Skip to content

Keypair Rotation

Jump to bottom
Aaron D Borden edited this page Sep 27, 2019 · 25 revisions

This document describes what secret credentials we maintain and how to rotate them.

Ansible Vault

TODO maintain one key per environment, with playbook level vault encrypted with all keys.

SSH root keys

The root ssh keys allow access to the ubuntu user. These keys are only used for the initial provision of the jumpbox. After that, operators use their personal keys to access all hosts.

  1. Generate a new SSH key. When prompted, set a 16+ character password. For the comment, use the key name (datagov-environment-vX).

    $ ssh-keygen -f ~/.ssh/datagov-environment-vX

  2. Upload the private and public keys to the shared Drive. Share the password with teammates over a secure channel.

  3. For BSP environments (production and staging), create a Service Now ticket to update the SSH key in the CloudFormation templates. Attach the public key to the ticket. BSP does not need the private key.

  4. For AWS Sandbox environments, import the key in the AWS Console. Update the keypair name in datagov-infrastructure-live.

Clone this wiki locally