wiki:keyringer

Version 2 (modified by Dana, 6 years ago) (diff)


MFPL Shared Keyring


MFPL uses an OpenPGP-encrypted file, shared via git, to store root passwords and encrypted-disk passphrases.

To read that file and add new entries securely, we use a program called keyringer.

Setting up Keyringer

Members of the support team can access the keys by following these steps:

  • Checkout the keyringer software:
    git clone git://git.sarava.org/keyringer.git
    
  • Edit ~/.bashrc and add the following line, which appends the keyringer checkout directory to your $PATH:
    export PATH="$PATH:/path/to/keyringer"
    
  • Reload your ~/.bashrc:
    source ~/.bashrc
    
  • Initialize the MFPL keyringer. Replace "/path/to/keys" with the path where you want to check out the MFPL keyring on your filesystem:
    keyringer mfpl init /path/to/keys gitosis@git.mayfirst.org:mfpl/keys
    
  • Before you can successfully run the script, every recipient listed in config/recipients/default must be in your gpg keyring. The path is relative, so run the following from the /path/to/keys directory; it fetches each key by the full fingerprint given in the file:
    for fpr in $(grep -v '#' config/recipients/default |cut -d\  -f2); do gpg --recv-key $fpr; done
    
  • Create a symlink to the pass script in the keys directory from your bin directory (assuming ~/bin is on your PATH):
    ln -s /path/to/keys/pass ~/bin/
    
  • Use the bash wrapper script in the MFPL keyringer directory to search for keys. For example, to find the passphrase for assata:
    pass assata 
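
A check that belongs before the fetch loop in the setup steps above, as an added example written for this page rather than taken from keyringer or the MFPL repository: it parses config/recipients/default, reports entries whose second field is not a full 40-hex-digit fingerprint (a short key ID is ambiguous on a keyserver and should not be fetched), and lists only the fingerprints absent from a `gpg --with-colons` listing, so that `gpg --recv-key` runs for those alone. The recipients-file layout (email, then fingerprint, `#` comments) is inferred from the cut command above, the colon-listing layout (`fpr` records, fingerprint in field 10) is GnuPG's documented machine-readable format, and the sample recipients file and keyring listing are constructed.

```shell
#!/bin/sh
# Added example for the keyringer setup steps; not part of the MFPL wiki or
# of keyringer. Works out which recipients are actually missing from the
# local GnuPG keyring and flags malformed entries, instead of running
# `gpg --recv-key` for every line.
#
# Assumed formats (not stated on the page): each non-comment line of
# config/recipients/default is "<email> <fingerprint>", and the keyring
# listing is `gpg --with-colons --fingerprint --list-keys` output, whose
# "fpr" records carry the fingerprint in field 10.

# Print "<email> <fingerprint>" for entries whose fingerprint is not
# exactly 40 hex digits (v4 OpenPGP fingerprint). Short key IDs collide,
# so a keyserver lookup by one may return an attacker's key.
malformed_fprs() {
    awk '{
        sub(/#.*/, "")
        if (split($0, f, /[ \t]+/) < 2) next
        if (length(f[2]) != 40 || f[2] !~ /^[0-9A-Fa-f]+$/) print f[1], f[2]
    }' "$1"
}

# Print the well-formed recipient fingerprints (uppercased) that do not
# appear in the keyring listing. $1: recipients file, $2: listing file.
missing_fprs() {
    awk '
        FILENAME == ARGV[1] {
            n = split($0, c, ":")
            if (n >= 10 && c[1] == "fpr") have[toupper(c[10])] = 1
            next
        }
        {
            sub(/#.*/, "")
            if (split($0, f, /[ \t]+/) < 2) next
            fpr = toupper(f[2])
            if (length(fpr) == 40 && fpr ~ /^[0-9A-F]+$/ && !(fpr in have)) print fpr
        }' "$2" "$1"
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample recipients file (not the real MFPL one).
cat > "$SAMPLE_DIR/recipients" <<'EOF'
# MFPL support team -- constructed sample
alice@example.org 0123456789ABCDEF0123456789ABCDEF01234567
bob@example.org   89abcdef0123456789abcdef0123456789abcdef
carol@example.org 0xDEADBEEF   # short key ID: ambiguous, do not fetch
EOF

# Constructed keyring listing in gpg --with-colons shape: only Alice's key.
cat > "$SAMPLE_DIR/keyring" <<'EOF'
tru::1:1600000000:0:3:1:5
pub:u:4096:1:89ABCDEF01234567:1600000000::::::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1600000000::0000000000000000000000000000000000000000::Alice <alice@example.org>::::::::::0:
EOF

echo "Malformed entries (fix the file before fetching):"
malformed_fprs "$SAMPLE_DIR/recipients"
echo "Missing from the keyring (fetch these):"
missing_fprs "$SAMPLE_DIR/recipients" "$SAMPLE_DIR/keyring"

# Real use, from the /path/to/keys checkout (needs gpg; not run here):
#   gpg --with-colons --fingerprint --list-keys > /tmp/listing
#   missing_fprs config/recipients/default /tmp/listing | xargs -n1 gpg --recv-keys
```

Because the recipients file is the list of people able to decrypt every passphrase, a change to it in the git history deserves the same scrutiny as a change to the passwords themselves; a keyserver only delivers keys, it does not vouch for who holds them.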
    

Editing a Keyringer Entry

From time to time you may need to edit an entry in the keyring, for example after changing a password.

Using the helper script

The MF/PL keyringer repository comes with a script called pass that wraps the keyringer commands used to decrypt and re-encrypt the keyring file.

To search for a key try:

./pass <server>

Or, to add one, simply type:

./pass

And follow the prompts.

Manually

Assuming that you have keyringer set up properly, one command unlocks the keys and hands them to an editor. It also writes a decrypted temporary file in the keyringer tmp directory. Be sure to update your git checkout before trying to add a new key, or you will create a messy conflict situation:

git pull
keyringer mfpl edit mfpl.asc

You will be prompted for your key's passphrase (if it isn't already cached). keyringer will then check the keys against the recipients file (/path/to/keys/config/recipients/default) and present you with a prompt like:

Press any key to open the decrypted data in /usr/bin/emacsclient -a '' -t, Ctrl-C to abort

Pressing "any key" has never worked for me. However, I can edit the tmp file. The tmp directory is in the mfpl keyring directory, i.e. /path/to/keys/tmp. After editing the tmp file, you can hit Ctrl-C in your terminal. This will encrypt the tmp file to all recipients in the recipients list and overwrite the original.

Next you will need to commit your changes. Assuming you're in your /path/to/keys/ dir, a simple:

git commit -a

should do the trick.

You will then need to push your changes so that the rest of the support team has access to the new password:

git push origin master
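
As an added example for the edit, commit and push sequence above (written for this page, not part of the MFPL repository or of keyringer), the shell functions below wrap those same commands with two checks a practitioner wants here: the file being committed must still be an ASCII-armored OpenPGP message, and no decrypted copy may be sitting under tmp/, which lives inside the git working tree. That mfpl.asc is armored is an assumption taken from its suffix; the sample files are constructed.

```shell
#!/bin/sh
# Added example for the manual edit workflow; not part of the MFPL wiki or
# of keyringer. Wraps the page's own commands (git pull, keyringer mfpl edit
# mfpl.asc, git commit -a, git push origin master) with two checks: the
# committed file must still be an ASCII-armored OpenPGP message, and
# nothing decrypted may remain under tmp/ in the keys checkout.
#
# Assumptions (not stated on the page): mfpl.asc is ASCII-armored, as its
# suffix suggests, and keyringer's temp directory is tmp/ under the keys
# checkout, as the page describes.

# Succeed only if FILE looks like an armored OpenPGP message: the first
# line is the BEGIN header and the last non-blank line is the END footer.
is_armored_pgp() {
    armored_first=$(sed -n '1p' "$1")
    armored_last=$(sed -e '/^[[:space:]]*$/d' "$1" | sed -n '$p')
    [ "$armored_first" = "-----BEGIN PGP MESSAGE-----" ] &&
        [ "$armored_last" = "-----END PGP MESSAGE-----" ]
}

# List regular files under KEYSDIR/tmp. Anything printed is a decrypted
# copy of the keyring that is still on disk.
leftover_plaintext() {
    if [ -d "$1/tmp" ]; then
        find "$1/tmp" -type f
    fi
}

# Read paths on stdin (e.g. the path column of `git status --porcelain`)
# and print those under tmp/, i.e. decrypted material that must never be
# committed to the shared repository.
paths_under_tmp() {
    awk 'index($0, "tmp/") == 1'
}

# The guarded workflow. Call it as: safe_edit /path/to/keys
# Not executed in this example because it needs the real checkout.
safe_edit() {
    cd "$1" || return 1
    git pull || return 1                 # avoid the conflict the page warns about
    keyringer mfpl edit mfpl.asc || return 1
    if ! is_armored_pgp mfpl.asc; then
        echo "mfpl.asc is not an armored OpenPGP message; refusing to commit" >&2
        return 1
    fi
    if [ -n "$(git status --porcelain | awk '{ print $2 }' | paths_under_tmp)" ]; then
        echo "decrypted files under tmp/ show up in git status; remove them first" >&2
        return 1
    fi
    git commit -a || return 1
    git push origin master || return 1
    # Whatever is left in tmp/ is plaintext; list it so it can be removed.
    leftover_plaintext . | sed 's/^/warning: decrypted copy still on disk: /' >&2
}

SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir "$SAMPLE/tmp"

# Constructed stand-in for a re-encrypted keyring; the body is not real
# ciphertext, only the armor framing matters to the check.
printf '%s\n' '-----BEGIN PGP MESSAGE-----' '' 'hQEMA0NvbnN0cnVjdGVkU2FtcGxlAQ' '=abcd' \
    '-----END PGP MESSAGE-----' > "$SAMPLE/good.asc"
# A file that was saved decrypted by mistake (constructed, not a real entry).
printf '%s\n' 'example-host root: not-a-real-password' > "$SAMPLE/bad.asc"
# A leftover decrypted temp file.
cp "$SAMPLE/bad.asc" "$SAMPLE/tmp/mfpl.asc.decrypted"

for f in good.asc bad.asc; do
    if is_armored_pgp "$SAMPLE/$f"; then echo "$f: armored"; else echo "$f: NOT armored"; fi
done
echo "leftover plaintext:"
leftover_plaintext "$SAMPLE"
echo "paths that must not be committed:"
printf 'mfpl.asc\ntmp/mfpl.asc.decrypted\n' | paths_under_tmp
```

The armor check is deliberately cheap: it catches the common mistake of saving the editor buffer over mfpl.asc instead of over the temp file, which would push every passphrase to the shared repository in clear. A stricter check would run `gpg --list-packets` on the file and confirm one encrypted-session-key packet per recipient.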