User:Toshio/Shared-secrets
From FedoraProject
Latest revision as of 18:18, 16 November 2010
== Elements ==
- central store
- commandline app
- passwords are always encrypted to the backend
- private key encryption
- audit trail
== Interface ==
=== Global options ===
- -u/--username: FAS username. Used for looking up GPG key IDs and expanding groups.
=== List the available passphrases ===
<pre>
$ shared-secrets list
root                   @sysadmin-main
sigul-bridge           @rel-eng
transifex-ssh-agent    @sysadmin-web,@sysadmin-main
</pre>
This retrieves the list of services and the people that should have access to them. There is no encryption involved to see this.
=== Options ===
- --date: show the date of the last passphrase modification (note: this includes refreshes)
- --expandgroups: expand groups into a list of usernames. Will ask for the FAS password.
=== Retrieve the secret ===
<pre>
shared-secrets decrypt root
GPG Password(or agent):
iamnotapassword
</pre>
This retrieves the encrypted passphrase. Decrypts the passphrase once it is on the local machine using the user's private key.
- Should this store in a file instead of printing to stdout?
=== Update the secret ===
<pre>
shared-secrets change-secret root
FAS passphrase:
New secret:
Repeat new secret:
Shared secret for root updated successfully
</pre>
- Retrieve the list of users who have access to root
- Retrieve the GPG public keys of those users
- Verify each GPG public key matches the key fingerprint recorded in FAS
- Encrypt the passphrase to each of those users' public keys
- Send the encrypted passphrase to the server
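The change-secret steps above, as an added example that is not part of this page or the shared-secrets tool: RSA-OAEP from Go's standard library stands in for GPG public-key encryption, the "fingerprint" is SHA-256 over the key modulus rather than a real GPG fingerprint, and the keyring and FAS records are constructed by the caller.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Keyring models what change-secret fetches: each user's retrieved public key
// and the key fingerprint FAS has on file for that user (both constructed here).
type Keyring struct {
	Keys map[string]*rsa.PublicKey
	FAS  map[string]string
}

// Fingerprint stands in for a GPG fingerprint: SHA-256 over the RSA modulus.
func Fingerprint(pub *rsa.PublicKey) string {
	sum := sha256.Sum256(pub.N.Bytes())
	return hex.EncodeToString(sum[:])
}

// EncryptForUsers produces one ciphertext per authorized user, encrypted to that
// user's own key. If any retrieved key fails the FAS fingerprint check the whole
// update is refused, so a substituted key never receives the secret.
func EncryptForUsers(kr Keyring, users []string, secret []byte) (map[string][]byte, error) {
	out := make(map[string][]byte, len(users))
	for _, u := range users {
		pub, ok := kr.Keys[u]
		if !ok {
			return nil, fmt.Errorf("no public key retrieved for %s", u)
		}
		if Fingerprint(pub) != kr.FAS[u] {
			return nil, fmt.Errorf("key for %s does not match the fingerprint in FAS", u)
		}
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
		if err != nil {
			return nil, err
		}
		out[u] = ct
	}
	return out, nil
}

// Decrypt is the `shared-secrets decrypt` step: only the private-key holder can read the copy.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}
```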
=== Refresh the encryption on secrets ===
{{admon/warning|Not for removing people|Use this for adding people. When removing people, change the passphrases}}
<pre>
shared-secrets refresh [optional [list of people [and groups to refresh for]]]
FAS passphrase:
Refreshed for: root, transifex-ssh-agent
Error: Could not refresh for: sigul-bridge
</pre>
- Retrieve the list of secrets
- If we're refreshing for people, retrieve group information for each group listed in the secrets' access lists
- Check the people and groups against the secrets
- For each secret that the given people or groups have access to, refresh the encryption on that secret if you have access to it
- Upload the new secrets to the server
- Report which secrets succeeded and which failed
The user then gets people who have access to the failed secrets to refresh them.
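The refresh selection logic above, as an added example that is not part of this page or the tool: it works out which secrets a refresh touches and which of them the caller can actually re-encrypt, reproducing the page's sample report (root and transifex-ssh-agent refreshed, sigul-bridge failed) from constructed group memberships. The re-encryption step itself is separate and not shown here.

```go
package main

import "sort"

// Access lists who may read each secret, as `shared-secrets list` shows it:
// secret name -> groups ("@rel-eng") and/or bare usernames.
type Access map[string][]string

// Groups maps a group name to its members, as expanded through FAS.
type Groups map[string][]string

// HasAccess reports whether name (a user or a group) is on acl, directly or via group membership.
func HasAccess(acl []string, groups Groups, name string) bool {
	for _, entry := range acl {
		if entry == name {
			return true
		}
		for _, m := range groups[entry] {
			if m == name {
				return true
			}
		}
	}
	return false
}

// PlanRefresh mirrors `shared-secrets refresh [people and groups]`: it picks the secrets
// whose access list mentions any target (every secret if no targets are given), then
// splits them into those the caller can re-encrypt and those the caller has no access
// to, which someone with access must refresh instead.
func PlanRefresh(secrets Access, groups Groups, caller string, targets []string) (ok, failed []string) {
	for name, acl := range secrets {
		selected := len(targets) == 0
		for _, t := range targets {
			selected = selected || HasAccess(acl, groups, t)
		}
		if !selected {
			continue
		}
		if HasAccess(acl, groups, caller) {
			ok = append(ok, name)
		} else {
			failed = append(failed, name)
		}
	}
	sort.Strings(ok) // deterministic report order
	sort.Strings(failed)
	return ok, failed
}
```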
=== Create a new secret ===
<pre>
shared-secrets create-secret fedorahosted @sysadmin-main
FAS passphrase:
New secret:
Repeat new secret:
</pre>
- Retrieve the list of users for the listed groups
- Encrypt the secret for all of those users
- Create the secret on the server
This will not overwrite an existing secret.
=== Update access to a secret ===
<pre>
shared-secrets set-users fedorahosted @sysadmin-main @sysadmin-hosted
FAS passphrase:
GPG Password(or agent):
</pre>
Changes the users who have access to this secret and refreshes the encryption on the password for the new set of users.

{{admon/warning|Also change-secret if removing users|If you remove a user, also change the passphrase. Just because they can't access this data anymore doesn't mean they don't remember the old passphrase or have a copy of the old data.}}