Support asymmetric backups

[fd0]

This issue should collect use cases for asymmetric backups. In this situation, restic is able to efficiently create new backups, but unable to decrypt/restore and/or modify old backups. Please add your use case to this issue if you have one. I think we have enough use cases, thanks!

Summary (2018-04-28)

At the moment, restic (mostly) interacts with "dumb" storage (local, s3, b2, gcs, azure, everything except for the REST server with --append-only). restic can save, list, get and delete data in a backend. This is required for a backup, so the needed credentials to access the backend need to be present. On the upside, restic can use almost any storage, there are very few restrictions. On the downside, once attackers gain access to a server, they can easily extract the credentials for accessing the backend and the restic password, giving them all possibilities: Decrypt historical data from the repository, modify data, delete the whole repository.

When we add asymmetric cryptography, the only difference for attackers in such a situation is that they cannot decrypt historical data from the repository. Everything else, especially deleting all the data, is still possible. So "just add asymmetric crypto" is not the whole story.

The other idea is to not access the "dumb" storage directly, but indirectly via a custom server implementation. We've played around with this idea and added the --append-only option for the REST server, which can be seen as an "adapter" to access the "dumb" storage at the local harddisk.

The only exception from the first paragraph of this summary, and an implementation of the "adapter", is the rclone backend: It can be accessed e.g. via SSH (restic -o rclone.program='ssh user@server', with a hard-coded call to rclone via ForceCommand in .ssh/authorized_keys for the SSH key the user logs in). The cloud access credentials reside on the server, the user and machine running restic won't have access to those. If --append-only is specified in the call to rclone, data can only be added.

Having "non-dumb" storage alone won't help against attackers reading data from the repository (at least not without changing the repo format), but will prevent deleting all data in the repo.

So, in conclusion, to defend best against attackers taking over a server that uses restic for backups, I think we would need to implement both (non-dumb storage and asymmetric crypto). That's a long-term goal :)

[cfcs]

A brief recap from the previous discussion:

• Useful for backups of email servers or remote backups of log data in the event that such a server is compromised. Sensitive data that has been shredded from the server may be present in the backup, and it may be useful to be able to deny an attacker access to such historical data. It was simultaneously discussed that it could be useful to have a "blob network server" with a capability system that allows you to configure append-only / read-only / read-write access as appropriate. Having asymmetric cryptography in place would remove the need for having yet another set of symmetric keys for issuing capabilities, and would likely simplify the implementation of a capability system as well.
• In a setting with several machines, one backup key can be used to access several backup datasets without having to manage a multitude of symmetric keys. If a cryptosystem such as Daniel Bernstein's Curve25519 is used, such a key may be derived from a passphrase, meaning you can use one master passphrase to manage backups created by a (potentially large) number of different security domains. Although something similar can of course be achieved with n symmetric keys and an encrypted key storage.

[fw42]

@heipei FYI you might want to subscribe to this issue

[ThomasWaldmann]

well, the most obvious and pressing use case is not having the backups erased by an attacker who has broken into your production system (backup client) and knows how to use restic from there.

[fd0]

That's hardly possible just by using asymmetric crypto. The point here is that old backup contents (not necessarily metadata) should not be available to an attacker who has broken into a server.

[cfcs]

Data confidentiality (write-only) would be achievable for these scenarios with the implementation of asymmetric crypto.

Data integrity is a slightly different beast:
While you can use asymmetric cryptography (and a one-time signature scheme) to prove that a given dataset has not been altered, you cannot prevent its complete removal or replacement. That is a problem that requires a storage system that is append-only (and read-only, for some parts).
Thanks to discretionary access control that is relatively straightforward to implement on *nix with a backend such as ssh (using commands like chmod, chown, chattr +i, chattr +a to configure the access policies). append-only backups don't even need to be encrypted to prevent attackers from reading them (that's part of what rsyslog does, for example), but that suddenly makes the backup server an interesting target, and cloning sensitive data to more devices doesn't exactly improve the odds of maintaining data confidentiality.

Having asymmetric crypto implemented would enable people to do this kind of backups on dumb, untrusted systems, one of the things restic is all about (apart from the improved deduplication and all the other nice features). I hope this elaboration clarifies my point a bit.

[JensRantil]

This is of interest to us for the two cases described in #187 (comment). I'm subscribing to this thread to keep an eye on this.

[lorenzb]

Regarding data integrity: AFAIK, you can achieve append-only behaviour on Amazon S3 by only granting your IAM credentials the PutObject and GetObject permissions, but withholding the DeleteObject permission.

Regarding data confidentiality, I wanted to mention an attack scenario that is enabled by the use of symmetric crypto:
If an attacker has control over a victim's user account at a point in time where the victim uses restic to perform a backup, he can:

• steal the victim's restic key
• steal the victim's IAM credentials/sftp login/...

The attacker can then immediately wipe any trace of his attack from the victim's system making detection less likely. Since he has stolen the restic key and the credentials for the remote storage system, the victim will conveniently deliver any (backed-up) future data to him: Our attacker only needs to download and decrypt new backups from the remote storage system from time to time.

Asymmetric crypto could help prevent this by allowing the victim to store the key for restoring backups offline.

[JensRantil]

Regarding data integrity: AFAIK, you can achieve append-only behaviour on Amazon S3 by only granting your IAM credentials the PutObject and GetObject permissions, but withholding the DeleteObject permission.

Unfortunately PutObject also gives you privileges to overwrite a previously uploaded file. So, maybe it's not full data integrity?

[viric]

Asymmetric crypto would allow also the usage of an OpenPGP key like yubikey or so.

[viric]

Today I realized that I don't really want support for asymmetric encryption in restic, but support to NOT store the key in the repository. I understand that using asymmetric encryption efficiently would mean that restic can upload new backups without the ability to read the repository, which is quite tricky.

So, for me, it would be fine if I could handle the symmetric key without restic, and it were not uploaded in any way to the repository, no matter what complex KDF is used.