diff --git a/user/how-to-guides/backup-emergency-restore-v2.md b/user/how-to-guides/backup-emergency-restore-v2.md index d1a4b082..b261eaed 100644 --- a/user/how-to-guides/backup-emergency-restore-v2.md +++ b/user/how-to-guides/backup-emergency-restore-v2.md @@ -40,11 +40,17 @@ encrypted and compressed. dom0-home/dom0user.000.hmac ~~~ -2. Verify the integrity of the `private.img` file which houses your data. +2. Set the backup passphrase environment variable. While this isn't strictly + required, it will be handy later and will avoid saving the passphrase in + the shell's history. + + [user@restore ~]$ read -r backup_pass + +3. Verify the integrity of the `private.img` file which houses your data. ~~~ [user@restore ~]$ cd vm1/ - [user@restore vm1]$ openssl dgst -sha512 -hmac "your_passphrase" private.img.000 + [user@restore vm1]$ openssl dgst -sha512 -hmac "$backup_pass" private.img.000 HMAC-SHA512(private.img.000)= cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e [user@restore vm1]$ cat private.img.000.hmac (stdin)= cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e @@ -58,17 +64,17 @@ encrypted and compressed. complete list of supported message digest algorithms can be found with `openssl list-message-digest-algorithms`. -3. Decrypt the `private.img` file. +4. Decrypt the `private.img` file. ~~~ - [user@restore vm1]$ openssl enc -d -pass pass:your_passphrase -aes-256-cbc -in private.img.000 -out private.img.dec.000 + [user@restore vm1]$ openssl enc -d -pass pass:"$backup_pass" -aes-256-cbc -in private.img.000 -out private.img.dec.000 ~~~ **Note:** For multi-part files, a loop can be used: ~~~ find -name 'private.img.*' | sort -V | while read f; do - openssl enc -d -pass pass:your_passphrase -aes-256-cbc -in $f -out + openssl enc -d -pass pass:"$backup_pass" -aes-256-cbc -in $f -out ${f/.img/.img.dec} done ~~~ @@ -78,7 +84,7 @@ encrypted and compressed. list of supported cipher algorithms can be found with `openssl list-cipher-algorithms`. -4. Decompress the decrypted `private.img` file. +5. Decompress the decrypted `private.img` file. ~~~ [user@restore vm1]$ zforce private.img.dec.* @@ -88,7 +94,7 @@ encrypted and compressed. **Note:** If your backup was compressed with a program other than `gzip`, you must substitute the correct compression program. -5. Untar the decrypted and decompressed `private.img` file. +6. Untar the decrypted and decompressed `private.img` file. ~~~ [user@restore vm1]$ tar -M -xvf private.img.dec.000 @@ -110,7 +116,7 @@ encrypted and compressed. 3. `tar --new-volume-script=./new-volume-script -xvf private.img.dec.000`. (The `--new-volume-script` option enables multi-volume untaring.) -6. Mount the private.img file and access your data. +7. Mount the private.img file and access your data. ~~~ [user@restore vm1]$ sudo mkdir /mnt/img diff --git a/user/how-to-guides/backup-emergency-restore-v3.md b/user/how-to-guides/backup-emergency-restore-v3.md index 1c42d09a..19fb437f 100644 --- a/user/how-to-guides/backup-emergency-restore-v3.md +++ b/user/how-to-guides/backup-emergency-restore-v3.md @@ -38,10 +38,16 @@ any GNU/Linux system with the following procedure. dom0-home/dom0user.000 dom0-home/dom0user.000.hmac - 2. Verify the integrity of the `backup-header` file, which contains basic + 2. Set the backup passphrase environment variable. While this isn't strictly + required, it will be handy later and will avoid saving the passphrase in + the shell's history. + + [user@restore ~]$ read -r backup_pass + + 3. Verify the integrity of the `backup-header` file, which contains basic information about your backup. - [user@restore ~]$ openssl dgst -sha512 -hmac "your_passphrase" backup-header + [user@restore ~]$ openssl dgst -sha512 -hmac "$backup_pass" backup-header HMAC-SHA512(backup-header)= 5b266783e116fe3b2601a54c249ca5f5f96d421dfe6828eeaeb2dcd014e9e945c27b3d7b0f952f5d55c927318906d9c360f387b0e1f069bb8195e96543e2969c [user@restore ~]$ cat backup-header.hmac (stdin)= 5b266783e116fe3b2601a54c249ca5f5f96d421dfe6828eeaeb2dcd014e9e945c27b3d7b0f952f5d55c927318906d9c360f387b0e1f069bb8195e96543e2969c @@ -52,13 +58,13 @@ any GNU/Linux system with the following procedure. **Note:** If your backup was hashed with a message digest algorithm other than `sha512`, you must substitute the correct message digest command. This - information is contained in the `backup-header` file (see step 3), however + information is contained in the `backup-header` file (see step 4), however it is not recommended to open this file until its integrity and authenticity has been verified (the current step). A complete list of supported message digest algorithms can be found with `openssl list-message-digest-algorithms`. - 3. Read the `backup-header`. You'll need some of this information later. The + 4. Read the `backup-header`. You'll need some of this information later. The file will look similar to this: [user@restore ~]$ cat backup-header @@ -72,10 +78,10 @@ any GNU/Linux system with the following procedure. **Note:** If you see `version=2` here, go to [Emergency Backup Recovery - format version 2](/doc/backup-emergency-restore-v2/) instead. - 4. Verify the integrity of the `private.img` file which houses your data. + 5. Verify the integrity of the `private.img` file which houses your data. [user@restore ~]$ cd vm1/ - [user@restore vm1]$ openssl dgst -sha512 -hmac "your_passphrase" private.img.000 + [user@restore vm1]$ openssl dgst -sha512 -hmac "$backup_pass" private.img.000 HMAC-SHA512(private.img.000)= cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e [user@restore vm1]$ cat private.img.000.hmac (stdin)= cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e @@ -86,21 +92,21 @@ any GNU/Linux system with the following procedure. **Note:** If your backup was hashed with a message digest algorithm other than `sha512`, you must substitute the correct message digest command. This - information is contained in the `backup-header` file (see step 3). A + information is contained in the `backup-header` file (see step 4). A complete list of supported message digest algorithms can be found with `openssl list-message-digest-algorithms`. - 5. Decrypt the `private.img` file. + 6. Decrypt the `private.img` file. - [user@restore vm1]$ find -name 'private.img.*[0-9]' | sort -V | xargs cat | openssl enc -d -pass pass:your_passphrase -aes-256-cbc -out private.img.dec + [user@restore vm1]$ find -name 'private.img.*[0-9]' | sort -V | xargs cat | openssl enc -d -pass pass:"$backup_pass" -aes-256-cbc -out private.img.dec **Note:** If your backup was encrypted with a cipher algorithm other than `aes-256-cbc`, you must substitute the correct cipher command. This - information is contained in the `backup-header` file (see step 3). A + information is contained in the `backup-header` file (see step 4). A complete list of supported cipher algorithms can be found with `openssl list-cipher-algorithms`. - 6. Decompress the decrypted `private.img` file. + 7. Decompress the decrypted `private.img` file. [user@restore vm1]$ zforce private.img.dec private.img.dec -- replaced with private.img.dec.gz @@ -108,26 +114,26 @@ any GNU/Linux system with the following procedure. **Note:** If your backup was compressed with a program other than `gzip`, you must substitute the correct compression program. This information is - contained in the `backup-header` file (see step 3). For example, if you + contained in the `backup-header` file (see step 4). For example, if you used `bzip2`, then you should do this: [user@restore vm1]$ mv private.img.dec private.img.dec.bz2 [user@restore vm1]$ bunzip2 private.img.dec.bz2 - 7. Untar the decrypted and decompressed `private.img` file. + 8. Untar the decrypted and decompressed `private.img` file. [user@restore vm1]$ tar -xvf private.img.dec vm1/private.img - 8. Mount the private.img file and access your data. + 9. Mount the private.img file and access your data. [user@restore vm1]$ sudo mkdir /mnt/img [user@restore vm1]$ sudo mount -o loop vm1/private.img /mnt/img/ [user@restore vm1]$ cat /mnt/img/home/user/your_data.txt This data has been successfully recovered! - 9. Success! If you wish to recover data from more than one VM in your backup, - simply repeat steps 4--8 for each additional VM. +10. Success! If you wish to recover data from more than one VM in your backup, + simply repeat steps 5--9 for each additional VM. **Note:** You may wish to store a copy of these instructions with your Qubes backups in the event that you fail to recall the above procedure diff --git a/user/how-to-guides/backup-emergency-restore-v4.md b/user/how-to-guides/backup-emergency-restore-v4.md index 16d46349..19367a24 100644 --- a/user/how-to-guides/backup-emergency-restore-v4.md +++ b/user/how-to-guides/backup-emergency-restore-v4.md @@ -111,7 +111,7 @@ Emergency Recovery Instructions required, it will be handy later and will avoid saving the passphrase in the shell's history. - [user@restore ~]$ read backup_pass + [user@restore ~]$ read -r backup_pass 3. Verify the integrity of `backup-header`. For compatibility reasons, `backup-header.hmac` is an encrypted *and integrity protected* diff --git a/user/security-in-qubes/yubi-key.md b/user/security-in-qubes/yubi-key.md index 10f5809d..db1c2f02 100644 --- a/user/security-in-qubes/yubi-key.md +++ b/user/security-in-qubes/yubi-key.md @@ -72,7 +72,7 @@ To use this mode you need to: (This way your password will not leak to the terminal command history file.) ``` - read password + read -r password ``` Now run the following command to calculate your hashed password.