Opsmate

Key Management

Key Types

Every server has four different private keys:

  • The Backup Key, for creating backups. Must be present on the server you are backing up.
  • The Browse Key, for browsing backup metadata, but not decrypting files themselves. Must be present in your local key ring to access backups with the Opsmate command line tools. Must be present in your cloud key ring to browse backups from the Opsmate website.
  • The Decryption Key, for decrypting backups. Must be present in your local key ring to access backups with the Opsmate command line tools, or to extract a bundle with the opsmate extract command. Must be present in your cloud key ring to see file contents from the Opsmate website.
  • The Deletion Key, for deleting backups. Must be present in your local key ring to use the opsmate delete command.

The four keys are grouped together in a key group, which is uniquely identified by a UUID (e.g. 1853db19-3371-44bc-841e-caca8fcd7111). Every server is associated with exactly one key group. Multiple servers may use the same key group, in which case data deduplication takes place between all the servers sharing the key group.

Opsmate uses four separate private keys so that privileges can be separated rather than bundled into one secret. By controlling where each of the four keys is distributed, it is possible to have a server that is allowed to create backups but not retrieve them, or a server that is allowed to retrieve backups but not delete them. A host that holds only the Backup Key cannot read or destroy existing backups even if it is fully compromised.

Key Rings

Keys are stored in a key ring. You have three key rings:

  • Your system-wide local key ring, stored by default in /var/lib/opsmate/backups/keystore. This key ring is created when you set up Opsmate and is accessed when backing up your system. It must contain at least your Backup Key. This key ring is used when running Opsmate as root and is accessible only by root.
  • Your personal local key ring, stored in ~/.opsmate/backups/keystore. This key ring is used when running Opsmate as a non-root user, and lets you restore files from your normal user account.
  • Your cloud key ring, which is stored on Opsmate servers and can be managed by visiting your keys page. This key ring is used when browsing backups through the Opsmate website, and serves as a backup of your local key rings.

Managing Your Keys With opsmate key

You can manage your key rings with the opsmate key command as described below. By default, opsmate key manages your local key ring. To manage your cloud key ring instead, pass the -c option.

Many of the sub-commands to opsmate key take a KEYID as an argument. The KEYID can be specified in one of the following ways:

  • N -- the Nth key group (as output by opsmate key list)
  • N.M -- the Mth key in the Nth key group (as output by opsmate key list)
  • UUID -- the key group with this UUID
  • UUID TYPE -- the key with this TYPE and UUID (where TYPE is backup, browse, decryption, or deletion)
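The four KEYID forms above are easy to get subtly wrong (a truncated UUID, a misspelled TYPE). The following is an added example, not part of Opsmate, that validates a KEYID argument against the documented forms before it is handed to opsmate key. It assumes N and M are decimal indices as printed by opsmate key list (the page does not say whether they start at 0 or 1, so any digits are accepted) and that the CLI syntax is opsmate key SUBCOMMAND KEYID as shown on this page; keyid_form and opsmate_key are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not part of Opsmate): validate a KEYID argument against the
# four documented forms before passing it to `opsmate key ...`, so that a typo
# such as "UUID secret" fails locally with a clear message.
# Assumption: N and M are plain decimal indices; the page does not state
# whether they are 0- or 1-based, so any run of digits is accepted.

UUID_RE='^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'

# matches STRING ERE  -- true if STRING matches the extended regex.
matches() { printf '%s\n' "$1" | grep -Eq "$2"; }

# keyid_form ARG [ARG2]
#   Prints which documented form the arguments select and returns 0:
#     N          -> group-index
#     N.M        -> key-index
#     UUID       -> group-uuid
#     UUID TYPE  -> key-uuid   (TYPE: backup, browse, decryption, deletion)
#   Anything else prints nothing and returns 1.
keyid_form() {
    if [ "$#" -eq 2 ]; then
        matches "$1" "$UUID_RE" || return 1
        case "$2" in
            backup|browse|decryption|deletion) echo key-uuid; return 0 ;;
            *) return 1 ;;
        esac
    fi
    [ "$#" -eq 1 ] || return 1
    if matches "$1" '^[0-9]+$'; then
        echo group-index
    elif matches "$1" '^[0-9]+\.[0-9]+$'; then
        echo key-index
    elif matches "$1" "$UUID_RE"; then
        echo group-uuid
    else
        return 1
    fi
}

# opsmate_key SUBCOMMAND KEYID...
#   Wrapper that refuses to invoke the real tool with a malformed KEYID.
#   Assumes the `opsmate key SUBCOMMAND KEYID` syntax shown on this page.
opsmate_key() {
    sub=$1; shift
    keyid_form "$@" >/dev/null || {
        echo "usage: opsmate_key $sub N | N.M | UUID | UUID TYPE" >&2
        return 2
    }
    opsmate key "$sub" "$@"
}
```

A wrapper like opsmate_key is most useful in front of the destructive sub-commands (remove, passphrase) and for export, where an argument that accidentally selects a whole key group instead of one key would write out every key in the group.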

List your keys

opsmate key list

Upload a key to your cloud key ring

opsmate key upload KEYID

Change a key's passphrase

opsmate key passphrase KEYID

Export a key

opsmate key export [--change-passphrase] -o FILENAME KEYID

By default, the key is exported with the same passphrase. Pass the --change-passphrase option to export it with a different passphrase (or no passphrase).

Download a key from your cloud key ring

opsmate key download KEYID

Import a key

opsmate key import FILENAME

Change a key's label

opsmate key rename KEYID NAME

Remove a key

opsmate key remove KEYID

Passphrases

Keys can optionally be protected with a passphrase, which must be entered when performing any operation requiring those keys. Passphrases in your local key ring can be changed with the opsmate key passphrase command. Passphrases in your cloud key ring can be changed on the keys page or by running opsmate key passphrase with the -c option as described above.

Do not forget your passphrase! Opsmate cannot reset or recover a forgotten passphrase. If you use passphrases, you should store a backup copy of your key ring, without passphrases, in a secure place (such as on a thumb drive in a safe deposit box).

Protecting Your Keys

Your keys can be used to read and delete your data, so they should be treated akin to passwords, private SSH keys, API secrets, etc., and be protected with the utmost care. Key passphrases, if used, should follow standard best practices for passwords and not be too short, too simple, or easily guessable.

Do not lose your keys! If all copies of your Decryption Key are lost, your backups can never be decrypted; without the Browse Key you cannot even list what was backed up. Be sure to make backups of your key ring.

The simplest protection against losing your keys is to upload them to your cloud key ring, which is done automatically unless hybrid or paranoid mode is enabled. If you don't upload your keys, you are responsible for their safekeeping. See the page Backing Up Your Key Ring for guidance.
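For the offline copy recommended in the Passphrases and Protecting Your Keys sections, the following is an added example of a small script (not Opsmate's own tooling) that copies a local key ring directory to removable media with owner-only permissions and records a SHA-256 manifest, so the copy can be checked for corruption before you depend on it. It assumes nothing about the key file format; backup_keystore and verify_keystore are hypothetical helper names, and the default source path is the system-wide key ring from this page.

```shell
#!/bin/sh
# Added example (not part of Opsmate): copy a key ring directory to offline
# media and record a checksum manifest so the copy can be verified later.
# The functions only copy and hash files; they do not interpret key formats.
set -u

# backup_keystore SRC DEST
#   Copies SRC (e.g. /var/lib/opsmate/backups/keystore) to DEST, restricts
#   everything to the owner, and writes DEST/SHA256SUMS over the copied files.
backup_keystore() {
    src=$1; dest=$2
    [ -d "$src" ] || { echo "no such key ring: $src" >&2; return 1; }
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    # -p keeps ownership and mtimes of the originals.
    cp -Rp "$src"/. "$dest"/ || return 1
    find "$dest" -type d -exec chmod 700 {} +
    find "$dest" -type f -exec chmod 600 {} +
    # Manifest of every copied file; the manifest itself is excluded.
    ( cd "$dest" && find . -type f ! -name SHA256SUMS -exec sha256sum {} + > SHA256SUMS ) || return 1
    chmod 600 "$dest/SHA256SUMS"
}

# verify_keystore DEST
#   Re-hashes every file listed in the manifest. Returns non-zero on a
#   mismatch or a missing file; run this before trusting the offline copy.
verify_keystore() {
    ( cd "$1" && sha256sum --quiet -c SHA256SUMS ) >/dev/null 2>&1
}

# Usage: sh keyring-backup.sh backup SRC DEST | verify DEST
case "${1:-}" in
    backup) backup_keystore "${2:-/var/lib/opsmate/backups/keystore}" "$3" ;;
    verify) verify_keystore "$2" ;;
esac
```

The manifest guards against silent media corruption, not against an attacker who can rewrite the copy and its manifest together; the protection against that is the physical control of the media (the safe deposit box) and, if the exported keys are stored without passphrases as the Passphrases section suggests, treating the media itself as the secret.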