New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
B2 application key is written to an unencrypted file #641
Comments
Please observe that if the user is compromised, they can modify The proper fix for this is to use an application key which only has permissions to write data and does not have permissions to actually delete anything. Ramsomware could try to pollute the bucket with dummy data, but it could be filtered via |
That's reasonable, thanks. You're right, since I'm already imagining a particularly clever breed of ransomware, I may as well imagine an even more clever breed. My backup utility, restic, needs delete capability to prune old snapshots. That must be a common need of backup utilities. But restic doesn't need delete capability to perform routine backups -- snapshot pruning is a separate operation. I could do the snapshot pruning from a different system with a different B2 application key that has delete capability. That would be a dangerous key to leave lying around, of course. Is there a better way to manage this risk? |
You can configure server-side retention policies which will take care of deletion for you, see here. Then you don't need any keys with deletion capability at all. |
This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate or assist you further. |
After running
b2 authorize-account
, my B2 application key is stored unencrypted in the sqlite3 database$HOME/.b2_account_info
. This file is readable by the user ID that runsb2 authorize-account
, so any other program I run as that user, or asroot
, can read this file.Correct me if I'm wrong, but I believe this means that if this user ID accidentally runs ransomware, the ransomware could use the plaintext information in
$HOME/.b2_account_info
to delete all the files in my B2 buckets. And ransomware would want to do that, because B2 buckets are often where backups are stored.Therefore I'd prefer to store my B2 application key more securely. For example, if I could write a wrapper script for
b2
that reads my application key from an encrypted file and then exports its value to$B2_APPLICATION_KEY
to perform the desiredb2
command, I would do that. (I think such a feature would help address issue #597 more naturally.)But it seems that I cannot do something like that, because
b2
requires that I first runb2 authorize-account
, which writes my application key to an insecure file to be used by subsequentb2
command invocations.Or have I overlooked an alternative method of
b2
authorization?The text was updated successfully, but these errors were encountered: