backend uses single shared S3 key
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu One Servers | Won't Fix | High | Lucio Torre | |
Bug Description
As I understand from the UbuntuOne design details, the S3 storage backend uses the same S3 key for all access. If this key were ever compromised, all customer data would be available to an attacker. One method to mitigate this danger would be to store some form of encryption key for each UbuntuOne user which would be used to encrypt the data stored in S3. If a user granted file access to other people, their key could still be used to fetch the decrypted data for their share.
Instead of having a single point of failure, it would mean that both the metadata server (with the encryption keys) and the backend systems (with the S3 key) would need to be compromised to experience a total breach of customer data.
| Change | Field | Old → New |
|---|---|---|
| visibility | | private → public |
| Changed in ubunet | importance | Undecided → High |
| Changed in ubuntuone-servers | status | Triaged → Won't Fix |
This is one part of bug 375289.
From my comment on that bug:
The Ubuntu One servers will encrypt each user's data with a key unique to that user, before storing it in Amazon's S3 service or any other scalable storage services we use. The point of this is that if there's a break-in to S3, there is no exposure of private data; and if one of the Ubuntu One storage API servers is compromised, there is a small exposure of private data, based on the users who were using that particular storage server at the time. It still means we need to keep the database of these encryption keys very very safe. We have facilities and procedures to do that in the Canonical data centre, and this gives us one database that we need to keep secure and monitor very carefully.
We'll be making this change right away.
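The split described in the report and the comment above (a per-user key database on the metadata side, a shared S3 credential on the backend side, ciphertext only in S3, and shares served with the owner's key) as an added, self-contained illustration. This is example code written for this page, not Ubuntu One's implementation; the component names `MetadataService`, `StorageBackend` and `StorageApiServer` and the scenario in `demo()` are assumptions. The cipher is a toy built from HMAC-SHA256 so the example runs on the standard library alone; a deployment would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305.

```python
import hashlib
import hmac
import secrets

# Added illustration, not Ubuntu One code; component names are assumptions.
# Toy encrypt-then-MAC cipher from HMAC-SHA256 so this runs on the stdlib only.
NONCE_LEN, TAG_LEN = 16, 32


def _subkey(user_key, label):
    # Derive independent encryption and MAC subkeys from one per-user key.
    return hmac.new(user_key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # Counter mode over a PRF: HMAC(nonce || counter) blocks, cut to length.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(user_key, plaintext):
    enc_key, mac_key = _subkey(user_key, b"enc"), _subkey(user_key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()  # MAC covers nonce+body
    return nonce + body + tag


def decrypt(user_key, blob):
    enc_key, mac_key = _subkey(user_key, b"enc"), _subkey(user_key, b"mac")
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered or wrong user key")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


class MetadataService:
    """Per-user key database plus share grants: the one store that must be guarded."""

    def __init__(self):
        self._keys, self._shares = {}, {}

    def key_for(self, user):
        return self._keys.setdefault(user, secrets.token_bytes(32))

    def grant(self, owner, path, grantee):
        self._shares.setdefault((owner, path), set()).add(grantee)

    def may_read(self, requester, owner, path):
        return requester == owner or requester in self._shares.get((owner, path), set())


class StorageBackend:
    """Stand-in for S3: one shared credential, and only ciphertext ever lands here."""

    def __init__(self, shared_s3_key):
        self._s3_key, self._objects = shared_s3_key, {}

    def put(self, s3_key, name, blob):
        if not hmac.compare_digest(s3_key, self._s3_key):
            raise PermissionError("bad S3 credential")
        self._objects[name] = blob

    def get(self, s3_key, name):
        if not hmac.compare_digest(s3_key, self._s3_key):
            raise PermissionError("bad S3 credential")
        return self._objects[name]

    def leak(self):
        # Everything someone holding only the shared S3 credential can read.
        return dict(self._objects)


class StorageApiServer:
    """Holds the S3 credential; touches a user's key only while serving that user."""

    def __init__(self, meta, backend, s3_key):
        self.meta, self.backend, self.s3_key = meta, backend, s3_key

    def upload(self, user, path, data):
        self.backend.put(self.s3_key, f"{user}/{path}", encrypt(self.meta.key_for(user), data))

    def download(self, requester, owner, path):
        if not self.meta.may_read(requester, owner, path):
            raise PermissionError("no share granted")
        blob = self.backend.get(self.s3_key, f"{owner}/{path}")
        return decrypt(self.meta.key_for(owner), blob)  # owner's key serves shares too


def demo():
    # Constructed scenario: alice stores a file, shares it with bob, S3 contents leak.
    s3_key = secrets.token_bytes(32)
    meta, backend = MetadataService(), StorageBackend(s3_key)
    api = StorageApiServer(meta, backend, s3_key)
    secret = b"alice's private notes"
    api.upload("alice", "notes.txt", secret)
    meta.grant("alice", "notes.txt", "bob")
    blob = backend.leak()["alice/notes.txt"]
    tampered = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 1]) + blob[NONCE_LEN + 1:]
    try:
        decrypt(meta.key_for("alice"), tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "owner_reads": api.download("alice", "alice", "notes.txt") == secret,
        "share_reads": api.download("bob", "alice", "notes.txt") == secret,
        "s3_leak_is_ciphertext": secret not in blob,
        "tamper_detected": tamper_detected,
    }
```

`demo()` shows the property the report is after: the leaked S3 object alone is useless without the owner's key held by `MetadataService`, a user granted a share reads through the owner's key rather than receiving a copy of it, and a modified object is rejected rather than silently decrypted. The residual risk the comment names is visible in `StorageApiServer`, which necessarily sees both the credential and the key of whichever user it is serving.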