
    offline, air-gapped backups / backup rotation (looking for hardware & ideas)

    IT Discussion
    37 Posts 11 Posters 2.6k Views
    • scottalanmillerS
      scottalanmiller
      last edited by

      To do basically the same thing, what you want is a NAS with local storage (with or without RAID, in this case you are without RAID even though you are using RAID, so no need to have RAID at all) and having a hot swap drive in a mechanism meant to handle this, like a USB style drive, and a script that does a file copy of just the backup, not a block mirror of the drives, to copy the backup to the second drive.

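The file-level copy described in the post above, sketched as an added example (not code from the thread or from any poster): it copies only the backup files to a removable drive, verifies every file against a SHA-256 manifest, and unmounts so the drive can be pulled. It assumes a Linux-based NAS with GNU coreutils; all function names, the drive label and the paths are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: file copy (not a block mirror) of a backup set to a
# removable drive, checksum-verified before the drive goes offline.
# Function names, labels and paths are assumptions for illustration.

# Print a sha256 manifest (relative paths) for every file under $1.
make_manifest() {
    ( cd "$1" && find . -type f ! -name 'MANIFEST.sha256*' -print0 \
        | sort -z | xargs -0 -r sha256sum )
}

# copy_backup SRC DEST: copy the files, then verify the copies on DEST
# against hashes taken from SRC. Returns 0 only if every file matches.
copy_backup() {
    local src=$1 dest=$2
    [ -d "$src" ] && [ -d "$dest" ] || return 2
    make_manifest "$src" > "$dest/MANIFEST.sha256.tmp" || return 3
    # An empty manifest means there is nothing to protect: refuse, so an
    # empty or unmounted source never produces a "good" offline copy.
    [ -s "$dest/MANIFEST.sha256.tmp" ] || return 3
    cp -R "$src/." "$dest/" || return 4
    sync    # flush to the device before re-reading for verification
    ( cd "$dest" && sha256sum --quiet -c MANIFEST.sha256.tmp ) || return 5
    mv "$dest/MANIFEST.sha256.tmp" "$dest/MANIFEST.sha256"
}

# verify_backup DEST: re-check a drive later, e.g. when it returns from
# off-site or before a restore. Fails if any file changed or is missing.
verify_backup() {
    ( cd "$1" && [ -f MANIFEST.sha256 ] \
        && sha256sum --quiet -c MANIFEST.sha256 )
}

# rotate_to_drive SRC LABEL MOUNTPOINT: attach the drive only for the
# duration of the copy. Needs root; LABEL is the filesystem label given
# to each removable drive (hypothetical naming).
rotate_to_drive() {
    local src=$1 label=$2 mnt=$3 rc=0
    mount "LABEL=$label" "$mnt" || return 10
    copy_backup "$src" "$mnt" || rc=$?
    # The drive is only safe to pull once the unmount has succeeded.
    umount "$mnt" || return 11
    return "$rc"
}
```

Files left on the drive from an earlier rotation are not listed in the new manifest, so wipe or reformat the drive between cycles if stale files matter.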
      • dave247D
        dave247 @scottalanmiller
        last edited by

        @scottalanmiller said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

        To do basically the same thing, what you want is a NAS with local storage (with or without RAID, in this case you are without RAID even though you are using RAID, so no need to have RAID at all) and having a hot swap drive in a mechanism meant to handle this, like a USB style drive, and a script that does a file copy of just the backup, not a block mirror of the drives, to copy the backup to the second drive.

        Actually, I just remembered that with the Highly Reliable system, they had Windows software RAID 1 which did a good job in this kind of setup. Yes, it's not perfect or ideal, but given that I have stated that I already have thorough backups and am only seeking to add offline/air-gapped copies as an added precaution, I don't think it's that big an issue.

        • dave247D
          dave247 @Dashrender
          last edited by

          @dashrender said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

          @dave247 said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

          @scottalanmiller said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

          @dave247 said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

          I would even think an SSD setup would be more stable in this situation since write time and life time would be a lot better. I only mention spindle drives since it's a big blob of data.

          SSD is faster, and that helps, for sure. But the real issue is the physical connections and the RAID mechanism, not the drives themselves. Physical drives are a perfectly valid media for your use case. It's RAID being used as an archival mechanism rather than as a disaster avoidance mechanism that causes the problems both in software and in hardware.

          Maybe I will just have to set up a network repository and simply plug the network cable in to let backup file copy to sync, then disconnect. That would probably be the easiest way to be honest.

          I just wanted some mechanism that forced us to always have a full backup of data sitting offline/air-gapped... but F it lol

          Yeah, it’s called tape. And its $8k price tag.

          Yeah I'm not doing tape and I think the alternate mechanism I proposed is roughly fine, depending on how it's approached.

          • scottalanmillerS
            scottalanmiller @dave247
            last edited by

            @dave247 said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

            Actually, I just remembered that with the Highly Reliable system, they had Windows software RAID 1 which did a good job in this kind of setup.

            RAID 1 has to do a block copy of a disk in use and track changes. It works, but isn't an efficient way to do this kind of workload. And most RAID has to mirror the entire drive, not just the portions with data. So in some cases it can be pretty dramatically slower than alternative methods.

            And it's not like you want a mirror in the end. You just want a file copy. So the overhead of the RAID system doesn't provide benefits.

            • scottalanmillerS
              scottalanmiller @dave247
              last edited by

              @dave247 said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

              Yes, it's not perfect or ideal, but given that I have stated that I already have thorough backups and am only seeking to add offline/air-gapped copies as an added precaution, I don't think it's that big an issue.

              The biggest issue is the hardware. How do you plan to connect and reconnect drives because no business class system that does RAID is meant for this to happen. So you either use business class devices that get abused and aren't expected to remain reliable. Or you use consumer gear to get the hotswap portion but don't have overall good hardware.

              It can be done, everyone suggests doing it, and there is a reason that it's considered a horrible idea that should never be done. Trust me, there are simple, better ways to do something similar, rule this out and never think about it again. RAID is close to, but not the actual correct tool. The idea of copying the data to another drive is good, but RAID isn't a file copy and that's the underlying problem... this is triggering a disaster recovery mechanism designed for something totally different.

              • jt1001001J
                jt1001001 @scottalanmiller
                last edited by

                Don't know if still viable but Dell used to have an RDX drive that took hard drive medium instead of tape. Was OEM from either Quantum or Tandberg, can't remember who, and Google Fu isn't working for me.

                • jt1001001J
                  jt1001001 @jt1001001
                  last edited by

                  @jt1001001 here it is https://www.tandbergdata.com/us/index.cfm/products/removable-disk/

                  • DashrenderD
                    Dashrender @scottalanmiller
                    last edited by

                    @scottalanmiller said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

                    @dashrender said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

                    One of my clients does what the OP wants.
                    They bought 5 single drive NAS boxes... the backup software writes to the designated drive each night.
                    In the morning, they unplug it and take it home...

                    Not great but it is cheap, in comparison

                    That's a little different, right? Not using the RAID, but abusing the hot swap bays.

                    No, no hotswap anything... these are off the shelf WD self contained NASs.

                    • dave247D
                      dave247 @scottalanmiller
                      last edited by

                      @scottalanmiller said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

                      @dave247 said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

                      Yes, it's not perfect or ideal, but given that I have stated that I already have thorough backups and am only seeking to add offline/air-gapped copies as an added precaution, I don't think it's that big an issue.

                      The biggest issue is the hardware. How do you plan to connect and reconnect drives because no business class system that does RAID is meant for this to happen. So you either use business class devices that get abused and aren't expected to remain reliable. Or you use consumer gear to get the hotswap portion but don't have overall good hardware.

                      It can be done, everyone suggests doing it, and there is a reason that it's considered a horrible idea that should never be done. Trust me, there are simple, better ways to do something similar, rule this out and never think about it again. RAID is close to, but not the actual correct tool. The idea of copying the data to another drive is good, but RAID isn't a file copy and that's the underlying problem... this is triggering a disaster recovery mechanism designed for something totally different.

                      Yeah, good points... I just wanted to entertain the idea by posting here and have you guys sway me... a more attractive idea that I had been mulling around was basically a Veeam copy job to a repository with a scripted on/off network connectivity switch on a schedule. That or I just manually plug and unplug the network cable as I mentioned above. LMAO hey it would technically work.

                      • JaredBuschJ
                        JaredBusch
                        last edited by

                        What is the point of all of this? Crypto does not affect backups. That is why they are backups. They are static.

                        If you are worried about your backup being encrypted, then don't use a common access. Only give the Veeam credentials with write access to the backup storage location.

                        Use Veeam to write to B2 or something similar.

                        • notverypunnyN
                          notverypunny
                          last edited by

                          The possible solutions are of course going to depend on what the initial backup repository is that you're looking to copy off to this air-gapped system. Jared mentions Veeam but I couldn't spot the OP indicating that he's using Veeam, and if yes, is it B&R for hypervisors or the agent individually installed on endpoints or are we only looking to backup a single server? I only raise the point because the veeam windows agent provides a mechanism to automatically mount and unmount the backup target between runs.

                          • JaredBuschJ
                            JaredBusch @notverypunny
                            last edited by JaredBusch

                            @notverypunny he did in the post right before mine.

                            But that is beside the point. It doesn’t matter what tool you are using. Only the toilet cell backup application should have the credentials for the back up repository. Not a fucking mapped drive in windows or something like that

                            • travisdh1T
                              travisdh1 @dave247
                              last edited by

                              @dave247 said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

                              @scottalanmiller said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

                              To do basically the same thing, what you want is a NAS with local storage (with or without RAID, in this case you are without RAID even though you are using RAID, so no need to have RAID at all) and having a hot swap drive in a mechanism meant to handle this, like a USB style drive, and a script that does a file copy of just the backup, not a block mirror of the drives, to copy the backup to the second drive.

                              Actually, I just remembered that with the Highly Reliable system, they had Windows software RAID 1 which did a good job in this kind of setup. Yes, it's not perfect or ideal, but given that I have stated that I already have thorough backups and am only seeking to add offline/air-gapped copies as an added precaution, I don't think it's that big an issue.

                              Someone called something Highly Reliable and used Windows software RAID with it? That's the best joke I've heard this year!

                              • notverypunnyN
                                notverypunny @JaredBusch
                                last edited by

                                @jaredbusch said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

                                @notverypunny he did in the post right before mine.

                                But that is beside the point. It doesn’t matter what tool you are using. Only the toilet cell should you have the credentials for the back up repository. Not a fucking mapped drive in windows or something like that

                                Damn, you're right, missed that.

                                Not entirely sure what you mean about the toilet cell though. Bad speech to text or a reference that I just can't get this morning?

                                What I had set up at a previous gig was a veeam copy job off to a USB3 HDD. There were 3 on rotation so that there was always 1 physically off-site.

                                • dave247D
                                  dave247 @JaredBusch
                                  last edited by dave247

                                  @jaredbusch said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

                                  What is the point of all of this? Crypto does not affect backups. That is why they are backups. They are static.

                                  If you are worried about your backup being encrypted, then don't use a common access. Only give the Veeam credentials with write access to the backup storage location.

                                  Use Veeam to write to B2 or something similar.

                                  Of course backups can be encrypted. Anything physically attached to the network is vulnerable to malware/ransomware. The point of all this was clearly explained in my original post.

                                  • JaredBuschJ
                                    JaredBusch @dave247
                                    last edited by

                                    @dave247 said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

                                    Of course backups can be encrypted. Anything physically attached to the network is vulnerable to malware/ransomware. The point of all this was clearly explained in my original post.

                                    FFS, think a little.
                                    They cannot be encrypted if the datastore is not accessible to anything except the application making the backup.

                                    • JaredBuschJ
                                      JaredBusch @notverypunny
                                      last edited by

                                      @notverypunny said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

                                      Not entirely sure what you mean about the toilet cell though. Bad speech to text or a reference that I just can't get this morning?

                                      Hah yes. Missed that. I was driving.

                                      • dave247D
                                        dave247 @JaredBusch
                                        last edited by dave247

                                        @jaredbusch said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

                                        @dave247 said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

                                        Of course backups can be encrypted. Anything physically attached to the network is vulnerable to malware/ransomware. The point of all this was clearly explained in my original post.

                                        FFS, think a little.
                                        They cannot be encrypted if the datastore is not accessible to anything except the application making the backup.

                                        Thanks for your rudeness, Jared, it is so helpful.

                                        Yes, I do understand what you are saying, however if a system is connected to a network and other systems, it is not air-gapped / truly segregated from the environment and therefore not 100% safe in a total ransomware situation. All applications have vulnerabilities and a skilled hacker (or insider) or well-made ransomware could still potentially get at it.

                                        Additionally, I am not looking at this as any kind of main backup method - I am just trying to mull over ideas for a very last-ditch, fail-safe, "shit hits the fan but we have offline backups though" setup.
