[Listwork] [SSL] New SMTP TLS and HTTPS certs needed - should we create a crypted fs for them?
Chris
chrisc at indymedia.org
Fri Sep 29 13:55:33 PDT 2006
Hi
The cert expired today:
https://lists.indymedia.org/
I could just get a new one and set it up for apache and
postfix.
But I'd rather we create a small crypted loopback
filesystem we could mount at say /crypt/ and then generate
and store the certs there.
The disadvantage of this would be that postfix and apache
would have to be manually started after a power down.
The advantage would be that if somone were to sniff all
the traffic to the box and then at a later data physically
get hold of it they wouldn't be able to decrypt all the
past email and crypted web traffic. This is important,
more important than uptime IMHO.
The partition can be small -- no need for it to be a
physical partition.
What has been done for traven is a really long passphrase
which the admins have in gpg encrypted files. When the
server has been booted it's simply a matter of sshing in
and running a sudo command (eg sudo uptime) then then
decrypting the passphrease and piping it, and then
starting the services.
This can almost all be put in to a script -- then all
someone with sudo would need to do it run one command
locally, type their gpg passphrase and this would decrypt
the partition and start the services.
See:
https://docs.indymedia.org/view/Sysadmin/TravenEncryptedPartitions
I really think we should do this... Does anyone fancy
setting it up and documenting it... (if needs be I could
have a go at it but it might take me a few days to get it
sorted...)?
Chris
More information about the listwork
mailing list