author    Joey Hess  2014-04-19 16:32:17 -0400
committer Joey Hess  2014-04-19 16:32:17 -0400
commit    8415efa7bb54d702cf3f63fac6daae8cd78d42c5 (patch)
tree      533daffdbf6d1f0c799d5ca9d8468cff3d7c0938 /doc/security.mdwn
parent    f0c5d0bb5fa8686c7af41080574dce3a9c67bc9f (diff)
break out page on security
Diffstat (limited to 'doc/security.mdwn')
-rw-r--r--  doc/security.mdwn  36
1 files changed, 36 insertions, 0 deletions
diff --git a/doc/security.mdwn b/doc/security.mdwn
new file mode 100644
index 00000000..5576bf06
--- /dev/null
+++ b/doc/security.mdwn
@@ -0,0 +1,36 @@
+Propellor's security model is that the hosts it's used to deploy are
+untrusted, and that the central git repository server is untrusted too.
+
+The only trusted machine is the laptop where you run `propellor --spin`
+to connect to a remote host. And that one only because you have a ssh key
+or login password to the host.
+
+Since the hosts propellor deploys are not trusted by the central git
+repository, they have to use git:// or http:// to pull from the central
+git repository, rather than ssh://.
+
+So, to avoid a MITM attack, propellor checks that any commit it fetches
+from origin is gpg signed by a trusted gpg key, and refuses to deploy it
+otherwise.
+
+That is only done when privdata/keyring.gpg exists. To set it up:
+
+ gpg --gen-key # only if you don't already have a gpg key
+ propellor --add-key $MYKEYID
+
+In order to be secure from the beginning, when `propellor --spin` is used
+to bootstrap propellor on a new host, it transfers the local git repositry
+to the remote host over ssh. After that, the remote host knows the
+gpg key, and will use it to verify git fetches.
+
+Since the propoellor git repository is public, you can't store
+in cleartext private data such as passwords, ssh private keys, etc.
+
+Instead, `propellor --spin $host` looks for a
+`~/.propellor/privdata/$host.gpg` file and if found decrypts it and sends
+it to the remote host using ssh. This lets a remote host know its own
+private data, without seeing all the rest.
+
+To securely store private data, use: `propellor --set $host $field`
+The field name will be something like 'Password "root"'; see PrivData.hs
+for available fields.
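Review bot: the added page leaves the unverified-fetch case implicit; because hosts pull over git:// or http:// with no transport authentication, the sentence "That is only done when privdata/keyring.gpg exists" means a repository without that keyring deploys whatever origin serves, with no signature check, so say that directly (e.g. "Without privdata/keyring.gpg, commits fetched from origin are not verified at all") and place it beside the MITM paragraph so it is not missed. Two spelling fixes in the new text: "repositry" should be "repository" and "propoellor" should be "propellor"; "a ssh key" reads better as "an ssh key". "After that, the remote host knows the gpg key" can be read as the private key being shipped to the host; signature verification needs only the public key, so "knows the public key in privdata/keyring.gpg" is clearer. The last paragraph runs two sentences together: put a period after `propellor --set $host $field` before "The field name will be ...".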