Comments on: Note about changing your AWS Secret Key http://blog.jungledisk.com/2007/09/04/note-about-changing-your-aws-secret-key/ Reliable online storage powered by Amazon S3 Sat, 22 Nov 2008 04:56:34 +0000 http://wordpress.org/?v=2.3.1 By: Jungle Disk » Blog Archive » Encryption changes coming in Jungle Disk 1.46 http://blog.jungledisk.com/2007/09/04/note-about-changing-your-aws-secret-key/#comment-226 Jungle Disk » Blog Archive » Encryption changes coming in Jungle Disk 1.46 Tue, 06 Nov 2007 22:21:25 +0000 http://blog.jungledisk.com/2007/09/04/note-about-changing-your-aws-secret-key/#comment-226 [...] don’t realize that their AWS Secret Key is also their encryption key. We’ve posted a reminder in several places about this issue, but we can’t ensure that users will keep their old key [...] […] don’t realize that their AWS Secret Key is also their encryption key. We’ve posted a reminder in several places about this issue, but we can’t ensure that users will keep their old key […]

]]> By: Shlep http://blog.jungledisk.com/2007/09/04/note-about-changing-your-aws-secret-key/#comment-194 Shlep Thu, 06 Sep 2007 00:57:09 +0000 http://blog.jungledisk.com/2007/09/04/note-about-changing-your-aws-secret-key/#comment-194 I contacted Amazon and posted on their developer message boards and was told numerous times that the keys were unrecoverable. That may have changed over the last 6 months, but like Dave said, don't rely on it. I contacted Amazon and posted on their developer message boards and was told numerous times that the keys were unrecoverable. That may have changed over the last 6 months, but like Dave said, don’t rely on it.

]]> By: Jungle Dave http://blog.jungledisk.com/2007/09/04/note-about-changing-your-aws-secret-key/#comment-196 Jungle Dave Tue, 04 Sep 2007 21:50:03 +0000 http://blog.jungledisk.com/2007/09/04/note-about-changing-your-aws-secret-key/#comment-196 For anyone else who happens to run into this situation, note that Amazon apparently keeps a record of your previous keys, and you can obtain them from their support if needed. However I don't recommend relying on this - you should always keep a record of your previous key when changing. For anyone else who happens to run into this situation, note that Amazon apparently keeps a record of your previous keys, and you can obtain them from their support if needed. However I don’t recommend relying on this - you should always keep a record of your previous key when changing.

]]> By: Shlep http://blog.jungledisk.com/2007/09/04/note-about-changing-your-aws-secret-key/#comment-195 Shlep Tue, 04 Sep 2007 21:46:46 +0000 http://blog.jungledisk.com/2007/09/04/note-about-changing-your-aws-secret-key/#comment-195 Yeah, this little bit of wisdom killed me a couple of months ago. I was still a noob with JD and S3. I somehow ended up with some spyware on my system (keylogger), so I decided to change all of my passwords and I suddenly couldn't access my stuff on S3. Fortunately I still had a copy of all of the data there, but it took me a few days to re-upload 60 GB of data. I don't blame anyone at JD or S3, it was my fault, but it would have been nice to have the keys stored automagically. Keep up the great work with JD. I'm spreading the word as much as I can. Yeah, this little bit of wisdom killed me a couple of months ago. I was still a noob with JD and S3. I somehow ended up with some spyware on my system (keylogger), so I decided to change all of my passwords and I suddenly couldn’t access my stuff on S3. Fortunately I still had a copy of all of the data there, but it took me a few days to re-upload 60 GB of data. I don’t blame anyone at JD or S3, it was my fault, but it would have been nice to have the keys stored automagically.

Keep up the great work with JD. I’m spreading the word as much as I can.

]]> By: Jungle Dave http://blog.jungledisk.com/2007/09/04/note-about-changing-your-aws-secret-key/#comment-193 Jungle Dave Tue, 04 Sep 2007 18:14:39 +0000 http://blog.jungledisk.com/2007/09/04/note-about-changing-your-aws-secret-key/#comment-193 We can add it to the previous list automatically, however it's important for users to know they need to keep the key somewhere safe. For example, if they re-install they will need to add the key back to the list. We can add it to the previous list automatically, however it’s important for users to know they need to keep the key somewhere safe. For example, if they re-install they will need to add the key back to the list.

]]> By: MikeB http://blog.jungledisk.com/2007/09/04/note-about-changing-your-aws-secret-key/#comment-192 MikeB Tue, 04 Sep 2007 18:12:49 +0000 http://blog.jungledisk.com/2007/09/04/note-about-changing-your-aws-secret-key/#comment-192 You might consider having JD automatically add the AWS Secret Key to the list of 'previous' encryption keys so that if a user changes the AWS key they won't run into this problem. In fact, this might be a good idea for JD to do for any encryption key - automatically add it to the list, then let the user manually remove them when they feel it's safe to do so. Also, is there a way to determine if it's safe to remove previous encryption keys (ie., when there are no longer any files encrypted with that key in the JD S3 bucket?) I don't know if there are other security considerations that I'm overlooking on this - this is just off the top of my head. You might consider having JD automatically add the AWS Secret Key to the list of ‘previous’ encryption keys so that if a user changes the AWS key they won’t run into this problem.

In fact, this might be a good idea for JD to do for any encryption key - automatically add it to the list, then let the user manually remove them when they feel it’s safe to do so.

Also, is there a way to determine if it’s safe to remove previous encryption keys (ie., when there are no longer any files encrypted with that key in the JD S3 bucket?)

I don’t know if there are other security considerations that I’m overlooking on this - this is just off the top of my head.

]]>