
Re: cache dir security



On 11/15/11 18:35, Mark Smith wrote:
> We're using tarsnap here at Bump and I'm working on setting up a
> secure location for doing backup management. I.e., deleting old
> nightlies that we are done with so that we don't grow forever.

If you google for "tarsnap script" you'll find many good examples.

> I'm using an encrypted filesystem on this server as one of the steps
> for protecting our master keys (the ones that can issue deletes).
> 
> Should I/do I need to put the cache directory in this encrypted space?
> I suppose more directly my question is: if someone gets their hands on
> the contents of my cache directory -- but nothing else -- what is my
> risk exposure? What can be done with that data?

The cache directory contains:
1. Raw data from small files and sometimes the ends of large files.  (This is
used to make tarsnap faster -- if you've got N files of 1 kB scattered around,
it's much faster to read a single N kB block once than to seek around for each
file.)
2. The hashes of blocks stored on the server.
3. Reference counts to those blocks.

If someone can read the cache directory, they can obtain some of your data.  If
they can *tamper* with the cache directory, they could trick your delete script
into deleting data which is still needed by other archives; alternatively, they
could potentially trick your archive-creation script into not storing data (but
that's harder and would require them to know exactly what data is going to be
backed up).

In short: You probably want your cache directory to be encrypted. ;-)

> I did some rudimentary Google searching but wasn't able to find the
> answer to this question. Thanks in advance.

Thanks for asking!  With some luck this will be indexed by Google before the
next time someone needs to know.

-- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid