Verification of encryption integrity

prcek

Renowned Member
Feb 16, 2017
Hi folks,

I tested changing the encryption key for PBS backups. Unfortunately, the backup job and verification job did not notify me that the key had been changed. This is the behavior of PVE/PBS as I understand it from the documentation. No surprise, just confirmation.

So it's great to have immutable backups, but for a malicious actor who has gained access to PVE, it's just a matter of how long the retention is set on the PBS side.

It would be great to monitor not only data integrity but also encryption integrity. So a verification job or other job would notify us of the encryption key change.

Or am I misunderstanding something? Thanks for enlightening me.
Interesting attack. AFAIK, the PBS cannot detect if the key was changed or not. It just sees encrypted data.

You would however most probably see the spike in disk usage, because all backups would / should be full backups from this moment on, as you cannot decide what you've already transferred or not.
we'd need to implement a (rather expensive) client-side verification to properly do that..
the server doesn't know about the encryption key (all of the encryption happens on the client side, while the client signs the manifest, that is not verifiable without the key, so a malicious client could lie). changing the encryption key breaks the incremental chain, as the key influences the digest under which chunks are referenced. the only way to verify is with a client and the corresponding key.
some sort of threshold-based warnings - like if there is more than 90% new chunks - would be nice (not just for this, but also for accidents). it's hard to guard against malicious actors though - after all, you can always modify your malicious behaviour to stay within the thresholds..
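As an added example (not from this thread and not Proxmox code), a simplified Python model of the two points made above: the key feeds into the digest a chunk is referenced under, so a key change makes every chunk look new to the server, and a threshold on the share of never-seen chunks is one way to flag that. The HMAC-SHA256 addressing, 32-byte chunk size, keys and guest image are constructed stand-ins, not PBS's real derivation or sizes.

```python
import hashlib
import hmac

CHUNK_SIZE = 32  # constructed toy size; real PBS chunks are MiB-scale


def chunk_digests(data: bytes, key: bytes) -> list[str]:
    """Keyed chunk addressing (simplified model, not PBS's actual scheme):
    the same plaintext under a different key yields a different digest."""
    return [
        hmac.new(key, data[i:i + CHUNK_SIZE], hashlib.sha256).hexdigest()
        for i in range(0, len(data), CHUNK_SIZE)
    ]


class ServerView:
    """What the server side can observe: only digests it has seen before."""

    def __init__(self) -> None:
        self.known: set[str] = set()

    def ingest(self, digests: list[str]) -> tuple[int, int]:
        """Record a snapshot's chunk list; return (new_chunks, total_chunks)."""
        unique = set(digests)
        new = len(unique - self.known)
        self.known |= unique
        return new, len(unique)


def threshold_warning(new: int, total: int, threshold: float = 0.9) -> bool:
    """Threshold-based warning from the thread: flag a snapshot whose share
    of never-seen chunks exceeds the threshold (default 90%)."""
    return total > 0 and new / total > threshold


def simulate() -> list[tuple[int, int]]:
    """Three snapshots: initial full, one-byte change, unchanged data but new key."""
    key_a, key_b = b"constructed-key-A", b"constructed-key-B"
    # constructed 1 KiB guest image with 32 distinct chunks
    guest = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
    server = ServerView()
    r1 = server.ingest(chunk_digests(guest, key_a))          # first backup: all new
    changed = bytearray(guest)
    changed[100] ^= 0xFF                                     # touches chunk 3 only
    r2 = server.ingest(chunk_digests(bytes(changed), key_a)) # incremental: 1 new
    r3 = server.ingest(chunk_digests(bytes(changed), key_b)) # key swapped: all new
    return [r1, r2, r3]


if __name__ == "__main__":
    for new, total in simulate():
        print(f"{new}/{total} new chunks, warn={threshold_warning(new, total)}")
```

Note that the very first backup of a guest also trips the threshold, so such a warning needs a baseline or an exception for initial full backups to avoid noise.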
If we set threshold-based warnings on the PBS side, then the threshold value will only be known to the PBS administrator. It certainly makes no sense to substitute the role of SIEM, so IMHO I consider threshold-based warnings to be sufficient basic protection.