Security and AutoConfigBackup
I hope this doesn't come across as questioning the integrity of the pfSense staff. Rather, it's an opportunity for me and my team to learn more about security.
We have recently become a Gold Subscriber which makes us eligible to use the AutoConfigBackup package. Between ourselves, we've been debating whether there are any security risks in using this service.
We understand that the Config files are stored encrypted, but anything can be cracked, eventually. Obviously there are passwords hashed in the config file. Beyond that, I'm not sure there's much that is sensitive.
What is the community's feelings about using this service, or about storing your config files in an encrypted format on cloud services such as DropBox and others? Is the risk large, small, or non-existent?
Thanks for any information you can provide to help educate us! And Thanks to the pfSense developers! This is an awesome tool!
I generate a long key (password) to use to encrypt for AutoConfigBackup. Then I store that safely off the public internet. If someone does break into the pfSense AutoConfigBackup server, then it will take them some tome longer than I (or they) probably care about to brute force crack it.
The config also has certificates in it for OpenVPN road warriors, site-to-site PSKeys and so on. So you really do not want to publish config.xml
If you just put clear-text files on DropBox then they (DropBox sys admins and the US govt) can get to them easily. To save space, they keep hashes of the clear-text files and if that file is already stored somewhere in DropBox then they just keep a link to it for you - e.g. if 20,000 people put the latest Firefox installer in their DropBox, then DropBox only store it once. Because of this, we know that they are not individually encrypting your files using your password as a key. So on the back-end server itself there must be bucket loads of plain-text storage space. Given all the recent revelations in the USA, I would assume that anything on DropBox can (and maybe is) be mirrored to a secret site in Utah. For stuff you care to keep private, encrypt it yourself locally first with a long key, then dump the encrypted file/s into DropBox.
Thank you Phil!
This is good information. I appreciate your time and perspective. We've tried to keep anything out of DropBox and Google that was the least bit security sensitive. But it's helpful to know some of the good reasons for that practice. :-)
I also hadn't thought about the certificates being stored in the XML file. That's a very good point.
Does anyone know if there is a limit to the size (length) of the AutoConfigBackup key?