[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Are key privilege separation and backup rotation compatible?
On 03/18/17 17:45, Tim McCormack wrote:
> - Put a passphrased copy of the full key on the server and periodically
> SSH in to run deletions (no automated rotation)
Anecdotally, it seems that a lot of people do this; but you're quite right
about the risk given a Sufficiently Malicious Attacker. (Note however that
at a certain point having a Sufficiently Malicious Attacker means that you
have lost anyway: They could replace the tarsnap binary with one creating
archives full of garbage, and then wait for all your older archives to be
rotated away.)
> - Add the 'read' capability to my server's tarsnap key (this would
> still allow destruction of my backup history, right?)
I'm not entirely sure what you mean here. If your server has write+read
keys, it will be able to run --fsck to regenerate the cache directory and
it will be able to create new archives, but it will not be able to delete
old archives.
> Is there another option?
Yes: After you do the "--fsck + delete old archives" elsewhere, copy the
cache directory onto the write-keys-only server.
--
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid