Subject: Encryption and Backups was Re: Onboarding, Documentation, etc.
From: "Kevin A. McGrail"
To: sysadmins@spamassassin.apache.org
Date: Sat, 13 May 2017 09:29:10 -0400

On 5/12/2017 7:32 PM, Dave Jones wrote:
> One thing we need to specify in more detail is the way we are going
> to encrypt things in the sysadmins repo. We don't want to put the
> encryption details on the wiki per se since it's public.

The only thing I envision in the repo encrypted is passwords.

> For example, the PowerDNS API key is in the pdns.local.conf file.

I believe documenting the location of the API key in the Wiki is sufficient.

> The local firewall allows port 8081 inbound from any source and the
> conf file is restricting which IPs the daemon will respond to. I would like
> to restrict the PowerDNS web server/API to specific source IPs
> matching the conf file for dual layers of protection.

Good idea!

> We still shouldn't document publicly the PowerDNS API key but where
> should we document that? It will be in many scripts on servers that
> need to update DNS records so that will be a form of documentation if
> we reference the scripts on the wiki.

I don't think there are many servers that update the DNS records. If there are, we can talk more, but I believe it's just a local script on that one box when we get it working.

> In my opinion, referencing scripts and config files on the wiki is
> good enough for documenting sensitive information.

Agreed, but there are some items like root level passwords to old boxes, a shared signing key, etc. that can be at least temporarily stored in svn encrypted.

For example, there is a box called incoming. I have the root password. But I'd prefer to not use it and switch to sudo and add accounts for you two.

Regards,
KAM
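The "dual layers of protection" Dave proposes above only hold if the daemon's allow-list and the host firewall's port 8081 rules actually agree. The following audit script is an added example, not code from this thread or from the PowerDNS project; it assumes the daemon allow-list is the PowerDNS `webserver-allow-from` setting and that firewall rules are read from `iptables-save` output, and both the conf and firewall samples are constructed.

```python
import ipaddress
import re

# Constructed sample of a PowerDNS pdns.local.conf (not the project's real file);
# the thread says the API key lives here, so the key value is a placeholder.
PDNS_LOCAL_CONF = """\
api-key=<REDACTED-PLACEHOLDER>
webserver-port=8081
webserver-allow-from=127.0.0.1,192.0.2.10/32,198.51.100.0/24
"""
# Constructed `iptables-save` output for the same host: two scoped rules
# and one rule that accepts 8081 from any source (the gap we want to catch).
IPTABLES_SAVE = """\
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT
"""

def pdns_allow_from(conf: str) -> set:
    """Networks listed in webserver-allow-from (bare hosts become /32)."""
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "webserver-allow-from":
            return {ipaddress.ip_network(v.strip(), strict=False)
                    for v in value.split(",") if v.strip()}
    return set()

RULE_RE = re.compile(r"^-A INPUT(?: -s (\S+))? -p tcp -m tcp --dport (\d+) -j ACCEPT$")

def firewall_sources(dump: str, port: int) -> tuple:
    """(source networks allowed to reach port, whether an any-source rule exists)."""
    sources, unrestricted = set(), False
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or int(m.group(2)) != port:
            continue
        unrestricted |= m.group(1) is None  # no -s means the rule matches any source
        if m.group(1):
            sources.add(ipaddress.ip_network(m.group(1), strict=False))
    return sources, unrestricted

def audit(conf: str = PDNS_LOCAL_CONF, dump: str = IPTABLES_SAVE, port: int = 8081) -> dict:
    """Diff the two layers; loopback is skipped since it is normally allowed by a separate rule."""
    allowed = pdns_allow_from(conf)
    fw, unrestricted = firewall_sources(dump, port)
    return {
        "unrestricted_firewall_rule": unrestricted,
        "fw_not_in_pdns": sorted(str(n) for n in fw - allowed),
        "pdns_not_in_fw": sorted(str(n) for n in allowed - fw if not n.is_loopback),
    }
```

Any non-empty list or a true `unrestricted_firewall_rule` means one layer is wider than the other and the second layer is not actually adding protection.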