Confirmed users
529
edits
Security/Guidelines/Key Management: Difference between revisions
Jump to navigation
Jump to search
Security/Guidelines/Key Management (view source)
Revision as of 21:09, 23 October 2014
, 23 October 2014→SSH
(→SSH) |
|||
| Line 87: | Line 87: | ||
$ ssh-keygen -t ecdsa -b 384 -f ~/.ssh/id_rsa_mozilla_$(date +%Y-%m-%d) -C "Mozilla key for xyz" | $ ssh-keygen -t ecdsa -b 384 -f ~/.ssh/id_rsa_mozilla_$(date +%Y-%m-%d) -C "Mozilla key for xyz" | ||
</source> | </source> | ||
=== Protection | === Protection of User Keys === | ||
As SSH keys are rarely renewed the minimum recommended settings are higher than other keys. If you follow a strict key renewal period of '''less than 2 years''', it is reasonable to use RSA 2048 bits or ECDSA 224 bits keys. | As SSH keys are rarely renewed the minimum recommended settings are higher than other keys. If you follow a strict key renewal period of '''less than 2 years''', it is reasonable to use RSA 2048 bits or ECDSA 224 bits keys. | ||
| Line 94: | Line 93: | ||
* Never copied to another system than your own workstation/personal physical disks/tokens. | * Never copied to another system than your own workstation/personal physical disks/tokens. | ||
=== | === Protection of Machine Keys === | ||
When SSH keys are necessary for automation between systems, it is reasonable to use passphrase-less keys. | When SSH keys are necessary for automation between systems, it is reasonable to use passphrase-less keys. | ||
* The recommended settings are identical to the user keys. | * The recommended settings are identical to the user keys. | ||
* The keys must be accessible only by the admin user (root) and/or the system user requiring access. | * The keys must be accessible only by the admin user (root) and/or the system user requiring access. | ||
When non-user keys are generated, a copy of their fingerprint and a description of their usage should be recorded in your team's inventory (e.g. a wiki page, Mozilla inventory, etc.) | When non-user keys are generated, a copy of their fingerprint and a description of their usage should be recorded in your team's inventory (e.g. a wiki page, Mozilla inventory, etc.) | ||
== PGP/GnuPG == | == PGP/GnuPG == | ||