Confirmed users
502
edits
Security/Guidelines/Key Management: Difference between revisions
Jump to navigation
Jump to search
Security/Guidelines/Key Management (view source)
Revision as of 22:00, 23 October 2014
, 23 October 2014no edit summary
Gdestuynder (talk | contribs) |
Gdestuynder (talk | contribs) No edit summary |
||
| Line 16: | Line 16: | ||
</tr></table> | </tr></table> | ||
= Data | = Data classification = | ||
== Key material == | == Key material == | ||
Key material identifies the cryptographic secrets that compose a key. All key material must be treated as restricted data, meaning that only individual with specific training and need-to-know should have access to key material. | Key material identifies the cryptographic secrets that compose a key. All key material must be treated as restricted data, meaning that only individual with specific training and need-to-know should have access to key material. | ||
| Line 79: | Line 79: | ||
= Handling = | = Handling = | ||
== X509 | == X509 certificates and keys== | ||
== SSH == | == SSH == | ||
=== Generation === | === Generation === | ||
| Line 89: | Line 89: | ||
</source> | </source> | ||
=== Protection of | === Protection of user keys === | ||
As SSH keys are rarely renewed the minimum recommended settings are higher than other keys. If you follow a strict key renewal period of '''less than 2 years''', it is reasonable to use RSA 2048 bits or ECDSA 224 bits keys. | As SSH keys are rarely renewed the minimum recommended settings are higher than other keys. If you follow a strict key renewal period of '''less than 2 years''', it is reasonable to use RSA 2048 bits or ECDSA 224 bits keys. | ||
| Line 96: | Line 96: | ||
* Use SSH forwarding or SSH tunneling if you need to jump between hosts. '''DO NOT''' maintain unnecessary agent forwarding when unused. | * Use SSH forwarding or SSH tunneling if you need to jump between hosts. '''DO NOT''' maintain unnecessary agent forwarding when unused. | ||
==== SSH | ==== SSH agent forwarding ==== | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
| Line 133: | Line 133: | ||
This will automatically forward the SSH connection over ssh.mozilla.com when you connect to a mozilla.com SSH server. | This will automatically forward the SSH connection over ssh.mozilla.com when you connect to a mozilla.com SSH server. | ||
=== Protection of | === Protection of machine keys === | ||
When SSH keys are necessary for automation between systems, it is reasonable to use passphrase-less keys. | When SSH keys are necessary for automation between systems, it is reasonable to use passphrase-less keys. | ||
* The recommended settings are identical to the user keys. | * The recommended settings are identical to the user keys. | ||