> From: [email protected] [mailto:[email protected]]
> On Behalf Of Elizabeth Schwartz
>
> my boss had a sealed envelope with *all* the root
> and network passwords. (in a solo shop, *someone* should ALWAYS have
> an envelope like this at all times!!!)
No, no, no, no, no! Although there are some security risks of the envelope being stolen, etc., that's not my main objection. My main objection is this: if you and your boss are authorized to have this information, then you should share it always, encrypted, all the time. The documentation is just as sensitive as the password list. Put all your documentation in a secured repository somewhere (could be a file server, svn, or whatever), store it on your hard drive in encrypted format (maybe using WDE, or TrueCrypt, or whatever you like), and sync to each other regularly.

Hypothetical: servers all die. In your documentation is the "startup procedure" so the systems that are dependent on other systems (DHCP, DNS, AD, NIS, LDAP, NFS filesystems, iSCSI storage, etc.) come up in the right order, with the right timing, lest they not come up correctly. But that documentation is stored on one of the offline servers. Your boss has the root pass, which is a good start, but simply insufficient.

All the documentation that's needed to recover from disaster should be available in the event of a disaster, and the passwords are just one tiny subset of that documentation. You can't allow it to stagnate (irrelevant old versions stored offline). This means that while everything's normal, it must automatically (or semi-automatically) get updated and replicated to offline-accessible storage areas (such as your laptop), and must be encrypted...

I've worked through several incantations of this solution. Originally TrueCrypt & svn. Now I'm using encfs and Dropbox. Always share with my boss and colleague. Nobody's scared to update the documentation as they see fit, because we all have replicated copies in real time and backup copies and old versions.

_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
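The "startup procedure" problem in the hypothetical above, as an added example that is not part of the original post or the poster's own setup: a small runbook check that derives the boot order from documented service dependencies, refuses a runbook that can never be executed (a dependency cycle or a reference to an undocumented service), and flags an offline copy of the documentation that has not been refreshed. The service names, the dependency map and the seven-day staleness threshold are constructed assumptions for illustration.

```python
# Added example (not from the mailing-list post): derive a disaster-recovery
# startup order from a documented dependency map and detect a stale offline
# copy of that documentation.
from datetime import datetime, timedelta
from graphlib import CycleError, TopologicalSorter

# Constructed sample runbook: service -> services that must be up before it.
# These names and edges are illustrative, not a real site's dependencies.
SERVICE_DEPENDENCIES = {
    "iscsi-storage": [],
    "dhcp": [],
    "dns": ["dhcp"],
    "ad": ["dns"],
    "ldap": ["dns"],
    "nis": ["dns"],
    "nfs": ["iscsi-storage", "dns"],
    "app-server": ["ad", "nfs", "ldap"],
}


def startup_order(deps):
    """Return a startup sequence in which every service follows its dependencies.

    Raises ValueError when the runbook cannot be executed as written: a service
    depends on something with no startup entry, or the dependencies form a cycle.
    """
    for service, needs in deps.items():
        missing = [n for n in needs if n not in deps]
        if missing:
            raise ValueError(f"{service} depends on undocumented service(s): {missing}")
    try:
        return list(TopologicalSorter(deps).static_order())
    except CycleError as exc:
        # exc.args[1] holds the nodes that form the cycle.
        raise ValueError(f"circular dependency in runbook: {exc.args[1]}") from exc


def is_stale(last_synced, now, max_age=timedelta(days=7)):
    """True if the offline copy was last replicated more than max_age ago.

    The seven-day default is an assumption; pick a window that matches how
    often the documentation actually changes.
    """
    return now - last_synced > max_age


if __name__ == "__main__":
    for step, service in enumerate(startup_order(SERVICE_DEPENDENCIES), 1):
        print(f"{step:2d}. start {service}")
    copied = datetime(2024, 1, 1)  # constructed timestamp of the laptop copy
    print("laptop copy stale:", is_stale(copied, datetime(2024, 1, 9)))
```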
