From Fedora Project Wiki
Elements
- central store
- commandline app
- passwords are always encrypted before they reach the backend; the central store holds only ciphertext and never sees a plaintext secret
- public-key (GPG) encryption: each secret is encrypted to the key of every user who should have access and decrypted with that user's private key on their own machine
- audit trail
Interface
Global options
- -u/--username: FAS username. Used for looking up GPG key IDs and expanding groups.
List the available passphrases
 $ shared-secrets list
 root                 @sysadmin-main
 sigul-bridge         @rel-eng
 transifex-ssh-agent  @sysadmin-web,@sysadmin-main
This retrieves the list of secrets (services) and the people and groups that should have access to them. The access lists are not encrypted, so no GPG key is needed to see this.
options
- --date: show the date of the last passphrase modification (note: a refresh counts as a modification)
- --expandgroups: expand groups into the list of usernames. Asks for the FAS password.
Retrieve the secret
 $ shared-secrets decrypt root
 GPG Password(or agent):
 iamnotapassword
This retrieves the encrypted passphrase from the server and decrypts it on the local machine using the user's private key; the server never sees the plaintext.
- Should this store in a file instead of printing to stdout?
Update the secret
 $ shared-secrets change-secret root
 FAS passphrase:
 New secret:
 Repeat new secret:
 Shared secret for root updated successfully
- Retrieve the list of users who have access to root (expanding any groups, which is why the FAS passphrase is needed)
- Retrieve the GPG public keys of those users
- Verify that each public key's fingerprint matches the fingerprint recorded in FAS, so the secret is never encrypted to a key FAS does not vouch for
- Encrypt the new passphrase to all of those users' keys (only public keys are needed, so no GPG passphrase is prompted for)
- Send the encrypted passphrase to the server
Refresh the encryption on secrets
 $ shared-secrets refresh [optional list of people and groups to refresh for]
 FAS passphrase:
 Refreshed for: root, transifex-ssh-agent
 Error: Could not refresh for: sigul-bridge
- Retrieve the list of secrets
- If refreshing for specific people or groups, retrieve the group membership for each group listed in the secrets' access lists
- Check those people and groups against each secret's access list
- For each secret those people or groups can access, re-encrypt it for the current membership. Because the server holds only ciphertext, this means decrypting the secret first, so it only works for secrets you yourself have access to.
- Upload the re-encrypted secrets to the server
- Report which secrets succeeded and which failed
- The user then asks someone who has access to the failed secrets to run the refresh for them
Create a new secret
 $ shared-secrets create-secret fedorahosted @sysadmin-main
 FAS passphrase:
 New secret:
 Repeat new secret:
- Retrieve the list of users for the listed groups
- Encrypt the secret to the keys of all of those users
- Create the secret on the server
This will not overwrite an existing secret; use change-secret for that.
Update access to a secret
 $ shared-secrets set-users fedorahosted @sysadmin-main @sysadmin-hosted
 FAS passphrase:
 GPG Password(or agent):
Changes the users and groups who have access to this secret and re-encrypts the passphrase for the new list. It needs the FAS passphrase to expand the groups and the GPG key to decrypt the current value before re-encrypting it, which also means only someone who already has access can change the access list.
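The following is an added example, not code from this page or from Fedora Infrastructure, that models the access logic behind change-secret, refresh, create-secret and set-users: it tracks which key fingerprints each secret is encrypted to, expands @groups, checks each key against the fingerprint FAS records before encrypting to it, and only lets a user refresh or re-target a secret they can already decrypt. FAS group membership, FAS fingerprints and the local keyring are constructed in-memory tables; the usernames, groups and fingerprints are hypothetical, and the GPG encryption itself is left out.

```python
"""Access model for the proposed shared-secrets tool (an added example,
not Fedora Infrastructure's code).  Secrets live on the server only as
GPG ciphertext encrypted to every authorised user's key, so the server
cannot widen access itself: a user who can decrypt a secret must
re-encrypt it for the current recipients.  FAS and the local GPG
keyring are constructed tables here; the GPG calls are out of scope."""

# Constructed FAS data (hypothetical): groups and per-account fingerprints.
FAS_GROUPS = {
    "sysadmin-main": {"toshio", "smooge"},
    "sysadmin-web": {"ricky", "toshio"},
    "rel-eng": {"jkeating"},
    "sysadmin-hosted": {"ricky"},
}
FAS_FINGERPRINTS = {
    "toshio": "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567",
    "smooge": "FEDCBA9876543210FEDCBA9876543210FEDCBA98",
    "ricky": "1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA",
    "jkeating": "A9" * 20,
    "newguy": "B8" * 20,
}
# Constructed local keyring; newguy's key deliberately differs from FAS.
LOCAL_KEYRING = {
    "toshio": "0123456789abcdef0123456789abcdef01234567",
    "smooge": "FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98",
    "ricky": "11112222333344445555666677778888 9999aaaa",
    "jkeating": "a9" * 20,
    "newguy": "C7" * 20,
}


def expand_principals(principals):
    """Expand '@group' entries (repeated or comma-separated) into FAS
    usernames; bare names are usernames; unknown groups raise KeyError."""
    users = set()
    for entry in principals:
        for item in (i.strip() for i in entry.split(",")):
            if item.startswith("@"):
                users |= FAS_GROUPS[item[1:]]
            elif item:
                users.add(item)
    return users


def verify_key(username):
    """Fingerprint to encrypt to, or None if the keyring's key does not
    match FAS: encrypting to an unverified key would leak the secret.
    Fingerprints are compared with spaces removed and in upper case."""
    local = "".join(LOCAL_KEYRING[username].split()).upper()
    expected = "".join(FAS_FINGERPRINTS[username].split()).upper()
    return local if local == expected else None


class SecretStore:
    """Server-side stand-in: per secret, the access list as given and the
    fingerprints the stored ciphertext is encrypted to."""
    def __init__(self):
        self.secrets = {}

    def recipients(self, access):
        fprs = {u: verify_key(u) for u in expand_principals(access)}
        bad = sorted(u for u, f in fprs.items() if f is None)
        if bad:
            raise ValueError("key does not match FAS for: " + ", ".join(bad))
        return set(fprs.values())

    def create_secret(self, name, access):
        """create-secret: returns False rather than overwriting."""
        if name in self.secrets:
            return False
        self.secrets[name] = {"access": list(access),
                              "encrypted_to": self.recipients(access)}
        return True

    def can_decrypt(self, name, actor):
        return verify_key(actor) in self.secrets[name]["encrypted_to"]

    def set_users(self, name, actor, access):
        """set-users: actor must be able to decrypt the current value."""
        if not self.can_decrypt(name, actor):
            raise PermissionError(f"{actor} cannot decrypt {name}")
        self.secrets[name] = {"access": list(access),
                              "encrypted_to": self.recipients(access)}

    def refresh(self, actor, only=None):
        """refresh: re-encrypt every secret actor can decrypt; `only` limits
        it to secrets the listed people/groups can access.  Returns (ok, failed)."""
        wanted = expand_principals(only) if only else None
        ok, failed = [], []
        for name, s in self.secrets.items():
            if wanted is not None and not expand_principals(s["access"]) & wanted:
                continue
            if self.can_decrypt(name, actor):
                s["encrypted_to"] = self.recipients(s["access"])
                ok.append(name)
            else:
                failed.append(name)
        return ok, failed


def build_store():
    """The wiki's list example, with root's ciphertext stale from before
    smooge joined sysadmin-main (constructed scenario)."""
    store = SecretStore()
    store.create_secret("root", ["@sysadmin-main"])
    store.create_secret("sigul-bridge", ["@rel-eng"])
    store.create_secret("transifex-ssh-agent", ["@sysadmin-web,@sysadmin-main"])
    store.secrets["root"]["encrypted_to"].discard(verify_key("smooge"))
    return store
```

Running `build_store().refresh("toshio")` reproduces the refresh output above: root and transifex-ssh-agent are re-encrypted (and smooge can now decrypt root), while sigul-bridge fails because toshio is not in @rel-eng and so cannot decrypt it. The same check is what makes set-users require the GPG key, and the FAS fingerprint comparison is the step that stops a key someone merely uploaded under a teammate's name from being added as a recipient.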