![[Google]]( http://blog.trollgod.org.uk/wp-content/plugins/easy-adsenser/google-light.gif)
Over the past couple of days I’ve been setting up a secure offsite backup for my home machines. Dreamhost started offering 50GB of space for backups for free to their customers, this is vastly superior to the “send an archive to gmail every now and then” method I was using before.
I decided to use duplicity as it will use scp as the transfer (among manu others), encrypts all the data and automatically does incremental backups transferring only the changed files. Newer versions even support gmail and amazon s3 as backends, which is really cool but not something I need.
I had one problem setting it up, which was the obscure and unhelpful error reporting.
Traceback (most recent call last): File "/usr/bin/duplicity", line 463, inwith_tempdir(main) File "/usr/bin/duplicity", line 458, in with_tempdir fn() File "/usr/bin/duplicity", line 451, in main incremental_backup(sig_chain) File "/usr/bin/duplicity", line 186, in incremental_backup bytes_written = write_multivol("inc", tarblock_iter, globals.backend) File "/usr/bin/duplicity", line 87, in write_multivol globals.gpg_profile,globals.volsize) File "/usr/lib/python2.5/site-packages/duplicity/gpg.py", line 217, in GPGWriteFile file.write(data) File "/usr/lib/python2.5/site-packages/duplicity/gpg.py", line 125, in write return self.gpg_input.write(buf) IOError: [Errno 32] Broken pipe close failed: [Errno 32] Broken pipe
That is not a useful error message (and I’ve programmed in python), the actual error turned out to be a typo in the GPG key id I had entered. Once I’d worked that out everything went fine.
The real problem is the catch-22 between security and recoverability. In order for the data to be secure it needs to be encrypted, for that you need either a key or a password (or both for an encrypted key). Therefore in order to restore the data you need a copy of that key/password, but the situations in which you are going to be restoring from the offsite backup are ones in which all your data and local backups have gone poof. In which case the key will have gone poof too.
Okay, if you used just a password and memorized it then you’d be fine. But a password you can memorize is probably too weak to be secure, certainly for me it is with my terrible memory.
So, in order to make the data recoverable the key used for encryption needs to be backed up offsite too, but then your security goes out the window. So the key itself needs to be encrypted before sending it offsite, and there we have the catch-22.
Data needs to be encrypted to be secure, but we need to save the key to make the data recoverable, which makes the data insecure.