Security Hardening Guidance
Data in transit
Encryption
It’s highly recommended to use protocols that provide encryption of in-transit data. The only backend option that doesn’t offer any kind of encryption is ftp, which should be avoided.
SSH - Use keys over passwords
The backup backends using SSH are: rsync, scp, and sftp. It’s preferable to use key-based instead of password-based authentication for the following reasons:
- SSH keys are typically much longer (2048 or 4096 bits) than passwords (which are often 8-16 characters). This makes brute-force attacks on SSH keys significantly more difficult compared to passwords.
- In password-based authentication, passwords are transmitted over the network (even if encrypted), and there is a risk of them being intercepted or exposed through other attack vectors like phishing. In key-based authentication, the private key never leaves the client machine, eliminating the risk of it being intercepted during the authentication process.
To enable key-based authentication, set the following charm configuration options:
- private_ssh_key
- known_host_key
An example of how to configure these options can be found in the SCP/Rsync/SFTP Backups section.
If you don’t have an SSH key pair, you can create one with the following command:
ssh-keygen
By default the private key is written to ~/.ssh/id_rsa. The charm configuration expects the key base64-encoded; to encode it, run:
cat ~/.ssh/id_rsa | base64
Data at rest
Encrypt Backup Files
Encryption ensures that sensitive data is protected from unauthorized access. In the event of a data breach, encrypted backups can reduce the potential damage. Even if an attacker accesses the backup, they cannot use the data without the decryption key. Moreover, when transferring backup files over the network, encryption secures data against interception and eavesdropping.
Use GPG Keys Over Passwords
Similarly to SSH key-based authentication, GPG uses asymmetric encryption, which involves a key pair: a public key for encryption and a private key for decryption. This means you can share the public key widely to allow others to encrypt messages, while only you hold the private key needed to decrypt them. Moreover, keys can be significantly longer and more complex than traditional passwords. This makes them far more resistant to brute-force attacks.
It also has the advantage that the private key never needs to be shared or transmitted, which eliminates the risk of interception that passwords carry. To enable GPG encryption, set the gpg_public_key charm option.
If you don’t have a GPG key, you can generate one using the gnupg package:
How to create a GPG key
sudo apt update
sudo apt install gnupg
gpg --full-generate-key
Then follow the prompts:
- Key Type: Choose the default option (usually ECC (sign and encrypt)).
- Elliptic Curve: Curve 25519.
- Key Expiration: Specify when the key should expire (e.g., 1 year). Enter 0 for no expiration.
- Name: Enter your full name.
- Email Address: Provide your email address.
- Comment: Optionally add a comment (e.g., “Duplicity”).
- Passphrase: Set a secure passphrase for your key.
Export your Public Key:
gpg --armor --export your.email@example.com > ecc-public-key.asc
Configure the charm:
juju config duplicity gpg_public_key=@./ecc-public-key.asc
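The two procedures above (SSH key plus base64 encoding for private_ssh_key and known_host_key, and GPG key generation plus public-key export for gpg_public_key) combined into one non-interactive script, with a check after each step that the material is actually usable. This is an added example, not code from the charm or its documentation. It assumes that private_ssh_key takes a single-line base64 string, that known_host_key takes one known_hosts-format line, that the application is named duplicity, and it uses backup.example.com as a placeholder host; the juju commands are printed for you to run, not executed.

```shell
#!/bin/sh
# Added example, not part of the charm's documentation: produces the key
# material for the duplicity charm's private_ssh_key, known_host_key and
# gpg_public_key options, checking at each step that it is usable.
# Assumptions (not stated on the page): private_ssh_key takes a single-line
# base64 string, known_host_key takes one known_hosts-format line, the
# application is named "duplicity", and the backup host is
# backup.example.com (a placeholder). The juju commands are printed, not run.
set -eu

# Base64-encode a file as one line. GNU base64 wraps at 76 columns, and a
# wrapped value pasted into a config setting is easy to corrupt.
encode_b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Decode the encoded value again and compare it byte for byte with the
# original; returns non-zero if the encoding lost or altered anything.
verify_b64_roundtrip() {
  _tmp=$(mktemp)
  encode_b64_oneline "$1" | base64 -d > "$_tmp"
  if cmp -s "$1" "$_tmp"; then _rc=0; else _rc=1; fi
  rm -f "$_tmp"
  return $_rc
}

# A dedicated 4096-bit RSA key for the backup job, created without a
# passphrase because the charm uses it unattended (assumption: no ssh-agent
# on the unit). Keep it separate from your personal ~/.ssh keys.
generate_ssh_key() {
  ssh-keygen -q -t rsa -b 4096 -N '' -C 'duplicity-backup' -f "$1"
}

# Pin the backup host's key so the unit rejects an impostor host. Run this
# once, out of band, and compare the fingerprint with what the host itself
# reports (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub) before trusting it.
fetch_known_host_key() {
  ssh-keyscan -t ed25519 "$1" 2>/dev/null
}

# Non-interactive equivalent of the gpg --full-generate-key prompts listed
# above: Curve 25519 primary key (cert+sign), Curve 25519 encryption subkey,
# no expiration, passphrase from $1, user ID from $2. Prints the fingerprint.
generate_gpg_key() {
  _pass="$1"; _uid="$2"
  gpg --batch --quiet --pinentry-mode loopback --passphrase "$_pass" \
      --quick-generate-key "$_uid" ed25519 cert,sign 0 >/dev/null
  _fpr=$(gpg --batch --with-colons --list-keys "$_uid" \
         | awk -F: '$1 == "fpr" { print $10; exit }')
  gpg --batch --quiet --pinentry-mode loopback --passphrase "$_pass" \
      --quick-add-key "$_fpr" cv25519 encr 0 >/dev/null
  printf '%s\n' "$_fpr"
}

# Export the armored public key the charm option takes, then prove it works
# the way the unit will use it: import ONLY the exported public key into a
# fresh keyring, encrypt a sample there, and decrypt it with the private key.
export_and_verify_gpg_public_key() {
  _fpr="$1"; _pass="$2"; _out="$3"
  gpg --batch --armor --export "$_fpr" > "$_out"
  _d=$(mktemp -d); mkdir -m 700 "$_d/unit"
  printf 'backup sample\n' > "$_d/plain"
  GNUPGHOME="$_d/unit" gpg --batch --quiet --import "$_out"
  GNUPGHOME="$_d/unit" gpg --batch --quiet --trust-model always \
      --recipient "$_fpr" --output "$_d/plain.gpg" --encrypt "$_d/plain"
  gpg --batch --quiet --pinentry-mode loopback --passphrase "$_pass" \
      --output "$_d/roundtrip" --decrypt "$_d/plain.gpg"
  if cmp -s "$_d/plain" "$_d/roundtrip"; then _rc=0; else _rc=1; fi
  GNUPGHOME="$_d/unit" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$_d"
  return $_rc
}

main() {
  WORK=$(mktemp -d)
  export GNUPGHOME="$WORK/gnupg"; mkdir -m 700 "$GNUPGHOME"  # demo keyring only

  generate_ssh_key "$WORK/id_rsa"
  verify_b64_roundtrip "$WORK/id_rsa" || { echo 'base64 round-trip failed' >&2; exit 1; }
  echo "Next: juju config duplicity private_ssh_key=\"\$(base64 < $WORK/id_rsa | tr -d '\\n')\""
  echo "Next: juju config duplicity known_host_key=\"$(fetch_known_host_key backup.example.com)\""

  FPR=$(generate_gpg_key 'change-me' 'Duplicity Backup <backup@example.com>')
  export_and_verify_gpg_public_key "$FPR" 'change-me' "$WORK/ecc-public-key.asc" \
    || { echo 'exported public key did not round-trip' >&2; exit 1; }
  echo "Next: juju config duplicity gpg_public_key=@$WORK/ecc-public-key.asc"
}

# Run the whole flow only when asked, e.g.: sh prepare-duplicity-keys.sh --run
if [ "${1-}" = "--run" ]; then main; fi
```

Run it with `--run` to execute the whole flow; without arguments it only defines the functions so the individual steps can be reused. The private key is never printed: the script prints the juju command that reads it from disk, and the GPG check imports only the exported public key into a throwaway keyring so that an export missing the encryption subkey is caught before it reaches the unit.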