vorta icon indicating copy to clipboard operation
vorta copied to clipboard

Published 20 hours ago verified publisher icon borgbase

add UI for borg key backup

Open ThomasWaldmann opened this issue 1 year ago • 8 comments

The problem

Now and then I get contacted by borg users who have lost the borg key, asking for help with regaining access to their archived data.

Of course there is no way to do that if the key is really lost - that would be a severe security issue if that was possible.

So the only option is to try to recover the deleted key and that is usually rather complicated and often not successful:

  • usage of "undelete" tools for local filesystems, hoping the storage device block(s) with the key have not yet been overwritten or discarded.

  • sometimes users directly back up onto FUSE-mounted cloud storage. if they don't have file versioning activated there, guess it is impossible to recover a file from a bucket. otoh, having versioning active might be a bad idea concerning space usage and related costs, because borg compact moves around a lot of data.

So, users should be motivated to have a borg key backup.

borg init tells them every time to do that.

Does vorta also tell them? Vorta should also actively help them doing that.

Requested Solution

Add a UI wrapping borg key export (and maybe also borg key import later).

Guess the best way would be to use the option creating that html page with the QR code and the key hexdump and then invoke the default browser showing that html file.

ThomasWaldmann avatar Jan 31 '24 15:01 ThomasWaldmann

In the current version of Vorta it is easy to export the settings on a per-profile base. Doing this, the users are asked if the repo passphrase should be included to the settings ( .json) file. Perhaps the corresponding keysfiles (repokeys) could/ should optionally be added to these setting .json file?

Currently Vorta does not try to "educate" the user about best practice. Perhaps it is a good idea to actively promote to "save the profile settings" including the repo "passphrase" and "export keys" and to store these savely (e.g. password manager) and keep a copy at a save place (i.e. out side your computer or even building)?

goebbe avatar Feb 07 '24 08:02 goebbe

I just tested the behaviour, using Vorta 9.1.

  • When creating a new repo using Vorta, there is no hint for a "borg key backup".
  • Currently there is no UI element / button to fascilitate "borg key backup"
  • When exporting the setting for a Vorta-profile, (local) keyfiles or repokeys are not included in the .json file.

goebbe avatar Mar 08 '24 12:03 goebbe

@goebbe borg emits these hints at borg init time (on stderr or stdout), but maybe vorta does not show them on the GUI (or they disappear too quickly?).

ThomasWaldmann avatar Mar 08 '24 14:03 ThomasWaldmann

@ThomasWaldmann exactly. I tried to test if Vorta passes the information/ warning about the keys to the user.

If I understand correctly, users should be encouraged to make a backup of the borg keyfile, when initializing a repo.

I believe there are two distinct steps:

  1. Tell the user, that he/she should make a backup of the keyfiles (local or repokeys) - as borg does on the comandline)
  2. Provide information/ tools to access the keyfiles (local or repokeys) for the actual backup.

~~If a keyfile is used, making a backup is relatively straightforward (if you know where to find the keyfiles). If a repokey is used (the default in Vorta), things get more complicated. To my knowledge, backing up the repokey cannot be achieved easily using Vorta.~~ The user has to call borg commands directly. But maybe I miss something.

By the way, these are the relevant lines from the log files, when initialising, using keyfiles:

2024-03-08 13:22:13,068 - vorta.borg.borg_job - INFO - Key in "/home/goebbe/.config/borg/keys/192_168_0_5__backup_vorta_repo_test_key" created.
2024-03-08 13:22:13,069 - vorta.borg.borg_job - INFO - Keep this key safe. Your data will be inaccessible without it.

edit: borg key export and borg key import should be used for the keyfile backup.

goebbe avatar Mar 08 '24 14:03 goebbe

The step to create a key backup is the same no matter whether keyfile or repokey is used and the backup should be made in both cases.

ThomasWaldmann avatar Mar 08 '24 16:03 ThomasWaldmann

@ThomasWaldmann borg key export could be used in both cases (i.e. when using a (local) keyfile OR when using repokey) - so Vorta could use this command anyway.

In the case of a (local) keyfile: Would it be sufficient to just copy/ backup the keyfile directly from /home/user/.config/borg/keys/your_repo_key or would borg export key do additional magic?

Related question: When restoring, using Vorta from a different computer, with a (local) keyfile: Would it be sufficient to just copy the keyfile to /home/user/.config/borg/keys/ or is it necessary to use borg key import

goebbe avatar Mar 10 '24 11:03 goebbe

borg key export offers misc. ways how to export a key and you MUST use that.

Same for borg key import.

No manual key file copying.

ThomasWaldmann avatar Mar 10 '24 12:03 ThomasWaldmann

Related: https://github.com/borgbase/vorta/pull/599 from @samu-w

goebbe avatar Mar 12 '24 10:03 goebbe