i just discovered zip may not pack files larger 2gb, got some error like
"zip warning: name not matched: /backup/incremental/accounts/yzbuutpo/homedir/public_html/wp-content/themes/twentytwelve/bomba1/dovecot"

so i got idea renaming my backups to something uninteresting and without tar.gz extension.
and another level of protection - can i anyhow edit the archive easilly so non professional dont recognize what file type it is and also make it corrupted for extraction by editting somehow easilly archive content? If anyone point to a guide, im linux amateur? Thank you

PS i assume i can also use openssl to encrypt archive, but i think it would eat alot of resources to encrypt like 15gb file..

there is a simple command, named file which will identify the file. Renaming it will not have any effect, it will not protect you at all. Corrupting the archive may work, but you will need to know how to restore it (and that may cause problems). I would rather suggest you another approach, try to protect your data with a password, create encrypted archive: http://how-to.linuxcareer.com/using-...ages-and-files

you can also use luks loopback encryption, but you have to set disk size (then you have a space limit)

http://wiki.centos.org/HowTos/EncryptedFilesystem

The ZIP file format handles files larger than 2Gb just fine (and has done since 2001), as long as you are using a zip application that supports ZIP64. Anything that handles the zip specification 4.5 or higher should be fine. Unfortunately many applications that claim zip support only support version 2.0 of the zip specification.

If you do go with zip, make sure your zip application can do AES encryption (part of the zip file specification since 5.1). The traditional, zip password-based symmetric encryption is flawed and easily broken.

If you do not care about retaining all Linux file meta data (e.g. ownership) you could use 7zip, which can also do AES encryption in addition to compression.

Alternatively you could also use 7zip to create a zip archive, rather than an 7z archive. Using the zip file format, rather than 7z format means you have more extraction options in the future.

7zip's zip support does not include InfoZIP's latest UID/GID support extensions but will store some file meta data (i.e. permissions), whilst taking advantage of ZIP64 features, LZMA compression and AES encryption. If all the files are owned by a single user, this might be good enough for you.

Here is an example of command line to create such an archive:

- files are not owned by one user. Its a backup of 50+ accounts of hosting clicents. each client directory contains files and folders with like clientname:cleintname

- openssl: good, but i doubt if i encrypt 15gb file would it take long time? IM NOT IDIOT to GZIP daily half million files and then also ENCRYPTING IT by some slow method.

I NEED SUPER FAST CREATING OF ONE FILE OUT OF AROUND HALF MILLION FILES. At same time some kind of protection so no simple stealer can extract any data out of it. Please advice command kindly. Thank you

Anyway you look at it compressing and encrypting that much data will take a while. You can use a super fast compressor like lzop (or drop compression altogether) to gain some speed up.

I take it you are set on a single archive container? If so, I would go with internal compression and encryption, i.e. on a per file basis rather than spanning he entire archive. That way you need only decompresses or decrypt the files as you require them. It is also safer this way as any corruption to the archive is more likely to be recoverable.

I would look at afio or dar. Afio is a tool with 24 years of heritage, Dar is a more modern tool. I prefer Afio personally as its syntax is similar to cpio and allows for arbitary selection of compressor and encryptor. Dar has fairly complex command line options and is limited to the compression and encryption methods that are built in.

P.S. To expand on the safety aspect, compressing files in a one by one basis as they are added to an archive (internal compression) as is the case with zip, 7z, afio or dar is safer for critical backups than external compression (wrapping gzip, bzip2, lzop, etc. around an entire tar archive).

Consider that if a gzipped archive has a single bit corrupted near its start the tar file stored within is effectively lost. This is because common compression algorithms depend on the coherency over a long sections of a file to achieve their results. If the file cannot be decompressed none of the archive's contents can be extracted. Indeed, should you ever need to attempt recovery an important gzipped file, read this to see exactly what is involved.

What about compressing with tar.gz or txz on an ecryptfs directory? You simply mount one folder to another, mounting with ecryptfs, and anything written to that folder will be encrypted.

example:
While mounted, anything under user-data will appear normal, while anything under .private will be encrypted. You can then copy the data from .private to your VPS. If you need to decrypt the data, just mount the same (or another) directory with the same passphrase and options used during mount to encrypt it.

Sounds like a plan. I still think a compressed tar is risky for important backups (as explained in my previous post). But the OP could forgo compression or use a format that supports internal compression (afio, dar, xar, etc.). Alternatively they could drop the container archive altogether and just recursively copy the files over, compressing them as needed.

you ought to make incremental backup, there is no need to store the same 15 GB again and again.

+1 to that.

Dar has built in support for differential backup. For afio you would need to construct a find command that only found newer files and you would still have the issue of how best to deal with file deletions.

just google, you will find a lot of different solution. here is a tip with rsync: http://www.maketecheasier.com/make-i...ps-with-rsync/

i dont know the best way to integrate low load causing encryption to the command