9.2 Creating Key Files - Public/Private Key Files
When creating files with public and private keys, it is recommended to use the same files for all backups:
- For the public key specify the actual path (could be a network share/mount) to the Reservoir work path directory. The new public.key file replaces the existing one (if any);
- For the private key specify the same [recordable] CD or USB RAM Disk key fob, so that the new one will be added to the existing list in private.key file.
The reason is to accumulate private keys, so that at the disaster site you will be able to restore from tapes created with different public keys. At the disaster site, copy the private.key file stored on the key fob to the Reservoir WorkPath directory; during the Regen process, Reservoir goes through all recorded private keys to find the correct one.
The CreateKeys command line program (which must be requested from UPSTREAM sales or technical support, as it is not included in the distribution for security reasons) should be secured (stored on that same key fob) and distributed with the license file (not with the Reservoir) to avoid "man in the middle" attacks, in which someone unauthorized substitutes the legitimate public/private keys with his own to hijack backups.
Public and private key data are scrambled. The public key is protected from tampering: a hash is calculated and stored in the file itself.
CreateKeys program usage:
-s : silent run without prompts, suitable for a CreateKeys script.
Sample run on Windows:
Creating public/private key pair. It make take a moment ...
Enter the directory where to save public key data (Empty input to cancel): c:\upstream33\usserver
Enter the directory where to save private key data (Empty input to cancel): .\
You can use a script like this to make sure that keys are created in the right place all the time:
CreateKeys.in file may look like this:
The first string specifies the location of the public key file, and the second one specifies where to accumulate private key data.
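The following PowerShell script is an added example, not part of the UPSTREAM documentation or distribution: it wraps CreateKeys so that the public key always lands in the Reservoir WorkPath and the private key is always accumulated on the same removable key fob, then verifies the replace/accumulate behaviour described above. It assumes that CreateKeys run with -s reads its two answers from standard input, and the WorkPath, key fob drive letter and CreateKeys.exe location are placeholders.

```powershell
# Added example (not UPSTREAM's own code). Assumed: CreateKeys -s reads the public
# and private key directories from standard input (the CreateKeys.in layout:
# first line public key directory, second line private key directory).
param(
    [string]$WorkPath   = 'C:\upstream33\usserver',  # where public.key is replaced (placeholder)
    [string]$KeyFobRoot = 'E:\',                      # removable media holding private.key (placeholder)
    [string]$CreateKeys = 'E:\CreateKeys.exe'         # tool kept on the same key fob (placeholder)
)
$ErrorActionPreference = 'Stop'

# Refuse to run unless the private-key destination really is removable media
# (Win32_LogicalDisk DriveType 2), so private keys are never accumulated on a fixed disk.
$drive = [System.IO.Path]::GetPathRoot($KeyFobRoot).TrimEnd('\')
$disk  = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
if (-not $disk -or $disk.DriveType -ne 2) {
    throw "$KeyFobRoot is not removable media; private keys must go on the key fob."
}
if (-not (Test-Path $CreateKeys)) { throw "CreateKeys not found at $CreateKeys" }

# Record the private.key size before the run so the accumulate behaviour can be checked.
$pubFile    = Join-Path $WorkPath   'public.key'
$privFile   = Join-Path $KeyFobRoot 'private.key'
$privBefore = if (Test-Path $privFile) { (Get-Item $privFile).Length } else { 0 }

# Write CreateKeys.in: first line public key directory, second line private key directory.
$inFile = Join-Path $KeyFobRoot 'CreateKeys.in'
Set-Content -Path $inFile -Value @($WorkPath, $KeyFobRoot) -Encoding ASCII

# Silent run with the answers supplied from the input file (stdin redirection via cmd).
cmd.exe /c "`"$CreateKeys`" -s < `"$inFile`""
if ($LASTEXITCODE -ne 0) { throw "CreateKeys failed with exit code $LASTEXITCODE" }

# public.key must exist and be freshly written; private.key must have grown (one more key appended).
$pub = Get-Item $pubFile
if ($pub.LastWriteTime -lt (Get-Date).AddMinutes(-5)) { throw 'public.key was not replaced' }
$privAfter = (Get-Item $privFile).Length
if ($privAfter -le $privBefore) { throw 'private.key did not grow; the new key was not accumulated' }
Write-Host "public.key replaced in $WorkPath; private.key on $KeyFobRoot now holds one more key."
```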