TurnKey Linux Virtual Appliance Library

tklbam local backup escrow keys

cody.zuschlag's picture

I have configured tklbam and use local storage for my backups (as described here). It is not clear to me if I need to store the keys everytime I do a backup. I use:

tklbam-escrow -P /local/storage/key

Do I need to do this everytime I execute the following? Or is doing it once enough for all backups on that machine?

tklbam-backup --address file:///local/storage/backup

In fact, it is not exceptionally clear to me what the escrow key is. Honestly, I would prefer to store my backups uncrypted (i.e. using the --no-encryption option with duplicity) because I don't need an extra layer of security on our local file server (where the backups are stored). As far as I know, there is no way to have tklbam send this parameter to duplicity. Is that correct?

Jeremy Davis's picture

I'm not sure to be honest

But the easy way to find out would be to test. Run a fresh backup without creating a new key and see if you can restore it (with the old key...) I guess I'd be a little nervious though even if it works. As is usual good practice for backups they should be regularly tested (ideally restoring to a fresh instance).

And AFAIK TKLBAM doesn't have an option to not use encryption but as it's open source you are always free to have a bit of a tinker! :) IIRC the code is in the TKL GitHub repo.

IMO though unless you have huge amounts of data and/or really slow internet then using the Hub is the go - at $0.14/GB/mth it is really cheap!

Guest's picture

I've got the same question as the OP

Do I need a new key for every backup to a local disk?

Jeremy Davis's picture

I've got pretty much the same answer as before...:)

As I have never used TKLBAM with local storage I can't be sure... When you use the Hub you only need to use an escrow key if you password protect your backups and want to have a failsafe (in cause you forget your password). And the one key applies to all your backups. The Hub automagically takes care of the encrytion of files etc.

When running TKLBAM 'manually' (i.e. not linked to the Hub) you don't have the advantage of the Hub taking care of backup locations and encryption. So my suspicion is that you would need to create a new key each time and that they are individual keys which relate to just one backup.

But like I suggested above, why not try it? Then you'll know for sure...

Guest's picture

I ran into this again, so I

I ran into this again, so I finally tested this. As it turns out, no you only need to create a single key and you can use it for any of the backups you make. I am making my backups to a local NAS instead of Amazon, but I don't think this makes any difference.

Jeremy Davis's picture

Great, thanks Nelson

Thanks so much for posting back. When you say "you only need to create a single key and you can use it for any of the backups you make" I assume that means that a single key covers multiple backups from the one server. I'm guessing that wouldn't cover multiple servers though?
Nelson Hoover's picture

You're right. One key per

You're right. One key per server works for multiple backups from the same server.

Post new comment

The content of this field is kept private and will not be shown publicly. If you have a Gravatar account, used to display your avatar.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <p> <span> <div> <h1> <h2> <h3> <h4> <h5> <h6> <img> <map> <area> <hr> <br> <br /> <ul> <ol> <li> <dl> <dt> <dd> <table> <tr> <td> <em> <b> <u> <i> <strong> <font> <del> <ins> <sub> <sup> <quote> <blockquote> <pre> <address> <code> <cite> <strike> <caption>

More information about formatting options

Leave this field empty. It's part of a security mechanism.
(Dear spammers: moderators are notified of all new posts. Spam is deleted immediately)