From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dietmar@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 03F1B67A8F
 for <pbs-devel@lists.proxmox.com>; Tue, 10 Nov 2020 12:57:52 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id EB0D61FFE5
 for <pbs-devel@lists.proxmox.com>; Tue, 10 Nov 2020 12:57:51 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [212.186.127.180])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS id 520101FFD6
 for <pbs-devel@lists.proxmox.com>; Tue, 10 Nov 2020 12:57:50 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 16C5646066
 for <pbs-devel@lists.proxmox.com>; Tue, 10 Nov 2020 12:57:50 +0100 (CET)
Date: Tue, 10 Nov 2020 12:57:05 +0100 (CET)
From: Dietmar Maurer <dietmar@proxmox.com>
To: Proxmox Backup Server development discussion <pbs-devel@lists.proxmox.com>, 
 Dylan Whyte <d.whyte@proxmox.com>
Message-ID: <628602956.1015.1605009425880@webmail.proxmox.com>
In-Reply-To: <20201110110456.21178-1-d.whyte@proxmox.com>
References: <20201110110456.21178-1-d.whyte@proxmox.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Priority: 3
Importance: Normal
X-Mailer: Open-Xchange Mailer v7.10.4-Rev12
X-Originating-Client: open-xchange-appsuite
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.110 Adjusted score from AWL reputation of From: address
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 RCVD_IN_DNSWL_MED        -2.3 Sender listed at https://www.dnswl.org/,
 medium trust
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [proxmox.com]
Subject: [pbs-devel] applied: [PATCH docs] encryption: add best practice for
 storing master key
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2020 11:57:52 -0000

applied, thanks.

But I wonder if it would be better to create an extra subsection
about "Storing Encryption Keys", because it basically applies to both

 - normal encryption keys
 - and the master key


> On 11/10/2020 12:04 PM Dylan Whyte <d.whyte@proxmox.com> wrote:
> 
>  
> Further clarify that the paperkey should be a last resort
> recovery option, after a password manager and USB drive.
> 
> Signed-off-by: Dylan Whyte <d.whyte@proxmox.com>
> ---
>  docs/backup-client.rst | 15 ++++++++++-----
>  1 file changed, 10 insertions(+), 5 deletions(-)
> 
> diff --git a/docs/backup-client.rst b/docs/backup-client.rst
> index 1ef42898..125c1fbc 100644
> --- a/docs/backup-client.rst
> +++ b/docs/backup-client.rst
> @@ -367,11 +367,16 @@ To set up a master key:
>    and needs to be restored, this will not be possible as the encryption key will be
>    lost along with the broken system.
>  
> -In preparation for the worst case scenario, you should consider keeping a paper
> -copy of your master key locked away in a safe place. The ``paperkey`` subcommand
> -can be used to create a QR encoded version of your master key. The following
> -command sends the output of the ``paperkey`` command to a text file, for easy
> -printing.
> +It is recommended that you keep your master key safe, but easily accessible, in
> +order for quick disaster recovery. For this reason, the best place to store it
> +is in your password manager, where it is immediately recoverable. As a backup to
> +this, you should also save the key to a USB drive and store that in a secure
> +place. This way, it is detached from any system, but is still easy to recover
> +from, in case of emergency. Finally, in preparation for the worst case scenario,
> +you should also consider keeping a paper copy of your master key locked away in
> +a safe place. The ``paperkey`` subcommand can be used to create a QR encoded
> +version of your master key. The following command sends the output of the
> +``paperkey`` command to a text file, for easy printing.
>  
>  .. code-block:: console
>  
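Review bot: "in order for quick disaster recovery" in the added paragraph is ungrammatical; suggest "to allow for quick disaster recovery". The same paragraph recommends three places for the master key (password manager, USB drive, paper copy) but never states that every copy must be protected as strictly as the original, since any one of them is sufficient to recover the key; adding one sentence to that effect, e.g. "Treat each copy as you would the original key, since any one of them can be used to decrypt your backups.", would make the "secure place" guidance for the USB drive and the paper copy concrete. Minor: "As a backup to this, you should also save the key to a USB drive" reads better as "As a backup, also save the key to a USB drive".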
> -- 
> 2.20.1
> 
> 
> 
> _______________________________________________
> pbs-devel mailing list
> pbs-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel