wiki:keyringer

Version 15 (modified by Jamie McClelland, 22 months ago)

--

MFPL Shared Keyring


The May First/People Link shared keyring holds our shared passwords and other sensitive data accessible to the support team, such as protocols for handling attacks and sensitive information about our networks.

NOTE: repo change May 2017: The old MF/PL keys repository was at gitosis@git.mayfirst.org:mfpl/keys. It is now gitolite3@git.mayfirst.org:keys. Please update your remote!

Documents

Our protocol and network documents are in the folder called docs.

For passwords, MFPL uses an OpenPGP-encrypted file, shared via git, to store root and encrypted-disk passphrases. To help us read and create keys securely, we use a program called keyringer.

Setting up Keyringer

Members of the support team can access the keys by following these steps:

  • Install keyringer. If you are not running Debian or otherwise can't install it from your distribution's packages, you can check out the keyringer software with git clone https://git.fluxo.info/keyringer.
  • Initialize the MFPL keyringer. Replace "/path/to/keys" with the path where you want to check out the MFPL keyring in your filesystem:
    keyringer mfpl init /path/to/keys gitolite3@git.mayfirst.org:keys
    
  • Before you can run the script successfully, you must have the public key of everyone listed in config/recipients/default in your GnuPG keyring. To fetch them all, change into the directory where you checked out the May First/People Link keyring (/path/to/keys from above) and run:
    gpg --recv $(grep -v '#' config/recipients/default |cut -d\  -f2)
    
    This file is the list keyringer encrypts to, so review any change to it carefully: a stray fingerprint hands a stranger the whole keyring.
  • Create a symlink to the pass script in the keys directory from your bin directory:
    ln -s /path/to/keys/pass ~/bin/
    
  • Use the bash wrapper script in the MFPL keyringer directory to search for keys. For example, to find the passphrase for assata:
    pass assata
    

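The gpg one-liner in the setup steps breaks on tabs, runs of spaces or trailing comments, and will happily pass a short key ID to the keyserver. As an added example (not part of this page, of the MF/PL pass script, or of keyringer itself), here is a bash version that parses the recipients file more carefully and refuses to fetch anything that is not a full 40-hex-digit fingerprint. It assumes keyringer's "email fingerprint" line format with # comments, as the one-liner above does; the sample file, the function names and the optional 0x-prefix handling are assumptions of this example.

```bash
#!/bin/bash
# Added example: safer recipient-key fetching for a keyringer checkout.
# Assumes one "email fingerprint" entry per line and '#' comments.

# Print the key field of every non-comment, non-blank entry in a recipients
# file. Unlike "grep -v '#' | cut -d' ' -f2" this tolerates tabs, runs of
# spaces and trailing comments, and skips blank lines.
recipient_fingerprints() {
    sed -e 's/#.*//' "$1" | awk 'NF >= 2 { print $2 }'
}

# Read key identifiers on stdin; echo the good ones and return 0 only if
# every one is a full 40-hex-digit OpenPGP fingerprint (an optional 0x
# prefix is stripped). Short key IDs are rejected: 32-bit IDs are trivially
# collidable, so a keyserver lookup by short ID can return an attacker's key.
check_fingerprints() {
    local id bad=0
    while read -r id; do
        id=${id#0x}
        if printf '%s\n' "$id" | grep -Eq '^[0-9A-Fa-f]{40}$'; then
            printf '%s\n' "$id"
        else
            printf 'not a full fingerprint: %s\n' "$id" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Fetch every recipient key, refusing to contact the keyserver at all if the
# recipients file contains anything other than full fingerprints.
fetch_recipient_keys() {
    local fprs
    fprs=$(recipient_fingerprints "$1" | check_fingerprints) || return 1
    # shellcheck disable=SC2086  # word splitting on the fingerprint list is intended
    gpg --recv-keys $fprs
}

# Constructed sample recipients file for the demo below (not the real MF/PL
# list, which lives in /path/to/keys/config/recipients/default).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Format: email fingerprint
alice@example.org 0123456789ABCDEF0123456789ABCDEF01234567
bob@example.org     89ABCDEF0123456789ABCDEF0123456789ABCDEF   # trailing comment

carol@example.org 0xDEADBEEF
EOF

echo "key fields found:"
recipient_fingerprints "$SAMPLE"
if recipient_fingerprints "$SAMPLE" | check_fingerprints >/dev/null; then
    echo "all entries are full fingerprints"
else
    echo "refusing to fetch: fix the recipients file first"
fi
# Real use, from inside the keyring checkout:
#   fetch_recipient_keys config/recipients/default
```

On the sample above the parser yields three key fields, but the short ID on carol's line makes check_fingerprints fail, so fetch_recipient_keys never runs gpg; fix the entry (or get it fixed by whoever maintains the file) rather than fetching by short ID.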
Editing a Keyringer Entry

From time to time you may need to edit an entry in the keyring, for example after changing a password.

Using the helper script

The MF/PL keyringer repository comes with a script called pass that wraps the keyringer commands used to decrypt and encrypt the keyring file.

To search for a key try:

./pass <server>

Or, to add one, run the script with no arguments (it relies on pwgen, so install it first with apt-get install pwgen):

./pass

And follow the prompts.

Manually

Assuming that you have keyringer set up properly, there is a command that unlocks the keys and passes them to an editor. It also creates a decrypted temp file in the keyringer temp directory.

Be sure to update your git repository before trying to add a new key, or you will create a messy conflict situation (git cannot merge two versions of the encrypted file):

git pull
keyringer mfpl edit mfpl.asc

You will be prompted for your key's passphrase (if it isn't already cached by the agent). Keyringer then checks the recipient keys listed in the recipients file (/path/to/keys/config/recipients/default) and presents you with a prompt like:

Press any key to open the decrypted data in /usr/bin/emacsclient -a '' -t, Ctrl-C to abort

Pressing "any key" has never worked for me. However, I can edit the tmp file. The tmp directory is in the MFPL keyring directory, i.e. /path/to/keys/tmp. After editing the tmp file, hit Ctrl-C in your terminal. This encrypts the tmp file to all recipients in the recipients list and overwrites the original. Afterwards, check that nothing is left in /path/to/keys/tmp: while it exists, that file holds every passphrase in the clear.

Next you will need to commit your changes. Assuming you're in your /path/to/keys/ directory, a simple:

git commit -a

should do the trick.

You will then need to push your changes so that the rest of the support team has access to the new password:

git push origin master
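The manual steps above only work if they are done in order: pull first, edit, make sure no decrypted copy is left behind, commit, push. As an added example (not the MF/PL pass script and not part of keyringer), here is a bash wrapper that enforces that order and refuses to start on a dirty checkout or on the pre-2017 gitosis remote. It assumes the keyring is checked out at $KEYS (default /path/to/keys), that the remote should be the gitolite3 URL from the note at the top of this page, and, as the text above says, that keyringer leaves its decrypted scratch file under /path/to/keys/tmp; the function names and messages are assumptions of this example.

```bash
#!/bin/bash
# Added example: wrapper for the manual keyringer edit workflow.
# Assumes keyring checkout at $KEYS and scratch files under $KEYS/tmp.
KEYS=${KEYS:-/path/to/keys}
EXPECTED_REMOTE='gitolite3@git.mayfirst.org:keys'

# List regular files left in a keyringer tmp directory. Returns 0 (printing
# nothing) when it is clean, 1 when decrypted material may still be on disk.
leftover_plaintext() {
    local found
    found=$(find "$1" -mindepth 1 -type f 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Refuse to edit on the old remote or a dirty tree: the gitosis repository is
# no longer the shared one, and a merge on the encrypted blob cannot be resolved.
preflight() {
    [ "$(git -C "$KEYS" remote get-url origin)" = "$EXPECTED_REMOTE" ] || {
        echo "wrong remote; run: git -C $KEYS remote set-url origin $EXPECTED_REMOTE" >&2
        return 1
    }
    [ -z "$(git -C "$KEYS" status --porcelain)" ] || {
        echo "uncommitted changes in $KEYS; commit or stash them first" >&2
        return 1
    }
}

# Pull (fast-forward only, so a diverged history stops here instead of
# producing a merge), edit, verify cleanup, commit, push.
edit_keyring() {
    preflight || return 1
    git -C "$KEYS" pull --ff-only || return 1
    ( cd "$KEYS" && keyringer mfpl edit mfpl.asc ) || return 1
    if ! leftover_plaintext "$KEYS/tmp"; then
        echo "decrypted file(s) still in $KEYS/tmp; remove them before continuing" >&2
        return 1
    fi
    git -C "$KEYS" commit -a || return 1
    git -C "$KEYS" push origin master
}

# Demo of the cleanup check on a constructed scratch directory (needs neither
# git nor gpg). Real use: KEYS=/path/to/keys; edit_keyring
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
leftover_plaintext "$demo" && echo "empty tmp: clean"
: > "$demo/mfpl.asc.decrypted"
leftover_plaintext "$demo" >/dev/null || echo "stale plaintext detected"
```

git commit -a still opens your editor for the commit message, exactly as in the manual steps; the wrapper only adds the guards around it.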