Version 6 (modified by Jamie McClelland, 5 years ago)


MFPL Shared Keyring


MFPL uses an OpenPGP-encrypted file, shared via git, to store root and encrypted-disk passphrases. If you have broken keyringer, some instructions for repair can be found at #6700.

To help us securely read and create new keys, we use a program called keyringer.

Setting up Keyringer

Members of the support team can access the keys by following these steps:

  • Checkout the keyringer software:
    git clone git://
  • Edit ~/.bashrc and add the following line, which appends the keyringer checkout to your bash $PATH variable:
    export PATH="$PATH:/path/to/keyringer"
  • Source ~/.bashrc so the new PATH takes effect in your current shell:
    source ~/.bashrc
  • Initialize the MFPL keyringer. Replace "/path/to/keys" with the path where you want to checkout the MFPL keyring in your filesystem
    keyringer mfpl init /path/to/keys
  • Before you can successfully run the script, you must have all of the people listed in "config/recipients" in your gpg keyring. To ensure they are all in your keyring you can run:
    for fpr in $(grep -v '#' config/recipients/default | cut -d\  -f2); do gpg --recv-key "$fpr"; done
  • Create a symlink to the pass script in the keys directory in your bin directory:
    ln -s /path/to/keys/pass ~/bin/
  • Use the bash wrapper script in the MFPL keyringer directory to search for keys. For example, to find the passphrase for assata:
    pass assata

Editing a Keyringer Entry

From time to time you may need to edit a row in the keyring, for example after changing a password.

Using the helper script

The MF/PL keyringer repository comes with a script called pass that can be used as a wrapper around the keyringer commands used to decrypt and encrypt the keyring file.

To search for a key try:

./pass <server>

Or, to add one, simply type the following (for this to work correctly you'll probably want to have pwgen installed: apt-get install pwgen):


And follow the prompts.


Assuming that you have keyringer set up properly, there is a command that should unlock the keys and pass them to an editor. It also creates a decrypted temp file in the keyringer temp directory.

Be sure to update your git repository before trying to add a new key, or you will create a messy conflict situation. The commands are:

git pull
keyringer mfpl edit mfpl.asc

You will be prompted for your key passphrase (if it isn't already loaded). It will then check all signatures against the recipients file (/path/to/keys/config/recipients/default). Then it will present you with an option like:

Press any key to open the decrypted data in /usr/bin/emacsclient -a '' -t, Ctrl-C to abort

Pressing "any key" has never worked for me. However I can edit the tmp file. The tmp directory is in the mfpl keyring directory, i.e. /path/to/keys/tmp. After editing the tmp file, you can hit Ctrl-C in your terminal. This will encrypt the tmp file to all recipients in the recipients list, and overwrite the original.

Next you will need to commit your changes. Assuming you're in your /path/to/keys/ dir, a simple:

git commit -a

should do the trick.

You will then need to push your changes so that the rest of the support team has access to the new password:

git push origin master

You must have all public keys in your gpg keyring for this to work.

You can easily add them with:

for id in $(grep -v '#' config/recipients/default  | cut -d\  -f2); do gpg --recv-key "$id"; done
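The loop above (and the identical one in the setup section) fetches whatever sits in the second column of config/recipients/default. As an added example that is not part of the MFPL wiki or of keyringer itself, here is a POSIX sh version that refuses to fetch anything shorter than a full 40-hex-digit fingerprint (short key IDs are easy to collide) and, after fetching, confirms the key now in the local keyring really has that fingerprint. It assumes the recipients file format is "<email> <fingerprint>" per line with "#" comments, as the cut -f2 usage implies, and that a "0x" prefix is optional; the sample recipients file is constructed inline.

```shell
#!/bin/sh
# Added example, not MFPL/keyringer code: fetch recipients' keys only by full fingerprint.

# Constructed sample recipients file in the assumed "<email> <fingerprint>" format.
SAMPLE_RECIPIENTS=$(mktemp)
trap 'rm -f "$SAMPLE_RECIPIENTS"' EXIT
cat > "$SAMPLE_RECIPIENTS" <<'EOF'
# comment lines are ignored
alice@example.org 0123456789ABCDEF0123456789ABCDEF01234567
bob@example.org DEADBEEF
EOF

# Print the second field of every non-comment line that has at least two fields.
recipient_ids() {
    grep -v '^#' "$1" | awk 'NF >= 2 { print $2 }'
}

# Succeed only for a full 40-hex-digit OpenPGP v4 fingerprint, optionally 0x-prefixed.
is_full_fingerprint() {
    printf '%s\n' "$1" | grep -Eq '^(0x)?[0-9A-Fa-f]{40}$'
}

# Report every id that is not a full fingerprint; return 1 if any were found.
check_recipients() {
    bad=0
    for id in $(recipient_ids "$1"); do
        if ! is_full_fingerprint "$id"; then
            echo "refusing short key id in recipients file: $id" >&2
            bad=1
        fi
    done
    return $bad
}

# Fetch each key by full fingerprint, then verify gpg's fpr record matches exactly.
fetch_recipients() {
    check_recipients "$1" || return 1
    for fpr in $(recipient_ids "$1"); do
        gpg --recv-key "$fpr" || return 1
        gpg --with-colons --fingerprint "$fpr" \
            | grep -qi "^fpr:.*:${fpr#0x}:$" || return 1
    done
}
```

Run fetch_recipients against the real config/recipients/default once it passes check_recipients; the sample file above deliberately fails the check because of bob's short key ID.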