![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
Background:
I'm moving away from optical storage for long-term archives. I define "archives" as offline data which is irreplaceable. In my case this is photos (~50 DVDs worth), family video, financial data, email archives and various other things. This is specifically not short-term "backups".
I have chosen to adopt a method where I have my archive staged on my main workstation PC and use robocopy to sync to two removable 2.5" SATA caddies. One drive lives in my firebox at home, the other in my safety deposit box at my bank. When content needs to be changed in the archive I make the changes to the staging area, sync to the "A" caddy from my firebox, swap with unit B at the bank, sync B with the staging area, stash "B" in my firebox. In the meantime the archive master can be used for routine access to that data - like my photo archive. My DAM (digital asset management) can even catalog my entire photo library directly from the archive master instead of telling me which DVD to pull from the archive.
The question:
My system has an SSD boot/apps drive and a data HDD. I've upgraded my HDD from 750GB to 1.5TB to ensure that I have room for the archive staging area. I am looking for a way to make the staged archives read only, just like an optical filesystem or read-only mounted filesystem under UNIX. I obviously don't want accidental deletions of content, but I also don't want virus/trojan damage, routine updating of thumbnail files etc... I want the directory structure locked down and unchanging except when I have the archive master "unlocked". The external caddies must be plain jane NTFS, but the master could do something more creative if needed.
1/ I do not want to use the security/cacls interface because I believe it will have to apply to "all files, folders and subfolders" toggling read only or some other perms flags. This is extremely time consuming to turn on and off in the areas of interest and ends up "touching" all the files in the archive, resetting some of the datestamps etc... If I fully understand the ramifications I do not want to do this - at least not in the most common ways that most people think of.
2/ I thought about making a partition for the archive master which was the same size as the 2.5" disks and I could hopefully figure out a way to mount a volume read-only in Win7 (google didn't find any good hits) - or perhaps not mount it at all by default unless needed which would half-solve the problem. I haven't gone this route as I don't wish for the archive master to occupy it's maximum size at all times, nor do I wish to futz around with even more drive letters (yes I know I could mount to a directory). I like that keeping the master in a directory tree let's it occupy exactly the space it needs at any time.
3/ I've thought about loop-mounted or encapsulated file systems, such as Truecrypt in a sparse container. Truecrypt allows read-only mounts, at least. The archive master won't always be read by computer-savvy users and I didn't want to add that level of complexity if I didn't have to and I did not intend to encrypt this content at the moment. It has the drive letter disadvantages but as long as sparse filesystem containers could be used I would save my disk space until actually needed.
4/ permanently set the ACLs on the master directory tree so that a user ID other than my main user ID is the only one allowed to write. When I want to maintain the archives I have to log in as that user? I don't really like this one - it introduces awkwardness. Also, if robocopy extends those perms to the externals then they'll have the same limitation on their disk structure and that could get in the way down the road. Remember that if I'm killed someone less computer-savvy will be attempting to gain access to these family archives.
I must have overlooked some other techniques out there for doing this kind of thing. I've had trouble coming up with google search terms which actually describe the problem I'm trying to solve properly so it's been tough to find info on what other people have done to solve their problems of this type.
Ideas?
I'm moving away from optical storage for long-term archives. I define "archives" as offline data which is irreplaceable. In my case this is photos (~50 DVDs worth), family video, financial data, email archives and various other things. This is specifically not short-term "backups".
I have chosen to adopt a method where I have my archive staged on my main workstation PC and use robocopy to sync to two removable 2.5" SATA caddies. One drive lives in my firebox at home, the other in my safety deposit box at my bank. When content needs to be changed in the archive I make the changes to the staging area, sync to the "A" caddy from my firebox, swap with unit B at the bank, sync B with the staging area, stash "B" in my firebox. In the meantime the archive master can be used for routine access to that data - like my photo archive. My DAM (digital asset management) can even catalog my entire photo library directly from the archive master instead of telling me which DVD to pull from the archive.
The question:
My system has an SSD boot/apps drive and a data HDD. I've upgraded my HDD from 750GB to 1.5TB to ensure that I have room for the archive staging area. I am looking for a way to make the staged archives read only, just like an optical filesystem or read-only mounted filesystem under UNIX. I obviously don't want accidental deletions of content, but I also don't want virus/trojan damage, routine updating of thumbnail files etc... I want the directory structure locked down and unchanging except when I have the archive master "unlocked". The external caddies must be plain jane NTFS, but the master could do something more creative if needed.
1/ I do not want to use the security/cacls interface because I believe it will have to apply to "all files, folders and subfolders" toggling read only or some other perms flags. This is extremely time consuming to turn on and off in the areas of interest and ends up "touching" all the files in the archive, resetting some of the datestamps etc... If I fully understand the ramifications I do not want to do this - at least not in the most common ways that most people think of.
2/ I thought about making a partition for the archive master which was the same size as the 2.5" disks and I could hopefully figure out a way to mount a volume read-only in Win7 (google didn't find any good hits) - or perhaps not mount it at all by default unless needed which would half-solve the problem. I haven't gone this route as I don't wish for the archive master to occupy it's maximum size at all times, nor do I wish to futz around with even more drive letters (yes I know I could mount to a directory). I like that keeping the master in a directory tree let's it occupy exactly the space it needs at any time.
3/ I've thought about loop-mounted or encapsulated file systems, such as Truecrypt in a sparse container. Truecrypt allows read-only mounts, at least. The archive master won't always be read by computer-savvy users and I didn't want to add that level of complexity if I didn't have to and I did not intend to encrypt this content at the moment. It has the drive letter disadvantages but as long as sparse filesystem containers could be used I would save my disk space until actually needed.
4/ permanently set the ACLs on the master directory tree so that a user ID other than my main user ID is the only one allowed to write. When I want to maintain the archives I have to log in as that user? I don't really like this one - it introduces awkwardness. Also, if robocopy extends those perms to the externals then they'll have the same limitation on their disk structure and that could get in the way down the road. Remember that if I'm killed someone less computer-savvy will be attempting to gain access to these family archives.
I must have overlooked some other techniques out there for doing this kind of thing. I've had trouble coming up with google search terms which actually describe the problem I'm trying to solve properly so it's been tough to find info on what other people have done to solve their problems of this type.
Ideas?