On Mon, Feb 11, 2019 at 09:35:36PM +0100, Jelle van der Waa wrote:
For security@archlinux.org the Security Team wants to set up a way for reporters to securely mail encrypted issues to our email address. To limit the bus factor we want to send those emails to multiple receivers and then handle and/or forward the information appropriately. Schleuder provides a solution to this issue by decrypting the sent email and re-encrypting it to the Arch Security team members.
Since this requires a GPG key to be on the server, we want to implement this securely and hook up a Nitrokey Pro 2 to a separate Hetzner dedicated server. This server serves the sole purpose of hosting the security mail address. Installing by Hetzner costs 18 euros (excl. VAT).
Options:
* Cheapest Hetzner server: 34 euro / month and 40 euro setup fees.
* Hetzner auction server: ~25 / month and no setup fees.
* Different dedicated server hoster which allows custom USB devices.
Benefits:
* Key can't be recovered by an attacker who has access to the server.
* Receivers don't need a shared private key but only their own.
* Separate server, so no other software can influence/impact it.
Downsides:
* Nitrokey is out of our control, but we trust Hetzner already (i.e. they could easily hook up a malicious USB/BMC device already and gain root privileges).
* If the server dies, the Nitrokey has to be moved to the new server.
Questions:
* How to update the key, handle key expiration?
* Do we back up the key? Let someone have a separate Nitrokey?
Setup:
* Levente (anthraxx) volunteered to acquire, set up the key (+revocation) and get it to Hetzner.
-- Jelle van der Waa
Seems like I've missed a discussion on IRC. Please don't read my next lines as a stab in the back. First of all I don't understand the problem you want to solve with this solution. In the past we had people who monitored the security@archlinux.org address and I always had the feeling that they did their job well and had no problem with doing it. I always thought that there are not so many mails with security@archlinux.org as recipient. So either my observation was wrong or things have changed. Let's say the workload has increased. Then I am fully with you and I can understand your problem.

On the technical aspects I like your idea, but I can understand Florian's point of view as well. Maybe the problem could already be solved by creating a security landing page with a few developer mail addresses and their GPG keys. But here is another argument for the server: we could use it as an isolated machine for automatically signing ISO images and Arch Linux images.

chris / shibumi