User:Toshio/Shared-secrets

From FedoraProject


Elements

  1. central store
  2. commandline app
  3. secrets are always encrypted by the client before they reach the backend; the server only ever holds ciphertext
  4. public-key (GPG) encryption: each secret is encrypted to the GPG public key of every user who should have access, and is decrypted locally with that user's private key
  5. audit trail

Interface

Global options

  • -u/--username FAS username. Used for looking up GPG key IDs and for expanding groups

List the available passphrases

$ shared-secrets list

root   @sysadmin-main
sigul-bridge @rel-eng
transifex-ssh-agent @sysadmin-web,@sysadmin-main

This retrieves the list of secrets and the users and groups that should have access to them. The listing is stored in the clear on the server, so no decryption (and no GPG key) is needed to see it.

options

  • --date: show the date of the last modification of each secret (note: a refresh also updates this date)
  • --expandgroups: expand groups into the list of usernames. Will ask for the FAS password

Retrieve the secret

shared-secrets decrypt root
GPG Password(or agent):
iamnotapassword

This fetches the encrypted passphrase from the server and decrypts it on the local machine with the user's GPG private key (or via gpg-agent). The server never sees the plaintext.

  • Should this store in a file instead of printing to stdout? Printing leaves the secret in terminal scrollback and, if the output is redirected, in whatever file it lands in.

Update the secret

shared-secrets change-secret root
FAS passphrase:
New secret:
Repeat new secret:
Shared secret for root updated successfully
  • Retrieve the list of users who have access to root
  • Retrieve the GPG public keys for those users
  • Verify that each public key's full fingerprint matches the fingerprint recorded in FAS (a key ID is not enough)
  • Encrypt the passphrase to all of those users' keys
  • Send the encrypted passphrase to the server
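The client-side part of the steps above (look up keys, verify against FAS, encrypt to every verified key) as an added example. This is not the shared-secrets tool's own code: the FAS lookup is replaced by a constructed in-memory table, the keyring listing is a constructed sample of gpg's `--with-colons` output, and the decision to refuse encryption when any user fails verification is this example's design choice. The second sample key shares the tail of mallory's recorded fingerprint but not the full value, which is what the full-fingerprint comparison catches.

```python
"""Client-side steps of `change-secret`: verify each user's GPG key against
the fingerprint FAS holds, then encrypt the new secret to every verified key.
Added example, not the shared-secrets tool's own code.  FAS is replaced by a
constructed in-memory table and the keyring listing by a constructed sample
of `gpg --with-colons --fingerprint --list-keys` output."""
import re
import subprocess

# Constructed stand-in for the FAS lookup: username -> fingerprint, written
# with grouping spaces as a UI would show it (hypothetical values).
FAS_FINGERPRINTS = {
    "toshio": "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567",
    "mallory": "DEAD BEEF DEAD BEEF DEAD  BEEF DEAD BEEF DEAD BEEF",
}

# Constructed keyring listing.  The second key's key ID matches the tail of
# mallory's FAS fingerprint, but the full fingerprint does not, so it must be
# rejected.  (Real 32-bit short key IDs can be generated to collide, which is
# why only the full fingerprint is ever compared.)
SAMPLE_GPG_COLONS = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:89ABCDEF01234567:1500000000::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1500000000::0000000000000000000000000000000000000000::toshio <toshio@example.org>::::::::::0:
sub:u:4096:1:1111111111111111:1500000000::::::e::::::23:
fpr:::::::::2222222222222222222222221111111111111111:
pub:-:2048:1:DEADBEEFDEADBEEF:1700000000::-:::scESC::::::23::0:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFDEADBEEFDEADBEEF:
uid:-::::1700000000::0000000000000000000000000000000000000000::mallory <mallory@example.org>::::::::::0:
"""

HEX40 = re.compile(r"^[0-9A-F]{40}$")


def normalize_fpr(fpr):
    """Drop whitespace and upper-case so FAS and gpg spellings compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


def fingerprint_matches(fas_fpr, key_fpr):
    """Accept a key only on an exact 40-hex-digit (160-bit) fingerprint match.
    A short key ID stored in FAS is rejected outright."""
    fas, key = normalize_fpr(fas_fpr), normalize_fpr(key_fpr)
    return bool(HEX40.match(fas)) and fas == key


def parse_primary_fingerprints(colons_output):
    """Parse `gpg --with-colons --fingerprint --list-keys` into
    {key id: fingerprint} for primary keys.  The fpr record right after a pub
    record is the primary key's; fpr records after sub records are subkeys."""
    fprs = {}
    pending = None
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            pending = f[4]          # field 5: long key ID
        elif f[0] == "fpr" and pending is not None:
            fprs[pending] = f[9]    # field 10: fingerprint
            pending = None
        elif f[0] == "sub":
            pending = None
    return fprs


def select_recipients(users, keyring_fprs):
    """Return (verified fingerprints, users whose key is missing or mismatched).
    A user is verified when some primary key in the keyring has exactly the
    fingerprint FAS records for that user."""
    verified, failed = [], []
    for user in users:
        fas_fpr = FAS_FINGERPRINTS.get(user)
        if fas_fpr and any(fingerprint_matches(fas_fpr, k)
                           for k in keyring_fprs.values()):
            verified.append(normalize_fpr(fas_fpr))
        else:
            failed.append(user)
    return verified, failed


def gpg_encrypt_argv(fingerprints):
    """gpg command that encrypts stdin to every listed key.  --trust-model
    always is justified only because every fingerprint was checked against
    FAS first; an unverified key never reaches this list."""
    argv = ["gpg", "--batch", "--yes", "--armor", "--encrypt",
            "--trust-model", "always"]
    for fpr in fingerprints:
        argv += ["--recipient", fpr]
    return argv


def encrypt_for_users(users, new_secret):
    """Full client flow: list the local keyring, verify, encrypt.  Refuses to
    produce ciphertext if any user fails verification, so a change-secret never
    silently drops someone from the access list (this example's choice).
    Calls gpg, so it is not exercised offline."""
    listing = subprocess.run(
        ["gpg", "--with-colons", "--fingerprint", "--list-keys"],
        capture_output=True, text=True, check=True).stdout
    verified, failed = select_recipients(users, parse_primary_fingerprints(listing))
    if failed:
        raise RuntimeError("key verification failed for: " + ", ".join(failed))
    return subprocess.run(gpg_encrypt_argv(verified), input=new_secret,
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    ok, bad = select_recipients(["toshio", "mallory"],
                                parse_primary_fingerprints(SAMPLE_GPG_COLONS))
    print("encrypt to:", ok)
    print("verification failed:", bad)
```

Run against the constructed listing, toshio is accepted and mallory is reported as failed; with a real keyring, `encrypt_for_users` would then hand the verified fingerprints to gpg and the armored ciphertext is what gets sent to the server.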

Refresh the encryption on secrets

Warning: not for removing people
Use this for adding people. When removing people, change the passphrase instead: a refresh only re-encrypts the same value to a new set of keys.
shared-secrets refresh [list of people and/or groups to refresh for]
FAS passphrase:

Refreshed for: root, transifex-ssh-agent
Error: Could not refresh for: sigul-bridge
  • Retrieve the list of secrets
  • If refreshing for specific people or groups, retrieve the group membership for each group listed in the secrets' access lists
  • Check the given people and groups against each secret's access list
  • For each secret that those people or groups have access to, refresh the encryption if you have access to the secret yourself (you can only re-encrypt what you can decrypt)
  • Upload the re-encrypted secrets to the server
  • Report which secrets succeeded and which failed

For the secrets that failed, the user asks someone who has access to them to run the refresh.


Create a new secret

shared-secrets create-secret fedorahosted @sysadmin-main
FAS passphrase:
New secret:
Repeat new secret:
  • Retrieve the list of users in the listed groups
  • Encrypt the secret to all of those users' keys
  • Create the secret on the server

This will not overwrite an existing secret.

Update access to a secret

shared-secrets set-users fedorahosted @sysadmin-main @sysadmin-hosted
FAS passphrase:
GPG Password(or agent):

Changes the users and groups who have access to this secret and refreshes the encryption on the passphrase, i.e. re-encrypts the current value to the new set of keys.

Warning: also change-secret if removing users
If you remove a user, also change the passphrase. Revoking their access to the stored ciphertext does nothing about the fact that they may remember the old passphrase or have kept a decrypted copy of it.
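The access-list logic behind refresh and set-users, as an added example covering both the refresh procedure above and the set-users warning here. This is not the shared-secrets tool's own code: group membership and the secret list are constructed data modelled on the `shared-secrets list` output on this page, and the rule that removing anyone forces a new secret value is this example's way of enforcing the warning in code rather than in documentation.

```python
"""ACL handling for `refresh` and `set-users`: expand groups, decide which
secrets the caller can re-encrypt, and refuse to re-encrypt an unchanged
secret when someone is being removed.  Added example, not the shared-secrets
tool's own code; all data below is constructed."""

# Constructed FAS group membership (the real tool would fetch this from FAS
# with the caller's FAS password).
GROUPS = {
    "sysadmin-main": {"toshio", "alice"},
    "rel-eng": {"bob"},
    "sysadmin-web": {"carol"},
    "sysadmin-hosted": {"dave"},
}

# Constructed secret -> access list, as `shared-secrets list` shows it.
SECRETS = {
    "root": ["@sysadmin-main"],
    "sigul-bridge": ["@rel-eng"],
    "transifex-ssh-agent": ["@sysadmin-web", "@sysadmin-main"],
}


def expand(principals, groups):
    """Turn a mix of usernames and @group names into the set of usernames."""
    users = set()
    for p in principals:
        if p.startswith("@"):
            if p[1:] not in groups:
                raise ValueError("unknown group " + p)
            users |= groups[p[1:]]
        else:
            users.add(p)
    return users


def refresh_plan(secrets, targets, groups, me):
    """Which secrets `me` can refresh.  With targets given, only secrets that
    some target user can read are considered.  A secret is refreshed when the
    caller can decrypt it; otherwise it is reported as failed so that someone
    with access can be asked to do it.  Returns (refreshed, failed)."""
    target_users = expand(targets, groups) if targets else None
    refreshed, failed = [], []
    for name, acl in secrets.items():
        readers = expand(acl, groups)
        if target_users is not None and not (readers & target_users):
            continue
        (refreshed if me in readers else failed).append(name)
    return refreshed, failed


def set_users_plan(old_acl, new_acl, groups):
    """Diff two access lists.  Adding people only needs a refresh (re-encrypt
    the same plaintext to the larger key set); removing anyone needs
    change-secret, because the removed user may remember the old value."""
    old_users, new_users = expand(old_acl, groups), expand(new_acl, groups)
    removed = old_users - new_users
    return {
        "added": new_users - old_users,
        "removed": removed,
        "recipients": new_users,
        "action": "change-secret" if removed else "refresh",
    }


def secret_to_encrypt(plan, old_secret, new_secret=None):
    """Enforce the warning: if anyone is removed, a genuinely new secret must
    be supplied; the old plaintext is never re-encrypted for the reduced set."""
    if plan["action"] == "change-secret":
        if new_secret is None or new_secret == old_secret:
            raise ValueError("users removed (%s): supply a new secret"
                             % ", ".join(sorted(plan["removed"])))
        return new_secret
    return old_secret


if __name__ == "__main__":
    # Reproduces the refresh report on this page for a caller in sysadmin-main.
    print(refresh_plan(SECRETS, [], GROUPS, "toshio"))
    print(set_users_plan(["@sysadmin-main"],
                         ["@sysadmin-main", "@sysadmin-hosted"], GROUPS))
```

For a caller in sysadmin-main, `refresh_plan` reproduces the report shown above: root and transifex-ssh-agent refresh, sigul-bridge fails because the caller cannot decrypt it. Adding @sysadmin-hosted to a secret yields a plain refresh, while dropping @sysadmin-main makes `secret_to_encrypt` refuse until a different value is supplied.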