Open infokiller opened 5 years ago
The Crypto is used to protect the "privacy" of the backup data.
There is already a way to do an "append only" protection:
borg serve --append-only
works with ssh access (needs some configuration on the server side)
Emmo
@motwok thanks, append only protection is indeed close to what I'm proposing, but we can still benefit from more fine grained access control. For example, there could be a key that has authorization for appending one backup a day, but that's it. The key can't be used to delete archives or even read them. Similarly, there could be a key just for restricted pruning (so that an attacker who gains access to the key won't be able to do aggressive pruning to delete data).
iirc we already have some issue about this on this issue tracker.
@infokiller I agree some kind of access control would be neat.
Besides the effort needed to support session keys (some asymmetric key crypto is needed) I can imagine a secure scenario for management (delete, prune, list), data access (decrypting content) and appending by using a separate key for access to metadata, content data and appending. (just a pre-alpha-thought[TM])
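The server-side configuration that the `borg serve --append-only` comment refers to, and the "one key per role" idea discussed above, can be approximated today with what borg already ships: one SSH client key whose forced command is an append-only `borg serve`, and a separate key for management. The script below is an added example written for this thread, not borg project code or a participant's own. It assumes a dedicated backup user on the server, a repository path of `/srv/borg/laptop`, and placeholder public keys (all constructed); `--restrict-to-repository` is a borg 1.1+ option of `borg serve`, and `restrict` is an OpenSSH 7.2+ authorized_keys option.

```shell
#!/bin/sh
# Added example for this issue thread (not from the borg project): build
# OpenSSH authorized_keys entries that confine one client key to append-only
# access to a single borg repository and a second key to full management
# access, then audit a file for keys that were NOT confined to append-only.
# Repository paths, key blobs and comments are constructed placeholders.

# Emit one authorized_keys line.
#   $1 = role: "append" (backup client) or "manage" (prune/delete/list)
#   $2 = repository path on the server
#   $3 = client public key ("type base64blob comment")
borg_authorized_key_line() {
    role=$1; repo=$2; pubkey=$3
    case $role in
        append)
            # --append-only: the client may add data but cannot delete or
            # prune, so a stolen client key cannot destroy existing backups
            # before an admin reviews the repository transaction log.
            # --restrict-to-repository: this key opens only this repository.
            cmd="borg serve --append-only --restrict-to-repository $repo"
            ;;
        manage)
            # Full access for prune/delete, still confined to one repository;
            # keep this key off the backup clients themselves.
            cmd="borg serve --restrict-to-repository $repo"
            ;;
        *)
            echo "unknown role: $role" >&2
            return 1
            ;;
    esac
    # "restrict" disables port/agent/X11 forwarding and pty allocation, so
    # the key can do nothing but run the forced borg command.
    printf 'command="%s",restrict %s\n' "$cmd" "$pubkey"
}

# Audit: print every borg forced-command entry in an authorized_keys file
# that lacks --append-only, i.e. every key able to prune or delete. The
# output should match the short, known list of management keys.
list_full_access_borg_keys() {
    grep 'command="borg serve' "$1" | grep -v -- '--append-only'
    return 0
}

# Stand-alone demonstration with a constructed authorized_keys file.
demo_file=$(mktemp)
borg_authorized_key_line append /srv/borg/laptop \
    "ssh-ed25519 AAAAexampleLaptopKey backup@laptop" > "$demo_file"
borg_authorized_key_line manage /srv/borg/laptop \
    "ssh-ed25519 AAAAexampleAdminKey admin@workstation" >> "$demo_file"
echo "generated authorized_keys:"
cat "$demo_file"
echo "keys that can prune or delete (expect only the admin key):"
list_full_access_borg_keys "$demo_file"
rm -f "$demo_file"
```

Install the generated lines into the backup user's `~/.ssh/authorized_keys` on the server; the client then runs `borg create` against `backupuser@server:/srv/borg/laptop` as usual, while pruning is only possible from the host holding the management key. The audit function is meant for a periodic check that no additional unrestricted key has crept into the file.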
Have you checked borgbackup docs, FAQ, and open Github issues?
Yes
Is this a BUG / ISSUE report or a QUESTION?
This is a feature from Tarsnap that I'd like to have. See the short security overview for the basic description, but the idea is to be able to support multiple keys in a repository, where each key can be granted individual permissions. For example, this makes it possible to define two keys:
This improves the security of the overall backup setup by implementing the principle of least privilege.