The Backup Passwords


Steve Jones
Comments posted to this topic are about the item The Backup Passwords

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
mgraham 67977
We have implemented something we call a poker key server. To retrieve a database encryption key you have to enter a long (20 character) password of which ten characters are placed in sealed envelopes in two persons' locked file cabinets. If you enter the password incorrectly, the server "calls" and you are required to prove your identity with an iButton (from Maxim/Dallas Semiconductor) containing a unique serial number which is then hashed by the server using SHA-384. If the iButton hashes correctly it gives you the option of entering the 20-character password again.

It sounds like a lot of work, but two-person control combined with a skeptical key server ensures our intellectual property remains safe.
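The flow described in the post above, sketched as an added example (not mgraham's actual system): a wrong password puts the server into a "called" state that only a matching iButton hash clears, and clearing it grants another attempt rather than the key. The class and method names, the PBKDF2 storage of the password verifier, and keeping the database key in memory are assumptions of this sketch.

```python
import hashlib
import hmac
import os
from typing import Optional


class PokerKeyServer:
    """Two-person password gate that locks ("calls") after one wrong entry."""

    def __init__(self, half_a: str, half_b: str, ibutton_serial: bytes, db_key: bytes):
        if len(half_a) != 10 or len(half_b) != 10:
            raise ValueError("each custodian holds exactly ten characters")
        self._salt = os.urandom(16)
        self._pw_verifier = self._stretch(half_a + half_b)
        # Per the post, the serial is hashed with SHA-384; only the hash is kept.
        self._ibutton_hash = hashlib.sha384(ibutton_serial).digest()
        self._db_key = db_key  # simplification: a real server would keep this wrapped
        self.called = False    # True while the server demands the iButton

    def _stretch(self, password: str) -> bytes:
        # PBKDF2 is this sketch's choice for storing the password verifier.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 200_000)

    def request_key(self, half_a: str, half_b: str) -> Optional[bytes]:
        """Return the database key only for the full 20-character password."""
        if self.called:
            return None  # no password attempts until identity is proven
        if hmac.compare_digest(self._stretch(half_a + half_b), self._pw_verifier):
            return self._db_key
        self.called = True  # one wrong entry and the server "calls"
        return None

    def present_ibutton(self, serial: bytes) -> bool:
        """Clear the called state if the serial hashes to the enrolled value."""
        ok = hmac.compare_digest(hashlib.sha384(serial).digest(), self._ibutton_hash)
        if ok:
            self.called = False  # grants another password attempt, not the key
        return ok
```
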
jesusagpa
The first thought I have is a kind of function that returns a key based on some well-known variables like: the date when the backup ran, the user in charge of the backup and the machine where the database is placed, and finally a variable value that few people know (you and another one). If the name of the backup includes all the variable values (i.e. BCK_DDMMYYYY_NAME_XXXXBOX) except obviously the "secret" variable value, you can retrieve the password for the backup whenever you want and independently of who generated the backup and when it was generated.

The function to generate the variable should be protected accordingly.
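One way to build the function described in the post above, as an added example (not jesusagpa's code): the public fields are parsed out of the backup name and combined with the secret using HMAC-SHA256. The function names, the exact name pattern, the case normalisation and the 32-byte minimum for the secret are assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import re
from datetime import datetime

# Assumed layout, following the post: BCK_DDMMYYYY_NAME_XXXXBOX
NAME_RE = re.compile(r"BCK_(\d{8})_([A-Za-z0-9.-]+)_([A-Za-z0-9-]+)")


def parse_backup_name(name: str) -> tuple:
    """Split a backup name into (date, operator, machine), rejecting bad input."""
    m = NAME_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a recognised backup name: {name!r}")
    date, operator, machine = m.groups()
    datetime.strptime(date, "%d%m%Y")  # ValueError on an impossible date
    # Normalise case so a renamed file still yields the same password.
    return date, operator.lower(), machine.upper()


def backup_password(name: str, secret: bytes) -> str:
    """Derive the backup password from the public name fields and the secret."""
    if len(secret) < 32:
        raise ValueError("secret must be at least 32 random bytes")
    fields = parse_backup_name(name)
    # Length-prefix each field so adjacent fields cannot be confused.
    msg = b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)
    tag = hmac.new(secret, b"backup-password-v1" + msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode().rstrip("=")


if __name__ == "__main__":
    demo_secret = bytes(range(32))  # constructed value, for illustration only
    print(backup_password("BCK_01022015_jsmith_PRODBOX", demo_secret))
```

Whoever holds the secret can recompute the password of every backup ever named this way, so the secret needs the same custody as the backups themselves.
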
BenWard
I have a folder in my inbox marked 'passwords'; in that I have folders named in the format yyyymmdd. Every time the passwords change I create a new folder and save an email.

Is this a good idea? No. Is it the best option currently available to me? Yes. It's either that or I keep a rolodex of passwords in my filing cabinet (probably a better idea).

Ben

^ That's me!


----------------------------------------
01010111011010000110000101110100 01100001 0110001101101111011011010111000001101100011001010111010001100101 01110100011010010110110101100101 011101110110000101110011011101000110010101110010
----------------------------------------
leon.tolmay
Seems like a bit too much trouble for something as simple as keeping track of passwords for backups across time in a secure manner. There are a few simple alternatives here. Firstly, one could use one of many simple programs available (many of which are free) for storing passwords with comments in a secure manner. The comments can be used to indicate the date stamp. Alternatively, get someone in your company to create a simple app that saves your passwords and dates and an additional comment in an encrypted format. This will have two advantages over existing software. The first will be that it will be unique to your company and thus will not have a hack. The second will be that one can tailor the app to your individual company needs. To a person familiar with C++ or VB this should take no longer than an hour to develop and deploy.
BenWard
Well, being an analyst programmer, I ought really go and do that myself. I might get round to it somewhen.

Ben

Ben Thul
KeePass (http://keepass.info) will archive old passwords for you. It also handles expiration, so you can look at your archived and know which dates it was active. Plus it has the nice benefit of having a URL/name that can be slightly rearranged for puerile entertainment. :)
Eric M Russell
Managing backups has never been my role, so I'm not too familiar with the technicals of how the various 3rd party solutions manage the keys. My question is: Does the database administrator really need to know the password for the backups in order to maintain the day to day backup process?
My thinking is that the passwords could be held by an executive manager. Even on those occasions where a restore from backup is required, the manager could supply the password remotely without revealing it to the database administrator. This may result in a slight delay of recovery time, but if one person holds the backups and another person holds the key, then one of them acting alone could not compromise the data, even if the password remains static over a long period of time.


"The universe is complicated and for the most part beyond your control, but your life is only as complicated as you choose it to be."
@DBA_ANDY
We have recently started using KeePass as well and consider it very useful.
James Goodwin
I've not been responsible for backups for a long time, but here's how I think it should work.

Each backup set gets assigned a strong generated password that applies only to that set.

The Backup Set ID/Password pair is stored in:
a) A key server that the backup/restore software has access to based on user level permissions. Or...
b) A notebook in someone's office. Or...
c) Both (I actually prefer this as I don't trust the key server to not crash and burn.)

Backup tapes are moved offsite on a reasonable schedule (weekly?).

--
JimFive