Re: Key which can only delete 'old backups'
- To: Richard Collins <richardc@richardc.net>, tarsnap-users@tarsnap.com
- Subject: Re: Key which can only delete 'old backups'
- From: Colin Percival <cperciva@tarsnap.com>
- Date: Wed, 19 Mar 2014 20:45:20 -0700
- In-reply-to: <CAAU-wDUJXoBfdUU2puShquemVPOpdtevpz8jKCbdv3NS7V=hJA@mail.gmail.com>
- References: <CAAU-wDUJXoBfdUU2puShquemVPOpdtevpz8jKCbdv3NS7V=hJA@mail.gmail.com>
On 03/19/14 17:13, Richard Collins wrote:
> I have been using tarsnap for a few months now and am finally getting around to
> automating deletion of old archives.
>
> On the server being backed up I have a write-only key which is used for the
> regular backups. It would be nice if after doing a backup, the backup script
> could delete archives older than say 3 months. This would require a delete key
> to be on the server being backed up.
>
> However this seems to defeat the purpose of privilege separation. What if an
> attacker gains access to the server, uses the delete key to delete all the
> backups, then deletes everything on the server.
>
> Have I missed something and it is possible to automate deletion of old archives
> from the server being backed up without a key that could be used to delete all
> the backups?
What you're asking for isn't possible, because the Tarsnap service doesn't know
what an "archive" is. All the service knows about is blocks of storage -- the
process of taking a stream of bytes and splitting it into blocks and removing
the duplicate blocks is all done in the tarsnap client.
As a result, while I could theoretically have keys which could only delete
*blocks* which are more than 3 months old, that wouldn't do you any good --
since an archive you create today will probably be using some of those 3+ month
old blocks.
There are two common ways people deal with this:
1. Have a passphrase-protected key file with the delete key, and periodically
log in to your server and enter the passphrase to launch a round of deletes.
2. Have the delete key on a different server and use the --fsck operation to
reconstruct the cache directory as needed (since you need to have an up-to-date
cache directory in order to create or delete archives).
If you go back through the mailing list archives you'll find a few discussion
threads about this.
--
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
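Option 2 from the reply above, as an added example script that is not Tarsnap's own code and not from anyone in this thread: run on the separate host that holds the delete key, it rebuilds that host's cache with --fsck, lists the archives, and deletes those whose name ends in a date older than the cutoff. Assumed, not from the page: archives are named HOST-YYYY-MM-DD, the key and cache paths below, GNU date syntax for computing the cutoff, and that the key file carries whatever permissions tarsnap-keymgmt(1) requires for --fsck in addition to delete.

```shell
#!/bin/sh
# Prune Tarsnap archives older than a cutoff from a host that only holds the
# delete key (hypothetical paths; adjust to your layout).
set -eu

KEYFILE=${KEYFILE:-/root/tarsnap-delete.key}
CACHEDIR=${CACHEDIR:-/var/cache/tarsnap-delete}

# Turn a string ending in YYYY-MM-DD into the integer YYYYMMDD (lexical and
# numeric order agree for ISO dates). Prints nothing if there is no trailing date.
date_key() {
    printf '%s\n' "$1" \
      | sed -n 's/^.*\([0-9]\{4\}\)-\([0-9]\{2\}\)-\([0-9]\{2\}\)$/\1\2\3/p'
}

# Read archive names on stdin and print only those dated strictly before $1
# (YYYY-MM-DD). Names without a trailing date are never selected, so a
# misnamed or manual archive cannot be deleted by accident.
select_expired() {
    cutoff=$(date_key "$1")
    [ -n "$cutoff" ] || { echo "bad cutoff: $1" >&2; return 2; }
    while IFS= read -r name; do
        key=$(date_key "$name")
        [ -n "$key" ] || continue
        if [ "$key" -lt "$cutoff" ]; then
            printf '%s\n' "$name"
        fi
    done
}

prune() {
    # This host does not create the backups, so its cache directory is stale;
    # --fsck rebuilds it from the server before any create/delete is attempted.
    tarsnap --keyfile "$KEYFILE" --cachedir "$CACHEDIR" --fsck
    tarsnap --keyfile "$KEYFILE" --cachedir "$CACHEDIR" --list-archives \
      | select_expired "$1" \
      | while IFS= read -r name; do
            echo "deleting $name" >&2
            tarsnap --keyfile "$KEYFILE" --cachedir "$CACHEDIR" -d -f "$name"
        done
}

# Only act when a cutoff is supplied, e.g. from cron on the key-holding host:
#   PRUNE_CUTOFF=$(date -u -d '3 months ago' +%F) sh prune.sh   (GNU date)
if [ -n "${PRUNE_CUTOFF:-}" ]; then
    prune "$PRUNE_CUTOFF"
fi
```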