-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 31/05/2019 10.33 AM, Side Realiq wrote: > Thank you Andrew! > > Wouldn't described scenario be mitigated, if one downloads the > backup in a separate disposable non-internet VM, decrypt it, and > transfer the decrypted files to the vault? >
The problem is that, if the decrypted files have been compromised, they could compromise the vault when you open them inside the vault. P.S. -- Please avoid top-posting. >> ---------------------------------------- From: Andrew David Wong >> <a...@qubes-os.org> Sent: Thu May 30 06:54:05 CEST 2019 To: Side >> Realiq <siderea...@mailfence.com> Cc: >> <qubes-users@googlegroups.com> Subject: Re: [qubes-users] How to >> automate cloud backups of trusted vault files? >> >> > On 29/05/2019 12.04 PM, 'Side Realiq' via qubes-users wrote: >>>> [...] >>>> >>>> I do the encryption in the vault itself and only encrypted >>>> files should/will be shared to the cloudVM via the device. >>>> Are there any security issues doing it this way? >>>> > > qvm-backup performs properly authenticated encryption. When you > restore, the backup is correctly verified for authenticity and > integrity before it is decrypted. Most DIY encryption methods > probably don't do this correctly, which could potentially expose > you to a range of possible attacks. > > For example, if you ever wish to restore a file that was backed up > from your vault using your proposed method, you will presumably > copy what you believe to be one of your encrypted backup files from > some backup location into your vault. If that file has been > malicious modified by an attacker, it could exploit a hypothetical > vulnerability in your restore process (e.g., by feeding malformed > input to the program performing decryption), possibly resulting in > a silent compromise of your vault. > > This is the sort of attack scenario that qvm-backup was designed > to protect against. > - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAlzx1d8ACgkQ203TvDlQ MDBeZg//TqWtQybcvRnWobDa6bkTNjH0ouR8RwGLYZ2f8P8fN+/1VNxKNknDs7H1 7nwwE6/Ak4p93oOU7uIEekQ4ELIOuSLTOAZPvYdNGHDd6f2+CfEafyxbqCPuUDmy ve529oOfPZX1pPWJNMtfoa+jsUHT6qsjWjbfeE6ige0ZxUY4J0IqUhtUWPzFQ7PR EN+0gJ17KaM2Cwpi+RRN1fFLl588lcRBhoIARcV/9E4DciTTMWS8Inm5ygKOui5+ hMxaVwjH719VT4+rgtVH7+MnDvqatTr5W4g6PmUW43PLr5TWdgjTRWsj1PF6QxEf ZOeXrfr1ekuhXNpAY87+qafC4VUSzTjbfpk2ZbYzRHWVeceK1CmcaOpeECoacf7v IHR53SEih1PsWs4Th1gtXvzxW+VVC75rUr4bcCo55hD8vwfHIG+AkCwLNgKb90GY S/54NNtvWdNxYWgE7n/aMqj4XEKg3C9u1vgN4lYaqaejcO8HsqOrr7qwCqDPSVSX uSCFduOLgeFoXdoiNOs92mJ3DM7fr/vLrC81WY0chhSUsH0aEgeSyU+6kIf97RYq RWHZ6mXlhpkE0GQM6vz8jE36qAcAn8aL9bSzgxFKVenNCL5m/1DTasus5RlDQmpM VTNcwrdkVDAlk4D6DdDcH8CqH2SYvLxIQEK254VnBUdiF3CLmtM= =I0Qm -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ba1aa270-8a77-0ea6-852c-d52c8f028664%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
