How are backups encrypted? Is there a reason they use a password instead of a set of public keys?
I think the short answer is: scrypt + AES-256. The long answer is the thread already linked above (except scrypt was added later to replace the original KDF).
Hm, I’m not sure what you mean. Do you mean like encrypting your backup to a public PGP key the way you would encrypt an email to your recipient’s public PGP key? I imagine that your main use case would be to encrypt your backup to your own public key, then use your private key when you want to decrypt. I can’t recall ever hearing of the Qubes backup system supporting this. I suppose with sufficient hacking you might be able to DIY. My main concern would be that asymmetric encryption is notably weaker than symmetric encryption in certain respects. Personally, I wouldn’t consider that to be a worthwhile trade-off, but I don’t know your use case or threat model.
1 Like
Why not just encrypt the backup secret with PGP? Well the answer might be practical: in case of emergency, there’s only “bare” OS and the backups. In order to restore, one would need to setup the PGP or whatever public key system before restoring. This use case is pretty similar to disk encryption.
So I think standalone encryption secret is ok in this use case. Just use proper password phrase. Done.
Well, as I mentioned above, asymmetric encryption is notably weaker than symmetric encryption in certain respects, so you certainly wouldn’t want to use asymmetric as the default in an encrypted backup system. Maybe some individual users are willing to sacrifice some security for some convenience this way, but it shouldn’t be the default.
On the other hand, it’s also possible to use PGP for symmetric encryption, which might be what you’re referring to. I vaguely recall that this possibility was considered and discussed in the aforementioned thread and ultimately rejected because it did too much parsing on untrusted input, but this was many years ago.
This leads me to one of the most important reasons that the Qubes backup system is the way it is: authenticated encryption. Many encryption programs don’t allow their encrypted output to be properly authenticated. If you tried to use something that like for Qubes backups in dom0, it would be a major security risk, since attempting to restore a malicious backup file could compromise your entire system. Thankfully, the Qubes backup system was specifically designed to defend against this sort of threat, which is why it verifies the authenticity of all purported backup files before parsing them.
Designing a backup system is hard to get right. Encryption is even harder. Unless you are an expert, it is generally not a good idea to try to roll your own. Better to use the proven, time-tested tools developed by experts, especially when they’re already built-in, IMHO.
Not really. I was simply saying the actual encryption key (password) could be protected with PGP. That’s no different from any password protection system, like password managers. But it really makes no sense as it would introduce more complexity in the restore process: in order to restore, one would have to set up PGP (or any other public key infrastructure, if not using PGP).
Unless you are talking about using so called session key with PGP, which is very common use case. Session key in this context would be the backup password.
Yes. Exactly. (that functionality is part of the gpg command)
Yes. Setting a “backup password” for ones qubes backups (A password they’ll never use for a long time, until something horrible happens (meaning they will have no practice at it and no memory of it)) didn’t seem like a great idea to me, when their password manager is going to end up being in one of the qubes.
I think just as important as having good encryption on the backups, is having ability to decrypt the backups during disaster recovery 
This is your mistake. You should be using that passphrase regularly when you test your backup system. Backups are useless if you can’t restore from them. This is why the Qubes backup system includes a tool that allows you to verify backup integrity by simulating a restore. (This is already covered in the documentation, btw.)
Exactly!