
Password useless for Personal FTP Repository Backed up ZIP files!

Commander

If I go into the Backup Manager, then click the "Personal FTP Repository", then click "Personal FTP Repository Settings", at the bottom it asks for a password and says how important it is to use a password.

So, I specify a password, then successfully do a backup to a remote FTP site.

But when I examine the backup.zip file at the remote FTP site, it is a plain ZIP file that you can open without any password!!!

How is this secure, what's the point of asking us to specify a password when it's not used to password lock the backed up ZIP file???
 
This feature means that the content of the backup will be encrypted, not that the backup will be protected by a password.
The password will be requested when restoring this encrypted backup content.
 
That doesn't seem to be correct - I just checked and I am able to unzip any file in the generated ZIP file without having to provide any password and the contents of the extracted file are not encrypted.
 
Have you checked the passwords in the zip files, for example? Not all backup content is encrypted, only critical data such as passwords, logins, etc.
 
What would be a name of a file that should definitely be encrypted? (I don't see any file named "passwords" in the zip)
 
"Passwords" is not a filename. A password is a word or string of characters used for user authentication to prove identity or access approval to gain access to a resource (for example, an access code is a type of password), which should be kept secret from those not allowed access.
For password protected backups we encrypt passwords, settings of APS, DNS, etc.
 
Understood. But I would feel much more comfortable seeing a file that is actually encrypted, so it would be greatly appreciated if you could indicate at least one file that should be encrypted in my backups so I can confirm it is working as designed.

Also, if I alternatively selected "server settings AND CONTENT", then that would mean that potentially sensitive info (access.mdb's, pdf documents, ect) would be saved in the generated ZIP backup file and NOT be encrypted - so anyone that gains access to the remote FTP backup file would be able to access such confidential files. So, it would be GREATLY appreciated if you could offer the option to additionally password protect the generated ZIP backup file so this wouldn't be possible.
 
Like I said, I would feel more comfortable seeing an encrypted file for myself - so please tell me which file(s) in the backup are encrypted so I can confirm it is working correctly?
 
In your archive you can open xml file like backup_*_info_*.xml and check passwords there. They will be encrypted.
 
Well ... it explains how Plesk works, however I still strongly believe this is a security fault.


Let's assume for a second that a WordPress/SugarCRM/ZurmoCRM/OrangeHRM/Alfresco installation is kept among the backed up files ... these applications will have wp-config.php, settings.php, databases.php files that store passwords for the databases or other services (cloud storage credentials) on the VM.


So, to be honest, I cannot see much sense in encrypting only some passwords or other sensitive content while doing a backup and leaving out other core content.


Taken from the Plesk backup manager:

"For security reasons, we recommend that you protect sensitive data contained in backups with a password. This particularly concerns passwords included into backups. Such protection makes it impossible for an attacker to obtain your data when the security of your backup storage is compromised." --- So I went ahead and ticked the relevant box and typed my strong password


Taken from the admin guide:

Plesk's encryption key. By default, all backups created in Plesk are encrypted with an internal key

The above sentences give a false sense of security and may even be perceived as misleading (they most certainly misled me).

Having said that, it's obvious to me that Odin decides Plesk's development route, but it's just my 2 cents.

(OP: maybe you would like to join both threads)

Regards
Ric
 
I couldn't agree more.

What's even stranger is that Plesk already has the software routine that does the zipping of files to make the backups, and that SAME routine could easily password lock the same zip file with just a few extra lines of code. So, why on earth Odin would not implement this VERY simple but VERY effective feature is beyond my comprehension.
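
One way to check for yourself what the thread is arguing about (which entries of a backup archive are ZIP-password protected, and whether application config files such as wp-config.php travel in cleartext) is to audit the archive rather than trust the settings page. This is an added example, not code from the thread or from Plesk; the sample archive and its XML markup are constructed in memory so it runs offline.

```python
"""Audit a backup ZIP: which entries are ZIP-encrypted, which carry cleartext credentials."""
import io
import re
import zipfile

# Config files the thread names as holding database / service credentials.
SENSITIVE_NAMES = ("wp-config.php", "settings.php", "databases.php", "database.php")
# Assignments like define('DB_PASSWORD', 'x'), 'password' => 'x', $password = 'x'.
CLEARTEXT_CRED = re.compile(r"password['\"]?\s*(?:=>|[,=:])\s*['\"][^'\"]+['\"]", re.I)


def build_sample_backup() -> bytes:
    """Constructed sample archive: info XML plus one site's files, no ZIP password."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Name follows the backup_*_info_*.xml pattern from the thread; markup is hypothetical.
        zf.writestr("backup_example_info_1501010000.xml",
                    '<backup><user login="admin"><password>[encrypted-blob]</password></user></backup>')
        zf.writestr("domains/example.com/httpdocs/wp-config.php",
                    "<?php\ndefine('DB_PASSWORD', 'S3cretPass');\n")
        zf.writestr("domains/example.com/httpdocs/index.php", "<?php echo 'hi';\n")
    return buf.getvalue()


def audit_backup(data: bytes) -> dict:
    """Return, per entry, the ZIP-level encryption flag and whether credentials are readable."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # General-purpose bit 0 is set only when the entry itself is password protected.
            zip_encrypted = bool(info.flag_bits & 0x1)
            sensitive = info.filename.rsplit("/", 1)[-1] in SENSITIVE_NAMES
            cleartext = False
            if sensitive and not zip_encrypted:
                text = zf.read(info).decode("utf-8", "replace")
                cleartext = CLEARTEXT_CRED.search(text) is not None
            findings[info.filename] = {"zip_encrypted": zip_encrypted,
                                       "sensitive": sensitive,
                                       "cleartext_credentials": cleartext}
    return findings


def exposed_entries(findings: dict) -> list:
    """Entries an attacker with the archive could read credentials from directly."""
    return sorted(n for n, f in findings.items() if f["cleartext_credentials"])


if __name__ == "__main__":
    result = audit_backup(build_sample_backup())
    for name, f in result.items():
        print(f"{name}: zip_encrypted={f['zip_encrypted']} cleartext_credentials={f['cleartext_credentials']}")
    print("exposed:", exposed_entries(result))
```

Run it against a real backup.zip by replacing `build_sample_backup()` with the file's bytes; any entry listed under "exposed" is exactly the case the posts above describe.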
 