Every server has four different private keys:
- The Backup Key, for creating backups. Must be present on the server you are backing up.
- The Browse Key, for browsing backup metadata, but not decrypting files themselves. Must be present in your local key ring to access backups with the Opsmate command line tools. Must be present in your cloud key ring to browse backups from the Opsmate website.
- The Decryption Key, for decrypting backups. Must be present in your local key ring to access backups with the Opsmate command line tools, or to extract a bundle with the opsmate extract command. Must be present in your cloud key ring to see file contents from the Opsmate website.
- The Deletion Key, for deleting backups. Must be present in your local key ring to use the
The four keys are grouped together in a key group, which is uniquely identified by a UUID (e.g. 1853db19-3371-44bc-841e-caca8fcd7111). Every server is associated with exactly one key group. Multiple servers may share a key group, in which case data is deduplicated across all the servers that share it.
Opsmate uses four separate private keys because separating capabilities gives you finer control over who can do what. By controlling where each key is distributed, you can have a server that is allowed to create backups but not retrieve them, or a server that is allowed to retrieve backups but not delete them. In particular, a server that holds only the Backup Key cannot read or delete the backups it has already made, so compromising that server does not expose or destroy its backup history.
Keys are stored in a key ring. You have three key rings:
- Your system-wide local key ring, stored by default in /var/lib/opsmate/backups/keystore. This key ring is created when you set up Opsmate and is accessed when backing up your system. It must contain at least your Backup Key. This key ring is used when running Opsmate as root and is accessible only by root.
- Your personal local key ring, stored in ~/.opsmate/backups/keystore. This key ring is used when running Opsmate as a non-root user, and lets you restore files from your normal user account.
- Your cloud key ring, which is stored on Opsmate servers and can be managed by visiting your keys page. This key ring is used when browsing backups through the Opsmate website, and serves as a backup of your local key rings.
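The two local key rings are only as safe as their file permissions: the system-wide ring should be readable by root alone, and the personal ring by your own account alone. The script below is an added example, not part of Opsmate itself; it checks that each key ring exists, is owned by the expected account, and grants nothing to group or others. The KEYSTORE_ROOT and KEYSTORE_USER environment variables are hypothetical overrides introduced here so the check can be pointed at a test copy.

```shell
#!/bin/sh
# Added example: audit the on-disk Opsmate key rings for unsafe permissions.
# Not part of Opsmate. Default paths are the ones documented above;
# KEYSTORE_ROOT and KEYSTORE_USER are hypothetical overrides for testing.

# keystore_ok PATH OWNER
# Returns 0 when PATH exists, is owned by OWNER, and its mode grants no
# permission bits to group or others (e.g. -rw------- or drwx------).
# Relies only on the POSIX "ls -ld" columns: mode string, links, owner.
# Caveat: an ACL ("+" suffix in the mode string) can widen access without
# changing these bits; review ACLs separately where they are in use.
keystore_ok() {
    path=$1
    owner=$2
    if [ ! -e "$path" ]; then
        echo "missing: $path" >&2
        return 1
    fi
    # shellcheck disable=SC2046  # word-splitting ls output is intended here
    set -- $(ls -ld "$path")
    mode=$1
    actual_owner=$3
    case "$mode" in
        ????------*) ;;                      # group/other bits all cleared
        *) echo "too permissive: $path ($mode)" >&2; return 1 ;;
    esac
    if [ "$actual_owner" != "$owner" ]; then
        echo "wrong owner: $path (is $actual_owner, expected $owner)" >&2
        return 1
    fi
    return 0
}

# audit_keyrings
# Checks the system-wide ring (must belong to root) and the personal ring
# (must belong to the invoking user). Returns 1 if either check fails.
audit_keyrings() {
    rc=0
    keystore_ok "${KEYSTORE_ROOT:-/var/lib/opsmate/backups/keystore}" root || rc=1
    keystore_ok "${KEYSTORE_USER:-$HOME/.opsmate/backups/keystore}" "$(id -un)" || rc=1
    return $rc
}

# Run the audit only when invoked as:  sh keystore-audit.sh audit
if [ "${1-}" = "audit" ]; then
    audit_keyrings
fi
```

Run it as root so the system-wide path is reachable; as an unprivileged user the parent directory of the root key ring may itself be unreadable, and the script will then report that ring as missing rather than as misconfigured.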
Managing Your Keys With opsmate key
You can manage your key rings with the opsmate key command as described below. By default, opsmate key manages your local key ring. To manage your cloud key ring instead, pass the -c option.
Many of the sub-commands to opsmate key take a KEYID as an argument. The KEYID can be specified in one of the following ways:
- N: the Nth key group (as output by opsmate key list)
- N.M: the Mth key in the Nth key group (as output by opsmate key list)
- UUID: the key group with this UUID
- UUID TYPE: the key of type TYPE in the key group with this UUID (where TYPE names one of the four key types)
- List your keys: opsmate key list
- Upload a key to your cloud key ring: opsmate key upload KEYID
- Change a key's passphrase: opsmate key passphrase KEYID
- Export a key: opsmate key export [--change-passphrase] -o FILENAME KEYID
  By default, the key is exported with the same passphrase. Pass the --change-passphrase option to export it with a different passphrase (or no passphrase).
- Download a key from your cloud key ring: opsmate key download KEYID
- Import a key: opsmate key import FILENAME
- Change a key's label: opsmate key rename KEYID NAME
- Remove a key: opsmate key remove KEYID
Keys can optionally be protected with a passphrase, which must be entered when performing any operation requiring those keys. Passphrases in your local key ring can be changed with the opsmate key passphrase command. Passphrases in your cloud key ring can be changed on the keys page or by running opsmate key passphrase with the -c option as described above.
Do not forget your passphrase! Opsmate cannot reset or recover a forgotten passphrase. If you use passphrases, you should store a backup copy of your key ring, without passphrases, in a secure place (such as on a thumb drive in a safe deposit box).
Protecting Your Keys
Your keys can be used to read and delete your data, so treat them like passwords, private SSH keys and API secrets, and protect them with the same care. Key passphrases, if used, should follow standard best practices for passwords: not too short, not too simple, and not easily guessable.
Do not lose your keys! If every copy of your Decryption and Browse Keys is lost, your backups become inaccessible and no one, including Opsmate, can recover their contents. Be sure to make backups of your key ring.
The simplest protection against losing your keys is to upload them to your cloud key ring, which is done automatically unless hybrid or paranoid mode is enabled. If you don't upload your keys, you are responsible for their safekeeping. See the page Backing Up Your Key Ring for guidance.