Best way to make encrypted backups while preserving permissions to a windows file system

backupencryptionpermissions

For my home network I wanted to buy a NAS which supports disk encryption and NFS since it is important for me that the backup is encrypted but also that it preserves owner, groups and permissions (therefore NFS). This way I thought I could use something like rsnapshot or rBackup to backup my data and get multiple snapshots. Unfortunately I didn't find any NAS which supports NFS and encryption at the same time. So I was wondering if there is any possibility to get this using an NAS which without NFS (using for example CIFS instead of NFS). So I am looking for a backup solution which meets the following requirements:

backup to a NAS in my local network (i.e. I don't want to use a local usb drive)
it should preserve owner, groups and permissions and symbolic links
it should be encrypted
there should be multiple snapshots available like in rsnapshot or rBackup
it should be easy to access the files of a snapshot
it should be not too slow

Any ideas how to do this in detail?

Edit:
I just try to sum up the answers so far and want to ask some additional question to clarify some points. It seems to be the most flexible option to use a container, FUSE or otherwise "faked" filesystem which doesn't depend on the target device. In this approach I can use any backup script I like and the encryption is done by the client CPU. The possibilities are:

EncFS
Truecrypt
dmcrypt/luks
S3QL

I am not sure if it is possible to read and write on the NAS via S3QL from two clients simultanously. Is it correct that this is no problem for the other approaches? Concerning the permissions, in any case I have just to make sure to make it work with NFS. For example I could just make my backup script to preserve numerical uid/gid and setup no users on the NAS at all.

EncFS seems to be the easiest solution so far. In Truecrypt and dmcrypt/luks I have to choose the containersize in advance which seems to be not so flexible as EncFS or Truecrypt. However are there any significant differences between those solutions concerning read/write performance and stability?

Another interesting approach mentioned so far is to use duplicity as a backup script which does the encryption via gpg by itself.

Best Answer

You can use EncFS on top of NFS

encfs /encrypted_place_at_nfs /mnt/place_to_access_it_unencrypted

Related Solutions

Linux – How to set up an encrypted directory to be mounted only during samba access

I'm seeing a sketch of a solution using Samba "logon scripts" - client-side code that runs after a samba login - but a complete solution needs to complete the sketch with details. Also related are "preexec scripts" - server-side code that runs during a samba login.

Referencing the smb.conf man page

logon script (G)

This parameter specifies the batch file (.bat) or NT command file (.cmd) to be downloaded and run on a machine when a user successfully logs in. The file must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended.

The script must be a relative path to the [netlogon] service. If the [netlogon] service specifies a path of /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the file that will be downloaded is:
/usr/local/samba/netlogon/STARTUP.BAT
The contents of the batch file are entirely your choice. A suggested command would be to add NET TIME \SERVER /SET /YES, to force every machine to synchronize clocks with the same time server. Another use would be to add NET USE U: \SERVER\UTILS for commonly used utilities, or
NET USE Q: \\SERVER\ISO9001_QA
for example.

Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users write permission on the batch files in a secure environment, as this would allow the batch files to be arbitrarily modified and security to be breached.

This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.

and also

preexec (S)

This option specifies a command to be run whenever the service is connected to. It takes the usual substitutions.

An interesting example is to send the users a welcome message every time they log in. Maybe a message of the day? Here is an example:
preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' &

In your case, though, you really want logon scripts (unencrypted form is mounted on the client), so a solution sketch might involve:

ensure that each computer has a EncFS equivalent installed
write a logon script (.bat format) that calls encfs on the client and prompts the user for logon. The encfs command thus mounts the unencrypted form locally, with the remote store remaining encrypted.
configure smb.conf so that the relevant users run the logon script. e.g. something like

logon script = runencfs.bat
For bonus points, your logon script might automate / prompt installation of Encfs (from the samba share) and only run the mount if it's installed!

Client-side scripts, though, are bound to give you headaches because of the cmd language, ensuring installation of encfs, and working around windows gotchas, like Windows 8.1 and up not running the logon scripts till five minutes later unless otherwise configured.

Best way to benchmark different encryption solutions on the system

How about the built-in cryptsetup benchmark?

# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1       633198 iterations per second
PBKDF2-sha256     329326 iterations per second
PBKDF2-sha512     216647 iterations per second
PBKDF2-ripemd160  474039 iterations per second
PBKDF2-whirlpool  248713 iterations per second
#  Algorithm | Key |  Encryption |  Decryption
     aes-cbc   128b   707.0 MiB/s  3120.9 MiB/s
 serpent-cbc   128b    98.3 MiB/s   307.2 MiB/s
 twofish-cbc   128b   195.0 MiB/s   381.7 MiB/s
     aes-cbc   256b   513.8 MiB/s  2373.9 MiB/s
 serpent-cbc   256b    97.4 MiB/s   315.1 MiB/s
 twofish-cbc   256b   198.8 MiB/s   383.9 MiB/s
     aes-xts   256b  2706.1 MiB/s  2634.1 MiB/s
 serpent-xts   256b   318.0 MiB/s   310.4 MiB/s
 twofish-xts   256b   370.5 MiB/s   380.1 MiB/s
     aes-xts   512b  2083.2 MiB/s  2073.8 MiB/s
 serpent-xts   512b   323.0 MiB/s   311.4 MiB/s
 twofish-xts   512b   375.9 MiB/s   380.2 MiB/s

Usually you'll want to use one of the AES ciphers. Even if your system does not support AES-NI today, your next box may...

Best Answer

Related Solutions

Linux – How to set up an encrypted directory to be mounted only during samba access

Best way to benchmark different encryption solutions on the system

Related Question