Diffstat (limited to 'docs')
-rw-r--r-- docs/backups.md   | 21
-rw-r--r-- docs/changelog.md | 10
-rw-r--r-- docs/todo.md      |  4
3 files changed, 35 insertions, 0 deletions
diff --git a/docs/backups.md b/docs/backups.md
index 4cfeff4..c612116 100644
--- a/docs/backups.md
+++ b/docs/backups.md
@@ -135,7 +135,28 @@ For [Borg][]:
Make sure to cleanup `~/temp/misc/restore` after recovering what you need.
+Note on backup keys:
+
+* In the past (before 2024), the Hydra Suite and it's companion [Puppet][]
+ modules used pre-generated [Borg][] repository keys for the sake of automation.
+ This is [not possible anymore][].
+* As it's [important to keep copies of the borg repository key safely
+ elsewhere][], the managed configuration supports OpenPGP-encrypting the
+ repository key and uploading it to the remote repository.
+* This OpenPGP-encrypted key file is named as `keyfile.asc` and is uploaded
+ in the root folder of the remote repository.
+* This OpenPGP-encrypted key file is encrypted and signed with a provided
+ OpenPGP keypair and passphrase (convention is to use the machines's OpenPGP
+ general purpose key, or the machine's role key).
+* This allows the operators to fetch this encrypted keyfile and use their copy
+ of the machine's OpenPGP key to extract the passphrase _on their
+ encrypted-storage workstations_ (recommendation is to not do this on the remote
+ repository).
+
[Borg]: https://www.borgbackup.org/
+[Puppet]: https://www.puppet.com/
+[not possible anymore]: https://github.com/borgbackup/borg/issues/7047
+[important to keep copies of the borg repository key safely elsewhere]: https://borgbackup.readthedocs.io/en/latest/faq.html#how-important-is-the-home-config-borg-directory
### eCryptfs
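Review bot: The bullets in this hunk disagree about what `keyfile.asc` actually contains: the second bullet says the repository key is OpenPGP-encrypted and uploaded, while the last bullet says operators use it "to extract the passphrase". State explicitly whether the file holds the exported repository key (as produced by `borg key export`), the Borg passphrase, or both, and say which Borg encryption mode this applies to, since in `repokey` mode the key already lives in the repository and only the passphrase is missing, whereas in `keyfile` mode the key material itself must be backed up. The fourth bullet also reads "OpenPGP-encrypted key file is encrypted and signed with a provided OpenPGP keypair and passphrase", which repeats itself and leaves unclear whether "passphrase" means the OpenPGP key's passphrase or the Borg one; reword it so the two passphrases are named distinctly. Minor: "it's companion" should be "its companion" and "machines's" should be "machine's". A short restore step (decrypt `keyfile.asc` with the operator's copy of the machine key, then `borg key import` and/or set the passphrase before `borg extract`) would make the recovery path actionable, which is the point of keeping the key elsewhere.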
diff --git a/docs/changelog.md b/docs/changelog.md
new file mode 100644
index 0000000..3620de4
--- /dev/null
+++ b/docs/changelog.md
@@ -0,0 +1,10 @@
+# ChangeLog
+
+## 0.3.0 - Unrelased
+
+* [x] Keys:
+ * [x] Deprecate generating and deploying/import borg keys, since
+ pre-generation is not a supported behavior right now:
+ https://github.com/borgbackup/borg/issues/7047
+ * [x] Document about how keys are encrypted and backed up in the server:
+ https://borgbackup.readthedocs.io/en/latest/faq.html#how-important-is-the-home-config-borg-directory
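Review bot: "Unrelased" in the version heading should be "Unreleased". The second Keys item says keys are "encrypted and backed up in the server", but the `docs/backups.md` change in this same commit says the encrypted keyfile is uploaded to the remote Borg repository; use the same wording in both places so a reader does not go looking for a separate server-side key store. Linking this entry to the new "Note on backup keys" section in `docs/backups.md`, rather than only to the upstream FAQ, would also help.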
diff --git a/docs/todo.md b/docs/todo.md
index b01437e..dc7cc3b 100644
--- a/docs/todo.md
+++ b/docs/todo.md
@@ -4,3 +4,7 @@
* [ ] Provision:
* [ ] Fix booting issues detailed [here](tpc.md#booting).
+* [ ] Upgrade:
+ * [ ] Raspbian does not have the `non-free-firmware` component?
+ Maybe this is not an issue, as we may move away from
+ Raspbian/Raspberry Pi OS.
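Review bot: The new Upgrade item is written as an open question ("...component?") with no condition under which it can be ticked off. Rephrase it as a concrete check, for example "Verify whether Raspbian/Raspberry Pi OS provides the `non-free-firmware` APT component and, if not, which firmware packages the upgrade would lose", and track the possible move away from Raspbian as its own item so the firmware question is not left dangling if the platform decision changes.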