I have to do regular manual exports of my password manager database, in addition to the regular backups of my server, which include the Vaultwarden data. This serves multiple purposes.
Firstly, it's part of my disaster recovery strategy. Were I to lose my entire server, I still want to be able to quickly regain access to my passwords. Having to spin up a new Vaultwarden instance from a backup or something just to regain access to things like
- I self-host my password manager
- in case I lose my server I still want to be able to recover access to my passwords
- especially because my backups are potentially encrypted with keys I
TODO create a recurring todo task (can double as a check that I still remember the password)
### Guide
1.
## Encryption Hierarchy
Encrypted assets, what they're encrypted with, and where their keys are stored.
- **password manager:** only in my memory
- **agenix secrets:** SSH private keys
- **SSH private keys:** on devices + TODO password manager
- **backups:** backup keys
- **backup keys:** agenix secret + TODO password manager
- **full disk encryption:** my memory, password manager
TODO backup strategy
```mermaid
graph TD
memory((my\nmemory))
pw[password manager]
devices[devices]
ssh[SSH private keys]
agenix[agenix secrets]
backups[backups]
memory -.-> devices
memory --> pw
pw --> devices
devices --> ssh
ssh --> agenix
agenix --> backups
pw -.-> backups
pw -.-> ssh
```
The default dependencies are as follows: TODO
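The graph above can be checked mechanically: which assets are still recoverable once a given set of nodes is destroyed, and which nodes are single points of failure. The following is an added example (not part of these notes) that transcribes the mermaid edges and runs that check for the house-fire case; it assumes an edge `a --> b` means "holding `a` lets you obtain `b`", that the solid edges (plus `memory -.-> devices`, which is just an alternative unlock path) are in place today, and that the dotted `pw -.-> ssh` and `pw -.-> backups` edges are the two TODO items.

```python
"""Recoverability check over the key-dependency graph from the notes.

Edge (a, b) means: holding `a` lets you obtain `b`. IN_PLACE is what exists
today; PLANNED holds the two TODO edges (SSH keys and backup keys stored in
the password manager). Assumption: an asset in `lost` is gone in every copy.
"""
from collections import deque

# Transcribed from the mermaid graph in the notes.
IN_PLACE = {
    ("memory", "pw"),
    ("memory", "devices"),   # my memory can also unlock full disk encryption
    ("pw", "devices"),
    ("devices", "ssh"),
    ("ssh", "agenix"),
    ("agenix", "backups"),
}

# Dotted TODO edges: secrets that are planned to be stored in the manager.
PLANNED = {
    ("pw", "ssh"),
    ("pw", "backups"),
}

ALL_ASSETS = {"memory", "pw", "devices", "ssh", "agenix", "backups"}


def reachable(start, edges, lost=frozenset()):
    """Transitive closure of `start` over `edges`, never entering `lost` nodes."""
    seen = {n for n in start if n not in lost}
    queue = deque(seen)
    while queue:
        node = queue.popleft()
        for a, b in edges:
            if a == node and b not in seen and b not in lost:
                seen.add(b)
                queue.append(b)
    return seen


def unrecoverable(start, edges, lost):
    """Assets that cannot be regained after `lost` is destroyed, given `start`."""
    return (ALL_ASSETS - set(lost)) - reachable(start, edges, lost)


def single_points_of_failure(start, edges):
    """Map each node whose loss makes some other asset unrecoverable to that set."""
    spof = {}
    for node in ALL_ASSETS - set(start):
        gone = unrecoverable(start, edges, {node})
        if gone:
            spof[node] = gone
    return spof


if __name__ == "__main__":
    # Worst case from the notes: every device is gone, only my memory remains
    # (the unencrypted off-site drive holding the backups and pw.age survives).
    start, lost = {"memory"}, {"devices"}
    print("lost today:        ", sorted(unrecoverable(start, IN_PLACE, lost)))
    print("lost with TODOs done:", sorted(unrecoverable(start, IN_PLACE | PLANNED, lost)))
    print("single points of failure today:", single_points_of_failure(start, IN_PLACE))
```

With only today's edges, losing the devices takes the SSH keys, the agenix secrets and therefore the backups with them; with both TODO edges in place everything is reachable from memory alone. The single-point-of-failure listing is the quickest way to spot an asset whose only copy sits behind something it itself protects.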
## Disaster Recovery
### Targeted Worst-Case Scenario
The worst-case scenario I want to be prepared for is: my house burns down. I lose all my devices at once, from my PC and laptop to my phone. Even then I still want to be able to fully recover my data from my off-site backup.
### Guide
This is a guide to what I would need to do in the worst-case scenario. Its purpose is to let me verify that the procedure is feasible, and of course to serve as a reference if it ever actually becomes necessary to follow it.
1. Get a loaner notebook.
2. Travel to my off-site backup location.
3. Hook up the backup drive to the notebook. It's unencrypted, so this doesn't need any extra steps.
4. Decrypt the password manager export using age: `age --decrypt -o pw pw.age`
5. Access the backups using the encryption key from the password manager.
6. Access the agenix secrets using the SSH private keys from the password manager.
7. Rebuild my systems using the now accessible data.
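Step 4 only works if `pw.age` was encrypted with a passphrase (something in memory) rather than to an age identity file, since such a file would have burned with the devices. age keeps its header in plaintext: the line `age-encryption.org/v1`, one recipient stanza per recipient starting with `-> ` (type `scrypt` for a passphrase, `X25519` for a key pair), then a `---` MAC line. The following is an added pre-flight check, not part of these notes, that inspects the header; the sample headers are constructed with placeholder base64 values and are not real age output.

```python
"""Pre-flight check for the export on the off-site drive: refuse to rely on a
pw.age that needs anything other than a passphrase to open."""

AGE_MAGIC = b"age-encryption.org/v1"


def recipient_types(header_bytes):
    """Return the recipient stanza types (e.g. ["scrypt"]) from an age v1 header."""
    lines = header_bytes.split(b"\n")
    if not lines or lines[0] != AGE_MAGIC:
        raise ValueError("not an age v1 file")
    types = []
    for line in lines[1:]:
        if line.startswith(b"---"):      # MAC line: end of the header
            break
        if line.startswith(b"-> "):      # stanza header; body lines are base64
            types.append(line[3:].split(b" ")[0].decode())
    return types


def passphrase_only(path_or_bytes):
    """True when the file opens with a passphrase alone (exactly one scrypt stanza).

    age never mixes a passphrase with other recipients, so any other stanza type
    means an identity file is required. Assumption: the header fits in 4 KiB.
    """
    if isinstance(path_or_bytes, bytes):
        head = path_or_bytes[:4096]
    else:
        with open(path_or_bytes, "rb") as f:
            head = f.read(4096)
    return recipient_types(head) == ["scrypt"]


# Constructed sample headers; base64 fields are placeholders, not real ciphertext.
SAMPLE_SCRYPT = (b"age-encryption.org/v1\n"
                 b"-> scrypt c2FsdHNhbHRzYWx0c2FsdA 18\n"
                 b"YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXphYmNkZWY\n"
                 b"--- bWFj\n"
                 b"\x00binary payload")
SAMPLE_X25519 = (b"age-encryption.org/v1\n"
                 b"-> X25519 ZXBoZW1lcmFs\n"
                 b"YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXphYmNkZWY\n"
                 b"--- bWFj\n"
                 b"\x00binary payload")

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "pw.age"
    ok = passphrase_only(path)
    print(f"{path}: {'passphrase-only, OK' if ok else 'needs an identity file!'}")
    sys.exit(0 if ok else 1)
```

Run it against the copy on the backup drive as part of the recurring check; a non-zero exit means the export would be useless in exactly the scenario it exists for.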