Key metadata is stored unencrypted

[nioncode]

Output of restic version

restic 0.9.2 compiled with go1.11 on linux/amd64

How did you run restic exactly?

restic -r /repo init

What backend/server/service did you use to store the repository?

local

Expected behavior

Keys should contain no plaintext information (apart from salt, iteration, ...).

Actual behavior

Keys contain host name, username, and time of creation in plaintext.

Do you have any idea what may have caused this?

Restic stores key metadata unencrypted.

Do you have an idea how to solve the issue?

Store key metadata encrypted. We could update the key format by adding e.g. a hostname_enc field and blanking the hostname field for new repos. Then old clients would show empty metadata until they are updated. We should also migrate existing keys to remove potentially old plaintext metadata from existing repos.

[fd0]

We'll probably just remove the fields from the key metadata, that should be sufficient.

[nioncode]

How are keys identified then, if all their metadata gets removed? Or do you just want to remove the plaintext fields and introduce encrypted ones?

[fd0]

Keys only need an ID for deletion, and the key ID is the name of the key file in the repo, which depends on the content but is not contained in the metadata within the file.

I was suggesting to just remove the fields, without introducing encrypted counterparts. I doubt that the data there is really used by anybody.

[mholt]

Would the current key that was used to access the repository still be indicated? Otherwise I think there'd be absolutely no way to know which key to delete.

[fd0]

Yes, through the key ID (the filename prefix).

[cdhowie]

Perhaps have this be optional. We use a key per backup host and it's nice to be able to quickly see which key belongs to which host. Without this data in restic, we'd have to maintain the data somewhere else (company wiki, for example) -- not the worst thing, but why fix what isn't broken?

Edit: Though, if the metadata is encrypted with the repository master key, you'd still be able to see all key metadata by supplying a correct password. I'd be more likely to support that change than removing the metadata altogether.

[nioncode]

I agree that it's nice to have, but this leaks metadata unencrypted. That's why I proposed to have them stored encrypted, so that each key that can decrypt the repo can still read all metadata like it is now, but the not trusted backup location can not gather the metadata in plaintext. This way, there would be no user facing changes at all.

[cdhowie]

there would be no user facing changes at all.

That depends if the repository is automatically migrated to store the data encrypted. If so, the key IDs will necessarily change and, depending on syncing processes/restrictions, the user may need to be aware that this happened.

[monkeyhybrid]

If this metadata is to be removed, could we at least have an optional 'tag' attribute for each key that can contain anything we wish? Make the tag empty by default for those concerned with leaking metadata, but allow custom text that could be useful for key management, for those that are not.

[ducalex]

When stripping the metadata manually in the key file I get the following:

Load(<key/5d081d8a51>, 0, 0) returned error, retrying after 552.330144ms: loadAll(<key/5d081d8a51>): invalid data returned
Load(<key/5d081d8a51>, 0, 0) operation successful after 1 retries

The error is expected, as the id no longer matches the content, but the successful retry is a (nice) surprise to me. I can't find in the code where it loosens the check and accept the content anyway. Can someone point me to where that happens?