I run a small modest CentOS server at my house for misc backups, etc. My friend on the other side of town also runs a small modest server at his house for similar purposes. We have been toying with the idea of using each other's servers to do remote/offsite backups.
Basically, we'd each buy an external hdd to store at each other's homes, hooked up to each other's servers. Then, we'd each set up scheduled rsyncs to push the appropriate data from one server to the external hdd on the other server. Pretty straightforward for the most part.
However, one thing that is important (at least for me) is data encryption. I want to store my data on the external hdd on my friend's server. But I don't want my friend (or anyone who accesses my friend's server) to be able to read what's on the external hdd.
What is the best approach to this? Can you use rsync to send data to an encrypted hdd drive and somehow pass a passphrase along with the data that it uses to write it once it reaches the server?
Warning: There are some security concerns regarding encfs raised by this security review. Cryfs or ecryptfs should be considered instead.

## sync local unencrypted data to remote encrypted backups via rsync ..
I would take a look at Duplicity. It is free and easy to use.
Duplicity will do full and incremental backups and transfer them using rsync, FTP, SFTP, etc.
Duplicity uses GPG to encrypt the backups and uses signature files and whatnot.
I use it to back up my email servers and it is fantastic, one simple batch file.
rsyncrypto has been written exactly for this purpose. It allows you to leverage rsync's delta-copy algorithm while encrypting your data locally and storing the encrypted blobs remotely.
However, keep in mind that rsyncrypto makes a tradeoff between security and performance.
Here is my backup script based on Thor's answer (still valid several years later!). It adds copying of the file .encfs6.xml as needed for later decryption (not needed in 2011?), creation of a temporary folder for the encrypted mount and reading of the encryption password from a file (for automated scripting):
In my case, I am setting up a daily backup of my laptop and small servers to an external USB drive connected locally. I want to encrypt the backup just in case the drive disappears one day, together with some sensitive data.
A solution like the one you describe above requires sending your encryption key to your friend's machine. If we consider your friend an "untrusted site" you've just blown your security (he can capture the key and read your data).
If you want to be sure your friend can't read your backups you must encrypt the files before you send them (e.g. make a tarball, encrypt it with `gpg` or similar, then rsync it over), and never give him the key (or enough plaintext to reverse-engineer the key).
Note that doing this negates the delta benefits (bandwidth savings) of using rsync: The encrypted file will change substantially each time you make a backup, so you'll probably be copying the whole thing every time.
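The encrypt-before-sending approach from the answer above, as an added example that is not part of the original posts. It assumes GnuPG 2.1 or later, symmetric encryption, and a passphrase file that stays on the sending machine; the function names, paths and host are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: only ciphertext leaves this machine; the passphrase file never does.
# Function names, paths and the remote host are hypothetical.
set -eu
# Enable pipefail where the shell supports it, so a tar failure fails the pipeline.
(set -o pipefail) 2>/dev/null && set -o pipefail

# make_encrypted_backup SRC_DIR OUT_FILE PASSFILE
# Streams the tarball straight into gpg so no plaintext archive is written to disk.
make_encrypted_backup() {
    local src="$1" out="$2" passfile="$3"
    tar -C "$(dirname "$src")" -czf - "$(basename "$src")" |
        gpg --batch --yes --quiet --pinentry-mode loopback \
            --passphrase-file "$passfile" \
            --symmetric --cipher-algo AES256 --compress-algo none \
            --output "$out.partial"
    mv -- "$out.partial" "$out"   # publish only a complete ciphertext
}

# restore_backup IN_FILE DEST_DIR PASSFILE
# Run on the machine that owns the passphrase, never on the backup host.
restore_backup() {
    local in="$1" dest="$2" passfile="$3"
    mkdir -p "$dest"
    gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-file "$passfile" --decrypt "$in" |
        tar -C "$dest" -xzf -
}

# push_backup FILE RSYNC_DEST
# gpg output is randomized per run, so rsync finds no matching blocks and
# re-sends the whole file each time; --partial lets an interrupted upload resume.
push_backup() {
    rsync --archive --partial -- "$1" "$2"
}

# Usage (hypothetical paths and host):
#   make_encrypted_backup /srv/data /var/backups/data.tar.gz.gpg /root/.backup-pass
#   push_backup /var/backups/data.tar.gz.gpg friend.example.net:/mnt/external/
```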