Disclaimer: I am not a security expert.
Question: What is the purpose & concept of the revocable user key in restic? (
restic key remove)?
If I understand correctly, user key revocation doesn’t prevent users with the revoked password from accessing the data inside the repository (because they already obtained the repo encryption key with
restic cat masterkey before their key was revoked).
Perhaps the goal is to prevent a user from accessing a repository with an unmodified client? This doesn’t seem very valuable - it is trivial to overcome as the client is open source. Probably a 1-line change to set the encryption key to a constant instead of retrieving it from the repository.
Restic seems to have a really nice implementation of data-at-rest-encryption, key-wrapping keys, and data integrity verification.
But if I understand correctly, Restic does not support concept of cryptoperiods (NIST 800-57, section 5.3) - the ability to re-encrypt data within the repository when needed. Like when a key leaks, a user leaves the organization, or technology improves sufficiently to make old keys crackable.
For applications like restic (symmetric data encryption, large volumes, originator-usage, key-wrapping keys), I believe NIST recommends cryptoperiods of < 2 years. (5.3.6)
If restic supported re-encryption, the
restic key removerevocation function would make a lot more sense. I think restic could support either of two use cases for key revocation:
- Preventing users with revoked passwords from accessing the repository at all (by re-encrypting the entire repository to a new encryption key which is not accessible with the revoked password). Note that these users may have taken a copy of the repository while they had access.
- Preventing users with revoked passwords from accessing new data in the repository (added after their key was revoked). This would not require re-encryption of old content, but would require the repository to support multiple encryption keys. New data would be encrypted with a new encryption key. Which would mean that every blob in the repository would require a pointer to its encryption key.
Note that implementing #2 above would also allow old data to be protected either fully or partially by migrating old blobs to the new key. It would also allow re-encryption to occur over time - re-encryption could be performed blob-by-blob instead of the entire repo at once.
Am I thinking about this correctly? Is this a valuable feature request?