On 05/13/2017 08:29 AM, Kevin A. McGrail wrote:
On 5/12/2017 7:32 PM, Dave Jones wrote:
One thing we need to specify in more detail is the way we are going
to encrypt things in the sysadmins repo.  We don't want to put the
encryption details on the wiki per se since it's public.
The only thing I envision in the repo encrypted is passwords.

How exactly do you want them to be stored? I am not familiar with doing this.


For example, the PowerDNS API key is in the pdns.local.conf file.
I believe documenting the location of the API key in the Wiki is sufficient.

The local firewall allows port 8081 inbound from any source and the conf file is restricting which IPs the daemon will respond to. I would like to restrict the PowerDNS web server/API to specific source IPs matching the conf file for dual layers of protection.
Good idea!
We still shouldn't document publicly the PowerDNS API key but where should we document that? It will be in many scripts on servers that need to update DNS records so that will be a form of documentation if we reference the scripts on the wiki.
I don't think there are many servers that update the DNS records. If there are, we can talk more but I believe it's just a local script on that one box when we get it working.

Local scripts would be great then we could restrict the API to localhost
and remove port 8081 from the firewall for better security.

I was under the impression when you told me "there were things all over the place that updated DNS" this could be from other servers too.

In my opinion, referencing scripts and config files on the wiki is good enough for documenting sensitive information.

Agreed but there are some items like root level passwords to old boxes, a shared signing key, etc. that can be at least temporarily stored in svn encrypted.

For example, there is a box called incoming. I have the root password. But I'd prefer to not use it and switch to sudo and add accounts for you two.


This would be good to use something like a LastPass shared note. I use LastPass extensively for personal and work (LastPass Enterprise).

Regards,

KAM

Reply via email to