[arch-devops] security at archlinux.org address

Jelle van der Waa jelle at vdwaa.nl
Mon Feb 11 20:35:36 UTC 2019


For security at archlinux.org the Security Team wants to setup a way for
reporters to securely mail encrypted issues to our email address. To
limit the bus factor we want to send those emails to multiple receivers
and then handle and/or forward the information appropriately. Schleuder
providers an solution to this issue by decryping the sent email and
re-encrypting it to the Arch Security team members.

Since this requires a GPG key to be on the server, we want to implement
this securely and hook up a nitrokey pro 2 to a separate Hetzner
dedicated server. This server serves the sole purpose of hosting the
security mail address. Installing by Hetzner costs 18 euro’s (excl.
VAT).

Options:

* Cheapest Hetzner server 34 euro / month and 40 euro setup fees.
* Hetzner auction server ~ 25 / month and no setup fees.
* Different dedicated server hoster which allows custom usb devices.

Benefits:

* Key can’t be recovered by an attacker who has access to the server.
* Receivers don’t need a shared private key but only their own.
* Separate server so no other software can influence/impact.  Downsides:

Downsides:

* Nitrokey is out of our control, but we trust Hetzner already (ie. they
  could easily hook up a malicious USB/BMC device already and gain root
  privileges).
* Server dies, the Nitrokey has to be moved to the new server.

Questions:

* How to update the key, handle key expiration?
* Do we backup the key? Let someone have a separate nitrokey?  

Setup:
* Levente (anthraxx) volunteered to aquire, setup key (+revocation) and
  get it to Hetzner.

-- 
Jelle van der Waa
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-devops/attachments/20190211/528f2767/attachment.sig>


More information about the arch-devops mailing list