
Re: Are key privilege separation and backup rotation compatible?

On 03/18/17 17:45, Tim McCormack wrote:
> - Put a passphrased copy of the full key on the server and periodically
>   SSH in to run deletions (no automated rotation)

Anecdotally, it seems that a lot of people do this; but you're quite right
about the risk given a Sufficiently Malicious Attacker.  (Note however that
at a certain point having a Sufficiently Malicious Attacker means that you
have lost anyway: They could replace the tarsnap binary with one creating
archives full of garbage, and then wait for all your older archives to be
rotated away.)

> - Add the 'read' capability to my server's tarsnap key (this would
>   still allow destruction of my backup history, right?)

I'm not entirely sure what you mean here.  If your server has write+read
keys, it will be able to run --fsck to regenerate the cache directory and
it will be able to create new archives, but it will not be able to delete
old archives.

> Is there another option?

Yes: After you do the "--fsck + delete old archives" elsewhere, copy the
cache directory onto the write-keys-only server.

Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
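The procedure Colin describes (full key kept off the server, write-only key derived for the server, --fsck and archive deletions run elsewhere, then the cache directory copied onto the server) as a shell script. This is an added example, not Tarsnap's own code or anything posted in the thread; the key and cache paths, the ssh target, the retention count, and the assumption that archive names sort chronologically (e.g. host-YYYY-MM-DD) are all assumptions made for the example. It is meant to run on the trusted host that holds the full key, not on the backup server.

```shell
#!/bin/sh
# Rotate tarsnap archives from a trusted host and push the resulting cache
# to a server that only holds a write-only key.
# All paths, hosts and the KEEP count below are assumed values for this example.
set -eu

FULL_KEY="${FULL_KEY:-/root/tarsnap-full.key}"          # passphrased full key, trusted host only
WRITE_KEY="${WRITE_KEY:-/root/tarsnap-write.key}"       # write-only key to install on the server
CACHEDIR="${CACHEDIR:-/var/cache/tarsnap-rotate}"       # cache directory kept on the trusted host
SERVER="${SERVER:-backup@server.example}"               # ssh target of the backup server (assumed)
SERVER_CACHEDIR="${SERVER_CACHEDIR:-/usr/local/tarsnap-cache}"  # tarsnap cachedir on the server
KEEP="${KEEP:-30}"                                      # number of newest archives to retain

# One-time step: derive a key with only the 'write' capability from the full key.
# The server can create archives with it but cannot delete them or run --fsck.
make_write_key() {
    tarsnap-keymgmt --outkeyfile "$WRITE_KEY" -w "$FULL_KEY"
}

# Print the archive names that fall outside the newest $KEEP.
# --list-archives prints one name per line in no particular order, so the
# names are sorted; this relies on the assumed date-based naming scheme.
archives_to_delete() {
    tarsnap --keyfile "$FULL_KEY" --cachedir "$CACHEDIR" --list-archives \
        | sort \
        | awk -v keep="$KEEP" '{ a[NR] = $0 } END { for (i = 1; i <= NR - keep; i++) print a[i] }'
}

# Periodic step, run on the trusted host:
#  1. --fsck rebuilds this host's cache from the server, picking up the archives
#     the write-only server has created since the last run;
#  2. archives beyond the retention window are deleted with the full key;
#  3. the now-consistent cache is copied onto the server, so the server can
#     keep creating archives without needing a --fsck its key cannot perform.
rotate_archives() {
    tarsnap --keyfile "$FULL_KEY" --cachedir "$CACHEDIR" --fsck
    archives_to_delete | while IFS= read -r name; do
        tarsnap --keyfile "$FULL_KEY" --cachedir "$CACHEDIR" -d -f "$name"
    done
    rsync -a --delete "$CACHEDIR/" "$SERVER:$SERVER_CACHEDIR/"
}

case "${1:-}" in
    make-write-key) make_write_key ;;
    rotate)         rotate_archives ;;
    *)              echo "usage: $0 make-write-key | rotate" >&2 ;;
esac
```

Run `make-write-key` once and install the resulting key (not the full key) on the server; run `rotate` from cron on the trusted host. The copy in the last step must not race with the server: if the server creates an archive between the --fsck and the rsync, the copied cache is stale again, so schedule the rotation in a window when the server is not running tarsnap.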