Encryption and Backups was Re: Onboarding, Documentation, etc.

["Kevin A. McGrail" <ke...@mcgrail.com>]

On 5/12/2017 7:32 PM, Dave Jones wrote:
> One thing we need to specify in more detail is the way we are going
> to encrypt things in the sysadmins repo.  We don't want to put the
> encryption details on the wiki per se since it's public.
The only thing I envision in the repo encrypted is passwords.

> For example, the PowerDNS API key is in the pdns.local.conf file. 
I believe documenting the location of the API key in the Wiki is sufficient.

> The local firewall allows port 8081 inbound from any source and the 
> conf file is restricting which IPs the daemon will respond to.  I 
> would like
> to restrict the PowerDNS web server/API to specific source IPs 
> matching the conf file for dual layers of protection. 
Good idea!
> We still shouldn't document publicly the PowerDNS API key but where 
> should we document that?  It will be in many scripts on servers that 
> need to update DNS records so that will be a form of documentation if 
> we reference the scripts on the wiki.
I don't think there are many servers that update the DNS records. If 
there are, we can talk more but I believe it's just a local script on 
that one box when we get it working.
> In my opinion, referencing scripts and config files on the wiki is 
> good enough for documenting sensitive information.

Agreed but there are some items like root level passwords to old boxes, 
a shared signing key, etc. that can be at least temporarily stored in 
svn encrypted.

For example, there is a box called incoming.  I have the root password.  
But I'd prefer to not use it and switch to sudo and add accounts for you 
two.

Regards,

KAM

Re: Encryption and Backups was Re: Onboarding, Documentation, etc.

["Kevin A. McGrail" <km...@apache.org>]

On 5/13/2017 10:25 AM, Dave Jones wrote:
> How exactly do you want them to be stored?  I am not familiar with 
> doing this.
The process I have seen used in the ASF is to use gpg to encrypt the 
files hence why one of the requests for you and Bryan was for your 
public keys to be put up on people.

> I was under the impression when you told me "there were things all 
> over the place that updated DNS" this could be from other servers too.
I may have over stated the issue, sorry.  As we bring things back 
online, we'll find out :-)

My concern is that in the past, we used so much of a VM machine's 
resources that it brought the machine to it's knees.  So sa-vm1 being 
ramped up could bring that same issue to light.

So if you see the legacy list of machines, there was a lot more systems 
involved.  If we can get down to just one box, it'll be simple.  But if 
we need more boxes, sobeit!

> This would be good to use something like a LastPass shared note. I use 
> LastPass extensively for personal and work (LastPass Enterprise). 
Agreed.  LastPass, OnePass, etc.  As Bryan comes onboard, I'll look at 
what needs to be encrypted and if it gets too much, we can look at that.

Regards,
KAM

-- 
Kevin A. McGrail
Asst. Treasurer, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project

Re: Encryption and Backups was Re: Onboarding, Documentation, etc.

[Dave Jones <da...@apache.org>]

On 05/13/2017 08:29 AM, Kevin A. McGrail wrote:
> On 5/12/2017 7:32 PM, Dave Jones wrote:
>> One thing we need to specify in more detail is the way we are going
>> to encrypt things in the sysadmins repo.  We don't want to put the
>> encryption details on the wiki per se since it's public.
> The only thing I envision in the repo encrypted is passwords.

How exactly do you want them to be stored?  I am not familiar with doing 
this.

> 
>> For example, the PowerDNS API key is in the pdns.local.conf file. 
> I believe documenting the location of the API key in the Wiki is 
> sufficient.
> 
>> The local firewall allows port 8081 inbound from any source and the 
>> conf file is restricting which IPs the daemon will respond to.  I 
>> would like
>> to restrict the PowerDNS web server/API to specific source IPs 
>> matching the conf file for dual layers of protection. 
> Good idea!
>> We still shouldn't document publicly the PowerDNS API key but where 
>> should we document that?  It will be in many scripts on servers that 
>> need to update DNS records so that will be a form of documentation if 
>> we reference the scripts on the wiki.
> I don't think there are many servers that update the DNS records. If 
> there are, we can talk more but I believe it's just a local script on 
> that one box when we get it working.

Local scripts would be great then we could restrict the API to localhost
and remove port 8081 from the firewall for better security.

I was under the impression when you told me "there were things all over 
the place that updated DNS" this could be from other servers too.

>> In my opinion, referencing scripts and config files on the wiki is 
>> good enough for documenting sensitive information.
> 
> Agreed but there are some items like root level passwords to old boxes, 
> a shared signing key, etc. that can be at least temporarily stored in 
> svn encrypted.
> 
> For example, there is a box called incoming.  I have the root password. 
> But I'd prefer to not use it and switch to sudo and add accounts for you 
> two.
> 

This would be good to use something like a LastPass shared note.  I use 
LastPass extensively for personal and work (LastPass Enterprise).

> Regards,
> 
> KAM
>