Hi,

since we just had to generate a new FTPMaster key we also thought about backup/recovery a little. While the key is in a usual backup already, this procedure is added for the case when all the existing copies on .debian.org machines are affected.

There are two parts. One is a pre-generated revocation certificate, the other the secret key part. For ease of writing I refer to them as "the secret" from here on.

This procedure uses an implementation of "Shamir's secret sharing scheme"; we are using the package libgfshare-bin for it. The secret got encrypted using GnuPG's symmetric encryption and a multi-kb long passphrase. This passphrase was then split using the SSSS method. The encrypted secret and one part of the passphrase have then been sent to the various Debian Developers who kindly volunteered to help with this procedure.

If they ever have to use those parts to regain the secret, enough parts of the split passphrase have to be copied into one directory and the combine utility from libgfshare-bin run on it. This will result in the passphrase file, which can then be used with gpg --decrypt.

For the revocation cert we generated 12 shares of which 7 are needed to recover it. The secret key part has 14 shares and 9 are needed to recover it.
The revocation cert is stored with:

  Debian uid   Name
  sho          Samuel Hocevar
  don          Don Armstrong
  neilm        Neil McGovern
  djpig        Frank Lichtenheld
  jimmy        Jimmy Kaplowitz
  killer       Kalle Kivimaa
  noodles      Jonathan McDowell
  rra          Russ Allbery
  marga        Margarita Manterola
  thijs        Thijs Kinkhorst
  meike        Meike Reichle
  miriam       Miriam Ruiz

The secret key part is stored with:

  Debian uid   Name
  luk          Luk Claes
  maxx         Martin Wuertele
  myon         Christoph Berg
  93sam        Steve McIntyre
  bdale        Bdale Garbee
  sgran        Stephen Gran
  dannf        Dann Frazier
  weasel       Peter Palfrader
  enrico       Enrico Zini
  wouter       Wouter Verhelst
  mhy          Mark Hymers
  bzed         Bernd Zeimetz
  stew         Mike O'Connor

This information is also available from http://ftp-master.debian.org/keys.html

-- 
bye, Joerg
Could you please add me to the mirrors@debian.org alias. I'm not receiving enough spam.
  -- Andrew Pollock
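The threshold property the announcement relies on (7 of 12 shares recover the passphrase, fewer reveal nothing) is easiest to see in a small worked implementation. The following is an added example, not code from the announcement or from libgfshare; it implements Shamir's scheme byte by byte over GF(2^8), the same kind of field libgfshare works in, but the reduction polynomial (the AES one, 0x11b) and share layout are this example's own choices, so its shares are not interchangeable with gfsplit/gfcombine output. The passphrase and share counts below are constructed for the demonstration.

```python
"""Shamir secret sharing over GF(2^8), one polynomial per secret byte.

Added example (not libgfshare code). Each share is (x, f_1(x), f_2(x), ...)
where f_i is a random polynomial of degree threshold-1 whose constant term is
byte i of the secret. Any `threshold` shares interpolate f_i(0); fewer leave
every byte uniformly undetermined.
"""
import secrets

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the GF(2^8) reduction polynomial used here


def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements (carry-less multiply, reduce mod AES_POLY)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_pow(a: int, e: int) -> int:
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a: int) -> int:
    """Inverse via Fermat: a^(2^8 - 2) = a^254 in GF(2^8)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    return gf_pow(a, 254)


def split(secret: bytes, threshold: int, count: int) -> dict[int, bytes]:
    """Return `count` shares keyed by x-coordinate 1..count; any `threshold` recover."""
    if not 1 <= threshold <= count <= 255:
        raise ValueError("need 1 <= threshold <= count <= 255")
    shares = {x: bytearray() for x in range(1, count + 1)}
    for byte in secret:
        # constant term is the secret byte; remaining coefficients are random
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for x in shares:
            y = 0
            for c in reversed(coeffs):  # Horner evaluation of f(x)
                y = gf_mul(y, x) ^ c
            shares[x].append(y)
    return {x: bytes(v) for x, v in shares.items()}


def combine(shares: dict[int, bytes]) -> bytes:
    """Lagrange-interpolate f(0) for every byte position from the given shares."""
    xs = list(shares)
    length = len(next(iter(shares.values())))
    out = bytearray()
    for i in range(length):
        acc = 0
        for xj in xs:
            # Lagrange basis at x=0: prod_{m != j} x_m / (x_m - x_j); in GF(2^8) '-' is XOR
            num, den = 1, 1
            for xm in xs:
                if xm != xj:
                    num = gf_mul(num, xm)
                    den = gf_mul(den, xm ^ xj)
            acc ^= gf_mul(shares[xj][i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def demo() -> dict:
    """Constructed walk-through of the 7-of-12 case from the announcement."""
    passphrase = b"constructed passphrase, not the real one"  # stand-in for the multi-kb passphrase
    shares = split(passphrase, threshold=7, count=12)
    seven = {x: shares[x] for x in (2, 3, 5, 7, 8, 11, 12)}
    six = {x: shares[x] for x in (2, 3, 5, 7, 8, 11)}
    return {
        "share_count": len(shares),
        "seven_recover": combine(seven) == passphrase,
        "six_recover": combine(six) == passphrase,
    }


if __name__ == "__main__":
    print(demo())
```

Each holder's file in this scheme only makes sense together with its x-coordinate, which is why the announcement's procedure copies the share files into one directory before running the combine step: the tool needs to know which evaluation point each file belongs to.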