From: Lonnie A. <li...@lo...> - 2018-07-31 16:09:03
Hi Michael,

The only other tarsnap-like solution I'm aware of is "duplicity", but that requires a lot of packages/libraries we don't have in AstLinux.

** perform your own due diligence with the untested code below **

You could create a tar archive of /mnt/kd/openvpn/ and encrypt it using openssl using a password, something like ...

First generate a persistent local random password:
--
openssl rand -base64 33 > /mnt/kd/openssl-backup.key
--
Don't lose this password !!! Back it up elsewhere.

Generate a tar.gz file, encrypt and copy, then remove:
--
cd /tmp
tar czf openvpn.tar.gz -C /mnt/kd/ openvpn
openssl enc -aes-256-cbc -salt -in openvpn.tar.gz -out openvpn.tar.gz.aes -pass file:/mnt/kd/openssl-backup.key
scp openvpn.tar.gz.aes us...@ex...:/backup/dir/
rm openvpn.tar.gz openvpn.tar.gz.aes
--

To decrypt: (Use /mnt/kd/openssl-backup.key contents as password)
--
mkdir restore
openssl enc -aes-256-cbc -d -in openvpn.tar.gz.aes -out restore/openvpn.tar.gz
enter aes-256-cbc decryption password:
--

** perform your own due diligence with the untested code above **

Lonnie

> On Jul 30, 2018, at 5:01 PM, Michael Knill <mic...@ip...> wrote:
>
> Hi thanks Lonnie and Michael.
>
> Sorry I should have mentioned that I actually already have a backup solution which uses SSH and SCP.
> I am just concerned about storing these files securely on the backup host?
>
> Regards
> Michael Knill
>
> On 31/7/18, 12:15 am, "Lonnie Abelbeck" <li...@lo...> wrote:
>
>
>> On Jul 30, 2018, at 3:46 AM, Michael Keuter <li...@mk...> wrote:
>>
>>
>>> On 30.07.2018 at 02:17, Michael Knill <mic...@ip...> wrote:
>>>
>>> Hi Group
>>>
>>> I have a number of sites that have phones connected via OpenVPN and I would like to back up the cert files on the Astlinux OpenVPN server e.g. /mnt/kd/openvpn/webinterface/keys. Is there anything else I should be backing up if I need to completely rebuild the Astlinux server?
>>> I am also concerned about the security of doing so in case my backup server is compromised.
>>> Any recommendations on what I should do?
>>>
>>> Regards
>>> Michael Knill
>>
>> Hi Michael,
>>
>> one easy solution would be our included tarsnap-backup. You can backup multiple systems with a single tarsnap-account:
>>
>> https://doc.astlinux.org/userdoc:tt_tarsnap_online_backup
>>
>> We have already pre-configured the most important files.
>>
>> Michael
>
> +1 for Tarsnap
>
> It has been almost one year since I started Tarsnap backups on 7 boxes nightly (mostly default settings, prune at 30 days), started my Tarsnap account with $5.00, my account is now $4.83.
>
> I trust Tarsnap's crypto, perform your own due diligence.
>
> Any "backup service" can discontinue a product at any time, you only hope you have time to migrate elsewhere. Colin and his brother Graham seem to have a good, low-overhead business model with Tarsnap, fortunately not all their users are like myself. :-)
>
>
> Michael (AU), to your first question, you should backup all of /mnt/kd/openvpn/ in a secure end-to-end method.
>
> Lonnie
>
> PS, these are the standard tarsnap-backup /mnt/kd/ directories (recursively) and files automatically backed up ...
> --
> dirs="rc.conf.d crontabs arno-iptables-firewall avahi monit keepalived openvpn ipsec wireguard snmp ssl ssh ssh_keys ssh_root_keys ups"
> if [ "$ASTERISK_DAHDI_DISABLE" != "yes" ]; then
>   dirs="$dirs asterisk dahdi fop2 custom-agi phoneprov/templates"
> fi
> files="*.conf *.script rc.elocal rc.local rc.local.stop blocked-hosts dnsmasq.static webgui-prefs.txt"
> --
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
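The tar-and-openssl procedure from the message above, extended with a test restore before the local copy is removed; this is an added example, not part of the original thread. The function names and path arguments are hypothetical, and the `-md sha256` option and the verification step are additions that the message does not contain.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are arguments so it can be tried
# on scratch directories; on AstLinux they would be /mnt/kd and openvpn.

# make_key KEYFILE: create the password file readable by its owner only.
make_key() {
    ( umask 077 && openssl rand -base64 33 > "$1" )
}

# encrypt_dir PARENT NAME KEYFILE OUT
# Streams the tar archive straight into openssl so no plaintext tarball is
# written to disk. -md sha256 pins the key-derivation digest: OpenSSL 1.1.0
# changed the default from MD5 to SHA-256, so a restore on a different
# OpenSSL version than the one that made the backup fails unless the digest
# is given explicitly on both sides.
encrypt_dir() {
    tar czf - -C "$1" "$2" |
        openssl enc -aes-256-cbc -salt -md sha256 -pass "file:$3" -out "$4"
}

# decrypt_to KEYFILE IN DESTDIR: decrypt and unpack into DESTDIR.
decrypt_to() {
    mkdir -p "$3" &&
        openssl enc -aes-256-cbc -d -md sha256 -pass "file:$1" -in "$2" |
        tar xzf - -C "$3"
}

# verify_backup PARENT NAME KEYFILE ENC
# Test-restores into a scratch directory and compares it with the live tree.
# Returns 0 only if every file matches; run it before the scp and rm steps.
verify_backup() {
    scratch=$(mktemp -d) || return 1
    rc=1
    if decrypt_to "$3" "$4" "$scratch" && diff -r "$1/$2" "$scratch/$2" >/dev/null
    then rc=0
    fi
    rm -rf "$scratch"
    return $rc
}
```

AES-256-CBC as used by `openssl enc` is not authenticated, so the test restore confirms the key and archive are usable but does not detect later tampering on the backup host.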