Started to use Kopia recently and I’m pretty impressed by the project.
I was drawn to it because of the object lock capabilities discussed in the ransomware post. But now that I’ve got it set up and working, with the restricted application key, I’m wondering if the object lock actually adds any real protection beyond e.g. the Backblaze B2 lifecycle policies.
Presumably if configured correctly the only way to change the lifecycle policies is to log into the Backblaze Web UI with password and 2FA (assuming only limited access app keys are available), in which case one can also delete the backblaze account, and defeat the object locks. So is the object lock just kind of security theater with respect to a ransomware actor?
Or does relying on lifecycle settings and limited access app keys alone open up other avenues by which a ransomware that gains access to a user computer account could delete B2 bucket files?
Object lock as you noticed can be only defeated by deleting the backblaze account. Now I am not familiar with B2 but with AWS you can create hierarchy of users with only root having access to admin feature like account cancellation. Then you can deposit these credentials in your bank safe and forget them:) with people in your organization only using less privileged users (still very powerful if needed minus account cancellation). In such case object lock with legal hold gives you very strong protection. Nothing (ransomware??) and nobody (rogue user??) from within your organization can destroy or change such data - it is often legal requirement in some industries where records have to be kept for specific amount of time. Most likely companies like AWS created this feature exactly based on these requirements.
So it is as secure as your root account credentials security. Good practice is never ever use root account for anything and do not store them on any computer - only use them for initial power user creation and store them old fashioned way on piece of paper somewhere.
Object lock itself is no magic. It only works when other security precautions are taken and implemented. But it helps enormously to create what it says - “locked” data stored in online system.
Thanks, that’s helpful. My case is simple as I’m the only user, but presumably I should look to see if it’s possible to manage my B2 account with a less privileged user.
Maybe this is a question for B2 rather than Kopia, but how do I know that the permissions in (from ransomware post):
b2 create-key --bucket <bucket-name> <key-name> listBuckets,readBuckets,listFiles,readFiles,writeFiles,readBucketEncryption,readBucketReplications,readBucketRetentions,readFileRetentions,writeFileRetentions,readFileLegalHolds
prevent the application from changing lifecycle rules?
From reading documentation and looking at the UI it seems that one would need either createBuckets or updateBuckets, so the application key should be unable to modify lifecycle rules. But I’m having trouble finding clear documentation that clearly states these things.
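One way to check a key like the one quoted above is to audit its capability list against the capabilities that would let a compromised backup host weaken the bucket's protection. The script below is an added example, not from this thread, the Kopia project, or Backblaze; the capability names it flags beyond those quoted in the thread (writeBuckets, deleteBuckets, deleteFiles, writeKeys, deleteKeys, writeBucketRetentions, writeFileLegalHolds, bypassGovernance) are taken from the B2 API documentation as I recall it and should be verified against the current docs. In particular, lifecycle rules are part of the bucket configuration, which is changed through b2_update_bucket under the writeBuckets capability, so a key without writeBuckets cannot touch them.

```python
# Audit a Backblaze B2 application-key capability list for permissions that
# would let a compromised backup host weaken or delete the bucket's protection.
# Added example, not code from the Kopia thread, Kopia, or Backblaze.
# Capability names other than those quoted in the thread are assumptions
# based on the B2 API docs as recalled; verify them against current docs.

from typing import Dict, List

# The capability list quoted in the thread (from the Kopia ransomware post).
THREAD_KEY_CAPS = (
    "listBuckets,readBuckets,listFiles,readFiles,writeFiles,readBucketEncryption,"
    "readBucketReplications,readBucketRetentions,readFileRetentions,"
    "writeFileRetentions,readFileLegalHolds"
)

# Capabilities that change bucket settings, delete data, weaken object lock,
# or manage keys. Lifecycle rules live in the bucket configuration and are
# changed via b2_update_bucket, which requires writeBuckets. Assumed set.
RISKY: Dict[str, str] = {
    "writeBuckets": "can update bucket settings, including lifecycle rules",
    "deleteBuckets": "can delete the bucket",
    "deleteFiles": "can delete file versions outside object-lock protection",
    "writeKeys": "can mint new application keys with broader capabilities",
    "deleteKeys": "can delete application keys, including this one",
    "writeBucketRetentions": "can change the bucket's default object-lock retention",
    "writeFileLegalHolds": "can place or remove legal holds",
    "bypassGovernance": "can delete objects locked in governance mode",
}


def parse_caps(caps: str) -> List[str]:
    """Split the comma-separated capability string as passed to `b2 create-key`."""
    return [c.strip() for c in caps.split(",") if c.strip()]


def audit_key(caps: str) -> Dict[str, List[str]]:
    """Return the risky capabilities present and every write-class capability kept.

    writeFiles and writeFileRetentions are expected on a backup key: the first
    uploads new objects, the second sets/extends per-object retention. Neither
    lets the holder shorten retention on an existing compliance-mode object.
    """
    present = parse_caps(caps)
    return {
        "flagged": [c for c in present if c in RISKY],
        "write_caps": [c for c in present if c.startswith("write")],
    }


def can_change_lifecycle(caps: str) -> bool:
    """True if the key holds writeBuckets, the capability behind b2_update_bucket."""
    return "writeBuckets" in parse_caps(caps)


def report(caps: str) -> str:
    """Human-readable summary of an audit, one line per finding."""
    result = audit_key(caps)
    lines = [f"lifecycle rules changeable: {can_change_lifecycle(caps)}"]
    lines += [f"RISKY {c}: {RISKY[c]}" for c in result["flagged"]]
    lines += [f"write capability kept: {c}" for c in result["write_caps"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(THREAD_KEY_CAPS))
```

Running it against the thread's list reports that lifecycle rules are not changeable and that the only write-class capabilities kept are writeFiles and writeFileRetentions, which is what a backup-only key should look like.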
I have no clue about B2. Maybe some other B2 users can help.
But in general with object lock in place you do not have to worry about changing lifecycle rules by rogue actor. It means your system has been compromised - but your data is safe anyway for duration of your object lock. Nobody and nothing can change existing data.
A very different question is how to detect such sophisticated attack… It is easy when all your data is ransom encrypted or simply deleted. When attacker does subtle changes spread over long time it might be not easy to detect it. But it has nothing to do with object lock - which always does its job.