
Security, permissions and keys

Orsiris de Jong edited this page Feb 26, 2025 · 2 revisions

Security and permissions

NPBackup's security model is a zero trust model:

  1. the client doesn't trust the server, which should not be able to read the backup contents
  2. the server doesn't trust the client, which may be used to delete all backups

Using an encryption password, the client only sends encrypted data to the server, so point 1 is observed.
The client encrypts all sensitive data in the configuration files and restricts actions via a permission system, in order to achieve point 2.
Still, the client could be hijacked, so it's advisable to use a write-only target as server (like rest-server --append-only or an S3 server with specific IAM / ILM rules).

Manager Password

By default, NPBackup protects the encrypted data via an AES password. In order to enforce that protection, it is advised to set a manager password.
In the GUI, open the configuration interface, go to the destination tab and use "set permissions".
This lets you choose between 4 permission levels and provide a password.

Once set, the password will be invisible in the configuration file.
Clues that a manager password is set are, in the GUI, the "manager password initialized" indicator, and, in the configuration file, the is_protected: true parameter.

The manager password is set at repo level, but keep in mind that any manager password can decrypt any data in the same configuration file.

Please note that right clicking on "" in the configuration GUI allows decrypting that data after prompting for the manager password. This lets a system administrator see the repo URI and passwords without leaving this information available on the computer. The configuration file should never be world readable, as anyone could otherwise change the backup admin password, allowing them to decrypt other parts of the configuration file.

Permissions

Only when the manager password is set will the permissions be enforced. Permissions are:

  • full: Set by default, allows all including destructive operations
  • restore: Allows everything backup does plus restore, check and dump operations
  • restore_only: Allows only restoring backups, but not creating ones
  • backup: Allows backup, snapshot/object listing operations and repo unlocking

CLI instructions

In order to set the manager password and permissions directly in the configuration file, edit the repo_uri value as follows:

repo_uri: <uri>, <permission>, <manager password>

# example
repo_uri: s3:https://some.path/some-bucket,restore,My!SecretPassword123

Once loaded, repo_uri will be encrypted, and the permission / manager password won't be visible.
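The following is an added example, not NPBackup's own code: it models the cleartext repo_uri form above and the four documented permission levels as a simple allow/deny check. The comma-splitting rule, the operation names and the RepoAccess type are this example's assumptions.

```python
# Illustrative model of NPBackup's documented permission levels and the
# cleartext "repo_uri: <uri>, <permission>, <manager password>" form.
# Example code written for this page, not NPBackup's implementation.
from dataclasses import dataclass
from typing import Optional

# Operation labels are this example's names for the actions the wiki lists.
BACKUP_OPS = frozenset({"backup", "list_snapshots", "list_objects", "unlock"})
RESTORE_OPS = BACKUP_OPS | {"restore", "check", "dump"}

# None means "every operation, destructive ones included".
PERMISSIONS = {
    "full": None,
    "restore": RESTORE_OPS,
    "restore_only": frozenset({"restore"}),
    "backup": BACKUP_OPS,
}


@dataclass(frozen=True)
class RepoAccess:
    uri: str
    permission: str = "full"            # default level per the wiki
    manager_password: Optional[str] = None


def parse_repo_uri(value: str) -> RepoAccess:
    """Split a cleartext repo_uri value into its three fields.

    Assumption of this example: fields are comma separated with the URI
    first; maxsplit=2 lets the manager password itself contain commas.
    A bare URI (no permission, no password) is accepted unchanged.
    """
    parts = [p.strip() for p in value.split(",", 2)]
    if len(parts) == 1:
        return RepoAccess(uri=parts[0])
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected '<uri>, <permission>, <manager password>'")
    uri, permission, password = parts
    if permission not in PERMISSIONS:
        raise ValueError(f"unknown permission level {permission!r}")
    return RepoAccess(uri, permission, password)


def is_allowed(access: RepoAccess, operation: str) -> bool:
    """Permissions are only enforced once a manager password is set."""
    if access.manager_password is None:
        return True
    allowed = PERMISSIONS[access.permission]
    return allowed is None or operation in allowed
```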

AES encryption keys

NPBackup's security model relies on symmetric encryption of all sensitive data that grants access to a repository.
In order to achieve this, NPBackup contains an AES key that can be set:

  • at compile time

NPBackup ships with a default AES key, which can be used for any configuration file when using the default binaries from GitHub.
You may recompile NPBackup with an alternative AES key (in which case you'll have "private" builds instead of "public" ones, as the NPBackup version string tells). Please see the compile instructions to do so.

  • at run time via an AES-KEY file

If you don't want to compile your own NPBackup executables, you can generate a key with

npbackup-cli --create-key=npbackup.key

This file can later be used by NPBackup by defining the environment variable NPBACKUP_KEY_LOCATION, or NPBACKUP_KEY_COMMAND in case you have a command that outputs the key to stdout (i.e. a password manager binary).
