From f7a159d685c4af26c4c811a6e1599b8037ac602f Mon Sep 17 00:00:00 2001 From: "tlimoncelli@stackoverflow.com" Date: Thu, 21 Jan 2016 11:06:11 -0500 Subject: [PATCH] README.md: Add process for updating expired keys. HT @chishaku --- README.md | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/README.md b/README.md index cd32e4a..bfa2568 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,7 @@ Table of Contents * [How to remove a user from the system?](#how-to-remove-a-user-from-the-system) * [Enabling Blackbox For a Repo](#enabling-blackbox-for-a-repo) * [Set up automated users or "role accounts"](#set-up-automated-users-or-role-accounts) +* [Replace expired keys](#replace-expired-keys) * [Some common errors](#some-common-errors) * [Using Blackbox without a repo](#using-blackbox-without-a-repo) * [How to submit bugs or ask questions?](#how-to-submit-bugs-or-ask-questions) 
@@ -681,6 +682,58 @@ rm -rf /tmp/NEWMASTER Also shred any other temporary files you may have made. +Replace expired keys: +========================================= + +If any one admin's key expires, you can no longer encrypt files. You will need to replace the key +and re-encrypt. + +* Step 0: You see this error: + +``` +$ blackbox_edit_end modified_file.txt +--> Error: can't re-encrypt because a key has expired. +``` + +* Step 1. Administrator removes expired user: + +Warning: This process will erase any unencrypted files that you were in the process of editing. Copy them elsewhere and restore the changes when done. + +``` +blackbox_removeadmin expired_user@example.com +# This next command overwrites any changed unencrypted files. See warning above. +blackbox_update_all_files +git commit -m "Re-encrypt all files" +gpg --homedir=keyrings/live --delete-key expired_user@example.com +git commit -m 'Cleaned expired_user@example.com from keyring' keyrings/live/* +git push +``` + +* Step 2. Expired user adds an updated key: + +``` +git pull +blackbox_addadmin updated_user@example.com +git commit -m'NEW ADMIN: updated_user@example.com keyrings/live/pubring.gpg keyrings/live/trustdb.gpg keyrings/live/blackbox-admins.txt +git push +``` + +* Step 3. Administrator re-encrypts all files with the updated key of the expired user: + +``` +git pull +gpg --import keyrings/live/pubring.gpg +blackbox_update_all_files +git commit -m "Re-encrypt all files" +git push +``` + +* Step 4: Clean up: + +Any files that were temporarily copied in the first step so as to not be overwritten can now be copied back and re-encrypted with the `blackbox_edit_end` command. + +(Thanks to @chishaku for finding a solution to this problem!) + Some common errors: ========================================= 
@@ -696,6 +749,10 @@ removed from the blackbox-admins.txt file. to re-encrypt the file with the new key. +`Error: can't re-encrypt because a key has expired.` -- A user's key +has expired and can't be used to encrypt any more. Follow the +[Replace expired keys](#replace-expired-keys) tip. + Using Blackbox without a repo ===========================
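Review bot: the Step 2 commit line in the "Replace expired keys" hunk has an unterminated single quote, so copying it verbatim will hang the shell waiting for the closing quote (or, once closed at the end, swallow the three keyring paths into the commit message instead of committing them). Suggest `git commit -m 'NEW ADMIN: updated_user@example.com' keyrings/live/pubring.gpg keyrings/live/trustdb.gpg keyrings/live/blackbox-admins.txt`. Two smaller points in the same hunk: the step labels mix "Step 0:" / "Step 4:" with "Step 1." / "Step 2." / "Step 3.", and the Step 1 and Step 3 `git commit -m "Re-encrypt all files"` lines name no paths, unlike the keyring commits, so a reader who has not staged the updated `.gpg` files will get an empty commit; either list the files or state that `blackbox_update_all_files` stages them.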