QRecallDownloadIdentity KeysForumsSupport
  [Search] Search   [Recent Topics] Recent Topics   [Hottest Topics] Hottest Topics   [Groups] Back to home page 
Password protected encrypted archive tasks will not run  XML
Forum Index » Beta Version
Author Message
Jeff V



Joined: 15-Dec-15 00:14
Messages: 2
Offline

Using the Capture Assistant, I created a schedule for my home folder to be backed up. But before I had the Capture action run, I installed an encryption key that was password protected and also created a recovery key. I made sure that the "Store password on keychain" option was checked. Then I attempted to run the initial Capture of my data, but repeatedly get the error "A password is required to access this archive". I have double checked, and there is an encryption key file in the "~/Library/Application Support/QRecall/Keys" folder and a password for this archive in my "login" keychain on my Mac, and that keychain is definitely unlocked. I am not even given an option to manually enter the password. I looked through all the beta documentation referring to encryption, and it seemed like I followed the steps correctly. What am I doing wrong?

I am on beta (2.0.0.26)

This message was edited 1 time. Last update was at 15-Dec-15 01:25

James Bucanek



Joined: 14-Feb-07 10:05
Messages: 1473
Offline

Jeff,

In all likelihood, this is a bug. There have been a number of recent changes in how passwords are handled/obtained, and I wouldn't at all be surprised if something fell through the cracks.

Please send a diagnostic report; open the QRecall application and choose Help > Send Report. This will contain a lot of low-leve information that will help me diagnose the problem.


- QRecall Development -
[Email]
James Bucanek



Joined: 14-Feb-07 10:05
Messages: 1473
Offline

Jeff,

This is turning out the be quite the mystery.

It looks like QRecall is doing everything right, but it's still not working. I've posted the problem in the Apple developers forum in hopes of discovering a solution.

Here's what's happening. When you add a password to the keychain, it's stored there along with a list of applications that are allowed to freely access it. This list includes the QRecall application and the QRecallHelper process.

When the QRecall application asks for the password, it gets it. That's why you can open the archive in a browser window.

Most other actions, like capture, are performed by the QRecallHelper process. When it asks for the password, the keychain says no such record exists. That's why your capture (and most everything else you try) won't run.

If you open the keychain record for your archive encryption password, you'll see that both QRecall and QRecallHelper are both listed as trusted apps, but for some reason it's not working. (I suspect one of the recent security updates, but it's too soon to tell).

For now, I suggest removing the password and storying your encryption key in plain text. Not quite as secure, but your archive data will still be encrypted.

- QRecall Development -
[Email]
Jeff V



Joined: 15-Dec-15 00:14
Messages: 2
Offline

Ok, that makes sense. It seemed to me that QRecall was doing its job correctly, but I couldn't figure out why everything wasn't working the way it should've been. Thanks for the helpful responses!
James Bucanek



Joined: 14-Feb-07 10:05
Messages: 1473
Offline

Well, that was four days I really wish I could have back.

Regardless, I now have a solution to the keychain access problem for privileged actions (specifically, capture). It turns out there's some tricky issues with running code outside the user's login session that prevents it from accessing the user's security information—as it should.

The problem was, this is one of those situations where an outside process really did need to access your user's private information and the OS X security framework was, naturally, not inclined to make this easy.

The fix for this problem will appear in the next release.

- QRecall Development -
[Email]
Jeffrey Fort



Joined: 20-Oct-16 06:48
Messages: 4
Offline

I have an "encryption key password" and a "recovery key." I am trying to learn how this program works so that when I really need to restore a file I can do it. When I try to restore I get a notice that I need a password. Which of the two is it looking for and how/where do I put it in? I don't see such a dialog box or the like.

Findlay, Ohio
[Email] [WWW]
James Bucanek



Joined: 14-Feb-07 10:05
Messages: 1473
Offline

Jeffrey Fort wrote:I have an "encryption key password" and a "recovery key."

An "encryption key" is the cryptographic key used to encrypt, and decrypt, the data in your archive. It is stored in a "key file" in your home directory.

An "encryption key password" is a way of protecting that key file from unwanted agents by encrypting the file with a password.

If you've encrypted your key file with a password, QRecall will need you to supply that password every time it opens the archive. You can enter it manually when browsing the archive. For actions to run automatically, it will require that you store the password on your keychain.

When I try to restore I get a notice that I need a password.

That's a tough one. If you get this dialog when you open the archive, it's probably asking for the encryption key password (see above). Or it might be asking for your recovery key passphrase (see below). But if it's telling you that it needs to perform privileged operations, then it's asking for your administration account password. To avoid that in the future, go to QRecall > Preferences > Authorization and pre-authorize QRecall to use administrative privileges.

A "recovery key" is a backup of your key file stored in the archive itself, and protected with a passphrase. This is independent of your encryption key password (if any). It's basically a protected backup of your encryption key file and is only needed if you've lost your key file. (Without your encryption key file, your archive is unusable.)

For example, if you lose your startup volume and need to restore from scratch, you would start by installing a fresh copy of macOS. But that fresh copy of macOS doesn't have your encryption key file, so QRecall can't open up your archive and restore your hard drive.

That's where the "recovery key" comes into play. When you open the archive, QRecall will prompt you for the recovery key passphrase. Enter it, and it will restore the encryption key file from the secure backup copy stored in the archive. Once the encryption key file has been recovered, QRecall can then open the archive and retrieve your files.

For a explanation of how all of this works, see QRecall > QRecall Help > Guide > Advanced > Encryption. The section "Do not lose your encryption key!" is highly recommended reading.

- QRecall Development -
[Email]
Jeffrey Fort



Joined: 20-Oct-16 06:48
Messages: 4
Offline

You said: When you open the archive, QRecall will prompt you for the recovery key passphrase. Enter it, and it will restore the encryption key file from the secure backup copy stored in the archive. Once the encryption key file has been recovered, QRecall can then open the archive and retrieve your files.

I don't get that prompt. The archive appears to be open and I select a file in it. Then I select "restore" from the top. I looks like it is restoring but then it stops and says I need a password, but there is no place to type it in.

QRecall.pdf

Findlay, Ohio
[Email] [WWW]
James Bucanek



Joined: 14-Feb-07 10:05
Messages: 1473
Offline

Jeffery,

Send a diagnostic report (QRecall > Help > Send Report...) and we'll investigate further.

- QRecall Development -
[Email]
 
Forum Index » Beta Version
Go to:   
Powered by JForum 2.1.8 © JForum Team