[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Duplicity-talk] Untrusted destination questions/issues
|
From: |
Martin Pool |
|
Subject: |
Re: [Duplicity-talk] Untrusted destination questions/issues |
|
Date: |
Tue, 1 Feb 2011 10:48:12 +1100 |
On 1 February 2011 08:01, Daniel Burdakov <address@hidden> wrote:
>> Because duplicity uses GnuPG to encrypt and/or sign these archives, they
>> will be safe from spying and/or modification by the server.
> I like this idea of "untrusted destination", but have some questions about it.
>
> All data on server are:
> - manifest (one per backup)
> - volumes of content, "difftar"
> - volumes of signatures, "sigtar"
> Correct?
>
> All these files are encrypted and signed with GnuPG, correct?
> Server can not read any of these files, because they are encrypted.
> Server can not modify any of these files or add some new files,
> because it will broke GnuPG signature.
True, though bear in mind signatures are not on by default.
I think the practical problem at the moment is:
* malicious modification by the server is likely to cause an obscure error
* obscure internal errors sometimes happen for other reasons
> I suggest:
> - Add line with own filename inside manifest, so renaming file will
> break GnuPG signature. Check this line every time when manifest is
> read. This will prevent server from manipulating with backup dates.
> - Add SHA1 hashes of "sigtar" volumes to manifest, to protect
> "sigtar"-s from replacing.
That seems to make sense to me, but others know the format better.