On Mon, 31 Mar 2014 10:32:28 +0200 Andreas Olsson <[email protected]> wrote:
> On Mon 2014-03-31 at 08:05 +0000, tarsnap wrote:
> > ...
> > The (part of the) keyfile would then only reside in RAM during the
> > time that tarsnap is running (and does it really need to stay there
> > all the time?), making it more difficult for hackers to catch it.
>
> Couldn't you just as easily solve that part yourself by at the backup
> moment copy your tarsnap key to a tmpfs mount? To be on the safe side
> it probably wouldn't hurt to disable swap, or go with an encrypted
> swap.
>
> // Andreas

Yes, I could even copy it to tarsnap's regular keyfile directory on the VM of which I'm managing the backup and remove it afterwards, but what I was aiming at was to not at all have it on any file system (or am I technically wrong in that RAM is a file system also?) that is part of a net-connected VM.

You are right though that having it temporarily on a net-connected file system will lower the exposure, but I really would like to go that one step further, if possible.

thanks
