Oops, it turned out we don't have developer-level documentation of our backup infrastructure (and call me a conservative, but qubes-devel threads do not count as documentation!).
Things we should cover:
Backup threat models:
traditional: backups coming from a malicious USB/disk/NAS, verified using digital sig
paranoid: backups made on a compromised system (upcoming post on this)
Implementation (diagram-level description):
in Qubes 3.x
in Qubes 4.0 (using AdminAPI, will be partly covered in the upcoming post)