Backup without password #4326
Comments
|
Duplicate of #1786 (comment) .
You're overcomplicating the whole setup. Just add a text file to the repository which contains the plaintext password. After all an empty password and a password stored in a plain text file provide the same level of security.
Feel free to add another layer of encryption. But that's not a reason to complicate the encryption in restic. |
At significantly less convenience. |
|
I have decided not to use restric because it requires a password. I once made an encrypted archive and wrote down the password on the backside of a piece of furniture. Some 14 years later I wanted to extract it but couldn't even remember what furniture I used, or if I still owned it. With the --password-file flag the same problem exists, just with a file, which isn't better. For my particular use case, encryption has zero value. |
|
@rrrlasse while your issue simply comes down to user error (also, 0.1.0 was released on 2015, which is 8 years ago...), I can understand your pain. I have since discovered that rsync comes built-in with Fedora. Not only did I think you had to download it, but didn't realise it could be used to simply copy files to and from local disks, like a glorified cp command. So I use rsync instead of restic now, where encryption is not needed. Because I use LUKS, that additional layer of encryption is not necessary. Even if restic had support for no encryption, I have a feeling rsync would be faster / less overhead anyway. Pretty sure restic even uses rsync as its backend anyway. Despite this, forcing encryption is still a stubborn approach considering it's a backup tool, not an encryption tool. In case it isn't yet clear to the devs: Restic is a backup tool. I already use encryption, either LUKS or cryfs or veracrypt. Being forced to encrypt my backups is simply inconvenient and provides no additional security, instead increasing the chance of losing data. Even so, I would rather trust other tools to encrypt my data. @MichaelEischer |
restic is designed to back up to cloud storage. For those it is not (really) optional to encrypt the backup data. |
At that point, why not just add an option to disable the password? Why jump through so many mental hoops to justify making password mandatory? Make password required by the default, sure, but a simple flag to provide the option to disable it would solve so much problems for so many people.
Not all data is sensitive data. I'm backing up publicly available census data that has been slightly transformed, because it would be inconvenient to have to regenerate it. |
|
Regarding the idea to "just use a password file", here's the problem:
The user not only forgot that he had used a password. He also forgot that restic even supported the "--password-file" flag. I'm also a software developer, and we need to try and see things as the users do, who don't have the product on their mind every day. If you have decided not to change it due to policy, then that's fine - I didn't write this comment as an attemt to convince you. I just wanted to mention a common problem in software development. |
|
All good points here. A password file may provide the same level of security at much less convenience. Users who backup to cloud storage may not necessarily want their backups to be encrypted. Those who are required to encrypt their non-sensitive data will be required to use a password, they will probably use an easy to remember password that isn't so easy to remember, and when restoring, they'll forget what it was, because writing down "password" or "abc123" would be a waste of time. Rsync has been working well for me and its faster, big difference is that it doesn't write millions of files which is a plus. Honestly, I feel like using rsync to backup, then using something like cryfs to encrypt, would be a faster and more secure workflow. As long as restic mandates passwords, it's a tool that doesn't do backup or encryption as well as other tools that do those things separately. |
|
@Opening-Button-8988 yeah, I like the UNIX mentality with "one good tool for each job". I.e. one tool for encryption, one for backup, one for compression. You can then combine them as you wish, and developers don't need to reinvent the wheel. |
|
Allowing backups with no password / a default password and removing encryption are very different beasts. For the former a An empty password does not remove the encryption of the files in the repository. Removing encryption would require changes to the repository code that risk degrading security for encrypted repositories and thus won't happen.
That would result in several severe problems when applied to restic. Restic requires random access to pack files such that an external compression would either result in compressing far too much data or inefficient compression. And taking cryptfs as an example: from what I could find it only provides encryption but no integrity checks. Like with compression, integrating encryption into the repository format allows restic to decrypt and integrity check just the relevant parts. |
Maybe I'm misunderstanding you but I can only imagine the --use-empty-password option to be useful only when creating repositories. That's the only time it makes sense. If I want to remove the password to a repo, I'll just make a new repo without a password. All those other issues you mentioned aren't relevant. "Automatically checking whether a repository uses an empty password before even asking for a password" would only be relevant for repos that already exist.
Two thoughts come to mind, keeping in mind that I'm not a programmer:
Cryfs does check for integrity violations, though I don't know if it's of the same kind that restic checks for. |
That would be perfect, at least for my use case. It's fine that you need to always specify it, and I don't mind whatever encryption it does "under the hood". In principle (wouldn't recommend it, it's just for illutration), a solution could even be to just state "Please use '1234' if you just want to use a as a dummy password" in the usage legend. It's only the "need to have knowlege about something" which is problematic. |
|
That'd work, really. Just add that to the documentation, and to the CLI docs. Would at least be a temporary solution. |
|
As someone for whom the encryption and data integrity is of paramount importance, I would prefer that not a single line of code is added or removed which has the intention of removing or weakening either encryption or integrity. People here are asking for a trade-off: weakened encryption and integrity for everyone for the benefit of their convenience. It would be my argument that anyone who does not want to remember the password simply keeps it password in a file alongside, or inside the repository. If a user cannot keep their repository directory, or its parent, safe, then they cannot keep their backup safe anyway. |
|
Making encryption optional but enabled by default absolutely does not "weaken encryption or integrity". Really that should not be difficult to understand. |
Handling an empty password without requiring the To prevent any chance of misuse I'd prefer to make the choice of an empty password explicit by always requiring the user to specify
We have no intention of providing an option to remove the encryption. What we're discussing here is allowing for an empty / a default password. |
Exactly what I'm thinking (even though we're not discussing removing encryption, but rather, passwordless repos).
Again, maybe I'm misunderstanding you, but why would you need to handle an empty password when the I'm referring here upon creation of repositories. If you're suggesting that you cannot do this without introducing a vulnerability in the opening of pre-existing repositories, because (and I'm thinking out loud here) that you would need to check whether a repository has an empty password or not, I have nothing to add since I'm not a programmer, just that it would be unfortunate. Another idea from a layman: when opening repos, it always asks for a password. But it will accept an empty password, as long as the empty password has a unique hash value that can be matched against the repository. This would probably mean that empty passwords have some known static value that can be hashed. I could be talking out of my ass here, just an idea. @MichaelEischer I just like to say thank you, for pursuing this line of discussion and being open to the idea at least. |
|
I am wondering if the "no password" use case would be fulfilled if an empty password was allowed. Hence, There is imho no way to get an unencrypted backup by accident this way. On the contrary, you are reminded every time. ;) |
|
For
The last case prevents unconditionally passing For other commands, I wouldn't mind if they also use the same logic as the (An option like |
Good point. I'm looking forward to feedback from @Opening-Button-8988. |
|
After a lengthy discussion with @rawtaz and @fd0 we've decided on the following variant: The option is called If any other If a user does not specify That variant has the benefit of cleanly distinguishing between the with password and without password cases. It also gets rid of the redundant password prompt in the no password case. |
With the semantics described in my last comment, such a nagging warning won't be necessary. |
|
I have nothing to add except 👍 It's interesting to read a programmer lay out what needs to be done, because that table is what I had in my head but was not able to visualise it as such. I know what functionality I want to see, but I don't necessarily know how it should be implemented. Based on what I've read it looks pretty intuitive to me. I also haven't used restic enough to identify problem points. |
|
I guess #1018 could be closed aswell |
I briefly read this issue: #1786
It seems there is some confusion about the need for backups without encryption. First of all, I use LUKS encryption on my drives as a first line of defense and it's implemented on all of my drives. For this reason alone, a password is less useful for a drive already encrypted using LUKS.
The particular drive I want to backup to is not only LUKS encrypted but also hardware encrypted. It's a drive that has a keypad. Call me paranoid, but I like to encrypt using both hardware and software solutions for my most sensitive data.
I also use CryFS and VeraCrypt (I'm moving away from VeraCrypt). I have some directories further encrypted using these tools and again, there is less of a need to use a password for backups of these directories since they are already encrypted.
I think it's bad practice to require a password because restic is first and foremost a backup tool, and users should be able to backup without a password if they want to. It's really that simple, freedom. Forcing users to create a password for a repository that doesn't actually need one causes users to create passwords that they may not remember, something like "password123" which, from my experience, I tend to forget placeholder passwords more often than I forget more secure ones. A password manager is not a solution here. I don't want to have to use a password manager to store a weak password for something that doesn't need to be encrypted in the first place. It's inconvenient.
As for the problem regarding users inadvertently not using a password for data that needs one - this all comes down to how you implement it. There's a very simple fix for that. Add a warning saying "No password set. Are you sure?", and tell users that not setting a password is an option.
Forcing users to set a password will inevitably lead users to create weak passwords where no password is needed, and they may forget it because they were sure they wouldn't. It's happened to me more times than I care to admit.
I forgot to mention the whole reason why I posted this issue. The drive I'm trying to backup...is the drive that holds my password manager. In order to save a backup of my password manager, I need to create a new password database, with its own password, on a complete different drive, to save the restic password which decrypts the backup, which itself is encrypted anyway. Not sure what I'm gonna do about that except use a different program.
I'll also quickly mention the fact that some users may not trust restic's cryptography, and should have the option to use an encryption tool separately without having to rely on restic's encryption (and of course, not have to double-up on encryption when they don't want to).
The text was updated successfully, but these errors were encountered: