offline, air-gapped backups / backup rotation (looking for hardware & ideas)
-
@scottalanmiller said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):
@dashrender said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):
One of my clients does what the OP wants.
They bought 5 single drive NAS boxes... the backup software writes to the designated drive each night.
In the morning, they unplug it and take it home... Not great, but it is cheap in comparison.
That's a little different, right? Not using the RAID, but abusing the hot swap bays.
no, no hotswap anything... these are off the shelf WD self contained NASs.
-
@scottalanmiller said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):
@dave247 said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):
Yes, it's not perfect or ideal, but given that I have stated that I already have thorough backups and am only seeking to add offline/air-gapped copies as an added precaution, I don't think it's that big an issue.
The biggest issue is the hardware. How do you plan to connect and reconnect drives because no business class system that does RAID is meant for this to happen. So you either use business class devices that get abused and aren't expected to remain reliable. Or you use consumer gear to get the hotswap portion but don't have overall good hardware.
It can be done, everyone suggests doing it, and there is a reason that it's considered a horrible idea that should never be done. Trust me, there are simple, better ways to do something similar, rule this out and never think about it again. RAID is close to, but not the actual correct tool. The idea of copying the data to another drive is good, but RAID isn't a file copy and that's the underlying problem... this is triggering a disaster recovery mechanism designed for something totally different.
Yeah, good points... I just wanted to entertain the idea by posting here and have you guys sway me... a more attractive idea that I had been mulling around was basically a Veeam copy job to a repository with a scripted on/off network connectivity switch on a schedule. That or I just manually plug and unplug the network cable as I mentioned above. LMAO hey it would technically work.
-
What is the point of all of this? Crypto does not affect backups. That is why they are backups. They are static.
If you are worried about your backup being encrypted, then don't use a common access. Only give the Veeam credentials with write access to the backup storage location.
Use Veeam to write to B2 or something similar.
-
The possible solutions are of course going to depend on what the initial backup repository is that you're looking to copy off to this air-gapped system. Jared mentions Veeam but I couldn't spot the OP indicating that he's using Veeam, and if yes, is it B&R for hypervisors or the agent individually installed on endpoints or are we only looking to back up a single server? I only raise the point because the Veeam Windows agent provides a mechanism to automatically mount and unmount the backup target between runs.
-
@notverypunny he did in the post right before mine.
But that is besides the point. It doesn’t matter what tool you are using. Only the toilet cell backup application should have the credentials for the back up repository. Not a fucking mapped drive in windows or something like that
-
@dave247 said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):
@scottalanmiller said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):
To do basically the same thing, what you want is a NAS with local storage (with or without RAID, in this case you are without RAID even though you are using RAID, so no need to have RAID at all) and having a hot swap drive in a mechanism meant to handle this, like a USB style drive, and a script that does a file copy of just the backup, not a block mirror of the drives, to copy the backup to the second drive.
Actually, I just remembered that with the Highly Reliable system, they had Windows software RAID 1 which did a good job in this kind of setup. Yes, it's not perfect or ideal, but given that I have stated that I already have thorough backups and am only seeking to add offline/air-gapped copies as an added precaution, I don't think it's that big an issue.
Someone called something Highly Reliable and used Windows software RAID with it? That's the best joke I've heard this year!
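The file-copy approach quoted in the post above (a script that copies just the backup files to a removable drive, rather than relying on a RAID rebuild), as an added example that is not from any poster in the thread. It assumes a Linux-based NAS with GNU coreutils and a rotation drive formatted with a native Linux filesystem; the device path, mount point and function names are hypothetical.

```shell
#!/bin/sh
# Added example: file-level copy of a backup set to a rotation drive,
# verified with SHA-256 so a bad copy is caught before the drive leaves.

# copy_backup SRC_DIR DEST_DIR
copy_backup() {
    src=$1; dest=$2
    [ -d "$src" ] && [ -d "$dest" ] || { echo "missing directory" >&2; return 2; }
    manifest="$dest/MANIFEST.sha256"
    # Hash the SOURCE files first; the destination is checked against these.
    (cd "$src" && find . -type f ! -name MANIFEST.sha256 -print0 \
        | sort -z | xargs -0 -r sha256sum) > "$manifest.tmp" || return 1
    # Plain file copy of the backup files, not a block mirror of the disk.
    cp -R "$src"/. "$dest"/ || return 1
    sync
    # Read the copies back and compare; an empty manifest also fails here.
    (cd "$dest" && sha256sum --quiet -c MANIFEST.sha256.tmp) || return 1
    mv "$manifest.tmp" "$manifest"
}

# verify_drive DIR: re-check a drive later, e.g. when it returns from
# off-site storage or before restoring from it.
verify_drive() {
    (cd "$1" && sha256sum --quiet -c MANIFEST.sha256)
}

# rotate DEVICE SRC_DIR [MOUNTPOINT]: mount, copy, verify, unmount.
# The drive is only mounted for the duration of the copy. Needs root.
rotate() {
    dev=$1; src=$2; mnt=${3:-/mnt/rotation}   # mount point is an assumption
    mount "$dev" "$mnt" || return 1
    rc=0
    copy_backup "$src" "$mnt" || rc=$?
    umount "$mnt" || return 1
    return "$rc"
}

# Hypothetical invocation from cron, one drive label per weekday:
#   rotate /dev/disk/by-label/ROT1 /srv/backups
```

A non-zero exit from `rotate` means the drive should not be treated as a good copy; `verify_drive` can be run on any machine the drive is later plugged into.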
-
@jaredbusch said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):
@notverypunny he did in the post right before mine.
But that is besides the point. It doesn’t matter what tool you are using. Only the toilet cell should you have the credentials for the back up repository. Not a fucking mapped drive in windows or something like that
Damn, you're right, missed that.
Not entirely sure what you mean about the toilet cell though. Bad speech to text or a reference that I just can't get this morning?
What I had set up at a previous gig was a Veeam copy job off to a USB3 HDD. There were 3 on rotation so that there was always 1 physically off-site.
-
@jaredbusch said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):
What is the point of all of this? Crypto does not affect backups. That is why they are backups. They are static.
If you are worried about your backup being encrypted, then don't use a common access. Only give the Veeam credentials with write access to the backup storage location.
Use Veeam to write to B2 or something similar.
Of course backups can be encrypted. Anything physically attached to the network is vulnerable to malware/ransomware. The point of all this was clearly explained in my original post.
-
@dave247 said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):
Of course backups can be encrypted. Anything physically attached to the network is vulnerable to malware/ransomware. The point of all this was clearly explained in my original post.
FFS, think a little.
They cannot be encrypted if the datastore is not accessible to anything except the application making the backup.
-
@notverypunny said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):
Not entirely sure what you mean about the toilet cell though. Bad speech to text or a reference that I just can't get this morning?
Hah yes. Missed that. I was driving.
-
@jaredbusch said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):
@dave247 said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):
Of course backups can be encrypted. Anything physically attached to the network is vulnerable to malware/ransomware. The point of all this was clearly explained in my original post.
FFS, think a little.
They cannot be encrypted if the datastore is not accessible to anything except the application making the backup.
Thanks for your rudeness, Jared, it is so helpful.
Yes, I do understand what you are saying, however if a system is connected to a network and other systems, it is not air-gapped / truly segregated from the environment and therefore not 100% safe in a total ransomware situation. All applications have vulnerabilities and a skilled hacker (or insider) or well-made ransomware could still potentially get at it.
Additionally, I am not looking at this as any kind of main backup method - I am just trying to mull over ideas for a very last-ditch, fail-safe, "shit hits the fan but we have offline backups though" setup.