librelist archives

Untrusted remote host

From:
Ahmad Khayyat
Date:
2015-05-21 @ 19:07
Do I need to trust a remote host if I want to use a remote repository on it
over SSH (without mounting)?

The source of my concern is the fact that Attic must be installed on the
remote host.

If the remote host is untrusted, I'd not want the remote Attic instance to
ever receive the key or any other sensitive information that may compromise
my encrypted archives.

Sv: [attic] Untrusted remote host

From:
Petter Gunnerud
Date:
2015-05-21 @ 21:21
I use attic to back up to a remote repo, using encryption. I trust the
server, but I see the risk that someone will break into the house and steal
the server hosting the repo. I created a key on the source server. Then I
created a luks container. Copied the key into the container, and scp'ed the
container to the remote server. For the restore test I mounted the container
as ~/.attic/keys.

This way I made the key password protected on the repo server, while it's
open on the source server. (You don't need to store the key on the backup
server before you'd like to do a restore on that server, but you do need a
copy of it stored somewhere. An encrypted backup is worthless if you don't
have a backup of the encryption key!)

From: Ahmad Khayyat <akhayyat@gmail.com>
To: attic@librelist.com
Sent: Thursday, 21 May 2015 21:07
Subject: [attic] Untrusted remote host

Do I need to trust a remote host if I want to use a remote repository on
it over SSH (without mounting)?

The source of my concern is the fact that Attic must be installed on the
remote host.

If the remote host is untrusted, I'd not want the remote Attic instance to
ever receive the key or any other sensitive information that may
compromise my encrypted archives.

Re: [attic] Untrusted remote host

From:
Ahmad Khayyat
Date:
2015-05-21 @ 23:29
In my case, I don't trust the remote server because it's a VPS. So,
anything in the clear, even in memory, is subject to being visible to
the VPS host. In this context, my concern is not with the key file,
but with the actual key, and whether or not it gets communicated to
the remote server during an Attic session.

If Attic was not required to be installed on the remote server, this
would not be an issue. This is not an issue when the remote repository
is mounted over sshfs either.

However, when running a command like:

   attic list user@hostname:repository.attic

on an encrypted repository, it's hard to imagine why Attic would be
required on the remote host without it using the key, and thus
requiring the key.

In other words, am I correct in assuming that:
1. If using Attic over ssh, like in the command above, then I'm
trusting the remote server?
2. Mounting the remote repository over sshfs is more secure than using
it remotely over ssh with a remote Attic installation?

Re: [attic] Untrusted remote host

From:
Will S
Date:
2015-06-01 @ 17:39
See https://github.com/borgbackup/borg/issues/36 and the linked issues therein.

On Fri, May 29, 2015 at 11:08 PM, Will S <wsha.code@gmail.com> wrote:

> To follow up on Jonas' comments that the remote host does not see any
> unencrypted data and so does not need to be trusted, I want to ask from the
> opposite perspective about how much the local machine needs to be trusted.
> If I set up ssh on the remote host to only execute "attic serve
> --restrict-to-path" as suggested in this pull request (
> https://github.com/jborg/attic/issues/275), what will the attic process
> on the server be able to do? Ideally, I would like to set up the remote
> server so that the local machine can add new archives to the repository and
> possibly prune them according to a fixed set of rules but can't delete all
> of the backups. That way even if the local computer was compromised, the
> backups would be safe.

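One way to realise the "only execute attic serve --restrict-to-path" setup asked about above is an OpenSSH forced command that inspects the client's request before handing over to Attic. The script below is an added example, not Attic's own code or anything from the thread; it assumes an Attic binary at /usr/bin/attic, a repository path passed as its single argument, and the `attic serve --restrict-to-path` interface the thread names.

```python
"""Forced-command gate for the Attic ssh setup discussed in the thread (added
example, not Attic's own code). On the remote host, point an authorized_keys
entry at it (path and key are placeholders):

  command="/usr/local/bin/attic-gate /srv/backups/client1",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 <client-public-key>

OpenSSH then runs this script instead of whatever the client requested and
exposes the request in SSH_ORIGINAL_COMMAND; only
`attic serve --restrict-to-path <repo>` (the flag named in the thread) passes.
"""
import os
import shlex
import sys

ATTIC = "/usr/bin/attic"  # assumed install path on the remote host


def decide(original_command, repo_path):
    """Return the argv to exec for an allowed request, or None to refuse.

    Accepts exactly `attic serve`, optionally followed by
    `--restrict-to-path <repo_path>` with the same path. Anything else
    (another subcommand, path or flag, or shell syntax) is refused, and the
    path restriction is always re-asserted on the returned argv.
    """
    try:
        argv = shlex.split(original_command)
    except ValueError:  # unbalanced quotes
        return None
    if argv[:2] != ["attic", "serve"]:
        return None
    if argv[2:] and argv[2:] != ["--restrict-to-path", repo_path]:
        return None
    # shlex.split tokenises without a shell, so "attic serve; rm -rf /"
    # becomes ["attic", "serve;", ...] and fails the exact match above.
    return [ATTIC, "serve", "--restrict-to-path", repo_path]


def main():
    if len(sys.argv) != 2:
        sys.exit("usage: attic-gate <repo-path>")
    argv = decide(os.environ.get("SSH_ORIGINAL_COMMAND", ""), sys.argv[1])
    if argv is None:
        sys.exit("attic-gate: request refused")
    os.execv(argv[0], argv)  # replaces this process; no shell involved


if __name__ == "__main__":
    main()
```

The gate bounds which command the client may start; what `attic serve` itself permits inside the repository (the question above about preventing deletion of existing backups) is not decided here.
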
Re: [attic] Untrusted remote host

From:
Leo Famulari
Date:
2015-05-22 @ 15:43
I'm interested in the answer to this question, too. One of the greatest
strengths of tarsnap, in my opinion, is that the encryption is performed
on the client machine. The remote server CAN'T decrypt your data.

On May 21, 2015 7:29:35 PM EDT, Ahmad Khayyat <akhayyat@gmail.com>
wrote:
>In my case, I don't trust the remote server because it's a VPS. So,
>anything in the clear, even in memory, is subject to being visible to
>the VPS host. In this context, my concern is not with the key file,
>but with the actual key, and whether or not it gets communicated to
>the remote server during an Attic session.
>
>If Attic was not required to be installed on the remote server, this
>would not be an issue. This is not an issue when the remote repository
>is mounted over sshfs either.
>
>However, when running a command like:
>
>   attic list user@hostname:repository.attic
>
>on an encrypted repository, it's hard to imagine why Attic would be
>required on the remote host without it using the key, and thus
>requiring the key.
>
>In other words, am I correct in assuming that:
>1. If using Attic over ssh, like in the command above, then I'm
>trusting the remote server?
>2. Mounting the remote repository over sshfs is more secure than using
>it remotely over ssh with a remote Attic installation?

Re: [attic] Untrusted remote host

From:
Jonas Borgström
Date:
2015-05-25 @ 13:18
On 22/05/15 17:43, Leo Famulari wrote:
> I'm interested in the answer to this question, too. One of the greatest
> strengths of tarsnap, in my opinion, is that the encryption is performed
> on the client machine. The remote server CAN'T decrypt your data.
All encryption is done on the client.
The sole purpose of the remote Attic process is to act as an efficient
transactional key value store. Something that is not possible using
legacy protocols.
The remote process does not care, and has no way of knowing (in case of
an encrypted repository) what data it is storing.

/ Jonas