[Discuss] Revisiting VMWare ESX backup options

[richb at pioneer.ci.net (Rich Braun)]

One word on modern backup strategy: encryption. Cloud services like CrashPlan
take care of this automatically; traditional tape-backup solutions usually
didn't, in the past.

I don't know anything about VMware-specific utilities (for VMs I just back up
the instance like any other system, and make sure that I've got O/S
configuration-management tools that allow me to regenerate an instance
readily).  But whatever utility you use, you should encrypt all backups. AES
encryption no longer adds meaningful overhead to your operations; it's
built-in to current-generation CPUs.  Look for it in whatever utility you
choose, and don't ignore it.

Encryption-key management then becomes a separate backup issue, one that I
haven't fully figured out.  The keys need to be stored separately from the
backups, and encryption-key backups need to be kept current so you don't wind
up with an unrecoverable backup volume (whether it was stored in the cloud, on
tape, or on local disks/USB/whatever).  But as part of my figuring-out
process, I'm leaning toward rotating the keys reasonably often so they're not
out-of-sight/out-of-mind. They can be kept under git within a LUKS or
TrueCrypt volume, to preserve history; or there might be other tools for doing
this that I haven't yet discovered.  My current solution is simple
git-under-LUKS, on USB flash drives that can be stored in a vault, on your
keychain, or wherever.

-rich