Rotate boyska's access keys
In this context, user=boyska
-
user: change email account passphrase -
user: change gitlab.tails.boum.org passphrase -
user: generate new gitlab SSH key (that is: the ssh key which is used to push to gitlab), and make sure the old one is disabled in gitlab -
user: generate new infra key (that is: the ssh key which is used to have access to Tails server) -
user: revoke their tails-rm@puscii.nl application code -
user: revoke their tails-core@puscii.nl application code -
user: send new infra key, gpg-signed, to sysadmins -
sysadmins: apply the new infra ssh key and remove the old one -
user: make sure the old ssh key doesn't have access to anything anymore
OpenPGP
-
user: generate new encryption subkey on the previous GPG key -
user: generate new signing subkey -
user: make sure the old encryption/signing subkeys will expire soon. They expire in January. Is it soon enough? I'm ticking this assuming that's a reasonable tradeoff -
user: send the new public subkeys to one schleuder list using x-add-key
. Notice: if you use Thunderbird, you'd better do this before you import your new secret subkeys in Thunderbird. Otherwise, the emails will be signed with a signature that Schleuder doesn't know, which cannot work. -
user: send a test message to the same list, making sure it has been signed with the new key -
user: send the new, complete, public key to keys.openpgp.org
-
sysadmin: if the above has all been ticked, and if it's easy, force a refresh of all keys on all lists. So the user's key will be updated without need for the user to apply the x-add-key
for each list they are subscribed to -
user: wait a week to check if this "new gnupg subkey" thing actually worked. With schleuder and OpenPGP and bells and whistles, you never know! -
user: remove previous signing subkeys from the keyring, to make sure I don't sign with the old key anymore. keep the old encryption subkeys, otherwise I'm losing access to data!
Final
-
convert this checklist into a process! → https://gitlab.tails.boum.org/tails/summit/-/wikis/Security_policies/Emergency_rotation
@sysadmin-team, wdyt?
Edited by boyska