Using Tor Hidden Services and GPG to Create Difficult to Attack Offsite Backups :: Networks Are Made Of String

Backups are very useful and in the event of fire or theft it is very useful to have them offsite, however offsite backups leave your data at risk of compromise if the offsite storage is attacked.

To prevent an attacker from locating your offsite backup (e.g. if you were backing up your laptop whilst in a hotel) and preventing theft of the data in the event the location is discovered one can use Tor and GPG.

As the data is encrypted at rest it is safe to use any number of VPS providers because even if they accidently attach your volume to someone elses instance the data is still unreadable.

Configuring Tor:

Installing Tor for your server is explained on the Tor project website with that done you can check the Hidden Service manual for general advice on configuring a Hidden Service but it basically boils down to;

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22

It is not advisable to run your Tor instance as a relay as whilst this will help the Tor network and could also provide a certain amount of traffic to/from the offsite server which may help mask its origin and frustrate correlation attacks if the relay goes down at the same time as your hidden service this would be a different form of correlation attack.

You could elect to run it as a private bridge for your own use too;

BridgeRelay 1
PublishServerDescriptor 0

##Configuring The Source: The following bash script is relatively well commented;

#!/bin/bash

NOW=$(date +"%a")
FILE="backup-$NOW.tar.gz"

echo $FILE

echo "Backup up directory 1"
tar cf /backup/dir1.tar /directory1
echo "Backup high io"
tar cf /backup/dir2.tar /directory2


echo "Backup up DBs;"
for DB in mysql db1 db2 db3 db4
do
        echo $DB
        mysqldump $DB > /backup/$DB.sql
done

echo "Taring DBs"
tar cf /backup/dbs.tar /backup/*.sql

echo "Creating compressed tgz of all tars"
tar czf /backup/$FILE /backup/*.tar

echo "Encrypting"
time gpg --encrypt --recipient your@email.com /backup/$FILE
echo "Done"


echo "Deleting unencrypted backups"
rm /backup/*.tar /backup/*.sql
echo "Done"

echo "SCPing to Hidden Service"
scp -i /root/backup.key -o ProxyCommand='nc --proxy 127.0.0.1:9150 \
 --proxy-type socks5 %h %p' /backup/$FILE.gpg backup@xxxxxxxxxxxxxxxxxx.onion:
echo "Done"

echo "RM'ing local GPG backup"
rm /backup/$FILE.gpg
echo "Done"