
duplicity-team team mailing list archive

Re: [Question #291346]: Encryped passwords/phrases

 

Question #291346 on Duplicity changed:
https://answers.launchpad.net/duplicity/+question/291346

    Status: Open => Answered

edso proposed the following answer:
On 19.04.2016 09:58, Christoph Löhr wrote:
> Question #291346 on Duplicity changed:
> https://answers.launchpad.net/duplicity/+question/291346
> 
>     Status: Answered => Open
> 
> Christoph Löhr is still having a problem:
> Hi,
> 
> this is not the part of how i want to use it. There are some
> considerations, in special that the machines should do automated
> backups, without user interactions or agents running. In addition of
> course without clear text passwords.

without interaction you would usually use a passphraseless machine key and
additionally encrypt against your own or a global public key in general
(yes, you can encrypt against multiple keys w/ duplicity).

> Your answer sounds, like, build your own wrapper around the duplicity to
> fix this issue with the passwords.

to your ears may be, but i know what i mean and _that is_:

having the secret on the box means the hacker has it as well.
obfuscating it simply makes retrieving it a little more difficult. you
provide the means to decode it on the same box, that's inherently
insecure.

what do you want to achieve anyway in the big picture? usually you want to
protect your data. you use duplicity to dump your backups on inherently
insecure space because you trust gpg's encryption is sufficiently secure
for a third party not to break it.

so if an attacker already has access to your box, as the user that runs duplicity, he also has access to the data you want to back up. additionally he has access to the space you dump your backups to and can modify the data there and also read your old backups. essentially that box and its backup space are lost.
to my knowledge the best way to work around that vector is to have a passive copy of your backup repo, only copying new files, never touching existing ones. the challenge after the armageddon will be to find the latest clean backup of course.

in conclusion: use passphraseless keys for automation w/o human
interaction with gpg, that's why the option is there.

..ede/duply.net
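
The "passive copy" idea from the answer above, as an added example (not code from the post or from duplicity): a pull-only mirror that copies files it has not seen, never overwrites or deletes what it already holds, and reports any existing file whose content differs on the primary. The function name `pull_new_only` and both paths are hypothetical; it assumes the script runs on the mirror host against a read-only view of the primary repo, and that backup files are not rewritten in normal operation, so a changed file deserves a look.

```shell
#!/bin/sh
# pull_new_only SRC DST  (hypothetical helper)
# Copy files that exist under SRC but not under DST. Files already in DST
# are never overwritten or deleted. A file whose content differs between
# SRC and DST is reported on stderr and left untouched in DST.
# Prints "new=N changed=M"; returns 1 if any existing file differed.
# Limitation: file names containing newlines are not supported.
pull_new_only() {
    src=$1
    dst=$2
    new=0
    changed=0
    list=$(mktemp) || return 2
    # Relative paths of every regular file in the primary repo.
    (cd "$src" && find . -type f) > "$list"
    while IFS= read -r rel; do
        if [ -e "$dst/$rel" ]; then
            # Already mirrored: compare only, never write.
            if ! cmp -s "$src/$rel" "$dst/$rel"; then
                echo "ALERT: $rel differs from mirrored copy" >&2
                changed=$((changed + 1))
            fi
        else
            mkdir -p "$dst/$(dirname "$rel")"
            cp -p "$src/$rel" "$dst/$rel"
            chmod a-w "$dst/$rel"   # mirrored copies are read-only
            new=$((new + 1))
        fi
    done < "$list"
    rm -f "$list"
    echo "new=$new changed=$changed"
    [ "$changed" -eq 0 ]
}

# Usage on the mirror host (paths are placeholders):
#   pull_new_only /mnt/primary-repo-readonly /srv/backup-mirror || notify_admin
```

Because the mirror pulls and the backed-up box holds no credentials for it, a compromise of that box cannot rewrite what the mirror already has.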
