Hello everyone,
I’m just stumbling across the topic of repo password.
I can easily change the password while the repo is connected.
- Without having to know the old password and without having to confirm the new one!
Please correct me, but I can’t find a way to protect this natively.
If I used ObjectLock I would still have the two files kopia.blogcfg and kopia.repository in an old version in the bucket, but that is not practical.
My thought is this:
Let’s assume a short retention of 2 weeks and S3 ObjectLock. An attacker changes the repo password, I don’t notice. On day 15 my source is encrypted due to ransomware. When I try to restart from new hardware, I can no longer access the repo because the password has been changed. The weeks with good data in the S3 repo is not usable.
Further:
As far as I can see, the S3 access can also be read in plain text from the config file. Which is bearable with ObjectLock. However, objectlock is useless due to an unprotected repo password.
In my opinion, it doesn’t help to perform a repo disconnect after every snap. A good observer waits for the moment when the repo is open.
Am I missing a protection option to prevent the scenario?
Thanks for input.