Hey everyone! I'm working at a company with some servers and VPS, and we've set up a backup server that uses a custom rsync wrapper in Python to back up data onto a ZFS pool. This backup solution is based on snapshotting, but it isn't using ZFS or LVM snapshots—instead, it uses hardlinks and catalogs to manage the backups. We're thinking about adding an offsite backup for data that can't be easily reproduced, and the plan includes sending a backup replica to a new remote server. However, we face a challenge: the data needs to be encrypted before it leaves the backup server and remain encrypted on the offsite server. Unfortunately, rsync alone doesn't provide encryption.
One option I'm considering is using GoCryptfs, which I've been testing and seems to work really well since it supports hardlinks, is simple to set up, and fast. Has anyone here used GoCryptfs in a production environment? Is it considered production-ready?
Another, albeit less elegant, option might involve using LUKS on a file. I've read it can work similarly to LUKS on devices, but I imagine the process would look something like this: "1. Mount the LUKS file, 2. Sync the data, 3. Unmount the LUKS file." What do you think about this method?
I'd like to note that changing our backup tool isn't an option; we've tried other solutions like Bacula and BorgBackup. Bacula feels overly complex for our needs, and while Borg backup works well for pushing, it doesn't pull backups, which is essential for us. So, any suggestions would be greatly appreciated! Thanks in advance!
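The mount, sync, unmount sequence for a LUKS container file described in the question, as an added sketch that is not the poster's wrapper or any project's code. It shows the part the three steps leave implicit: the unmount and `cryptsetup close` must run even when rsync fails, so the decrypted view is never left mounted. It assumes the container image is reachable as a path on the backup server and that the key file stays there; the function names and all paths are hypothetical.

```python
import subprocess
from contextlib import contextmanager


def run_checked(cmd):
    """Default runner: execute a command and raise if it exits non-zero."""
    subprocess.run(cmd, check=True)


@contextmanager
def luks_container(image, name, mountpoint, key_file, run=run_checked):
    """Steps 1 and 3: open and mount the container, always tear it down."""
    run(["cryptsetup", "open", "--key-file", key_file, image, name])
    try:
        run(["mount", f"/dev/mapper/{name}", mountpoint])
        try:
            yield mountpoint
        finally:
            # Runs even if the sync raised, so plaintext is never left mounted.
            run(["umount", mountpoint])
    finally:
        # Removes the decrypted mapping and wipes the key from kernel memory.
        run(["cryptsetup", "close", name])


def sync_to_container(source, image, name, mountpoint, key_file, run=run_checked):
    """Step 2: rsync into the mounted container; -H keeps hardlinks intact."""
    with luks_container(image, name, mountpoint, key_file, run) as target:
        run(["rsync", "-aH", "--delete",
             source.rstrip("/") + "/", target.rstrip("/") + "/"])


if __name__ == "__main__":
    # Dry run with constructed paths: print the commands instead of executing.
    sync_to_container("/srv/backups", "/srv/offsite/replica.luks", "offsite",
                      "/mnt/offsite", "/root/offsite.key",
                      run=lambda cmd: print(" ".join(cmd)))
```

Passing a different `run` callable lets the wrapper log or dry-run the commands; the default executes them and needs root.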
5 Answers
Since you have a custom solution, consider adding encryption directly into your backup stream before using rsync. It's not a complete solution, but it might be a good route to explore further!
ZFS snapshot send/receive works really well if you want to integrate it into your backup strategy. I've been using napp-it for managing it and have had good experiences.
Regarding BorgBackup, technically, pull mode is possible, but I can't guarantee how effective it would be. If you're interested, you can check their documentation for more details on pull-backup functionality.
We've been using IBM TSMC for our backups. It doesn’t do offsite backups by itself, but you could definitely set things up such that it can run that way. However, I don't have detailed insights into the storage server setup.
Restic might be a great option for you! It manages hardlinks, provides encryption, and can connect to various storage solutions. I switched to it from Borg and I've been really happy with the results. Plus, it fits your need for easy offsite backups.
+1 for restic! Really solid choice.