Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2025-02-08 18:58:40 -05:00
Code Issues Packages Projects Releases Wiki Activity

Port v4 emergency restore password handling to v2 and v3

Browse Source 
Fixes QubesOS/qubes-issues#1967
This commit is contained in:
Rusty Bird 2022-01-02 13:18:56 +00:00
parent cf460ca6a5
commit 51398a74be
No known key found for this signature in database
GPG Key ID: 469D78F47AAF2ADF
2 changed files with 36 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
user/how-to-guides/backup-emergency-restore-v2.md
View File

@ -40,11 +40,17 @@ encrypted and compressed.
dom0-home/dom0user.000.hmac dom0-home/dom0user.000.hmac
~~~ ~~~
2. Verify the integrity of the `private.img` file which houses your data. 2. Set the backup passphrase environment variable. While this isn't strictly
required, it will be handy later and will avoid saving the passphrase in
the shell's history.
[user@restore ~]$ read -r backup_pass
3. Verify the integrity of the `private.img` file which houses your data.
~~~ ~~~
[user@restore ~]$ cd vm1/ [user@restore ~]$ cd vm1/
[user@restore vm1]$ openssl dgst -sha512 -hmac "your_passphrase" private.img.000 [user@restore vm1]$ openssl dgst -sha512 -hmac "$backup_pass" private.img.000
HMAC-SHA512(private.img.000)= cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e HMAC-SHA512(private.img.000)= cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
[user@restore vm1]$ cat private.img.000.hmac [user@restore vm1]$ cat private.img.000.hmac
(stdin)= cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e (stdin)= cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
@ -58,17 +64,17 @@ encrypted and compressed.
complete list of supported message digest algorithms can be found with complete list of supported message digest algorithms can be found with
`openssl list-message-digest-algorithms`. `openssl list-message-digest-algorithms`.
3. Decrypt the `private.img` file. 4. Decrypt the `private.img` file.
~~~ ~~~
[user@restore vm1]$ openssl enc -d -pass pass:your_passphrase -aes-256-cbc -in private.img.000 -out private.img.dec.000 [user@restore vm1]$ openssl enc -d -pass pass:"$backup_pass" -aes-256-cbc -in private.img.000 -out private.img.dec.000
~~~ ~~~
**Note:** For multi-part files, a loop can be used: **Note:** For multi-part files, a loop can be used:
~~~ ~~~
find -name 'private.img.*' | sort -V | while read f; do find -name 'private.img.*' | sort -V | while read f; do
openssl enc -d -pass pass:your_passphrase -aes-256-cbc -in $f -out openssl enc -d -pass pass:"$backup_pass" -aes-256-cbc -in $f -out
${f/.img/.img.dec} ${f/.img/.img.dec}
done done
~~~ ~~~
@ -78,7 +84,7 @@ encrypted and compressed.
list of supported cipher algorithms can be found with `openssl list of supported cipher algorithms can be found with `openssl
list-cipher-algorithms`. list-cipher-algorithms`.
4. Decompress the decrypted `private.img` file. 5. Decompress the decrypted `private.img` file.
~~~ ~~~
[user@restore vm1]$ zforce private.img.dec.* [user@restore vm1]$ zforce private.img.dec.*
@ -88,7 +94,7 @@ encrypted and compressed.
**Note:** If your backup was compressed with a program other than `gzip`, you **Note:** If your backup was compressed with a program other than `gzip`, you
must substitute the correct compression program. must substitute the correct compression program.
5. Untar the decrypted and decompressed `private.img` file. 6. Untar the decrypted and decompressed `private.img` file.
~~~ ~~~
[user@restore vm1]$ tar -M -xvf private.img.dec.000 [user@restore vm1]$ tar -M -xvf private.img.dec.000
@ -110,7 +116,7 @@ encrypted and compressed.
3. `tar --new-volume-script=./new-volume-script -xvf private.img.dec.000`. 3. `tar --new-volume-script=./new-volume-script -xvf private.img.dec.000`.
(The `--new-volume-script` option enables multi-volume untaring.) (The `--new-volume-script` option enables multi-volume untaring.)
6. Mount the private.img file and access your data. 7. Mount the private.img file and access your data.
~~~ ~~~
[user@restore vm1]$ sudo mkdir /mnt/img [user@restore vm1]$ sudo mkdir /mnt/img

38
user/how-to-guides/backup-emergency-restore-v3.md
View File

@ -38,10 +38,16 @@ any GNU/Linux system with the following procedure.
dom0-home/dom0user.000 dom0-home/dom0user.000
dom0-home/dom0user.000.hmac dom0-home/dom0user.000.hmac
2. Verify the integrity of the `backup-header` file, which contains basic 2. Set the backup passphrase environment variable. While this isn't strictly
required, it will be handy later and will avoid saving the passphrase in
the shell's history.
[user@restore ~]$ read -r backup_pass
3. Verify the integrity of the `backup-header` file, which contains basic
information about your backup. information about your backup.
[user@restore ~]$ openssl dgst -sha512 -hmac "your_passphrase" backup-header [user@restore ~]$ openssl dgst -sha512 -hmac "$backup_pass" backup-header
HMAC-SHA512(backup-header)= 5b266783e116fe3b2601a54c249ca5f5f96d421dfe6828eeaeb2dcd014e9e945c27b3d7b0f952f5d55c927318906d9c360f387b0e1f069bb8195e96543e2969c HMAC-SHA512(backup-header)= 5b266783e116fe3b2601a54c249ca5f5f96d421dfe6828eeaeb2dcd014e9e945c27b3d7b0f952f5d55c927318906d9c360f387b0e1f069bb8195e96543e2969c
[user@restore ~]$ cat backup-header.hmac [user@restore ~]$ cat backup-header.hmac
(stdin)= 5b266783e116fe3b2601a54c249ca5f5f96d421dfe6828eeaeb2dcd014e9e945c27b3d7b0f952f5d55c927318906d9c360f387b0e1f069bb8195e96543e2969c (stdin)= 5b266783e116fe3b2601a54c249ca5f5f96d421dfe6828eeaeb2dcd014e9e945c27b3d7b0f952f5d55c927318906d9c360f387b0e1f069bb8195e96543e2969c
@ -52,13 +58,13 @@ any GNU/Linux system with the following procedure.
**Note:** If your backup was hashed with a message digest algorithm other **Note:** If your backup was hashed with a message digest algorithm other
than `sha512`, you must substitute the correct message digest command. This than `sha512`, you must substitute the correct message digest command. This
information is contained in the `backup-header` file (see step 3), however information is contained in the `backup-header` file (see step 4), however
it is not recommended to open this file until its integrity and it is not recommended to open this file until its integrity and
authenticity has been verified (the current step). A complete list of authenticity has been verified (the current step). A complete list of
supported message digest algorithms can be found with `openssl supported message digest algorithms can be found with `openssl
list-message-digest-algorithms`. list-message-digest-algorithms`.
3. Read the `backup-header`. You'll need some of this information later. The 4. Read the `backup-header`. You'll need some of this information later. The
file will look similar to this: file will look similar to this:
[user@restore ~]$ cat backup-header [user@restore ~]$ cat backup-header
@ -72,10 +78,10 @@ any GNU/Linux system with the following procedure.
**Note:** If you see `version=2` here, go to [Emergency Backup Recovery - **Note:** If you see `version=2` here, go to [Emergency Backup Recovery -
format version 2](/doc/backup-emergency-restore-v2/) instead. format version 2](/doc/backup-emergency-restore-v2/) instead.
4. Verify the integrity of the `private.img` file which houses your data. 5. Verify the integrity of the `private.img` file which houses your data.
[user@restore ~]$ cd vm1/ [user@restore ~]$ cd vm1/
[user@restore vm1]$ openssl dgst -sha512 -hmac "your_passphrase" private.img.000 [user@restore vm1]$ openssl dgst -sha512 -hmac "$backup_pass" private.img.000
HMAC-SHA512(private.img.000)= cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e HMAC-SHA512(private.img.000)= cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
[user@restore vm1]$ cat private.img.000.hmac [user@restore vm1]$ cat private.img.000.hmac
(stdin)= cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e (stdin)= cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
@ -86,21 +92,21 @@ any GNU/Linux system with the following procedure.
**Note:** If your backup was hashed with a message digest algorithm other **Note:** If your backup was hashed with a message digest algorithm other
than `sha512`, you must substitute the correct message digest command. This than `sha512`, you must substitute the correct message digest command. This
information is contained in the `backup-header` file (see step 3). A information is contained in the `backup-header` file (see step 4). A
complete list of supported message digest algorithms can be found with complete list of supported message digest algorithms can be found with
`openssl list-message-digest-algorithms`. `openssl list-message-digest-algorithms`.
5. Decrypt the `private.img` file. 6. Decrypt the `private.img` file.
[user@restore vm1]$ find -name 'private.img.*[0-9]' | sort -V | xargs cat | openssl enc -d -pass pass:your_passphrase -aes-256-cbc -out private.img.dec [user@restore vm1]$ find -name 'private.img.*[0-9]' | sort -V | xargs cat | openssl enc -d -pass pass:"$backup_pass" -aes-256-cbc -out private.img.dec
**Note:** If your backup was encrypted with a cipher algorithm other than **Note:** If your backup was encrypted with a cipher algorithm other than
`aes-256-cbc`, you must substitute the correct cipher command. This `aes-256-cbc`, you must substitute the correct cipher command. This
information is contained in the `backup-header` file (see step 3). A information is contained in the `backup-header` file (see step 4). A
complete list of supported cipher algorithms can be found with `openssl complete list of supported cipher algorithms can be found with `openssl
list-cipher-algorithms`. list-cipher-algorithms`.
6. Decompress the decrypted `private.img` file. 7. Decompress the decrypted `private.img` file.
[user@restore vm1]$ zforce private.img.dec [user@restore vm1]$ zforce private.img.dec
private.img.dec -- replaced with private.img.dec.gz private.img.dec -- replaced with private.img.dec.gz
@ -108,26 +114,26 @@ any GNU/Linux system with the following procedure.
**Note:** If your backup was compressed with a program other than `gzip`, **Note:** If your backup was compressed with a program other than `gzip`,
you must substitute the correct compression program. This information is you must substitute the correct compression program. This information is
contained in the `backup-header` file (see step 3). For example, if you contained in the `backup-header` file (see step 4). For example, if you
used `bzip2`, then you should do this: used `bzip2`, then you should do this:
[user@restore vm1]$ mv private.img.dec private.img.dec.bz2 [user@restore vm1]$ mv private.img.dec private.img.dec.bz2
[user@restore vm1]$ bunzip2 private.img.dec.bz2 [user@restore vm1]$ bunzip2 private.img.dec.bz2
7. Untar the decrypted and decompressed `private.img` file. 8. Untar the decrypted and decompressed `private.img` file.
[user@restore vm1]$ tar -xvf private.img.dec [user@restore vm1]$ tar -xvf private.img.dec
vm1/private.img vm1/private.img
8. Mount the private.img file and access your data. 9. Mount the private.img file and access your data.
[user@restore vm1]$ sudo mkdir /mnt/img [user@restore vm1]$ sudo mkdir /mnt/img
[user@restore vm1]$ sudo mount -o loop vm1/private.img /mnt/img/ [user@restore vm1]$ sudo mount -o loop vm1/private.img /mnt/img/
[user@restore vm1]$ cat /mnt/img/home/user/your_data.txt [user@restore vm1]$ cat /mnt/img/home/user/your_data.txt
This data has been successfully recovered! This data has been successfully recovered!
9. Success! If you wish to recover data from more than one VM in your backup, 10. Success! If you wish to recover data from more than one VM in your backup,
simply repeat steps 4--8 for each additional VM. simply repeat steps 5--9 for each additional VM.
**Note:** You may wish to store a copy of these instructions with your **Note:** You may wish to store a copy of these instructions with your
Qubes backups in the event that you fail to recall the above procedure Qubes backups in the event that you fail to recall the above procedure