On 18 Nov 2011, at 18:06, Mark Smith wrote:

> The goal was to make it so that if the production environment is penetrated and someone wipes everything out -- even with the tarsnap keys, they can't then go and wipe out our backups. It can't be a total loss situation (assuming that the off-site server is secure, of course)....
>
> Am I missing anything here? Has anybody implemented something like this with tarsnap?

I have, although to make it work I have added one potentially exploitable security hole that you may not wish to replicate.

In my case the off-site VM has passphrase-less SSH access to a restricted account on the production server. This allows the script that runs on the VM to copy the tarsnap cache dir across from the production box before doing the management tasks (deleting old backups) and then copy the cache dir back when it has finished. I implement a simple lock using mkdir in my wrapper scripts to ensure that tarsnap is never invoked on both machines at the same time.

If you are willing to allow the SSH access then this solves both issues - you don't need to run fsck on the off-site box, and you can keep the cache dirs in sync.

-- 
Sean Legassick
sean_legassick@gmail.com
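The following wrapper is an added illustration of the procedure Sean describes (lock on the production box, pull the tarsnap cache, prune, push the cache back); it is not his script and not part of the tarsnap project. The production host, restricted account name, cache and lock paths, the retention period and the archive naming scheme (host-YYYYMMDD-HHMM, so that a date can be parsed out of the name with no GNU-only date arithmetic) are all assumptions for the example. The lock directory is created on the production box, so the production backup job must do the same mkdir/rmdir around its own tarsnap run for the mutual exclusion to hold. The SSH key this relies on is the hole Sean mentions: at minimum the restricted account's authorized_keys should constrain that key (for example with a command= forced command wrapping only the mkdir, rmdir and rsync calls used here), since anyone who gains the off-site VM otherwise has a shell on production.

```shell
#!/bin/sh
# Off-site prune wrapper (example code, not from the original post).
# Runs on the OFF-SITE VM, which holds a tarsnap key with delete rights.
set -eu

# --- assumptions for the example (hypothetical names/paths) ---------------
PROD="${PROD:-backup@prod.example.com}"        # restricted account on production
CACHE="${CACHE:-/var/lib/tarsnap/cache}"       # tarsnap cachedir, same path on both boxes
LOCK="${LOCK:-/var/lib/tarsnap/.tarsnap-lock}" # mkdir-based lock, lives on production
KEEP_DAYS="${KEEP_DAYS:-30}"                   # delete archives older than this
# Archives are assumed to be named host-YYYYMMDD-HHMM.

# mkdir is atomic on POSIX filesystems: exactly one caller succeeds, which is
# what makes it usable as a lock. The production backup job uses the same
# two calls around its own tarsnap invocation.
acquire_lock() { mkdir "$1" 2>/dev/null; }
release_lock() { rmdir "$1"; }

# select_expired LIST CUTOFF
#   LIST   = output of `tarsnap --list-archives` (one archive name per line)
#   CUTOFF = YYYYMMDD; archives whose embedded date sorts before it are printed.
# Names that do not carry an 8-digit date in the second dash-separated field
# (checkpoints, ad-hoc archives) are left alone rather than deleted by accident.
select_expired() {
  printf '%s\n' "$1" | awk -v FS='-' -v cutoff="$2" '
    NF >= 3 && length($2) == 8 && $2 ~ /^[0-9]+$/ && $2 < cutoff { print }
  '
}

# cutoff_date DAYS -> YYYYMMDD for "DAYS days ago" (GNU date, then BSD date).
cutoff_date() {
  date -d "$1 days ago" +%Y%m%d 2>/dev/null || date -v "-${1}d" +%Y%m%d
}

run_prune() {
  # 1. Take the lock on the production box so production cannot start a
  #    tarsnap run while we hold the only up-to-date copy of the cache.
  ssh "$PROD" "mkdir '$LOCK'" 2>/dev/null || {
    echo "production tarsnap lock is held; try again later" >&2
    exit 1
  }
  trap 'ssh "$PROD" "rmdir '"'"'$LOCK'"'"'"' EXIT

  # 2. Pull the cache so our view of the archive set matches production's.
  rsync -a --delete "$PROD:$CACHE/" "$CACHE/"

  # 3. Delete the expired archives with the delete-capable key held here.
  cutoff=$(cutoff_date "$KEEP_DAYS")
  select_expired "$(tarsnap --list-archives)" "$cutoff" |
  while IFS= read -r name; do
    echo "deleting $name" >&2
    tarsnap -d -f "$name"
  done

  # 4. Push the updated cache back so production does not need `tarsnap --fsck`.
  rsync -a --delete "$CACHE/" "$PROD:$CACHE/"
  # 5. The EXIT trap releases the lock on production.
}

# Invoke as `sh prune-offsite.sh --run`; sourcing the file only defines the
# functions, which is also how the self-test below exercises them.
if [ "${1:-}" = "--run" ]; then
  run_prune
fi
```

The retention check deliberately keys on the date in the archive name rather than on the creation timestamp from `tarsnap --list-archives -v`, so the selection logic can be tested without a tarsnap key; if your archives are not named that way, adjust select_expired before using it.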