Hi everybody,
I’m trying to safely sync my repository to a secondary location without knowing the password.
I have a home server on my local network, where all my backups currently live. For obvious reasons, I’d like to synchronize the data off-site. However, sometimes I get a large data increment to the backed up data and the off-site backup would take a long time. Because of this, I would like to save all my backups on the home server (where the uplink does not limit the backup speed) and then, possibly overnight when the backed up computers are off, sync my data off-site.
The thing I struggle with is the off-site synchronization. I don’t want to keep the repository password on the home server, which prevents the use of sync-to and with rsync, I would possibly clone corrupted data off-site.
Is there some nice way to achieve this?
I was thinking about generating a separate manifest file signed/encrypted by some other key. That manifest could describe the repository - list of files and hashes (possibly obtained from kopia content list -l) and my sync script would only sync the repo if the files match. But this just feels too hacky.
Don’t try to be smart about this and use Kopia’s native tools. Sure, you could perform a file-based sync - as long as your remote storage is of the same type (file system vs. S3 bucket), but that won’t help against copying “corrupted data off-site”.
You also don’t need the repo password on the remote host at all… where did you get that notion from? sync-to connects to the repo on the other end with the credentials you provide to it locally - no need to keep the repo password at the remote location at all.
Sorry, I was not precise enough. I can run sync-to but that does not check the consistency, right? What I can’t run on the remote without the password is some sort of verification such as snapshot verify.
Since sync-to creates a clone of your local repository, you would have to have that one in order. You can also connect your local copy of Kopia to the remote repository - in the end, this is what kopia repo sync-to does anyway, and have kopia perform maintenance tasks.
However, as long as the remote repo is not actively for backing up client directly, there is actually no need to run maintenance tasks on it.
As I said - you won’t need to perform any maintenance on the remote repo because your local repo will be completely synchronized over. Keeping your local repo in shape should be enough.
I haven’t checked about having different retention policies on both repos, however.