Open trixpan opened 9 years ago
My work-around is a static password on a Yubikey with a brain salt of a shorter memorable phrase appended to it. e.g. 'lkjasdfkljasdf8#$#$#$3423@3$89u..jkasdfjklasdf8348347283123kASKJKDFAFSDFduck-pony-boy'
@emory It is a smart workaround but doesn't address the main issue: User input of the password, you still need to type your brain salt and the password into the system you are backing up.
Had we the ability to use Public Key encryption I could for example have multiple systems doing automated backups to a single location, all using the same public keys, and yet, none of them knowing the private key used to protect the data.
The relevance of this feature is highlighted by the following section of the documentation:
Note For automated backups the passphrase can be specified using the ATTIC_PASSPHRASE environment variable.
(PS: I realise most asymmetric key encryption systems use public keys in combination with symmetric algorithms and passwords in order to achieve desirable encryption performance).
Understood, I'd be fine using a PKCS/X.509 method personally, but I imagine a gnupg-derived method would work as well for most people too (and then you'd have the benefit of a key agent).
It would be great to be able to use externally produced RSA public keys to encrypt backups and to decrypt using RSA private keys.
Ideally this method should support an external key provider so that users could store their backup keys using safer mechanisms such as smartcards (rather than passphrases only).