Repokey, passphrase compromised - how to proceed securely carrying backup history?

[justauserid]

After an infostealer attack on my computer, I'm assuming my credentials were compromised.

I have already secured my BorgBase server and a/c access (much stronger password, added 2FA, changed SSH key), but my main concern is the Borg backup setup itself. (BorgBase repo was not accessed)

Doc inidcates that changing the passphrase isn't enough if the repository key is also compromised.

My questions are:

1. Doc says: "... not protect future (nor past) backups to the same repository" But wouldn't securing server access (where repo is hosted) protect it in practice?

2. Is my understanding correct: since a repo's repokey can't be changed, changing the passphrase that encrypts repokey is pointless if the repokey itself was compromised?

3. If so, is creating a new repo the only way to continue backing up securely at this point?

4. How can I move archives from the old repo (mode: repokey-blake2) to the new repo to preserve the backup history? A three year old comment from Thomas mentions this: "... somehow move over all your data (which could take quite a while)". However it does add "somehow" :(

[justauserid]

https://borgbackup.readthedocs.io/en/latest/usage/transfer.html this should work I suppose. I will try to look for a tutorial on it to see someone has published their experience.

[RonnyPfannschmidt]

Note that the docs are for the next major version

[ThomasWaldmann]

As a quick measure, change passphrases everywhere (including ssh and borg key, but also e.g. for your e-mail accounts).

The infostealer could theoretically have stolen your repokey also (because it likely had control of your machine). This would be a quite borg-specific attack though, thus I am not sure about how probable that is.

1. If you change your ssh key (at borgbase), ACCESS to the remote borg repo via ssh is protected again. But, if the attacker would somehow else gain access to the borg repo, they could use a stolen borg passphrase+key to decrypt information from there.
2. That is correct IF the attacker has stolen your borg key and the passphrase that protected it.
3. Yes. You could do a risk estimate though, how probable it is that attacker has stolen passphrase AND borg repokey (the repokey is stored in the repo, so you need to use borg or borg-specific code to access it).
4. There is no simple / quick way to do that (AFAIK). borg transfer is borg2/master branch only, so that does not help you. The borg 1.x way is doing some scripting with either doing extract/create or mount/create. Be careful, borg mount does not support all metadate extract/create supports (e.g. no ACLs).

[justauserid]

Hey, thanks a lot for the detailed reply.

As a quick measure, change passphrases everywhere (including ssh and borg key, but also e.g. for your e-mail accounts).

I have done that. All critical ones (email host, domain registrar, finance, storage etc) were changed within minutes and some more later and since then I have been on the rest of those.

About

how probable it is that attacker has stolen passphrase AND borg repokey

My layperson's analysis indicates the attack failed because I didn't provide my Mac password and disconnected the Internet within seconds of first password popup which literally was at the script start.

The attack was pretty much this. I copied the script from the running osascript process before killing it. Its logic was roughly:

create "/tmp/lovemrtrump" collection folder CF -> collect sysinfo, username -> write that into CF/"hardware" file -> if password is non-empty -> ask for password IN A LOOP -> if password received, validated -> dump lots of creds/sensitive data (< 10MB files) in the CF -> compress all into "/tmp/out.zip" -> delete CF -> try to send "out.zip" -> on success (10 send retries) delete "out.zip" -> download "asset.py" -> run it -> exit applescript.

It kept asking for password (IN A LOOP) and even before starting to send data it was supposed to clear the CF folder i.e data collection traces but tmp/lovemrtrump/hardware was still there as per the script it password was not given.

I looked into/grepped hours of full Mac system logs (on both sides of attack start time), and there were no network/process logs with those file names, URLs, or processes. The BorgBase server log also shows no event/access.

But while I am 100% sure I never gave it the Mac password, I am not sure how long of a delay it was before I cut the internet—it could have been 20, 30, or even 70 seconds. Not sure. Hence I am just a software engineer and not a security/forensics professional, I am assuming it was compromised - because I do not really know/understand a lot of things (and had to take help of Gemini to understand a lot of what I typed above).

Since

borg transfer is borg2/master branch only

Would you say this plan is advisable?

1. Change the passphrase for the existing repo and then keep it locked/idle/inaccessible with no SSH Key added to it on BorgBase → just keep backup history until now (just in case; and keep the old SSH key safe somewhere).
2. Set up a new repo with a new SSH key and new passphrase/repokey.
3. Set up Borg/Vorta to back up to this new repo fresh
4. Hope that when borg transfer is released into borg for laypersons like me, I can transfer all the old archives into the new repo. → I do not know whether such a borg transfer will even be feasible.

And then later (even if point 4 above is not feasible) I would just delete the old repo after 2-3 years, as I doubt I will need that if I don't need that for 2-3 years. (A lot of those data are also backed up via restic and a bit via Tarsnap).

Do I have a better chance/way to proceed instead of this?

[ThomasWaldmann]

Sounds reasonable. See also #8956 (comment) (but be very careful, this is bleeding edge code).

[ThomasWaldmann]

borg-import now has a "from borg" importer!

https://github.com/borgbackup/borg-import
borgbackup/borg-import#71