key rollover page: boxbackup
boxbackup
=========
Boxbackup is not present in Debian stable, only in testing/Lenny.
Upstream has published a first impact analysis of key material created
on a system with an insufficiently random PRNG. You can read the details
here:
http://lists.warhead.org.uk/pipermail/boxbackup/2008-May/004476.html
If the PRNG in your OpenSSL was insufficiently random, you need to:
* Regenerate all affected certificates, i.e. every certificate that was
generated or signed on an affected system
* Regenerate all the data keys (*-FileEncKeys.raw)
* Destroy the data stored on your server to an appropriate level of
security (overwrite with zeros at the least, more if you're paranoid)
* Upload everything again
* Take appropriate measures under the assumption that you have been
storing your data in plain text on a public server without authentication
(i.e. start from scratch, destroying all trace of the backed-up
data, and take other measures to mitigate the exposure of your
secrets)
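The "regenerate the data keys" and "overwrite with zeros" steps above as one shell script. This is an added example, not code from the boxbackup project or from this page; it assumes the path of the key file is passed as its first argument and that the host's kernel random source (/dev/urandom) is sound, which the Debian OpenSSL PRNG was not. Certificates still have to be regenerated separately.

```sh
#!/bin/sh
# Added example (not boxbackup's own tooling): zero-overwrite a boxbackup
# data key file (*-FileEncKeys.raw), unlink it, and create a fresh one of
# the same length from /dev/urandom so the new key does not depend on
# OpenSSL's PRNG.  Assumption: /dev/urandom on this host is trustworthy.
set -eu

# Size of a file in bytes (wc -c is POSIX; tr strips BSD wc's padding).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Overwrite the file in place with zeros, flush, then unlink it.
# Caveat: on journaling, copy-on-write or flash storage the old blocks
# may survive; this is only the "at the least" level the page describes.
zero_and_remove() {
    sz=$(file_size "$1")
    dd if=/dev/zero of="$1" bs="$sz" count=1 conv=notrunc 2>/dev/null
    sync
    rm -f "$1"
}

# Create a new key file of the requested length, owner-readable only.
# umask 077 is set before creation so the key is never world-readable,
# not even briefly between creation and a later chmod.
new_key_file() {
    ( umask 077; head -c "$2" /dev/urandom > "$1" )
    [ "$(file_size "$1")" -eq "$2" ] || {
        echo "short read from /dev/urandom for $1" >&2
        return 1
    }
}

# Roll over one key file, keeping the old length so bbackupd reads the
# new file exactly as it read the old one.
rollover_key() {
    key="$1"
    [ -f "$key" ] || { echo "no such key file: $key" >&2; return 1; }
    sz=$(file_size "$key")
    zero_and_remove "$key"
    new_key_file "$key" "$sz"
}

# Entry point when run directly: ./rollover.sh /path/to/host-FileEncKeys.raw
if [ "${1:-}" != "" ]; then
    rollover_key "$1"
fi
```

Run it once per client key file, then re-upload everything, since data encrypted under the old key is unreadable with the new one.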