From 514c6d120f333090a8dbea0e5876ac3967ff7f80 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 16 May 2024 21:12:31 -0300 Subject: Borg fixes as pre-generated keyfiles are currently unsupported --- docs/backups.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'docs') diff --git a/docs/backups.md b/docs/backups.md index 4cfeff4..c612116 100644 --- a/docs/backups.md +++ b/docs/backups.md @@ -135,7 +135,28 @@ For [Borg][]: Make sure to cleanup `~/temp/misc/restore` after recovering what you need. +Note on backup keys: + +* In the past (before 2024), the Hydra Suite and it's companion [Puppet][] + modules used pre-generated [Borg][] repository keys for the sake of automation. + This is [not possible anymore][]. +* As it's [important to keep copies of the borg repository key safely + elsewhere][], the managed configuration supports OpenPGP-encrypting the + repository key and uploading it to the remote repository. +* This OpenPGP-encrypted key file is named as `keyfile.asc` and is uploaded + in the root folder of the remote repository. +* This OpenPGP-encrypted key file is encrypted and signed with a provided + OpenPGP keypair and passphrase (convention is to use the machines's OpenPGP + general purpose key, or the machine's role key). +* This allows the operators to fetch this encrypted keyfile and use their copy + of the machine's OpenPGP key to extract the passphrase _on their + encrypted-storage workstations_ (recommendation is to not do this on the remote + repository). + [Borg]: https://www.borgbackup.org/ +[Puppet]: https://www.puppet.com/ +[not possible anymore]: https://github.com/borgbackup/borg/issues/7047 +[important to keep copies of the borg repository key safely elsewhere]: https://borgbackup.readthedocs.io/en/latest/faq.html#how-important-is-the-home-config-borg-directory ### eCryptfs -- cgit v1.2.3