Enhancement #485
Enhancement #483 (closed): Daneel's body is willing to retire
Admin data and tools need to move away from Daneel
100%
Description
- CA data
- mkcert
- ansible
- scripts like:
  - check_certs_expiration
  - adm_publish_tlsa
mkcert could be packaged and delivered in the repositories.
All of this is security sensitive.
Am I missing anything?
Updated by Marc Dequènes over 8 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 10
- Help Needed set to Yes
An idea would be to store encrypted data on Toushirou, in a git repository for example.
I tried eCryptfs+SSHFS and it led to errors when pushing. Using LUKS+SSHFS led to corruption (mix of files/blockdev). I did not see any other encrypted fs solution and Rtp confirmed there is no such thing working.
I also looked at git-crypt, but it messes with filters in an ugly way which was explicitly banned by git upstream. git-remote-gcrypt seems more promising, needs testing.
Updated by Marc Dequènes over 8 years ago
- % Done changed from 10 to 70
I tested git-remote-gcrypt using my current and previous GPG key to simulate two users, and it worked fine.
So, I tried to gather everything needed in a single git repository. I tried to organize it clearly and made the necessary changes to allow running all scripts in-place. I also removed all references to Daneel, as it is not meant to be managed anymore.
Access to Daneel is now restricted to only me. I'll keep the machine running for a while to be sure nothing has been missed. Then I will wipe the disk and stop the machine.
Updated by Marc Dequènes over 7 years ago
- Status changed from In Progress to Resolved
- % Done changed from 70 to 100
So this was done and no problem so far with g-r-g.