[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Automated tarsnap backups.



Thanks, 

This seems to satisfy my use-case. It seems like I can have the master key encrypted and the -w key be unencrypted.


On Fri, Feb 14, 2014 at 1:48 PM, Matthias Hörmann <mhoermann@gmail.com> wrote:
You can create limited keys with https://www.tarsnap.com/man-tarsnap-keymgmt.1.html
which can only perform some operations if you are concerned about e.g. an attacker
deleting your backups after exploiting a security hole on the box you backup.

I haven't tried it myself though so I don't know the details.

Matthias Hörmann


On Fri, Feb 14, 2014 at 7:43 PM, Joshua Kolash <joshua.kolash@gmail.com> wrote:
Curious Question for people who use tarsnap for automated backups.

I assume most people just have the keyfile as unencrypted, as it doesn't require any prompting.

Does anyone keep the keyfile encrypted and have automated backups?

I'm imagining the following server setup.

Have a BackupBox with the encrypted keyfile and the backup contents.

Have a PasswordBox with the password to the keyfile and have the PasswordBox simply ssh into the BackupBox and enter the password into tarsnap on a regular basis. The PasswordBox can then be sealed off except for re-initializing the password and ssh schedule. In effect it is like having a single purpose ssh-agent that lasts forever for narrowly defined tasks.

Does anyone do anything like this? Or is this needless complexity for little if any security gain? You still need to trust BackupBox to not be evil.

As I want automated backups I think the only point to encrypting the keyfile would be for the printed paper backup.