Re: tarsnap-keygen script usage



On 06/02/11 07:53, Kevin Gilpin wrote:
> I have a cloud-based system. Each server in the cloud is having tarsnap
> set up and generating its own key. The keys are then written to my own
> S3 bucket so that I can use them to recover the data.
> 
> But in the case that someone gets hold of the keys, I would also like
> the passphrase protection.

How do you anticipate someone getting access to the keys without also
having access to your passphrase?  If your cloud instances have both
their individual keys and the associated passphrase, an attacker who
gains access to said servers will have both and the passphrase won't
help you at all.

If your concern is about someone stealing the keys from S3 -- why not
use something like GPG?  That way you would be able to access the keys
but you wouldn't run the risk that someone with access to one of your
servers would be able to steal the passphrase.

(If you haven't already looked at it, you should probably consider
tarsnap-keymgmt -- I get the feeling that restricted key files might be
useful for what you're doing.)

> An alternative would be to have one master key that is copied out to
> each server, instead of having each server generate its own.
> 
> However, in that case it seems like the archives will all go into one
> master namespace (tarsnap --list-archives will show archives across all
> systems in the cloud). I would rather have the archives associated with
> the key that created them.

You absolutely don't want to use a single key across all the systems --
in addition to the problem you mentioned, you'd be spending all your time
running --fsck since you can only create archives if you have an up-to-date
local cache directory.

-- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
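The key layout Colin suggests above (per-server key, restricted key on the box, full key stored elsewhere under a passphrase that the server never sees) can be scripted. The script below is an added example for this thread, not code from Colin Percival or the Tarsnap project. It assumes tarsnap-keygen, tarsnap-keymgmt, gpg 2.x and the aws CLI are installed and configured; the account name, machine name, paths and bucket in the example call are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Tarsnap project.
# Splits a per-server Tarsnap key into (a) a write-only restricted key that
# stays on the server and (b) the full key, GPG-encrypted, for storage in S3.
# Assumes tarsnap-keygen, tarsnap-keymgmt, gpg (2.x) and the aws CLI are
# installed; account, machine, path and bucket names are placeholders.
set -eu

# 1. Register this machine and create its full key. Prompts for the Tarsnap
#    account password; run once per server.
generate_full_key() {
    full_key=$1; user=$2; machine=$3
    tarsnap-keygen --keyfile "$full_key" --user "$user" --machine "$machine"
    chmod 0600 "$full_key"
}

# 2. Derive a write-only key (-w). It can create archives but cannot list,
#    read or delete them, so an attacker who takes over the server gets
#    neither old backups nor the ability to destroy them. Only this key
#    stays on the box, and tarsnap's --keyfile on the server points at it.
make_write_only_key() {
    full_key=$1; restricted_key=$2
    tarsnap-keymgmt --outkeyfile "$restricted_key" -w "$full_key"
    chmod 0600 "$restricted_key"
}

# 3. Symmetrically encrypt the full key with a passphrase read from a file
#    that lives only on the provisioning/recovery host, never on the server,
#    so the copy in S3 is useless without that passphrase.
encrypt_full_key() {
    full_key=$1; passphrase_file=$2; out=$3
    gpg --batch --yes --pinentry-mode loopback --symmetric \
        --cipher-algo AES256 --passphrase-file "$passphrase_file" \
        --output "$out" "$full_key"
}

# Recovery counterpart: decrypt a stored key back to a file on the recovery host.
decrypt_full_key() {
    enc=$1; passphrase_file=$2; out=$3
    gpg --batch --yes --pinentry-mode loopback --quiet \
        --passphrase-file "$passphrase_file" --output "$out" --decrypt "$enc"
}

# 4. Ship the encrypted key off the box (assumes the aws CLI has credentials
#    that can only write to this prefix).
upload_encrypted_key() {
    enc=$1; bucket=$2; machine=$3
    aws s3 cp "$enc" "s3://$bucket/tarsnap-keys/$machine.key.gpg"
}

# Whole provisioning flow; the plaintext full key is wiped afterwards so the
# server holds only the write-only key. Example call (not run on load):
#   provision_server user@example.com web01 /root/tarsnap /root/pass.txt my-bucket
provision_server() {
    user=$1; machine=$2; keydir=$3; passphrase_file=$4; bucket=$5
    full="$keydir/$machine.full.key"
    generate_full_key "$full" "$user" "$machine"
    make_write_only_key "$full" "$keydir/tarsnap.key"
    encrypt_full_key "$full" "$passphrase_file" "$full.gpg"
    upload_encrypted_key "$full.gpg" "$bucket" "$machine"
    shred -u "$full" 2>/dev/null || rm -f "$full"   # shred is GNU; fall back to rm
}
```

Because the server's key is write-only, `tarsnap --list-archives` and `--fsck` with that key on the box will fail; listing, verifying and restoring are done from the recovery host after `decrypt_full_key`. Each key still needs its own `--cachedir`, which is exactly why a single shared key across all servers turns into the constant `--fsck` churn described above.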