From: Dietmar Maurer <dietmar@proxmox.com>
To: Proxmox Backup Server development discussion
<pbs-devel@lists.proxmox.com>, Dylan Whyte <d.whyte@proxmox.com>
Subject: [pbs-devel] applied: [PATCH docs] encryption: add best practice for storing master key
Date: Tue, 10 Nov 2020 12:57:05 +0100 (CET) [thread overview]
Message-ID: <628602956.1015.1605009425880@webmail.proxmox.com> (raw)
In-Reply-To: <20201110110456.21178-1-d.whyte@proxmox.com>
applied, thanks.
But I wonder if it would be better to create an extra subsection
about "Storing Encryption Keys", because it basically applied to both
- normal encryption keys
- and the master key
> On 11/10/2020 12:04 PM Dylan Whyte <d.whyte@proxmox.com> wrote:
>
>
> Further clarify that the paperkey should be a last resort
> recovery option, after a password manager and usb drive.
>
> Signed-off-by: Dylan Whyte <d.whyte@proxmox.com>
> ---
> docs/backup-client.rst | 15 ++++++++++-----
> 1 file changed, 10 insertions(+), 5 deletions(-)
>
> diff --git a/docs/backup-client.rst b/docs/backup-client.rst
> index 1ef42898..125c1fbc 100644
> --- a/docs/backup-client.rst
> +++ b/docs/backup-client.rst
> @@ -367,11 +367,16 @@ To set up a master key:
> and needs to be restored, this will not be possible as the encryption key will be
> lost along with the broken system.
>
> -In preparation for the worst case scenario, you should consider keeping a paper
> -copy of your master key locked away in a safe place. The ``paperkey`` subcommand
> -can be used to create a QR encoded version of your master key. The following
> -command sends the output of the ``paperkey`` command to a text file, for easy
> -printing.
> +It is recommended that you keep your master key safe, but easily accessible, in
> +order for quick disaster recovery. For this reason, the best place to store it
> +is in your password manager, where it is immediately recoverable. As a backup to
> +this, you should also save the key to a USB drive and store that in a secure
> +place. This way, it is detached from any system, but is still easy to recover
> +from, in case of emergency. Finally, in preparation for the worst case scenario,
> +you should also consider keeping a paper copy of your master key locked away in
> +a safe place. The ``paperkey`` subcommand can be used to create a QR encoded
> +version of your master key. The following command sends the output of the
> +``paperkey`` command to a text file, for easy printing.
>
> .. code-block:: console
>
> --
> 2.20.1
>
>
>
> _______________________________________________
> pbs-devel mailing list
> pbs-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
prev parent reply other threads:[~2020-11-10 11:57 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-10 11:04 [pbs-devel] " Dylan Whyte
2020-11-10 11:57 ` Dietmar Maurer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=628602956.1015.1605009425880@webmail.proxmox.com \
--to=dietmar@proxmox.com \
--cc=d.whyte@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox