From FedoraProject

< User:Toshio
Revision as of 18:02, 16 November 2010 by Toshio (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search



(1) backend store (2) commandline app (3) passwords are always encrypted (4) gpg


Global options

  • -u/--username fas username. Used for looking up gpg keyids and expanding groups

List the available passphrases

$ shared-secrets list

root   @sysadmin-main
sigul-bridge @rel-eng
transifex-ssh-agent @sysadmin-web,@sysadmin-main

This retrieves the list of services and the people that should have access to them. There is no encryption involved to see this.


  • --date: show date of last passphrase modification (Note, includes refresh)
  • --expandgroups: Expand groups into list of usernames. Will ask for fas password

Retrieve the secret

shared-secrets decrypt root
GPG Password(or agent):

This retrieves the encrypted passphrase. Decrypts the passphrase once it is on the local machine.

  • Should this store in a file instead of printing to stdout?

Update the secret

shared-secrets chpass root
New passphrase:
Repeat new passphrase:
Passphrase for root updated successfully

Retrieve the list of users who have access for root Retrieve the gpg public keys for the users who have access for root Verify the gpg public key matches the key fingerprint in fas Encrypt the passphrase for all of the users Send the encrypted passphrase to the server

Refresh the encryption on secrets


shared-secrets refresh [optional [list of people [and groups to refresh for]]]
GPG Password(or agent):

Refreshed for: root, transifex-ssh-agent
Error: Could not refresh for: sigul-bridge

Retrieve list of secrets If we're changing for people, retrieve group information for each group listed in secrets Check people and groups against secrets For each secret where the people or groups have access to the secret, refresh the encryption on the group if you have access to the group. Upload the new secrets to the server. Report which groups succeeded and which failed.

user gets people with access on the failed groups to update

Create a new secret

shared-secrets createsecret fedorahosted @sysadmin-main

Upload to the server a secret for the first value with groups listed in the second value This will not overwrite an existing secret

Update access to a secret

shared-secrets setusers fedorahosted @sysadmin-main @sysadmin-hosted