Page MenuHomePhabricator

Secure the use of key
Closed, ResolvedPublic


Localisation exports from are now using dedicated accounts on Wikimedia, GitHub and SourceForge using a private key.

For fully automated exports, and for improved security in general, we need a secure way to use this key.

Status right now is that the key is password protected (known to about 5 people) and stored on the main server with Nikerabbit and Siebrand having backups of it.

One promising solution is where we do not need to give people direct access to the key, making it harder to steal and revoke access.

Besides that, we should review our SSH policy, which right now has root and password logins disabled. We should consider things like 2FA as well as establishing policies around periodic reviews who has access, key and passphrase locations.


Related Gerrit Patches:
translatewiki : masterAdd keyholder

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 8 2017, 3:11 PM
Raymond added a subscriber: Raymond.Dec 8 2017, 3:19 PM
mmodell added a subscriber: mmodell.Dec 9 2017, 3:48 AM

So I can probably assist some with setting up keyholder. It's slightly complicated to set up and we use puppet to manage all of the complexities in Wikimedia production.

With keyholder, you would still need to have someone with knowledge of the password for the private keys - the password must be entered manually when you arm keyholder. After that it remains usable until the machine is rebooted or the keyholder agent is restarted.

We use puppet too, though we are still stuck with version 3.

Let me know if you still need help with this.

In the meantime I have migrated to puppet 4, if that matters. I'm still interested and I could use pointers how to start implementing this.

Change 468556 had a related patch set uploaded (by Nikerabbit; owner: Nikerabbit):
[translatewiki@master] Add keyholder

Change 468556 merged by jenkins-bot:
[translatewiki@master] Add keyholder

Nikerabbit closed this task as Resolved.Oct 19 2018, 12:17 PM
Nikerabbit claimed this task.