From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: <dietmar@proxmox.com> Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 03F1B67A8F for <pbs-devel@lists.proxmox.com>; Tue, 10 Nov 2020 12:57:52 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id EB0D61FFE5 for <pbs-devel@lists.proxmox.com>; Tue, 10 Nov 2020 12:57:51 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 520101FFD6 for <pbs-devel@lists.proxmox.com>; Tue, 10 Nov 2020 12:57:50 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 16C5646066 for <pbs-devel@lists.proxmox.com>; Tue, 10 Nov 2020 12:57:50 +0100 (CET) Date: Tue, 10 Nov 2020 12:57:05 +0100 (CET) From: Dietmar Maurer <dietmar@proxmox.com> To: Proxmox Backup Server development discussion <pbs-devel@lists.proxmox.com>, Dylan Whyte <d.whyte@proxmox.com> Message-ID: <628602956.1015.1605009425880@webmail.proxmox.com> In-Reply-To: <20201110110456.21178-1-d.whyte@proxmox.com> References: <20201110110456.21178-1-d.whyte@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Priority: 3 Importance: Normal X-Mailer: Open-Xchange Mailer v7.10.4-Rev12 X-Originating-Client: open-xchange-appsuite X-SPAM-LEVEL: Spam detection results: 0 AWL 0.110 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [proxmox.com] Subject: [pbs-devel] applied: [PATCH docs] encryption: add best practice for storing master key X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion <pbs-devel.lists.proxmox.com> List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>, <mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe> List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/> List-Post: <mailto:pbs-devel@lists.proxmox.com> List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help> List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>, <mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe> X-List-Received-Date: Tue, 10 Nov 2020 11:57:52 -0000 applied, thanks. But I wonder if it would be better to create an extra subsection about "Storing Encryption Keys", because it basically applied to both - normal encryption keys - and the master key > On 11/10/2020 12:04 PM Dylan Whyte <d.whyte@proxmox.com> wrote: > > > Further clarify that the paperkey should be a last resort > recovery option, after a password manager and usb drive. > > Signed-off-by: Dylan Whyte <d.whyte@proxmox.com> > --- > docs/backup-client.rst | 15 ++++++++++----- > 1 file changed, 10 insertions(+), 5 deletions(-) > > diff --git a/docs/backup-client.rst b/docs/backup-client.rst > index 1ef42898..125c1fbc 100644 > --- a/docs/backup-client.rst > +++ b/docs/backup-client.rst > @@ -367,11 +367,16 @@ To set up a master key: > and needs to be restored, this will not be possible as the encryption key will be > lost along with the broken system. > > -In preparation for the worst case scenario, you should consider keeping a paper > -copy of your master key locked away in a safe place. The ``paperkey`` subcommand > -can be used to create a QR encoded version of your master key. The following > -command sends the output of the ``paperkey`` command to a text file, for easy > -printing. > +It is recommended that you keep your master key safe, but easily accessible, in > +order for quick disaster recovery. For this reason, the best place to store it > +is in your password manager, where it is immediately recoverable. As a backup to > +this, you should also save the key to a USB drive and store that in a secure > +place. This way, it is detached from any system, but is still easy to recover > +from, in case of emergency. Finally, in preparation for the worst case scenario, > +you should also consider keeping a paper copy of your master key locked away in > +a safe place. The ``paperkey`` subcommand can be used to create a QR encoded > +version of your master key. The following command sends the output of the > +``paperkey`` command to a text file, for easy printing. > > .. code-block:: console > > -- > 2.20.1 > > > > _______________________________________________ > pbs-devel mailing list > pbs-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel