evaluate password management options
During the org/meetings/2017Montreal/Notes/BusFactor session, one of the things discussed was the password management system that is (was?) stored in SVN. Specifically:
- We need a better password management solution than the one we have in corporate SVN right now.
- We should look over whether the passwords in this database should be rotated.
- Figure out if the passwords for paypal have been rotated by Jon et al and ensure that they will be put in the password database. We should also look into the "paypal dongle" or 2-step authentication?
I have some experience reviewing password managers, so I might be able to provide some advice here if someone expands on the requirements and problems with the current approach.
Here are the known password managers currently in use:
- TPA has a tor-passwords repository which uses weasel's pwstore - administration also stores passwords in SVN
- Puppet generates passwords on the fly using a puppet-specific token (this might get replaced by trocla eventually, see #30009 (closed))
- Tor browser team's "military-grade post-quantum encrypted point-to-point subspace transmission"
- each worker probably has their own individual password managers, brains, and post-it notes on screens (hopefully not!) which we don't exactly know about
Possible replacements:
- password-store AKA pass AKA OpenPGP encrypted files in a git repository, replacement for pwstore
- trocla - already used in Puppet, see #30009 (closed)
- hiera-eyaml - pluggable encryption for Hiera keys (includes optional GPG support, PKCS#7 by default)
- arver - "tool to manage luks devices and maintain the access of users"
- rotx - very new player, interesting cleanroom implementation
- bitwarden - open core, client/server model, would be a better fit as an organisation-wide service
Next steps:
- replace pwstore with password-store (#41522 (closed))
- replace hkdf() by trocla in Puppet (#30009 (closed))
- move root passwords to trocla (#33332)?
- move LUKS passwords to Arver or keep in pwstore?
- consider deploying an organisation-wide password manager (testing vaultwarden in #41541 (closed))
Edited by anarcat