From 8bb443321c24b03e45949c476a13bb8feae7fee2 Mon Sep 17 00:00:00 2001 From: Andrew Engelbrecht Date: Mon, 11 Oct 2021 23:50:12 -0400 Subject: [PATCH] updated design / security notes in readme --- README.md | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 9032c31..edb9e7f 100644 --- a/README.md +++ b/README.md 
@@ -88,23 +88,25 @@ randomized way. The other main reason for central coordination is because you may clone a production machine, and run it as a dev instance, with a different IP address and domain name. If both machines have the same credentials for pushing their -backup, they'll both end up in the same repo. If you prune backups from time to -time, you would occasionally delete a production backup and leave a dev backup -in place. If you export snapshots to tape archives, then in that scenario, you -would possibly archive a dev backup to tape. Kaya connects to machines via SSH, -so keeping a production machine's domain name associated with it avoids this -issue. It also sends credentials to the target machine as part of the -connection, so the target machine doesn't have to keep track of them. - -The rest-server's `--append-only` mode should prevent infected machines from -deleting their own past backups. Target machines are still able to push new -ones, and to read past backup history. - -Kaya uses SSH tunneling, with a reverse port forward, so the client can talk to -the rest-server on the backup server without the need to rely upon CA +backup, they would both end up in the same repo. If you then prune backups from +time to time, you would occasionally delete a production backup and leave a dev +backup in place. If you export snapshots to tape archives, then in that +scenario, you would possibly archive a dev backup to tape. + +Kaya avoids this issue by connecting via SSH from a backup server to machines +with persistent domain names. It also sends credentials to the target machine +as part of the connection, so the target machine doesn't have to keep track of +them. Authentication and authorization are mediated by SSH keys. + +Kaya uses SSH tunneling, with reverse port forwarding, so the client can talk +to the rest-server on the backup server without the need to rely upon CA certificates. 
This is especially useful for older machines that may have an outdated root certificate store. +The rest-server's `--append-only` mode is meant to prevent infected machines +from deleting their own past backups. Target machines are still able to push +new backups, and to read archived data. + ## Contributing If you'd like to contribute to Kaya, feel free to open an issue or pull -- 2.25.1
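Review bot: the new `--append-only` paragraph at the end of the hunk should also say where deletion happens, since the same paragraph states that target machines can still push new backups and read archived data: pruning therefore has to be run from the backup server with access that is not append-only, and a compromised target can still read its own past snapshots and push new ones until the repository fills, so retention and storage limits are a server-side concern worth documenting next to this claim. The sentence "Authentication and authorization are mediated by SSH keys" in the second added paragraph is also underspecified given the surrounding text: it would help to state which key authorizes what, i.e. the backup server's SSH key on the target versus the rest-server credentials that are sent to the target as part of the connection.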