Changes between Version 1 and Version 2 of keyringer

Apr 11, 2013, 12:32:38 PM



  • keyringer

Version 1:

See [wiki:"faq/admin/keyringer"].

Version 2:

= MFPL Shared Keyring =
[wiki:support-team Support Team Home]

MFPL uses an OpenPGP-encrypted file, shared via git, to store root passphrases and disk-encryption passphrases.

To read that file and add new entries to it securely, we use a program called [;a=summary keyringer].
= Setting up Keyringer =

Members of the support team can access the keys by following these steps:

 * Check out the keyringer software:

git clone git://

 * Edit ~/.bashrc and add the following line, which appends the keyringer checkout to your $PATH (replace /path/to/keyringer with the directory you cloned into):

export PATH="$PATH:/path/to/keyringer"

 * Reload your shell configuration:

source ~/.bashrc

 * Initialize the MFPL keyringer. Replace "/path/to/keys" with the path where you want the MFPL keyring checked out in your filesystem:

keyringer mfpl init /path/to/keys

 * Before you can successfully run the script, you must have the public key of everyone listed in "config/recipients" (in the keyring checkout, {{{/path/to/keys/config/recipients/default}}}) in your gpg keyring. To fetch any that are missing, run the following from {{{/path/to/keys}}}:

for fpr in $(grep -v '^#' config/recipients/default | cut -d' ' -f2); do gpg --recv-keys "$fpr"; done

Check the fingerprints of the keys you fetched against the recipients file (or with the key owner directly) before encrypting anything to them: a keyserver returns whatever it holds for a given id, and the keyring is only as private as the keys it is encrypted to.

 * Create a symlink to the pass script in the keys directory in your bin directory (make sure ~/bin is in your $PATH):

ln -s /path/to/keys/pass ~/bin/

 * Use the bash wrapper script in the MFPL keyringer directory to search for entries. For example, to find the passphrase for assata:

pass assata
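The one-liner above fetches recipient keys by id but never confirms that the key the keyserver returned actually carries that fingerprint, and it trips over comment lines that do not start at column one. The script below is an added example, not part of keyringer or the MFPL keyring repository: it parses the recipients file, reports which recipients have no key in a `gpg --with-colons` listing, and fetches the missing ones while checking the fetched key's fingerprint against what was asked for. It assumes keyringer's recipients format of `address fingerprint` per line with `#` comments; the recipients file and gpg listing used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not part of keyringer or the MFPL keyring repository):
# check which recipients in a keyringer recipients file are missing from
# the local GnuPG keyring, and fetch them in a way that verifies the
# fingerprint of what the keyserver returned.
# Assumed recipients format: "address fingerprint" per line, '#' starts a
# comment, blank lines allowed (keyringer's config/recipients/default).

# Print the fingerprints (or short ids) from a recipients file, upper-cased,
# one per line. Comments and blank lines are skipped, so a comment line can
# never turn into a bogus gpg --recv-keys argument.
recipient_fprs() {
  # $1: recipients file
  sed -e 's/#.*$//' "$1" | awk 'NF >= 2 { print toupper($2) }'
}

# Print the fingerprints in a `gpg --with-colons --fingerprint --list-keys`
# listing. In "fpr" records the fingerprint is field 10.
listed_fprs() {
  # $1: file holding the with-colons listing
  awk -F: '$1 == "fpr" { print toupper($10) }' "$1"
}

# Print the recipients whose key is not in the listing. A short id in the
# recipients file matches any listed fingerprint that ends with it.
missing_fprs() {
  # $1: recipients file, $2: with-colons listing file
  recipient_fprs "$1" | while read -r want; do
    found=0
    for have in $(listed_fprs "$2"); do
      case "$have" in
        *"$want") found=1; break ;;
      esac
    done
    [ "$found" -eq 1 ] || echo "$want"
  done
}

# Fetch each missing key and confirm the fetched key's fingerprint ends with
# the id we asked for. Without this check a keyserver could hand back an
# unrelated key for a short id and the keyring would silently be encrypted
# to it. Needs gpg and network access, so it is not exercised by the test.
fetch_missing() {
  # $1: recipients file
  listing=$(mktemp) || return 1
  gpg --with-colons --fingerprint --list-keys > "$listing" 2>/dev/null
  status=0
  for fpr in $(missing_fprs "$1" "$listing"); do
    if gpg --recv-keys "$fpr" \
       && gpg --with-colons --fingerprint --list-keys "$fpr" 2>/dev/null \
          | grep -q "^fpr:.*$fpr:\$"; then
      echo "fetched and verified $fpr"
    else
      echo "could not fetch or verify $fpr" >&2
      status=1
    fi
  done
  rm -f "$listing"
  return $status
}

# Usage, from the keyring checkout:
#   fetch_missing config/recipients/default
```

Even with the fingerprint check, a full 40-character fingerprint in the recipients file is the only thing that pins a recipient to one key; a short id matches any key whose fingerprint ends with it, so prefer full fingerprints when adding recipients.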
= Editing a Keyringer Entry =

From time to time you may need to edit an entry in the keyring, for example after changing a password.

== Using the helper script ==

The MFPL keyringer repository comes with a script called pass that wraps the keyringer commands used to decrypt and encrypt the keyring file.

To search for an entry, try:

./pass <server>

Or, to add one, simply type:

And follow the prompts.
== Manually ==

Assuming that you have keyringer set up properly, there is a command that unlocks the keys and passes them to an editor. It also creates a decrypted temp file in the keyringer temp directory.

Be sure to update your git repository before trying to add a new key, or you will create a messy conflict situation:

git pull

The edit command is:

keyringer mfpl edit mfpl.asc
You will be prompted for your key's passphrase (if it isn't already loaded in the agent). It will then check all signatures against the recipients file ({{{/path/to/keys/config/recipients/default}}}). Then it will present you with a prompt like:

Press any key to open the decrypted data in /usr/bin/emacsclient -a '' -t, Ctrl-C to abort

Pressing "any key" has never worked for me. However, I can edit the tmp file. The tmp directory is in the MFPL keyring directory, i.e. {{{/path/to/keys/tmp}}}. After editing the tmp file, you can hit Ctrl-C in your terminal. This will encrypt the tmp file to all recipients in the recipients list and overwrite the original. Afterwards, confirm that no decrypted copy is left behind in {{{/path/to/keys/tmp}}}, and that nothing from that directory is about to be committed.
Next you will need to commit your changes. Assuming you're in your {{{/path/to/keys/}}} dir, a simple:

git commit -a

should do the trick.

You will then need to push your changes so that the rest of the support team has access to the new password:

git push origin master
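The manual procedure above has two places where a slip costs you: a non-fast-forward pull produces a merge conflict inside an encrypted blob, and `git commit -a` happily picks up anything tracked in the checkout. The wrapper below is an added example, not part of keyringer or the MFPL keyring repository, that runs the same steps with those guards: it refuses to start from a dirty or diverged tree, checks the tmp directory for leftover plaintext after the edit, and stages only the encrypted file. It takes its assumptions from this page: the checkout lives at /path/to/keys (override with KEYRING), the keyring is registered with keyringer as "mfpl", the encrypted file is mfpl.asc, and keyringer's decrypted temp file lands under /path/to/keys/tmp.

```shell
#!/bin/sh
# Added example (not part of keyringer or the MFPL keyring repository):
# the manual edit procedure from the page as one guarded step.
# Assumptions taken from the page: keyring checkout at /path/to/keys
# (override with KEYRING), keyring name "mfpl", encrypted file mfpl.asc,
# keyringer temp directory /path/to/keys/tmp.

KEYRING="${KEYRING:-/path/to/keys}"

# Print any regular files under the keyring's tmp directory. Anything listed
# is plaintext that outlived the edit and must not be committed or left on disk.
leftover_plaintext() {
  # $1: keyring checkout directory
  [ -d "$1/tmp" ] || return 0
  find "$1/tmp" -type f
}

# Succeed only if the working tree has no staged or unstaged changes,
# so the pull below cannot collide with local edits.
clean_tree() {
  # $1: keyring checkout directory
  ( cd "$1" && git diff --quiet && git diff --cached --quiet )
}

# Pull, edit, check for leftovers, commit only the encrypted file, push.
edit_entry() {
  # $1: keyring checkout directory, $2: commit message (optional)
  dir=$(cd "$1" && pwd) || return 1
  msg="${2:-Update keyring}"
  clean_tree "$dir" || { echo "commit or stash local changes first" >&2; return 1; }
  (
    cd "$dir" || exit 1
    # --ff-only: a merge conflict inside an OpenPGP blob cannot be resolved
    # by hand, so refuse to start from a diverged history.
    git pull --ff-only || exit 1
    keyringer mfpl edit mfpl.asc || exit 1
    if [ -n "$(leftover_plaintext "$dir")" ]; then
      echo "decrypted file(s) remain under $dir/tmp; remove them before committing" >&2
      exit 1
    fi
    # Stage only mfpl.asc rather than using commit -a, so nothing from tmp/
    # or any stray file in the checkout can end up in the shared history.
    git add mfpl.asc || exit 1
    git commit -m "$msg" || exit 1
    git push origin master
  )
}

# Usage:
#   edit_entry "$KEYRING" "Rotate root passphrase for assata"
```

Removing a leftover decrypted file with a plain rm is a judgement call: on most filesystems the blocks stay on disk, so if the checkout is not on an encrypted volume treat a leftover as a reason to rotate the affected passphrases rather than just delete the file.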