
FTPMaster key backup/recovery procedure



Hi,

since we just had to generate a new FTPMaster key we also thought about
backup/recovery a little. While the key is in a usual backup already,
this procedure is added for the case when all the existing copies on
.debian.org machines are affected.

There are two parts. One is a pre-generated revocation certificate, the
other the secret key part. For easy writing I refer to them as "the
secret" from here on.

This procedure uses an implementation of "Shamir's secret sharing
scheme"; we are using the package libgfshare-bin for it. The secret got
encrypted using GnuPG's symmetric encryption and a multi-kb long
passphrase. This passphrase was then split using the SSSS method.

The encrypted secret and one part of the passphrase have then been sent
to the various Debian Developers who kindly volunteered to help with
this procedure.

If they ever have to use those parts to regain the secret, enough
parts of the split passphrase have to be copied into one directory
and the combine utility from libgfshare-bin run on it. This will result in
the passphrase file, which can then be used with gpg --decrypt.


For the revocation cert we generated 12 shares of which 7 are needed to
recover it. The secret key part has 14 shares and 9 are needed to
recover it.

The revocation cert is stored with:
Debian uid    Name
sho           Samuel Hocevar
don           Don Armstrong
neilm         Neil McGovern
djpig         Frank Lichtenheld
jimmy         Jimmy Kaplowitz
killer        Kalle Kivimaa
noodles       Jonathan McDowell
rra           Russ Allbery
marga         Margarita Manterola
thijs         Thijs Kinkhorst
meike         Meike Reichle
miriam        Miriam Ruiz

The secret key part is stored with:
Debian uid    Name
luk           Luk Claes
maxx          Martin Wuertele
myon          Christoph Berg
93sam         Steve McIntyre
bdale         Bdale Garbee
sgran         Stephen Gran
dannf         Dann Frazier
weasel        Peter Palfrader
enrico        Enrico Zini
wouter        Wouter Verhelst
mhy           Mark Hymers
bzed          Bernd Zeimetz
stew          Mike O'Connor


This information is also available from http://ftp-master.debian.org/keys.html

-- 
bye, Joerg
Could you please add me to the mirrors@debian.org alias. I'm not receiving
enough spam.
  -- Andrew Pollock


