npbackup/SECURITY.md

# NPF-SEC-00001: SECURITY-ADMIN-BACKUP-PASSWORD ONLY AVAILABLE ON PRIVATE COMPILED BUILDS

Note: This security entry has been retired since v2.3.0, and totally reimplemented in v3.0  
In gui.config we have a function that allows to show unencrypted values of the yaml config file
While this is practical, it should never be allowed on non compiled builds or with the default backup admin password

# NPF-SEC-00002: pre & post execution as well as password commands can be a security risk

All these commands are run with npbackup held privileges.
In order to avoid a potential attack, the config file has to be world readable only.

# NPF-SEC-00003: Avoid password command divulgation

Password command is encrypted in order to avoid it's divulgation if config file is world readable.
Password command is also not logged.

# NPF-SEC-00004: Client should never know the repo password

Partially covered with password_command feature, and alternative aes key management.
We should have a central password server that holds repo passwords, so password is never actually stored in config.
This will prevent local backups, so we need to think of a better zero knowledge strategy here.

# NPF-SEC-00005: Viewer mode can bypass permissions

Since viewer mode requires actual knowledge of repo URI and repo password, there's no need to manage local permissions.
Viewer mode permissions are set to "restore".

# NPF-SEC-00006: Never inject permissions if some are already present

Since v3.0.0, we insert permissions directly into the encrypted repo URI.
Hence, update permissions should only happen in two cases:
- CLI: Recreate repo_uri entry and add permission field from YAML file
- GUI: Enter permission password to update permissions

# NPF-SEC-00007: Encrypted data needs to be protected

Since encryption is symmetric, we need to protect our sensible data.
Best ways:
- Compile with alternative aes-key
- Use `NPBACKUP_KEY_LOCATION` or `NPBACKUP_KEY_COMMAND` to specify alternative AES keys

# NPF-SEC-00008: Don't show manager password / sensible data with --show-config

Using `--show-config` should hide sensible data, and manager password.

# NPF-SEC-00009: Option to show sensible data

When using `--show-config` or right click `show unecrypted`, we should only show unencrypted config if password is set.  
Environment variable `NPBACKUP_MANAGER_PASSWORD` will be read to verify access, or GUI may ask for password.
Also, when wrong password is entered, we should wait in order to reduce brute force attacks.

# NPF-SEC-00010: Date attacks

When using retention policies, we need to make sure that current system date is good, in order to avoid wrong retention deletions.  
When set, an external NTP server is used to get the offset. If offset is high enough (10 min), we avoid executing the retention policies.

# NPF-SEC-00011: Default AES key obfuscation

Using obfuscation() symmetric function in order to not store the bare AES key.

# NPF-SEC-00012: Don't add PRIVATE directory to wheel / bdist builds

The PRIVATE directory might contain alternative AES keys and obfuscation functions which should never be bundled for a PyPI release.
Create SECURITY.md 2023-05-04 00:50:25 +08:00			`# NPF-SEC-00001: SECURITY-ADMIN-BACKUP-PASSWORD ONLY AVAILABLE ON PRIVATE COMPILED BUILDS`

Update SECURITY.md 2024-05-15 18:34:52 +08:00			`Note: This security entry has been retired since v2.3.0, and totally reimplemented in v3.0`
Create SECURITY.md 2023-05-04 00:50:25 +08:00			`In gui.config we have a function that allows to show unencrypted values of the yaml config file`
			`While this is practical, it should never be allowed on non compiled builds or with the default backup admin password`

			`# NPF-SEC-00002: pre & post execution as well as password commands can be a security risk`

			`All these commands are run with npbackup held privileges.`
			`In order to avoid a potential attack, the config file has to be world readable only.`

			`# NPF-SEC-00003: Avoid password command divulgation`

			`Password command is encrypted in order to avoid it's divulgation if config file is world readable.`
Don't log password command, even in debug mode 2023-05-04 18:00:21 +08:00			`Password command is also not logged.`
Create SECURITY.md 2023-05-04 00:50:25 +08:00
			`# NPF-SEC-00004: Client should never know the repo password`

Update SECURITY.md 2024-05-15 18:34:52 +08:00			`Partially covered with password_command feature, and alternative aes key management.`
Create SECURITY.md 2023-05-04 00:50:25 +08:00			`We should have a central password server that holds repo passwords, so password is never actually stored in config.`
Update SECURITY.md 2023-12-29 19:45:23 +08:00			`This will prevent local backups, so we need to think of a better zero knowledge strategy here.`

			`# NPF-SEC-00005: Viewer mode can bypass permissions`

			`Since viewer mode requires actual knowledge of repo URI and repo password, there's no need to manage local permissions.`
Update SECURITY.md 2024-01-15 08:23:16 +08:00			`Viewer mode permissions are set to "restore".`

			`# NPF-SEC-00006: Never inject permissions if some are already present`

Enforce permissions 2024-04-11 07:31:33 +08:00			`Since v3.0.0, we insert permissions directly into the encrypted repo URI.`
Update SECURITY.md 2024-01-15 08:23:16 +08:00			`Hence, update permissions should only happen in two cases:`
			`- CLI: Recreate repo_uri entry and add permission field from YAML file`
			`- GUI: Enter permission password to update permissions`

			`# NPF-SEC-00007: Encrypted data needs to be protected`

			`Since encryption is symmetric, we need to protect our sensible data.`
			`Best ways:`
			`- Compile with alternative aes-key`
Update SECURITY.md 2024-05-15 18:34:52 +08:00			- Use `NPBACKUP_KEY_LOCATION` or `NPBACKUP_KEY_COMMAND` to specify alternative AES keys
Update current progress 2024-04-18 06:41:31 +08:00
			`# NPF-SEC-00008: Don't show manager password / sensible data with --show-config`

Update SECURITY.md 2024-05-15 18:34:52 +08:00			Using `--show-config` should hide sensible data, and manager password.
Add new security related entry 2024-04-21 21:19:14 +08:00
Update SECURITY.md 2024-05-15 18:34:52 +08:00			`# NPF-SEC-00009: Option to show sensible data`
Add new security related entry 2024-04-21 21:19:14 +08:00
Add manager password env variable support 2024-04-23 16:08:31 +08:00			When using `--show-config` or right click `show unecrypted`, we should only show unencrypted config if password is set.
Enforce NPF-SEC-00009 2024-05-15 19:22:11 +08:00			Environment variable `NPBACKUP_MANAGER_PASSWORD` will be read to verify access, or GUI may ask for password.
Document optional NTP server 2024-04-24 06:02:52 +08:00			`Also, when wrong password is entered, we should wait in order to reduce brute force attacks.`

			`# NPF-SEC-00010: Date attacks`

			`When using retention policies, we need to make sure that current system date is good, in order to avoid wrong retention deletions.`
Add default key obfuscation 2024-05-07 16:53:55 +08:00			`When set, an external NTP server is used to get the offset. If offset is high enough (10 min), we avoid executing the retention policies.`

			`# NPF-SEC-00011: Default AES key obfuscation`

Add a reminder to avoid PRIVATE directory bundling 2024-06-05 06:25:34 +08:00			`Using obfuscation() symmetric function in order to not store the bare AES key.`

			`# NPF-SEC-00012: Don't add PRIVATE directory to wheel / bdist builds`

			`The PRIVATE directory might contain alternative AES keys and obfuscation functions which should never be bundled for a PyPI release.`