019-wallet-backup-merge.rst (9649B)
1 DD 19: Wallet Backup Merging 2 ############################ 3 4 Summary 5 ======= 6 7 This design doc discusses considerations for merging wallet backups. 8 9 10 Motivation 11 ========== 12 13 The wallet backup functionality is meant to be used primarily with one device 14 per backup account. Multiple devices sharing one backup account is heavily 15 discouraged, as it can lead to unexpected and unwanted user experiences, such 16 as money suddenly vanishing when it has been spent by another device 17 that shares the same backup account. 18 19 However, there are some situations where more than one device 20 accesses the same backup account. This happens when: 21 22 1. A wallet backup is restored on a new device, but the 23 old device is still active. In this scenario, the devices 24 have different device IDs, but share the same wallet root 25 public key. 26 2. An old wallet backup is taken over by an existing wallet. 27 In this scenario, the devices have different devices IDs and 28 different wallet root public keys. 29 ### CG: This is not exactly more than one device accessing the same backup account! 30 ### CG: Maybe formulate intro differently, to talk about key scenarios that deserve consideration / need to be distinguished? 31 3. A wallet device is copied, for example by restoring the whole 32 device from a device-level backup (not a wallet backup!). 33 In this scenario, the devices have the same device ID 34 and the same wallet root public key. 35 36 37 Requirements 38 ============ 39 40 The backup merging must ensure that: 41 42 * No data that the user wants to keep is lost. 43 * No data resurfaces that the user has previously intentionally deleted. 44 * Conflicts should be resolved automatically wherever possible. 45 * The solution tolerates system clocks not being monotonic. 46 47 48 Proposed Solution 49 ================= 50 51 Stored Information 52 ------------------ 53 54 * Every wallet keeps track of the following data: 55 56 * The current version number (positive integer) 57 * The current wallet root public key (Ed25519 public key) 58 ### CG: public key? Not the private key? What is the private information the wallet usually keeps? 59 * The current device ID (human-readable string) 60 * The status of every backup service account (not defined further here) 61 * The last system time observed on the current device (by device ID). 62 63 * A backup blob stores the following information relevant for backup merging: 64 65 * The backup's version number, equal to the version number of 66 the wallet when the backup was uploaded. 67 * The wallet root public key of the wallet that **owns** the backup account 68 * The device ID of the wallet that **owns** the backup account. 69 70 * Every record and tombstone in the wallet's database and the backup blob keeps 71 track of: 72 73 * The version number at which the entry was created. 74 * A timestamp for the entry, based on enforced monotonic time (per device ID). 75 76 The version number is incremented with every operation that adds an record or 77 tombstone to the wallet's database. 78 ### CG: operation or transaction? I would prefer transaction here. 79 80 81 Resolving Conflicts 82 ------------------- 83 84 This section describes how conflicts are resolved when a wallet (with ``wallet_version``, ``wallet_device_id`` 85 and ``wallet_root_pub``) is merged with a backup (with ``backup_version``, ``backup_device_id``, and 86 ``backup_root_pub``). 87 ### CG: The term 'merged' is something I do not like. Is this during 'backup', 'restore', or 'sync'? 88 ### I suspect these cases need to be distinguished, because the user asking for a 'restore' is 89 ### not creating the same situation than a wallet 'sync'ing during an automated backup, and 90 ### that may again differ from an _initial_ backup (where I guess there are no conflicts, but 91 ### to improve understanding 92 93 * If ``wallet_root_pub != backup_root_pub``: The user is shown a warning "the backup 94 account was written to by another wallet and can't be read by this wallet", and offered a dialog to either: 95 96 a. "Take over" the backup account and migrate it to the existing wallet root public key. 97 A clear warning must be shown that this will kick out the other device currently connected 98 to this account **and** will cause all data from the backup account to be lost. 99 ### CG: Do we even want to allow this? How _can_ this happen exactly? What is the relationship between backup account and root key? 100 ### CG: The private account key is derived from the root public key; 101 ### I do not see us saying anywhere that we would even support 102 ### extracting/exchanging account keys. Hence, I think this basically 103 ### cannot happen: to access the backup, I already must know the root private key. 104 b. Remove the backup account from the list. 105 106 Note that when first adding the backup account via a recovery code, there is a third option: 107 Migrate wallet to the account's wallet root public key. This is **only** possible when 108 scanning the recovery code, as the wallet needs the wallet root secret key to migrate 109 to the account. 110 ### CG: I think this should be the only thing that can possibly happen, by UI/UX. 111 ### Of course _theroretically_ someone could extract ONLY an account-priv and 112 ### use that to download the backup, but then they should just not be able to 113 ### decrypt it. End of story. 114 115 * If ``wallet_root_pub == backup_root_pub`` and ``wallet_device_id != backup_device_id``: The 116 user is shown a warning "two wallet devices are using the same backup account", and given 117 the option of: 118 119 a. Taking over the backup account from the existing device. This will not cause data loss, 120 but the other device (if it still exists!) will stop syncing. 121 b. To "abandon" the current wallet. This (optional, but recommended) will sync the current wallet state 122 with a special marker in the backup blob (so the other wallet continues syncing without 123 having to ask the user), and then delete the database contends and create a new ``wallet_root_pub``. 124 ### CG: I do not think we can 'recommend' option b, because we do not know if the other 125 ### device still exists. So the UI should be neutral here between the two equally valid choices. 126 127 * If ``wallet_root_pub == backup_root_pub`` and ``wallet_device_id == backup_device_id``: 128 129 * If ``wallet_version > backup_version``, do a normal backup 130 cycle (merge backup blob into wallet and upload a new backup). 131 ### CG: We should note that the motivation for a merge arises 132 ### from the 3rd scenario under Motivation: full device backup&recovery. 133 134 * If ``wallet_version <= backup_version``, another wallet with the same 135 root public key must have "tampered" 136 with the wallet's state. Do a normal backup cycle, but consider displaying 137 a warning/notification to the user. 138 ### CG: I think there is no point in distinguishing these two cases; 139 ### in both cases, if the merge is non-trivial, something odd happened. 140 ### Still, I am not sure that a warning/notification is helpful, as 141 ### it is hardly actionable for the user. 142 143 144 Garbage-collecting Tombstones 145 ----------------------------- 146 147 Tombstones should be automatically garbage-collected when the following criteria 148 are both fulfilled: 149 150 * The versions of active backup accounts are all larger than 151 the tombstone's version, and 152 * the tombstone exceeded a threshold age (say, 3 days). 153 154 ### CG: I backup at providers A and B. Make transaction T. Then I remove 155 ### provider A from my provider list. I then delete T. Eventually, I backup 156 ### again at provider B without the expired tombstone. Finally, 157 ### I restore from provider A, and then merge with provider B. 158 ### Here, the 'merge' has to be somehow smart enough to drop 159 ### the deleted data from provider A's backup without the tombstone. 160 ### I think we can safely decide that this is the case because 161 ### backup from A says that it was---at the time---synced with provider B. 162 ### However, this means that we do need to additionally retain the 163 ### historic chain of backup providers and their last merge points/versions! 164 165 166 Q / A 167 ===== 168 169 * Q: Why are version numbers and tombstones necessary in backups? 170 171 * A: When syncing with a backup server that still has an old version 172 (but same device ID and wallet root pub), the tombstones ensure 173 that no old data is re-surfaced that has been deleted in later 174 versions. This can happen in practice even with only one device, 175 namely when a backup provider is unavailable for a long time, 176 but then becomes available again. 177 178 * Q: Why are tombstones only GCed after exceeding an age threshold? 179 180 * A: If we deleted them immediately, this might cause data to resurface 181 if a user temporarily removes and adds a backup account (say by accident) 182 that hasn't been synced in a while. 183 ### CG: See above: the timeout does IMO not help here. 184 ### I think we need to track removed backup accounts 185 ### and the last version that was synced there, 186 ### and then basically determine if a sync/merge-chain exists 187 ### from the (possibly resurfaced) transaction version to 188 ### the current wallet version! 189 190 * Q: Why doesn't the wallet root public key get rotated every time 191 that a wallet backup is restored on a new device? 192 193 * A: Because that would mean that old "paper backups" and Anastasis 194 backups stop working, because they are based on the wallet root key. 195 196 * Q: Why can't the wallet obtain some unique devices identifier to exclude 197 case 3 (same device ID, same wallet root pub)? 198 199 * A: Because we don't have a reliable API for this on many platforms. 200 Even if we had one, we shouldn't rely on it.