duplicity-talk

Re: [Duplicity-talk] Untrusted destination questions/issues


From: Martin Pool
Subject: Re: [Duplicity-talk] Untrusted destination questions/issues
Date: Tue, 1 Feb 2011 10:48:12 +1100

On 1 February 2011 08:01, Daniel Burdakov <address@hidden> wrote:
>> Because duplicity uses GnuPG to encrypt and/or sign these archives, they 
>> will be safe from spying and/or modification by the server.
> I like this idea of "untrusted destination", but have some questions about it.
>
> All data on server are:
> - manifest (one per backup)
> - volumes of content, "difftar"
> - volumes of signatures, "sigtar"
> Correct?
>
> All these files are encrypted and signed with GnuPG, correct?
> Server can not read any of these files, because they are encrypted.
> Server can not modify any of these files or add some new files,
> because it will break the GnuPG signature.

True, though bear in mind signatures are not on by default.

I think the practical problem at the moment is:
 * malicious modification by the server is likely to cause an obscure error
 * obscure internal errors sometimes happen for other reasons

> I suggest:
> - Add a line with its own filename inside the manifest, so renaming the file will
> break the GnuPG signature. Check this line every time the manifest is
> read. This will prevent the server from manipulating backup dates.
> - Add SHA1 hashes of "sigtar" volumes to the manifest, to protect
> "sigtar"s from being replaced.

That seems to make sense to me, but others know the format better.
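The following is an added example, not code from this thread or from duplicity itself, showing how the two checks proposed above could work once the manifest's GnuPG signature has already been verified: the manifest records its own filename and a SHA1 per sigtar volume, and the reader compares both against what the server actually returned. The manifest line format, the file names and the volume contents are all constructed for illustration and do not reflect duplicity's real manifest layout; the example also flags volumes the server returns that the manifest never listed, which covers the "add some new files" case mentioned earlier in the thread.

```python
"""Manifest self-check against an untrusted storage server (illustrative).

Assumptions (not duplicity's real format): the GnuPG signature on the
manifest has already been verified, so its contents are trusted; the
manifest carries a "Filename:" line and one "Volume N: sigtar sha1 <hex>"
line per signature volume.  SHA1 is used because that is what the thread
proposes; the hash function is isolated in sha1_hex() so it can be swapped.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

FILENAME_LINE = re.compile(r"^Filename: (\S+)$")
HASH_LINE = re.compile(r"^Volume (\d+): sigtar sha1 ([0-9a-f]{40})$")


def sha1_hex(data: bytes) -> str:
    """Hex digest of a volume's bytes, as recorded in the manifest."""
    return hashlib.sha1(data).hexdigest()


def build_manifest(manifest_name: str, sigtar_volumes: Dict[int, bytes]) -> str:
    """Write the manifest text on the client side, before signing it."""
    lines = ["Filename: " + manifest_name]
    for number in sorted(sigtar_volumes):
        lines.append("Volume %d: sigtar sha1 %s" % (number, sha1_hex(sigtar_volumes[number])))
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> Tuple[Optional[str], Dict[int, str]]:
    """Pull the recorded filename and per-volume hashes back out of the text."""
    recorded_name = None
    hashes: Dict[int, str] = {}
    for line in text.splitlines():
        m = FILENAME_LINE.match(line)
        if m:
            recorded_name = m.group(1)
            continue
        m = HASH_LINE.match(line)
        if m:
            hashes[int(m.group(1))] = m.group(2)
    return recorded_name, hashes


def check_manifest(text: str, stored_name: str, sigtar_volumes: Dict[int, bytes]) -> List[str]:
    """Return a list of problems; an empty list means the server was honest.

    stored_name is the name the server handed the manifest back under;
    sigtar_volumes is what the server handed back for each volume number.
    """
    problems: List[str] = []
    recorded_name, hashes = parse_manifest(text)
    if recorded_name is None:
        problems.append("manifest carries no Filename line")
    elif recorded_name != stored_name:
        # A rename (e.g. to a different backup date) is caught here, because the
        # signed manifest body says which name it was written under.
        problems.append("manifest renamed: recorded %r, stored as %r" % (recorded_name, stored_name))
    for number, expected in sorted(hashes.items()):
        if number not in sigtar_volumes:
            problems.append("sigtar volume %d missing" % number)
        elif sha1_hex(sigtar_volumes[number]) != expected:
            # A sigtar swapped for an older or forged one no longer matches.
            problems.append("sigtar volume %d replaced: hash mismatch" % number)
    for number in sorted(set(sigtar_volumes) - set(hashes)):
        problems.append("unexpected sigtar volume %d not listed in manifest" % number)
    return problems


# Constructed sample data: two sigtar volumes and a hypothetical manifest name.
MANIFEST_NAME = "duplicity-full.20110201T000000Z.manifest"
SIGTAR_VOLUMES = {
    1: b"constructed sigtar volume 1 bytes",
    2: b"constructed sigtar volume 2 bytes",
}
MANIFEST = build_manifest(MANIFEST_NAME, SIGTAR_VOLUMES)


def demo_scenarios() -> Dict[str, List[str]]:
    """Run the check against an honest server and three tampering cases."""
    renamed = "duplicity-full.20100101T000000Z.manifest"   # server moved the backup date
    swapped = dict(SIGTAR_VOLUMES)
    swapped[2] = b"constructed stale sigtar volume 2 bytes"  # server served an old sigtar
    extra = dict(SIGTAR_VOLUMES)
    extra[3] = b"constructed sigtar the client never wrote"  # server added a file
    return {
        "untouched": check_manifest(MANIFEST, MANIFEST_NAME, SIGTAR_VOLUMES),
        "renamed": check_manifest(MANIFEST, renamed, SIGTAR_VOLUMES),
        "sigtar_replaced": check_manifest(MANIFEST, MANIFEST_NAME, swapped),
        "sigtar_added": check_manifest(MANIFEST, MANIFEST_NAME, extra),
    }


if __name__ == "__main__":
    for scenario, found in demo_scenarios().items():
        print("%-16s %s" % (scenario, found or "ok"))
```

Because the manifest body is what GnuPG signs, everything the server could cheaply alter from the outside (the file's name, which sigtar sits beside it, how many volumes exist) is pinned by a value inside the signed text, so the errors a tampered backup produces become explicit messages rather than the obscure internal failures mentioned above.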


