I've been trying to set up TKLBAM with S3 for a while now and have it working, but not without some confusion. I've read the documentation and followed the man pages but am having serious problems understanding the security measures, namely the difference between and purpose of the passphrase and escrow keys.
If I follow the man pages in order, it takes me through the following steps:
(Note: All of the following was done using the TKL Redmine 11.1 appliance)
# Step 1 tklbam-init [ API-KEY ]
No problems there
# Step 2 tklbam-passphrase [-options]
Here I used the '--random' flag to generate a random passphrase which it printed to the screen (as expected)
# Step 3 tklbam-escrow [ -options ] KEYFILE
The description here says: "Creates an escrow key you can pass directly to the restore command. Save this somewhere safe."
Arguments: "KEYFILE: File path to save the escrow key (- for stdout)"
As I wasn't sure where the keyfile should go, I decided to use '-' expecting it to print it to stdout. However, invoking this command as:
tklbam-escrow --random-passphrase -
just prints out the help text. I eventually decided to just use
tklbam-escrow --random-passphrase /path/to/some/dir/key
and it seemed as though it worked ok, printing out another passphrase to stdout.
So at this stage I now have 2 different passphrases and an escrow key. As I wanted to back up the keyfile to my local drive, I copied it down using scp. However, when I go into the Webmin interface it also gives me the option to download the escrow key. As a matter of curiosity I did so and compared it to the key I downloaded using scp and saw that they are not the same.
# Step 4 tklbam-backup
I proceeded to run a backup and all went ok
# Step 5 tklbam-list
A quick check and it's all there
# Step 6 tklbam-restore:
I wanted to test the backup so I installed a fresh TKL appliance VM using VirtualBox and this time decided to do the TKLBAM configuration and restore operation through the Webmin interface rather than the command line.
After entering the API key in the Webmin interface (on the new fresh VM) I was surprised to see that it also gave me the option to download the Escrow key (thinking perhaps it was able to retrieve it from the hub) but on downloading I could see that this was also different from the 2 I had previously downloaded from the original appliance.
Ignoring this I chose to restore my previous backup to this fresh VM. It asked me for the passphrase so I entered the first one generated from step 2 above.
The passphrase was accepted and the backup seemed to go ok. I rebooted the appliance but on reboot it asked me to enter the password for the root account again. It did the same for the MySQL root account and Redmine admin account (as it would during a fresh appliance install).
It also asked me for the TKLBAM API Key again. When I entered this it gave a quick dialog saying something along the lines of "linking account", but quickly switched to another dialog saying
"error: already initialized".
Selecting ok brought me back to the dialog to enter the API key so this time I chose to 'skip'.
Next was the dialog for installing security updates so I agreed to that but this completed very quickly (unlike the fresh install).
Going for a test I could see that phpmyadmin and another web application (both of which were installed separately from the original appliance default applications) were there and working as expected. Great! However, when I tried to test Redmine, (installed as part of the original appliance), using the URL 'http://[ip.address.of.vm]/railsapp/public' it failed with:
The requested URL /railsapp/public/dispatch.cgi was not found on this server.
Since I originally changed the apache config for Redmine from www.mydomain.com to redmine.mydomain.com, I thought this might be the issue so I changed my hosts file to point redmine.mydomain.com to the ip address of the new VirtualBox VM. This time it worked as expected so all is good. Very, very impressive. Turnkey and TKLBAM will definitely be part of my workflow from now on :)
However there are some things I am still unsure of.
1. Why do I have 2 different passphrases and 3 different escrow keys?
2. What is the purpose of each?
3. What exactly is the Escrow Key used for?
4. Does it matter that I have stored my Escrow key on the same volume that is being backed up to the S3 storage?
5. Why did the appliance ask me for all of the root/admin passwords again on reboot?
6. What would have happened if I had chosen different passwords on boot this time?
And if you have time:
7. Is setting the host file as I have done above the best method to test subdomains like this or is there a preferred method people use which allows them to test subdomains in these cases no matter what the ip address is?
Apologies for the verboseness of the post and thank you for all the brilliant work!