Context Navigation

Changes between Version 1 and Version 2 of keyringer

Timestamp:: Apr 11, 2013, 4:32:38 PM (13 years ago)
Author:: Dana
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

keyringer

-              v1
+              v2
+See [wiki:"faq/admin/keyringer"].
+= MFPL Shared Keyring =
+[wiki:support-team Support Team Home]
+MFPL uses an OpenPGP encrypted file, that is shared via git, to store root and encrypted disk passphrases.
+To help us securely read and create new keys, we use a program called [http://git.sarava.org/?p=keyringer.git;a=summary keyringer].
+= Setting up Keyringer =
+Members of the support team can access the keys by following these steps:
+ * Checkout the keyringer software:
+{{{
+git clone git://git.sarava.org/keyringer.git
+}}}
+ * Edit ~/.bashrc and add the following line, which is the path to your bash $PATH variable. After editing ~/.bashrc:
+{{{
+export PATH="$PATH:/path/to/keyringer"
+}}}
+ * Source your bash:
+{{{
+source ~/.bashrc
+}}}
+ * Initialize the MFPL keyringer. Replace "/path/to/keys" with the path where you want to checkout the MFPL keyring in your filesystem
+{{{
+keyringer mfpl init /path/to/keys gitosis@git.mayfirst.org:mfpl/keys
+}}}
+ * Before you can successfully run the script, you must have all of the people in the "config/recipients" in you gpg keyring. To ensure they are all in your keyring you can run:
+{{{
+for fpr in $(grep -v '#' config/recipients/default |cut -d\  -f2); do gpg --recv-key $fpr; done
+}}}
+ * Create a symlink to the pass script in the keys directory in your bin directory:
+{{{
+ln -s /path/to/keys/pass ~/bin/
+}}}
+ * Use the bash wrapper script in the MFPL key ringer directory to search for keys. For example, to find the passphrase for assata:
+{{{
+pass assata
+}}}
+= Editing a Keyringer Entry =
+From time to time you may need to edit a row in the keyring, for example after changing a password.
+== Using the helper script ==
+The MF/PL keyringer repository comes with a script call pass that can be used as a wrapper to the keyringer commands used to decrypt and encrypt the keyring file.
+To search for a key try:
+{{{
+./pass <server>
+}}}
+Or, to add one, simply type:
+{{{
+./pass
+}}}
+And follow the prompts.
+== Manually ==
+Assuming that you have keyringer set up properly, there is a  command should unlock the keys, and pass it to an editor. It also creates a decrypted temp file in the keyringer temp directory. The command is:
+Be sure to update your git repository before trying to add a new key or you will create a messy conflict situation:
+{{{
+git pull
+}}}
+{{{
+keyringer mfpl edit mfpl.asc
+}}}
+You will be prompted for your key auth (if it isn't already loaded). It will then check all signatures against the recipients file ({{{/path/to/keys/config/recipients/default}}}. Then it will present you with an option like:
+{{{
+Press any key to open the decrypted data in /usr/bin/emacsclient -a '' -t, Ctrl-C to abort
+}}}
+Pressing "any key" has never worked for me. However I can edit the tmp file. The tmp directory is in the mfpl keyring directory, ie {{{/path/to/keys/tmp}}}. After editing the tmp file, you can hit Ctrl-C in your terminal. This will encrypt the tmp file to all recipients in th recipients list, and overwrite the original.
+Next you will need to commit your changes. Assuming your're in your {{{/path/to/keys/}}} dir, a simple:
+{{{
+git commit -a
+}}}
+should do the trick.
+You will then need to push your changes so that the rest of the support team has access to the new password:
+{{{
+git push origin master
+}}}