
Re: tarsnap-keygen script usage



On 06/02/11 08:23, Kevin Gilpin wrote:
> "Backups are supposed to be a tool for mitigating damage — not a
> potential vulnerability to worry about!"
> 
> Which is great. Except that I have an S3 bucket that contains keys that
> can be used to access all the data.
> 
> As you point out, passphrase doesn't seem like the answer. I was
> imagining that I could keep the passphrase somewhere else and I'd only
> have to use it to retrieve an archive. But I guess the passphrase is
> also required to make archives, which means they have to be on the
> server with the key, which as you point out, does not suit my purpose.

Correct.  You could have an unpassphrased key on each server and then
use tarsnap-keymgmt to create a passphrased version of the key file
for uploading to S3, but at that point you're probably better off using
GPG.

> So I think your suggestion is to encrypt the keys before uploading them
> to S3. The cloud server will only need a public key to do this. Data
> recovery will require a private key.

Correct.  And you might also want to use tarsnap-keymgmt to create a
write-only key file to be kept on each server so that if someone breaks
into a server they can't delete said server's backups.

Another attack vector to consider, while I'm writing: If someone breaks
into one of your servers, can they abuse the S3 credentials you used for
uploading the encrypted tarsnap keys?  e.g., to delete or overwrite the
key files?

-- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
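Pulling the advice in this reply together into one per-server script, as an added example that is not Colin Percival's or the Tarsnap project's code: the server keeps only a write-only key derived with tarsnap-keymgmt, the full key is encrypted to an offline GPG recovery key (the server holds only the public key) and pushed to S3, and the plaintext full key is then removed from the server. The key file paths, the recovery-key fingerprint placeholder, the bucket name and the use of the AWS CLI for the upload are all assumptions; the script also assumes tarsnap-keygen has already produced the full key at `/root/tarsnap.key`.

```shell
#!/bin/sh
# Added example (not Colin Percival's or Tarsnap's code). Assumes:
#  - tarsnap-keygen already wrote the full key to $KEYFILE
#  - the recovery GPG public key is imported on this host (private key stays offline)
#  - the AWS CLI is configured with a put-only identity for $S3_BUCKET
set -eu

KEYFILE="${KEYFILE:-/root/tarsnap.key}"                  # full key from tarsnap-keygen (assumed path)
WRITE_KEYFILE="${WRITE_KEYFILE:-/root/tarsnap-write.key}" # write-only key that stays on the server
GPG_RECIPIENT="${GPG_RECIPIENT:-RECOVERY_KEY_FINGERPRINT_PLACEHOLDER}" # placeholder, not a real key
S3_BUCKET="${S3_BUCKET:-s3://example-tarsnap-keys}"      # constructed bucket name
SERVER_NAME="${SERVER_NAME:-$(uname -n)}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute the command, or print it when DRY_RUN=1 so the plan
# can be reviewed before it touches any key material.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: derive a write-only key. An intruder with this key can add
# archives but cannot read or delete this server's existing backups.
make_write_only_key() {
    run tarsnap-keymgmt -w "$WRITE_KEYFILE" "$KEYFILE"
}

# Step 2: encrypt the full key to the offline recovery key. Only the public
# half is needed here; restoring requires the private key kept elsewhere.
encrypt_full_key() {
    run gpg --batch --yes --encrypt --recipient "$GPG_RECIPIENT" \
        --output "$KEYFILE.gpg" "$KEYFILE"
}

# Step 3: upload the ciphertext. The identity used here should only be able
# to put objects, never delete or overwrite them (see the S3-credential
# question at the end of the reply).
upload_encrypted_key() {
    run aws s3 cp "$KEYFILE.gpg" "$S3_BUCKET/$SERVER_NAME/tarsnap.key.gpg"
}

# Step 4: remove the plaintext full key so the server holds only the
# write-only key. shred is GNU coreutils and does not guarantee
# overwriting on journaling or copy-on-write filesystems.
remove_full_key() {
    run shred -u "$KEYFILE"
    run rm -f "$KEYFILE.gpg"
}

# Whole procedure in order; returns the dry-run plan on stdout when DRY_RUN=1.
protect_server_key() {
    make_write_only_key
    encrypt_full_key
    upload_encrypted_key
    remove_full_key
}

# Guarded entry point: RUN_KEY_SETUP=1 sh this-script.sh
if [ "${RUN_KEY_SETUP:-0}" = 1 ]; then
    protect_server_key
fi
```

Run it once with `DRY_RUN=1 RUN_KEY_SETUP=1` to review the exact commands, then without `DRY_RUN`. After this, routine backups use `--keyfile /root/tarsnap-write.key`, and recovery means fetching the `.gpg` object, decrypting it with the private key on a trusted machine, and using the resulting full key from there. Pairing the put-only upload identity with S3 bucket versioning keeps a compromised server from silently replacing an earlier, good copy of the encrypted key.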