Secure offline keys

In a secure computer systems we do not want our decryption keys stored online where they could inadvertently be leaked. To support this use case, bupstash allows creating keys which do not support decrypting backups. Bupstash allows users to create 'put keys' that can only create new backups, or 'list keys' that can list backups, but not decrypt data.

Using a 'put key' lets you create backups without exposing your decryption key, while using a 'list key' let's the key rotate old backups based on queries, but without exposing the sensitive decryption key. This guide will show how to create use these key types.

Generating put and list keys

Generating and using these keys is simple, we use bupstash to create a new 'put key' or 'list key' that is derived from a regular bupstash key using the new-sub-keycommand.

$ bupstash new-sub-key -k ./backups.key -o put-backups.key --put
$ bupstash new-sub-key -k ./backups.key -o list-backups.key --list

Using put and list keys

Using these keys is the same as a regular key:

$ bupstash put --key ./put-backups.key ./data.txt
$ bupstash list --key ./list-backups.key

With the important difference that these keys cannot decrypt the contents of the snapshots. Only the original key is able to decrypt these snapshots.

$ bupstash get --key ./put-backups.key id=$id 
bupstash get: provided key is not a decryption key

$ bupstash get --key ./list-backups.key id=$id
bupstash get: provided key is not a decryption key

$ bupstash get --key ./backups.key id=$id
data...

We can now put the main key into secure offline storage for use in case of emergency, but continue to make and administer our backups using the put key and list key.

Neither the storage server, nor the devices uploading new snapshots have access to your existing snapshots.

Note that we recommend creating a new put key for every backup client if you have a shared bupstash repository.