
key rollover page: boxbackup



boxbackup
=========

Boxbackup is not present in Debian stable, only in testing/Lenny.

Upstream has published a first impact analysis of key material created
on a system with an insufficiently random PRNG. The details are here:
http://lists.warhead.org.uk/pipermail/boxbackup/2008-May/004476.html

If the PRNG in your OpenSSL was insufficiently random, you need to:

    * Regenerate all affected certificates, i.e. every certificate that was
      generated or signed on an affected system
    * Regenerate all the data keys (*-FileEncKeys.raw)
    * Destroy the data stored on your server to an appropriate level of
      security (overwrite with zeros at the least, more if you're paranoid)
    * Upload everything again
    * Take appropriate measures under the assumption that you have been
      storing your data in plain text on a public server without authentication
      (i.e. start from scratch, destroying all trace of the backed up
      data, and take other measures to mitigate the exposure of your
      secrets)
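The following shell script is an added example written for this page; it is not code from the Box Backup project or from the original post. It supports the first two steps above: it flags client certificates whose notBefore date falls inside the period in which Debian's OpenSSL PRNG was weak (2006-09-17 to 2008-05-13, the dates given in DSA-1571; the assumption is that a certificate minted outside that window on a patched system is fine), and it overwrites and regenerates a *-FileEncKeys.raw data key. The 1024-byte key size and the `.crt` naming are assumptions; check them against the bbackupd-config on your own install.

```shell
#!/bin/sh
# Added example, not part of Box Backup. Identifies certificates created while
# the Debian OpenSSL PRNG was weak and regenerates raw data keys.

WEAK_START=20060917   # first vulnerable Debian openssl upload (DSA-1571)
WEAK_END=20080513     # date the fix was published

# month_num "Sep" -> 09
month_num() {
    case "$1" in
        Jan) echo 01 ;; Feb) echo 02 ;; Mar) echo 03 ;; Apr) echo 04 ;;
        May) echo 05 ;; Jun) echo 06 ;; Jul) echo 07 ;; Aug) echo 08 ;;
        Sep) echo 09 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) return 1 ;;
    esac
}

# date_key "notBefore=Sep 20 12:00:00 2007 GMT" -> 20070920
# (the line format is what `openssl x509 -noout -startdate` prints)
date_key() {
    set -- $(echo "$1" | sed 's/^notBefore=//')
    mon=$(month_num "$1") || return 1
    day=$(printf '%02d' "$2")
    echo "$4$mon$day"
}

# in_weak_window "<startdate line>": exit 0 if the certificate was created
# while the PRNG was weak, 1 if not, 2 if the date could not be parsed
in_weak_window() {
    k=$(date_key "$1") || return 2
    [ "$k" -ge "$WEAK_START" ] && [ "$k" -le "$WEAK_END" ]
}

# check_certs DIR: list every *.crt in DIR that needs regenerating
check_certs() {
    for crt in "$1"/*.crt; do
        [ -f "$crt" ] || continue
        start=$(openssl x509 -noout -startdate -in "$crt") || continue
        if in_weak_window "$start"; then
            echo "REGENERATE: $crt ($start)"
        fi
    done
}

# regen_data_key FILE: zero-fill the old *-FileEncKeys.raw in place, remove
# it, then write fresh random bytes with the (now fixed) OpenSSL.
# Assumption: a 1024-byte key file, as bbackupd-config creates.
regen_data_key() {
    keyfile=$1
    if [ -f "$keyfile" ]; then
        size=$(wc -c < "$keyfile" | tr -d ' ')
        dd if=/dev/zero of="$keyfile" bs=1 count="$size" conv=notrunc 2>/dev/null
        rm -f "$keyfile"
    fi
    openssl rand -out "$keyfile" 1024 && chmod 600 "$keyfile"
}
```

Typical use is `check_certs /etc/box/bbackupd` to see which certificates to reissue (remember that a certificate signed by a CA key from the weak window must be reissued even if the client key itself is fine), then `regen_data_key /etc/box/bbackupd/1234-FileEncKeys.raw` after the server-side store has been destroyed, since data encrypted under the old key is exactly what the post tells you to treat as exposed.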

