[Box Backup] SSL raw key

Chris Wilson boxbackup@fluffy.co.uk
Wed, 23 Jan 2008 19:01:20 +0000 (GMT)

Hi Bertram,

On Wed, 23 Jan 2008, Bertram Scharpf wrote:

> this is rather an SSL question but it came up when configuring
> boxbackup. I may ask here.
> The config script says:
>   1) Make a backup of /etc/box/bbackupd/51-FileEncKeys.raw
>      This should be a secure offsite backup.
>      Without it, you cannot restore backups. Everything else can
>      be replaced. But this cannot.
> As far as I understand I can rebuild the SSL private and
> public keys using the raw random data in "N-FileEncKeys.raw".
> In case even this is wrong, please tell me how to start to
> "replace everything else".

You cannot replace the SSL private key this way. The idea is that you can 
generate a new one and then obtain a new certificate from your service 
provider, who signs your new certificate request (containing the new key) 
and presumably invalidates the old one.

However, this only gives you login access to the server; it does not allow 
you to decrypt your old data on the server. Only the .raw key file can do 
that. If you lose that key, you will have to re-upload all your data.

> In case it applies please show me how I can reconstruct the *.pem files.

The simplest way is to generate a completely new set of keys, as described 
in the installation instructions, but then replace the newly generated 
.raw file with your old one.

I'll write this up on the Wiki under "Recovering from Lost Keys".

Cheers, Chris.
_____ __     _
\  __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
\ _/_/_/_//_/___/ | We are GNU : free your mind & your software |
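
The key swap described in the reply above, as an added example that is not part of the original post or of Box Backup itself. It assumes the new key set has already been generated as the installation instructions describe; the function name `restore_raw_key` and its two path arguments are hypothetical.

```shell
# Added example: put a saved Box Backup .raw key in place of a freshly
# generated one. restore_raw_key and its arguments are hypothetical names.
# Usage: restore_raw_key <saved-offsite-copy> <newly-generated-.raw-file>
restore_raw_key() {
    saved=$1
    target=$2

    # An empty or missing saved key cannot decrypt the existing backups,
    # so stop before touching anything.
    [ -s "$saved" ] || { echo "saved key missing or empty: $saved" >&2; return 1; }
    [ -f "$target" ] || { echo "no generated key at: $target" >&2; return 1; }

    # Keep the newly generated key aside instead of overwriting it.
    mv "$target" "$target.generated" || return 1

    # Write the old key with owner-only permissions; roll back on failure.
    ( umask 077 && cp "$saved" "$target" ) || {
        mv "$target.generated" "$target"
        return 1
    }
    chmod 600 "$target" || return 1

    # Confirm the installed file is byte-identical to the saved copy.
    cmp -s "$saved" "$target" || { echo "installed key differs from saved copy" >&2; return 1; }
}
```
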