Bacula backup on Qubes OS?

Hi,

I have been using Bacula for many years, backing up all machines in the LAN to LTO tape and HDD storage. This has worked excellently as Bacula is so very configurable and flexible.

I am trying to find out if and (if yes) how Bacula can backup data from a Qubes OS machine, added to that same LAN, without introducing unwanted security implications. I am looking into this because Qubes Backup is not as efficient and flexible as Bacula.

What is your experience with Bacula on Qubes OS?
If you are using it, how do you approach its configuration?

If you intend to only backup user data it will work, but it won’t restore system configuration (/etc /usr …) info because that is read only via the template. All the Qubes VM configuration metadata will be absent in your backup and will have to be reconfigured by hand if you find yourself needing to restore a VM.

So I would say it’s good for a quick backup of your daily work but don’t count on it being able to restore your AppVM’s to its current condition.

I use backintime in my appVMs with a NFS share on NAS, and just run the backup once or twice a day using the standard scheduler. I assume you would be able to do something similar with Bacula.

In dom0 I have 2 drives with raid1 softraid, and I use a cron job to do daily backups of all appVMs and I do a weekly full backup with everything including all templates. Without the dom0 backup you are going to have a hard time doing disaster recovery, and I don’t know if you can use Bacula in dom0. Even if you can install Bacula, you don’t have any networking, you would need some type of DAS to save to backups.

The challenges I am thinking about:

  1. Backing up of an extra secure qube which has no networking.

With a network backup utility like Bacula it will obviously be impossible to backup to another network node. So, the only option would be to run Bacula director, file daemon and storage daemon in the same qube. That is surely possible - the storage daemon has to write either within the qube (not a really safe or meaningful way to back up) or a storage device has to be connected to the qube. In my case (a mini PC with single non-removable NVME storage and no SAS controller), the only available other storage would be one connected via USB.

  1. Connecting external USB storage.

This has all the USB security implications. I have read the Qubes OS documentation about USB devices. I don’t know how Qubes OS’ USBGuard works and how it could do anything about a potential USB threat. The documentation of Qubes OS doesn’t seem to mention how to white/black-list device classes. So, connecting a USB device and leaving it that way for a long time, so a backup schedule can do automatic backups, is probably not a bright idea. That seems to apply even more in a scenario of an extra secure qube with no networking (even if that is not dom0).

  1. Bacula itself

Having a Bacula file daemon running in a qube can be considered itself a potential increase of attack surface (software bugs, possible exploits) contradicting a minimalist security approach. Of course, that is not Qubes OS specific but perhaps worth mentioning, considering the extra security of the OS itself and the reason one chooses to use that particular OS.

That’s why I wonder A. how relevant Bacula is at all, and B. how it would need to be configured, considering these specifics.

Connecting external USB to an offline disp qube (or as @Sven would to directly to sys-usb disp qube based on deb-11-min-usb-dvm template) is not that bad idea at all…

In general, the less software installed, the better. So, for me no reason not to use Qubes backup tool. I armed my self with patience prior to start using Qubes…

I have SATA drives directly attached to dom0 I use for backup, but I use a desktop PC so attaching two extra drives isn’t an issue for me.

It’s only in VMs where I want extra file level backups I run backintime, I don’t run it in valuts. In secure VMs I just use the daily dom0 backups if I need to restore a file.

Connecting external USB to an offline disp qube (or as @Sven would to directly to sys-usb disp qube based on deb-11-min-usb-dvm template) is not that bad idea at all…

Is a disp qube more protected against USB attacks?
How?

In general, the less software installed, the better. So, for me no reason not to use Qubes backup tool. I armed my self with patience prior to start using Qubes…

Suppose the total data that Qubes Backup saves for a qube is (say) 100 GiB. Now, suppose that in one day one modifies data about 50-200 MiB. Saving 100 GiB every day just to have a backup of avg. 100 MiB is 1000 times less efficient than incremental backup. Personally, I don’t know how to overcome this with patience, neither I have unlimited storage. How do you do it?

In secure VMs I just use the daily dom0 backups if I need to restore a file.

How do you restore a single file?

I just restore the vm as xyz-1 and copy the file I need to xyz.

Not quite what I am looking for.

No, it’s not. It’s not about USB attacks, but about persistence of a qube compromised by USB attack. What USB attack? From your external backup USB drive? If so, why would you backup to it at all?

What (qubes) exactly do you want to backup and where is that 50-200MB? In all qubes? What is, for example those 50-200MB?

It’s not about USB attacks, but about persistence of a qube compromised by USB attack.

I understand but data in a disposable qube is equally vulnerable to data in a non-disposable one. So, even if (for some peculiar reason) one backs up the disposable data, it can still be compromised just as much. Also, if a USB device is malicious, it will most probably be persistently malicious, i.e. next time a disposable is connected to it, the situation with the qube and the data on it is the same. IOW the only protected part of the qube remains the operating system of the qube which seems of limited importance if the malware persists.

What USB attack?

One which modifies/transmits data in an unpredictable and unexpected ways, or represents itself as a different device (BadUSB) with its after effects (including the possibility to type ‘su -’ and flash the firmware of the host with an infected or dysfunctional version). I still can’t find docs explaining how exactly Qubes OS can prevent such an attack, once a device is attached to a qube.

From your external backup USB drive?

From the USB interface through which it connects.

If so, why would you backup to it at all?

Because, as I explained, the computer I am running Qubes OS on has limited connectivity options. If you have any better idea how to backup a mini PC with only USB and Ethernet ports, I would be glad to know about it.

What (qubes) exactly do you want to backup and where is that 50-200MB? In all qubes? What is, for example those 50-200MB?

qubes storing my own work - documents, images, scripts, personal data, etc. I still have not configured everything but perhaps a good set up may be:

  • personal data: offline (no network) qube with minimum amount of software
  • work files: other offline qube(s) with software necessary for processing those work files

The idea is not to expose data to anything which is not necessary.