From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dietmar@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 1C67767506
 for <pbs-devel@lists.proxmox.com>; Mon,  9 Nov 2020 17:15:43 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 0870A18CDC
 for <pbs-devel@lists.proxmox.com>; Mon,  9 Nov 2020 17:15:13 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [212.186.127.180])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS id 6EFCF18CB7
 for <pbs-devel@lists.proxmox.com>; Mon,  9 Nov 2020 17:15:11 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 3D85C45E5C
 for <pbs-devel@lists.proxmox.com>; Mon,  9 Nov 2020 17:15:11 +0100 (CET)
Date: Mon, 9 Nov 2020 17:14:27 +0100 (CET)
From: Dietmar Maurer <dietmar@proxmox.com>
To: Proxmox Backup Server development discussion <pbs-devel@lists.proxmox.com>, 
 Dylan Whyte <d.whyte@proxmox.com>
Message-ID: <757496402.968.1604938467597@webmail.proxmox.com>
In-Reply-To: <20201109123958.17637-1-d.whyte@proxmox.com>
References: <20201109123958.17637-1-d.whyte@proxmox.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Priority: 3
Importance: Normal
X-Mailer: Open-Xchange Mailer v7.10.4-Rev12
X-Originating-Client: open-xchange-appsuite
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.080 Adjusted score from AWL reputation of From: address
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 NO_DNS_FOR_FROM         0.379 Envelope sender has no MX or A DNS records
 RCVD_IN_DNSWL_MED        -2.3 Sender listed at https://www.dnswl.org/,
 medium trust
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: Re: [pbs-devel] [PATCH docs] backup-client: encryption: discuss
 paperkey command
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Mon, 09 Nov 2020 16:15:43 -0000

paperkey should be the last resort.

I store keys in:

1.) my passwork manager (very easy to access)
2.) USB stick, and put that in my vault (still easy to restore)
3.) paperkey (clumsy to restore, but useful if the USB stick is damaged)

> On 11/09/2020 1:39 PM Dylan Whyte <d.whyte@proxmox.com> wrote:
> 
>  
> adds a paragraph to the encryption section about
> encoding the master key into a qr code for printing
> 
> Signed-off-by: Dylan Whyte <d.whyte@proxmox.com>
> ---
>  docs/backup-client.rst | 14 +++++++++++---
>  1 file changed, 11 insertions(+), 3 deletions(-)
> 
> diff --git a/docs/backup-client.rst b/docs/backup-client.rst
> index a23535fa..1ef42898 100644
> --- a/docs/backup-client.rst
> +++ b/docs/backup-client.rst
> @@ -365,9 +365,17 @@ To set up a master key:
>    backed up. It can happen, for example, that you back up an entire system, using
>    a key on that system. If the system then becomes inaccessible for any reason
>    and needs to be restored, this will not be possible as the encryption key will be
> -  lost along with the broken system. In preparation for the worst case scenario,
> -  you should consider keeping a paper copy of this key locked away in
> -  a safe place.
> +  lost along with the broken system.
> +
> +In preparation for the worst case scenario, you should consider keeping a paper
> +copy of your master key locked away in a safe place. The ``paperkey`` subcommand
> +can be used to create a QR encoded version of your master key. The following
> +command sends the output of the ``paperkey`` command to a text file, for easy
> +printing.
> +
> +.. code-block:: console
> +
> +  proxmox-backup-client key paperkey --output-format text > qrkey.txt
>  
>  
>  Restoring Data
> -- 
> 2.20.1
> 
> 
> 
> _______________________________________________
> pbs-devel mailing list
> pbs-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel