Master key rollover

[skruppy]

There should be the possibility to regenerate the master key and reencrypt everything.

Once the master key is compromised, the whole system stays compromised and can't be migrated to a secure repository with an other master key.

There are several reasons to change the master key:

• If a user was revoked from the key list, she can't decrypt the master key anymore. But she could have saved it when she was on the user list. Therefore, after a key remove, there should be a (automatic) master key rollover.
• A crypto algorithm has become insecure. From time to time, a crypto algorithm becomes insecure and has to be exchanged. This might also require a new master key (length). But at least it requires the same rollover as for a "simple" master key change.
• The master key was weak (I'm looking on you Debian)
• From time to time, the master key should simply be changed to make offline cracking harder (e.g. automatic/configurable rollover every three Month).

The rollover of a large repository could take up some time. Therefore it should not block the creation of new snapshots and should be interruptible and resumable at any moment. With those constraints, the rollover could be done by a cron job, which doesn't have to care much about running backups, or by an extra time limited phase after each backup (n minutes backup + 15 minutes rollover of the next part of blobs).

There are basically two methods to the rollover:

• For each newly encrypted blob, the old blob will be deleted instantly.
• The old files stay untouched until the whole rollover was successful.

[fw42]

Why can't you just create a completely new, independent repository and copy all the data over into that? Doesn't that achieve exactly the same thing? I'm not a fan of adding complexity to the codebase for things that can trivially be solved outside of restic, so I'm skeptical of this feature.

[skruppy]

How should I copy the data? The blobs are encrypted. If I copy them, they are useless.

[fw42]

But you still have the old master key / password, no? Just create a new repo, mount the old one, then copy the data from the old one to the new one... Or am I misunderstanding the problem?

[fw42]

My suggested solution isn't "in place" (i.e. you need twice the storage space if you want to go with what I'm suggesting), so maybe that's what I was missing? Is that something that's important to you?

[skruppy]

Yes, the old master key is still available (for now). I didn't thought it would be possible to write to an fuse mounted backup and create snapshots by writing to it.

I have no problem with a solution not being in place.

And yes, it's important to change the master key. It's like a door to your home, you can't (for now) replace if it's broken or enhance if weakened. Changing the user keys has no effect if you can't also change the master key.

[fd0]

The fuse mounted backup is read-only, but you could create new snapshots by running restic backup within the fuse mount and let restic read the data from there.

I'm not convinced yet that we really need a "key rollover" function to reencrypt everything. At the moment, there is exactly one master key for encryption and one for MAC, and all data (except the key files) is encrypted and signed with these keys. If we were to implement having multiple master keys, each blob/pack would need an additional header that specifies which key should be used to decrypt/verify it. This means a lot of additional complexity and another layer of indirection.

What I can live with is having a function that takes two repositories and copies all data from the first to the second, so when we decide to change the repository format in a backwards-incompatible way users can easily create a new repository and fill it with the old data.

[episource]

What I can live with is having a function that takes two repositories and copies all data from the first to the second, so when we decide to change the repository format in a backwards-incompatible way users can easily create a new repository and fill it with the old data.

Indeed, such functionality is rather important and cannot be replaced by copying data out of a fuse mounted backup set: Restic is able to store more data than just file content. Examples are:

• Snapshot metadata like exclude rules
• Timestamps
• Permission and Ownership for files and directories
• Inode number
• In future maybe ACLs, Extended Attributes (Save and restore extended attributes #25), Alternate datastreams and much more

I don't see any easy way to preseve this information without built-in support for copying data over to a new repository.

[fd0]

I've thought about this a bit:

The first situation you described is as follows: An attacker had access to the repository and a password for it. In addition, she saved the key file for the password locally. Afterwards, the password was removed from the repository (e.g. with restic key rm), but she still has access to it and can read and decrypt files using the local copy of the master key in the keyfile she saved earlier.

@Skrupellos Do you think this situation is likely to occur? Why didn't the attacker just copy all data she is interested in from the repository before the password/key was removed, so that she needs to do it afterwards? Why was the access not removed along with the password?

In addition, I don't understand the last point in your list above: How does changing the master key regularly help to make "offline cracking" harder? What do you mean by that exactly, e.g. what key is "cracked"? Can you give an example?

Please don't get me wrong, I'm trying to find out more about the specific situation you had in mind so that we can evaluate whether this feature is needed or not.

I see the need for a copy command and will add an issue that tracks this feature.

[fd0]

I'm closing this issue, if you have any feedback for us, please add a comment.

[matthijskooijman]

I'm considering to use restic and looking at its security, so I'm coming back to this older issue (hopefully with a useful contribution).

The first situation you described is as follows: An attacker had access to the repository and a password for it. In addition, she saved the key file for the password locally. Afterwards, the password was removed from the repository (e.g. with restic key rm), but she still has access to it and can read and decrypt files using the local copy of the master key in the keyfile she saved earlier.

@Skrupellos Do you think this situation is likely to occur? Why didn't the attacker just copy all data she is interested in from the repository before the password/key was removed, so that she needs to do it afterwards? Why was the access not removed along with the password?

AFAICS this is a relevant case for future security. If an attacker has the master key, and in the future can get access to the encrypted backups, it can read new backup data that did not exist at the time it compromised the key. This is a bit similar to the case described in #187 (comment) (except there the break-in is undetected, but that case could also be thwarted using regular key roll-overs).

For this problem to occur, an attacker does need access to the encrypted files in the future. When detecting a break-in, it makes sense to also change the storage password (or whatever), which closes off that road. However, if you consider that a sufficient protection of your backups, then why bother with encryption at all? It seems to me that the storage is considered untrusted and open for compromise (especially when an attacker already compromised the key, so there is more to be gained from compromising the storage).

An similar (and stronger) case is made in #187 (comment), where an attacker could compromise the master key and storage credentials and erase all trace of the compromise, allowing infinite future access to the backup contents. When doing regular rollover of the master key and access passwords, this can be prevented.

One additional thought is that the current key management allows using a per-machine key/password. This suggests that, when a machine is compromised, you can just remove its key and your backups are secure again, which is not currently the case. I think think means that the key management feature only serves to allow multiple users of one repo to use their own password (e.g. it protects their passwords from each other), it does not protect the data form each other. This might be more of a documentation issue, I guess.