spamassassin-sysadmins mailing list archives

From "Kevin A. McGrail" <kevin.mcgr...@mcgrail.com>
Subject Encryption and Backups was Re: Onboarding, Documentation, etc.
Date Sat, 13 May 2017 13:29:10 GMT

On 5/12/2017 7:32 PM, Dave Jones wrote:
> One thing we need to specify in more detail is the way we are going
> to encrypt things in the sysadmins repo.  We don't want to put the
> encryption details on the wiki per se since it's public.

The only thing I envision in the repo encrypted is passwords.

> For example, the PowerDNS API key is in the pdns.local.conf file.

I believe documenting the location of the API key in the Wiki is sufficient.

> The local firewall allows port 8081 inbound from any source and the
> conf file is restricting which IPs the daemon will respond to.  I
> would like to restrict the PowerDNS web server/API to specific source
> IPs matching the conf file for dual layers of protection.

Good idea!

> We still shouldn't document publicly the PowerDNS API key but where
> should we document that?  It will be in many scripts on servers that
> need to update DNS records so that will be a form of documentation if
> we reference the scripts on the wiki.

I don't think there are many servers that update the DNS records. If
there are, we can talk more but I believe it's just a local script on
that one box when we get it working.

> In my opinion, referencing scripts and config files on the wiki is
> good enough for documenting sensitive information.

Agreed but there are some items like root level passwords to old boxes, 
a shared signing key, etc. that can be at least temporarily stored in 
svn encrypted.

For example, there is a box called incoming.  I have the root password.  
But I'd prefer to not use it and switch to sudo and add accounts for you 
two.

Regards,

KAM

