The whole argument of --storage is stored in backupmeta which may include sensitive data

[DanielZhangQD]

According to the current implementation, the argument for --storage will be stored in backup meta and will be retrieved and sent to TiKV during restore.
In this case, for backup & restore with cloud storage, e.g. AWS S3, keys will also be included in the backup meta, which is insecure and should be avoided.

• Is it necessary to store the argument in the backup meta? The --storage option is required in each backup, checksum and restore command.
• It's also insecure to specify the keys in the argument of --storage, we may set the keys or other sensitive data in environment variables and retrieve them and send them to TiKV in BR.

@kennytm @overvenus @tennix What do you think?

[gregwebs]

On AWS and GCP there is no reason to send credentials through the backup program. In general credential keys should never be used. Instead TiKV should be deployed with an IAM role with the appropriate S3 credentials. Set an IAM role for the instance, or on k8s connect the iam role to the service account it runs with. If we use a proper SDK it finds these credentials automatically in the instance metadata.

So this is only a concern for Ceph or a cloud that doesn't have credentials in the metadata.

[DanielZhangQD]

We also have to consider the case for on-prem deployment, so we may have to use secrets. @gregwebs

[kennytm]

Why do we save the --storage into backupmeta in the first place? Since we may move the archive, the --storage during restore is not necessarily the same as that during backup.

[DanielZhangQD]

Why do we save the --storage into backupmeta in the first place? Since we may move the archive, the --storage during restore is not necessarily the same as that during backup.

If we move the archive, then the --storage in backupmeta is useless, right?

[kennytm]

Right. Besides you need --storage to find the backupmeta in first place.

[gregwebs]

We also have to consider the case for on-prem deployment, so we may have to use secrets. @gregwebs

Yes, that's what I referred to as Ceph. But why do we need the BR program to transmit credentials to TiKV in that case either? TiKV can be deployed with the credentials it needs. In this case they can be set in environment variables or as a credentials file.

[DanielZhangQD]

Yes, we'd better set credentials in environment variables or as a credentials file for both BR and TiKV. @gregwebs @tennix

[tennix]

@gregwebs Does this sdk uses environment variable to get the secret? What if the secret changes, I think tikv needs to restart to read the new secret environment variable.

[overvenus]

FYI, after #73, the path in backup meta is no longer used, it can be removed completely now.

[DanielZhangQD]

FYI, after #73, the path in backup meta is no longer used, it can be removed completely now.

Great!