1 files changed, 194 insertions, 0 deletions

diff --git a/doc/servers.mdwn b/doc/servers.mdwn
new file mode 100644
index 0000000..3e82c7e
--- /dev/null
+++ b/doc/servers.mdwn
@@ -0,0 +1,194 @@
+There are currently not enough keysafe servers. We need at least 3 for
+keysafe to work. Please contact <id@joeyh.name> if you would like to run a
+keysafe server.
+
+## Server categories
+
+Keysafe's server list puts servers in three categories:
+
+1. **Recommended**: Servers that meet all best practices for security and
+   are run by a well-known, trusted entity.
+
+   Keysafe prefers to store data only on Recommended servers when possible.
+
+2. **Alternate**: Servers that are not secured well enough to be
+   Recommended.
+
+   Keysafe will store data on Alternate servers if it has to, but will
+   avoid storing enough data to allow the key to be recovered using only
+   the data stored on Alternate servers.
+
+   For example, with 2 of 3 shares needed to restore a key, keysafe can
+   store 1 share on an Alternate server, and the other 2 shares on two
+   Recommended servers.
+
+3. **Untrusted**: Servers that are not secured well or are run by an untrusted
+   entity.
+   
+   Keysafe will never store data on Untrusted servers. 
+   
+   If a server becomes untrusted and keysafe stored data on it in the past,
+   keysafe will warn the user about this problem.
+   
+   The only time keysafe will use untrusted servers is if it's restoring a
+   key, and cannot find enough shares on Recommended/Alternate
+   servers, and has to fall back to downloading from an Untrusted server.
+
+## Server list
+
+### Recommended
+
+#### hlmjmeth356s5ekm.onion
+
+	-----BEGIN PGP SIGNED MESSAGE-----
+	Hash: SHA1
+	
+	The keysafe server hlmjmeth356s5ekm.onion is provided and administered by
+	Purism. It is located in the EU (Cyprus).
+	
+	We intend to run this server for at least 10 years (through 2027),
+	or failing that, to transition any data stored on it to another
+	server that is of similar or higher security.
+	
+	Our warrant canary is <https://puri.sm/warrant-canary/>,
+	and is updated quarterly.
+	-----BEGIN PGP SIGNATURE-----
+	Version: GnuPG v1
+	
+	iQIcBAEBAgAGBQJYF8U4AAoJECPPLj0lRRT30CkP/Rn2TAeriNWO9wZcr0OHyX7B
+	TJcgLy3pZXbGn6T6qmJqg3K22fTKJ7CX0dfIM+WLI9FfBtnT95q1rnzywhBGPXzj
+	eD3g7r3QinIfMLBQTKyc9Ik5132uenD5h72ggVl3D+kuWv622IhaAaiVkuHc5KoR
+	3/S+ImkcS/gz83UNTXnWdMs0V8+eqAjpWeYQS8Ih28AECI9f+xUUH//V9Ii/4Usv
+	E3Y0hbqj8kSi4/Q6IwmFiJTKZ1FpccKhl6GIYUSLwJMJDHoI46M/AaZy0Xx9pLcU
+	niSELai/7/0fY4N0TY2CbZUgH7FEhi0k8cCsGF7yTA6dqya8deKQKdUdDllcHayv
+	+GOAqijiSTPrRox4TPMMdurPXTsJxeJuxVdS75Lw2cFk+JaaIVS/3XEyeuGpaVKW
+	wSTltyFkMx9ur5cCPT2rxoRN78HuqgiHda/Jd4c2pny7GwpUEYAznQQaBYEl2jlQ
+	/Go3ZudpnWfBRRe7znazhA6mIatPY61GrNIebVlET6/NCw9sZFRjHXY3pMw1u/TY
+	4eP0UQpBUed4/sot5vsZVwbn8e6eFh0S4HTdl5x1G8jN8nUZVdJJjOtACrONW+TG
+	CLSNDkMgQ5slBmtZm+MzL2VYkFHCMmPerNXY1DhHjMyfLpQEIN+bho+mIyc5h/W/
+	Br5jFZujcQ0u7GzqvaDB
+	=RmK4
+	-----END PGP SIGNATURE-----
+
+### Alternate
+
+#### keysafe.joeyh.name
+
+	-----BEGIN PGP SIGNED MESSAGE-----
+	Hash: SHA256
+	
+	  keysafe.joeyh.name is provided by me, Joey Hess.
+	
+	  I intend to run this server for at least 10 years (through 2027),
+	  or failing that, to transition any data stored on it to another
+	  server that is of similar or higher security.
+	
+	  It is a Digital Ocean VPS, located in Indonesia. I can't tell if the
+	  hosting provider is accessing the contents of the server, and so
+	  this server is not securely hosted enough to be Recommended.
+	-----BEGIN PGP SIGNATURE-----
+	
+	iQIcBAEBCAAGBQJXx0qFAAoJEMkQ2SIlEuPHyGMQALSLL7LZEpTi+zf2kPYGoBMQ
+	3z3FDB9B6SaF4uN3r+XlAw2Vzas2KVLCbNkO+np7tLzC0qdY5dBLDI7+ZJXiKi2v
+	iqxKICl0E8+ih8JOe0JWfoysO974I1DesEI7X6VUewwNpd35OgCuIL5RmknKrX4I
+	x7gUfsONiojUKgOT0yMErUfw3VNYB0Kbzw4Xic66eIkFl5z6APMknjqvOC1196v9
+	BW0rSM+OsthB9xkj7ULKQv+1LrxmwNu0+FL62qNKGObbXHayfLBGm8TT9Y7etQYD
+	3zRDiUfa0m2aYu7ZRx5HSIgExVVd3YosDUFA4xsIb6N4wBbP1zS2TG2Zo5o/+3gt
+	BerkQL/xkMWhIMVCYp1hWc47MenHk1MJU5EhS+duL/fnlqW2HcFanM+fOv+/ZWt6
+	da2mdjSR95Ekq22BXN9eHO54AFJKLWYNdT9E5W2rlwqUoC4dqsqYGT3XWnAaKHC/
+	he9+B/wdEf7165Qy+MKo/36Ib7pfhPQv4hip2cuMP9w0E6JoKZusBV5AdxRvGAGf
+	GvUhvNog6v9/t+cqUp6dSTT2WVllkXJ/5deGJYLzZMJjZS3cZ75ZKr8OD5oQxr+m
+	7oL6BDvxha7Q4qHo/RZgxyd/qZ7zWHTT6Tn6qNCBGUi4b6Etb0kEd5Os66WoLCSK
+	lhmhvShr0WRqB8fWYPkc
+	=SNGN
+	-----END PGP SIGNATURE-----
+</pre>
+
+#### thirdserver
+
+  Provided by Marek Isalski at [Faelix](http://www.faelix.net/).
+  Currently located in UK, but planned move to CH.  
+  Vetting to Recommended level in progress.
+
+## Detailed requirements
+
+### Alternate
+
+* Keysafe port only exposed via tor hidden service.
+* Dedicated to only running keysafe, no other services. (Other than tor and 
+  ssh for admin)
+* The set of people who administer the server, and procedures for giving
+  others access is well-defined.
+* Noone who has access to the server also has access to any Recommended
+  server.
+* Commitment to either keep the server running long-term (ie, 10+ years),
+  or transition the data to a replacement server that meets these
+  requirements and that must not contain any related shards.
+* No other open ports (other than ssh).
+* Ssh authentication only by ssh key, not password.
+* Either off-server backup, or replication of shards to additional disks.
+  (rsync to additional local disks would work perfectly well and avoids
+  the complications of RAID)
+* Any off-server backup is strongly encrypted.
+  (There's a trade-off here; any backup widens the attack surface.
+  It may be better to run some servers without backups and adjust the
+  number of shards needed to recover keys; a server losing its data
+  need not be catastrophic.)
+* Any backup should take care to not leak information about what objects
+  were present on the server at multiple times in the past. That would 
+  let an attacker who can access the backups make guesses about shares
+  belong with other shares stored on other servers in the same time period.
+  See [[details]] for how that makes it somewhat easier for an attacker.
+
+  keysafe --backup-server can be used to generate encrypted files to back up,
+  in a way that is designed to avoid these problems.
+
+* Similarly, the filesystem and storage system should not allow rolling back
+  to old snapshots.
+
+### Recommended
+
+* Everything in Alternate, to start with.
+* Run by a well known and trustworthy entity.
+* Noone who has access to the server also has access to any other
+  Recommended or Alternate server.
+* Warrant canary.
+* Hardware is hosted in-house. A VM at a cloud provider is right out
+  because the provider could be made to give access to it without the
+  server operator knowing about it. Which would bypass the warrant canary.
+* The keysafe data store and any swap partitions are encrypted,
+  and have to be manually unlocked when the server is booted.
+
+## Server scaling
+
+Each key takes a minimum of 64 KiB to store, perhaps more for gpg keys
+with lots of signatures. So 10 GiB of disk is sufficient for 160 thousand
+users, which is enough for a small keysafe server.
+
+The keysafe server uses very little memory and CPU. It does rate limiting
+with client-side proof-of-work to prevent it being abused for
+general-purpose data storage.
+
+There is some disk IO overhead, because keysafe updates the mtime and ctime
+of all shards stored on the server, as frequently as every 30 minutes.
+Once a large number of shards are stored, this could become a significant
+source of disk IO.
+
+## Server setup
+
+It's early days still, but keysafe's server code works well enough.
+
+* `git clone git://keysafe.branchable.com/ keysafe`
+* Be sure to verify the gpg signature of the git repository!
+* You will need to install keysafe from source; see its INSTALL file.
+  Use `make install` to install it, including a systemd service file.
+* `systemctl enable keysafe.service`
+* Install tor and set up a tor hidden service. Keysafe listens on port 4242
+  by default, so use that port.
+* Configure the server to meet all the requirements for Alternate or
+  Required.
+* Once ready, email id@joeyh.name to get added to keysafe's server list.
+
+Here's a the [[code/propellor]] config for my own keysafe server:
+<http://source.propellor.branchable.com/?p=source.git;a=blob;f=joeyconfig.hs;h=15a00f7c2dffa15ed275fdd44e84e2edcc226559;hb=b9f87f0c08d94c5d43224a2c6bbacb332ebfc1b6#l460>
+--[[Joey]]