archiecobbs / s3backer

FUSE/NBD single file backing store via Amazon S3
Other
538 stars 77 forks source link

Feature requests changing encryption password #206

Closed dflipse closed 7 months ago

dflipse commented 1 year ago

For when encryption password may have been compromised, would be great previously used s3backer encryption password (--encryot flag) can be updated. This without having to backup all data and rewriting everything back in. As that would be very costly, time and resource consuming, indeed. Is this feasible?

archiecobbs commented 1 year ago

Right now there's no way to do this any more efficiently than creating another empty volume using the new password and then copying the entire disk image.

Longer term, it could be possible if an additional level of indirection were used. That would mean having the "real" encryption key encrypted using the password and then stored in the image. This is how e.g. LUKS works.

dflipse commented 1 year ago

Thanks @archiecobbs and I get your point. This would work for me and I'd like to have 'real' encryption key hidden away, indeed. Currently, I have my long/complex password saved in a file and applied chmod 600. Yet this does not guarantee it won't get compromised

archiecobbs commented 7 months ago

Closing this issue as "won't do". Feel free to add more comments if new information becomes available.