[Dirvish] Dirvish and GPG
Jon Radel
jon at radel.com
Sun May 25 03:25:36 UTC 2008
Asheesh Laroia wrote:
> On Sat, 24 May 2008, Roberto Mello wrote:
>
>> Has anyone implemented Dirvish with GPG signing of the backups to make
>> sure they haven't been tampered with?
>
> I haven't implemented this, but this is how I would. At the end of a
> dirvish run:
>
> find . -type f -print0 | xargs sha1sum > SUMS
> gpg --sign SUMS
>
> Then to verify:
>
> gpg --verify SUMS
> sha1sum -c SUMS
>
> -- Asheesh.
>
I fear I may be missing something? What keeps the person who tampers
with the files from creating a new SUMS file and messing with its times
unless you force a human to enter passphrases after every backup? Now,
admittedly, if you configure something like SELinux with great care, you
can make twiddling the SUMS file after the fact very difficult, but if
you do that, you could probably make it equally difficult to tamper with
the backups in the first place.
--Jon Radel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3283 bytes
Desc: S/MIME Cryptographic Signature
Url : http://www.dirvish.org/pipermail/dirvish/attachments/20080524/974f1028/attachment.bin
More information about the Dirvish
mailing list