"""
Walk the index, extracting objects in disaster mode. Bad files are
reported along with a reason.
+
+ *Security considerations*: In *recovery mode* the headers of encrypted
+ objects are assumed damaged and GCM tags are not validated so
+ modification of cryptographically relevant parts of the header (more
+ specifically, the initalization vectors) can no longer be detected. If
+ an attacker can manipulate the encrypted backup set and has access to
+ the plaintext of some of the contents, they may be able to obtain the
+ plaintext of other encrypted objects by injecting initialization
+ vectors. For this reason *recovery mode* should only be used to
+ emergency situations and the contents of the resulting files should be
+ validated manually if possible and not be disclosed to untrusted
+ parties.
"""
return self.restore_backup(target_path,
backup_indexes_paths=backup_indexes_paths,
More aggressive “unfsck” mode: do not rely on the index data as the
files may be corrupt; skim files for header-like information and
attempt to retrieve the data.
+
+ *Security considerations*: As with *recovery mode*, in *rescue mode*
+ the headers of encrypted objects are assumed damaged and GCM tags are
+ not validated so modification of cryptographically relevant parts of
+ the header (more specifically, the initalization vectors) can no longer
+ be detected. If an attacker can manipulate the encrypted backup set and
+ has access to the plaintext of some of the contents, they may be able
+ to obtain the plaintext of other encrypted objects by injecting
+ initialization vectors. For this reason *rescue mode* should only be
+ used to emergency situations and the contents of the resulting files
+ should be validated manually if possible and not be disclosed to
+ untrusted parties.
"""
def gen_volume_name (nvol):
return os.path.join (os.path.dirname (backup_tar_path),