[tahoe-lafs-trac-stream] [Tahoe-LAFS] #4177: Manage shared secrets required to interact with the infrastructure

Tahoe-LAFS trac at tahoe-lafs.org
Mon May 19 09:13:30 UTC 2025 

#4177: Manage shared secrets required to interact with the infrastructure
--------------------------------+---------------------------
 Reporter:  btlogy              |          Owner:
     Type:  enhancement         |         Status:  new
 Priority:  normal              |      Milestone:  undecided
Component:  dev-infrastructure  |        Version:  n/a
 Keywords:                      |  Launchpad Bug:
--------------------------------+---------------------------
 ==== Scope ====

 While it is preferable to avoid them wherever possible, some recent
 changes have been highlighting a common need: sometime, shared secrets are
 required to integrate with some 3rd party services (e.g. GH deploy SSH key
 for CircleCI or API token for Upptime).

 More specifically:

 - #4162: requires a dedicated Hetzner account (not an org.) to manage the
 DNS zone.
 - #4175: requires a GH Personal Access Token which is tight to a single GH
 user account (not an org.)!

 Like any account, those shared accounts should be protected with 2FA/MFA,
 likely a TOTP, which makes it more difficult to share in the first place.

 SOPS (implemented in the [https://github.com/tahoe-lafs/infrastructure
 infrastructure] repository) already offers a solution to share some
 secrets (especially those consumed by the managed systems). But it lacks
 support for TOTP.

 Today, such secrets are either treated as individual ones and not actually
 shared, or shared by means that are not formalized (e.g. 1Password).

 This issue propose to:

 - add (Docker and Nix?) support for [https://www.passwordstore.org/ pass]
 with OTP extension,
 - store the shared secrets in a new repository (public or internal?),
 - use the relevant PGP keys to encrypt them.

 ==== Value ====

 - Avoid dependency on single member for feature used by the community
 (e.g. breaking CI when an individual key expires)
 - Mitigate bus-factor to make the community more resilient and flexible -
 see

 ==== Requirements ====

 - A group of contributors with push permissions and identified by their
 PGP key, should be able to MAC encrypted credentials (usernames,
 passwords, OTPs, ...);
 - Any contributor with read permissions would be able to list the
 credentials and see some metadata and which group is sharing it.

 ==== Additional information ====

 If working, this solution could help making progress in the following
 issue(s):

 - #4142

--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/4177>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage

More information about the tahoe-lafs-trac-stream mailing list