Greg,
Dave Jones brings up a good point about longevity of encrypted things
for the foundation. Could infra maintain a key that can be added to
things for a backdoor?
See below for a snapshot of the relevant thread for background.
Regards,
KAM
KAM:
What you should do is use the pub key at
http://people.apache.org/~kmcgrail/ and encrypt a file with the
password. <soapbox>Ideally, you already have a key for me that chains
to a circle of trust so you know for sure it's me. They actually have
key signing parties and stuff for this. I've found it to be a PITA and
doesn't make me feel better that the key is valid. It's not like we are
trained in verifying fake IDs so it's nothing but an illusion of
trust.</soapbox>
Dave: My concern is I can sign it with your (Kevin's) key and even
Brian's key so the two of you can open it but what happens if another 5
or 10 years go by and we 3 are no longer volunteering as SA sysadmins?
The next generation of sysadmins won't be able to open these files.
There has to be a better way where we use an encrypted file with a
master password that we share and is recorded in a save place for the
future.
I use LastPass for this and I have my master password in an envelope in
a safe for my wife to open in the event I am no longer on this planet. I
have instructed her to take this envelope to any of my techie friends
and they would know how to help her get access of all of my online
accounts. We need something like this for this team.
KAM: The first consideration is that the method above with SVN is
considered acceptable to the foundation and exists already. It long
predates me and has a strong encryption pedigree. It also doesn't rely
on a service being in business since it uses all open source software
and files that you can mirror today.
What I have done that is similar to what you describe is that my
passphrase for my private key is in my safe. So should I leave this
mortal coil, the data is all recoverable.
Also, we are trying to move away from master passwords as much as
possible. Sharing of root credentials should be avoided as just a
general security mantra.
KAM: Do you feel strongly enough about it to debate it with infra and
see what their thoughts are?
Dave: Not that strongly. I will be glad to go along with the existing
standards. Seems like there should be an escrow-ed key from the
foundation or something that we would also sign with for the future.