29 lines
1 KiB
Markdown
29 lines
1 KiB
Markdown
|
# Backup
|
||
|
|
|
||
|
|
Personal backup application
|
||
|
|
|
||
|
|
## Threat Model
|
||
|
|
|
||
|
|
### Objectives
|
||
|
|
|
||
|
|
- Data is securely encrypted at rest and cannot be extracted without the repository private key
|
||
|
|
- Data can be verified to come from any specific device
|
||
|
|
- Without the encryption key it should be possible to make a safe guess as to what data is no longer in use.
|
||
|
|
- Access to the repository private key requires hardware-backed multi-factor access
|
||
|
|
- An attacker with write-access to the storage backend should not be able to modify or forge data in an unnoticeable manner
|
||
|
|
- The backup clients cannot cause harm to the already backed-up data.
|
||
|
|
|
||
|
|
### Out of scope
|
||
|
|
|
||
|
|
- The owner gives an attacker both the hardware key and the password to it
|
||
|
|
- The backup server host is compromised
|
||
|
|
- An attacker with write-access to the storage backends deleting or otherwise destroying the data contained within.
|
||
|
|
- An attacker with write-access to the backed up device can modify the data that is backed up
|
||
|
|
|
||
|
|
### Diagrams
|
||
|
|
|
||
|
|
#### Creating a repository
|
||
|
|
|
||
|
|
|
||
|
|
|