On Mon, 22 Jan 2007, Chris Zakelj wrote:

> Silly question I can't seem to find the answer for:
> When reinstalling a system rather than doing upgrades, how does one
> properly migrate encrypted info? Does the keygen process on a first

The short answer is "cp" or "tar" or "rdist" or something like that.

> boot create a key that renders the previous hashes (passwords being the
> most obvious) useless, or are those independent of the keys being

Yes, new ssh keys. They are based on random numbers. Think about it: what would be the secret if it gen'ed the same thing today as last year?

Now passwd hashes such as those in /etc/master.passwd have nothing to do with keygen or ssh. Given the same password, the same salt and the same algorithm (and its various specs), the stored hash will be the same. I believe this is true across operating systems and architectures.

> generated? If I need to bring the old keys over, where do they live?

The question is "keys for what?" The most obvious is ssh, but there are other systems, some of which gen their own keys. (locate keygen for hints). You would want to save for each user the contents of $USER/.ssh and other crypto places (~/.pgp and related), if you intend to overwrite the /home area. Don't forget /root. If you have distinct human users on the machine, you can really wreck their lives by skunking directories like ~/.ssh and ~/.pgp.

For host-wide ssh, for sshd, the goods are in /etc/ssh/*, for ssl in /etc/ssl/*, that's a typical pattern. Even sendmail is getting crypto-ish these days, I hear -- but better to save all of /etc somewhere, and restore it later.

The utility "mergemaster" in ports is intended to do just the inverse task -- i.e. it manages existing /etc and /var during upgrades, but you might look at it for a philosophical lesson, see how it works. Mergemaster is all shell script (about 1K lines), maybe you could hack it to work backwards for you.

Short answer: use tar on AT LEAST /etc and /root. There may be material in /var you want, too. Like mail spools and various chrooted environments like the one for the nameserver. After the rebuild (reinstall?) untar that stuff somewhere temporary, get a pot of coffee, and start manually restoring things.

Dave

_______________________________________________
Openbsd-newbies mailing list
[email protected]
http://mailman.theapt.org/listinfo/openbsd-newbies
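A pre-reinstall backup helper in the spirit of the advice above, written here as an added example (it is not from the list post and not part of mergemaster). It assumes a /home/<user> layout, that saved paths contain no whitespace, and takes the root prefix as a parameter so it can be tried against a scratch tree before being pointed at /.

```sh
#!/bin/sh
# Hypothetical pre-reinstall backup helper (added example, not from the post).
# Gathers the locations the reply names: all of /etc (covers /etc/ssh and
# /etc/ssl), /root, mail spools, and each user's ~/.ssh, ~/.pgp and ~/.gnupg.
set -eu

# crypto_paths PREFIX: print paths relative to PREFIX worth saving, one per
# line, skipping anything that does not exist so tar never aborts on it.
crypto_paths() {
    prefix=$1
    for p in etc root var/mail; do
        if [ -e "$prefix/$p" ]; then echo "$p"; fi
    done
    # Per-user crypto directories; /home/<user> layout is an assumption.
    for h in "$prefix"/home/*; do
        [ -d "$h" ] || continue
        for d in .ssh .pgp .gnupg; do
            if [ -d "$h/$d" ]; then echo "${h#"$prefix"/}/$d"; fi
        done
    done
    return 0
}

# save_crypto PREFIX OUT.tar: archive the paths relative to PREFIX into a
# mode-0600 tarball and write a manifest beside it for checking after the
# reinstall. Restoring is still the manual, coffee-fuelled step.
save_crypto() {
    prefix=$1; out=$2
    set --
    for p in $(crypto_paths "$prefix"); do set -- "$@" "$p"; done
    if [ $# -eq 0 ]; then
        echo "nothing to save under $prefix" >&2
        return 1
    fi
    # umask in a subshell so only the archive and manifest are private.
    ( umask 077 && tar cf "$out" -C "$prefix" "$@" && tar tf "$out" > "$out.manifest" )
    echo "saved $(wc -l < "$out.manifest") entries to $out"
}

# Usage: save_crypto / /mnt/usb/pre-reinstall.tar
```

After the reinstall, compare the manifest against what you restored so nothing from ~/.ssh or /etc/ssh is silently left behind.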
