Difference between revisions of "Confidential Howto"
Jump to navigation
Jump to search
Stillflame (talk | contribs) (→Howto change the confidential information: bettered) |
|||
| (4 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
| − | == | + | ==How to look at the confidential information== |
| − | * | + | * Make sure you are an accepted member of the list of authorized people, and therefore belong to the appropriate svn group and have access to the confidential information gpg key. |
| − | * | + | * Make sure you understand the proper handling of both the gpg key and the actual confidential information. |
| − | * | + | * This implies that you do all of the following on a computer you have reasonable trust in. |
| − | * | + | * That does not include [[Free Geek's internal application server]] or any other public server at Free Geek. |
| − | * | + | * Check for van Eck Phreakers in the immediate area. |
| − | * | + | * Just in case, wrap your head in aluminum foil to prevent them from stealing your password. |
* svn co svn+ssh://svn.freegeek.org/svn/freegeek_confidential | * svn co svn+ssh://svn.freegeek.org/svn/freegeek_confidential | ||
* cd freegeek_confidential | * cd freegeek_confidential | ||
* gpg -d < passwords | * gpg -d < passwords | ||
| − | * gpg will ask you for a password | + | * gpg will ask you for a password. Type it in. |
| − | * | + | * Read the passwords in your terminal. |
| − | * | + | * Make sure you close your terminal. |
| − | * | + | * Make sure you delete any copy you make of the decrypted information. |
| − | == | + | ==How to change the confidential information== |
| − | * | + | * Review the security notes from the previous section. |
* gpg -d < passwords > to_edit | * gpg -d < passwords > to_edit | ||
| − | * gpg will ask you for a password. type it in | + | ** "-d" is for decrypt |
| − | * | + | ** gpg will ask you for a password. type it in |
| + | * Edit to_edit | ||
* gpg -se < to_edit > passwords | * gpg -se < to_edit > passwords | ||
| − | * gpg will ask you for a password. type it in | + | ** "-se" is for sign and encrypt |
| − | * gpg | + | ** gpg will ask you for a password. type it in |
| − | * rm | + | ** gpg may ask you if you should use this key even though you don't know it is someone. say yes. |
| + | ** gpg will ask you who to encrypt it for. type "staff", hit enter, then hit enter when it repeats the question again | ||
| + | * rm to_edit | ||
| + | * svn commit | ||
| − | == | + | ==How to handle a compromise of this security== |
| − | + | Whether because of mishandled keys, staffing changes, or malicious attack, there will come a time when this information will need to have a "change of guards". | |
| − | * | + | * Change all the passwords at each of the places listed. |
* gpg --gen-key | * gpg --gen-key | ||
* gpg -se < new_passwords > passwords | * gpg -se < new_passwords > passwords | ||
| Line 34: | Line 38: | ||
* gpg --export 8ae62f03 > key | * gpg --export 8ae62f03 > key | ||
* gpg --export-secret-keys 8ae62f03 > secret_key | * gpg --export-secret-keys 8ae62f03 > secret_key | ||
| − | * '' | + | * ''Very carefully'' redistribute the new key. |
| + | |||
| + | [[Category: Procedures]] | ||
Latest revision as of 11:50, 25 September 2010
How to look at the confidential information
- Make sure you are an accepted member of the list of authorized people, and therefore belong to the appropriate svn group and have access to the confidential information gpg key.
- Make sure you understand the proper handling of both the gpg key and the actual confidential information.
- This implies that you do all of the following on a computer you have reasonable trust in.
- That does not include Free Geek's internal application server or any other public server at Free Geek.
- Check for van Eck Phreakers in the immediate area.
- Just in case, wrap your head in aluminum foil to prevent them from stealing your password.
- svn co svn+ssh://svn.freegeek.org/svn/freegeek_confidential
- cd freegeek_confidential
- gpg -d < passwords
- gpg will ask you for a password. Type it in.
- Read the passwords in your terminal.
- Make sure you close your terminal.
- Make sure you delete any copy you make of the decrypted information.
How to change the confidential information
- Review the security notes from the previous section.
- gpg -d < passwords > to_edit
- "-d" is for decrypt
- gpg will ask you for a password. type it in
- Edit to_edit
- gpg -se < to_edit > passwords
- "-se" is for sign and encrypt
- gpg will ask you for a password. type it in
- gpg may ask you if you should use this key even though you don't know it is someone. say yes.
- gpg will ask you who to encrypt it for. type "staff", hit enter, then hit enter when it repeats the question again
- rm to_edit
- svn commit
How to handle a compromise of this security
Whether because of mishandled keys, staffing changes, or malicious attack, there will come a time when this information will need to have a "change of guards".
- Change all the passwords at each of the places listed.
- gpg --gen-key
- gpg -se < new_passwords > passwords
- rm new_passwords
- gpg --export 8ae62f03 > key
- gpg --export-secret-keys 8ae62f03 > secret_key
- Very carefully redistribute the new key.