From 09103d44a6ced4c2978ff04e18d32732c814db86 Mon Sep 17 00:00:00 2001
From: yova
Date: Thu, 3 Mar 2022 15:33:44 +0100
Subject: [PATCH] clarify secrets
---
 content/blog/ovh-pca-backupninja-duplicity.md | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/content/blog/ovh-pca-backupninja-duplicity.md b/content/blog/ovh-pca-backupninja-duplicity.md
index 390f4de..cc031cc 100644
--- a/content/blog/ovh-pca-backupninja-duplicity.md
+++ b/content/blog/ovh-pca-backupninja-duplicity.md
@@ -12,11 +12,14 @@ OVH provides a cheap way for longterm storing backup data, the Public Cloud Arch
 - Enable email sending for backup status mails by [installing a mta](/msmtp-on-debian/).
 - Install system dependencies
 - `apt install librsync-dev gpg backupninja`
+- Make sure to have disk encryption enabled for all files containing **secrets**
+
 #### GPG
-- Create a new secret key. Note the password.
+- Create a new secret key. Note the password. Keep this private and on **encrypted filesystems only**!
 - `gpg --quick-generate-key cloud@freedomhost.de`
 - `gpg --export-secret-key keyid > private.key`
+- Make sure that `~/.gnupg` folder is on an encrypted filesystem on the server
 - Copy the key to the server
 - `scp private.key server:`
 - Import it in the local keyring on server
@@ -48,8 +51,8 @@ OVH provides a cheap way for longterm storing backup data, the Public Cloud Arch
 ## Configuration
 - 3 files are used for this:
   - `/etc/backupninja.conf`: Here you can set the time of day when the backup should be run, and to whom to send status emails. This file is pre-installed and quite self-explaining
-  - `/etc/ovh-config.json` for holding the OVH credentials
-  - `/etc/backup.d/20_ovh_pca.dup` for configuring duplicity for backupninja usage
+  - `/etc/ovh-config.json` for holding the OVH **credentials**
+  - `/etc/backup.d/20_ovh_pca.dup` for configuring duplicity for backupninja usage contains **gnupg secrets**.
 ### `/etc/backup.d/20_ovh_pca.dup`
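Review bot: The new encrypted-filesystem advice in the GPG section leaves the exported `private.key` itself unaddressed: `gpg --export-secret-key keyid > private.key` and `scp private.key server:` put an unprotected copy of the secret key on the local disk and in the server's home directory, and no step after `Import it in the local keyring on server` removes either copy. I would add a bullet after the import step, e.g. `- Remove the exported key on both machines once it is imported (shred -u private.key)`. It is also worth saying that disk encryption only protects the files at rest; a running server that has been compromised still reads them, so the file permissions matter as much as the encrypted filesystem. The Configuration hunk now states that `/etc/backup.d/20_ovh_pca.dup` contains gnupg secrets, so that file deserves the same encrypted-filesystem remark as `~/.gnupg`.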
@@ -75,11 +78,12 @@ desturl = 'multi:///etc/ovh-config.json?mode=mirror&onfail=abort'
 ### `/etc/ovh-config.json`
-- get this [template](/texts/ovh-config.json)
+- This is the **credentials** file for OVH. Get this [template](/texts/ovh-config.json)
 - adapt the `url` keys to something meaningful ex. `backedupserver1_cold` and `backedupserver2_hot`. This will be the names of the Cloud Archives resp. Object Stores
 - change `PCA_TENANTID` and `SWIFT_TENANTID` to noted `OS_TENANT_ID`
 - change `PCA_USERNAME` and `SWIFT_USERNAME` to noted `OS_USERNAME`
 - do the same for Password and Regionname
+- Make sure minimal access rights with `chmod 600`
 ## testing
 - do a test run
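Review bot: `chmod 600` on `/etc/ovh-config.json` sets the mode but says nothing about the owner, which is what decides who can actually read the file; since backupninja typically runs its handlers as root, I would write the bullet as `- Restrict the file to its owner: chown root:root /etc/ovh-config.json && chmod 600 /etc/ovh-config.json`. The same restriction should be stated for `/etc/backup.d/20_ovh_pca.dup`, which the Configuration section now explicitly says holds the gnupg secrets, so readers do not conclude that only the JSON file needs protecting. As far as I recall backupninja refuses handler files in `/etc/backup.d` that are group- or world-readable, which would be worth mentioning so the reader understands the error if they hit it. The bullet also reads better as a full sentence than as "Make sure minimal access rights".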