(1) backend store (2) commandline app (3) passwords are always encrypted (4) gpg
- -u/--username fas username. Used for looking up gpg keyids and expanding groups
List the available passphrases
$ shared-secrets list root @sysadmin-main sigul-bridge @rel-eng transifex-ssh-agent @sysadmin-web,@sysadmin-main
This retrieves the list of services and the people that should have access to them. There is no encryption involved to see this.
- --date: show date of last passphrase modification (Note, includes refresh)
- --expandgroups: Expand groups into list of usernames. Will ask for fas password
Retrieve the secret
shared-secrets decrypt root GPG Password(or agent): iamnotapassword
This retrieves the encrypted passphrase. Decrypts the passphrase once it is on the local machine.
- Should this store in a file instead of printing to stdout?
Update the secret
shared-secrets chpass root New passphrase: Repeat new passphrase: Passphrase for root updated successfully
Retrieve the list of users who have access for root Retrieve the gpg public keys for the users who have access for root Verify the gpg public key matches the key fingerprint in fas Encrypt the passphrase for all of the users Send the encrypted passphrase to the server
Refresh the encryption on secrets
shared-secrets refresh [optional [list of people [and groups to refresh for]]] GPG Password(or agent): Refreshed for: root, transifex-ssh-agent Error: Could not refresh for: sigul-bridge
Retrieve list of secrets If we're changing for people, retrieve group information for each group listed in secrets Check people and groups against secrets For each secret where the people or groups have access to the secret, refresh the encryption on the group if you have access to the group. Upload the new secrets to the server. Report which groups succeeded and which failed.
user gets people with access on the failed groups to update
Create a new secret
shared-secrets createsecret fedorahosted @sysadmin-main
Upload to the server a secret for the first value with groups listed in the second value This will not overwrite an existing secret
Update access to a secret
shared-secrets setusers fedorahosted @sysadmin-main @sysadmin-hosted