As part of our continuing efforts to keep our systems in line with current industry security standards, we are rotating the GPG key used to encrypt Log Delivery data (for customers who have that option configured).
Starting March 4, 2015, we will use a new GPG key (with a larger key size) to encrypt customer Log Delivery data for those who have enabled encryption.
All customers who choose to have their Log Deliveries GPG-encrypted MUST switch to the new GPG key on March 4, 2015 in order to continue to be able to decrypt their log deliveries.
Q & A
Why are you doing this?
The current key that we distribute to customers is outdated and long overdue for an update to today's encryption standards. In short: to make your Log Delivery data more secure.
Is my current data at risk?
Not at all. We are simply beefing up the defenses (so-to-speak).
How do I start using the new key?
- Download the new public GPG key and save it locally.
- Add the new LDS public GPG key to your keyring:
$ gpg --import <filename>
- Confirm that the new key is in your keyring and that its fingerprint matches the one published here. If the fingerprint differs, do not use the key:
$ gpg --list-keys --fingerprint 24A638E8
pub   1024D/24A638E8 2015-01-28
      Key fingerprint = 4D95 B8F6 541A 1E97 6DF3 0EF1 9DBE 6BF4 24A6 38E8
uid                  Akamai Log Delivery Service (Service address only. Do not reply.)
sub   2048g/9335B0C0 2015-01-28
In this listing, pub is the 1024-bit DSA primary key (DSA keys can only sign) and sub is the 2048-bit ElGamal subkey (the part gpg encrypts data to). The short key ID 24A638E8 is just the last eight hex digits of the fingerprint, so compare the full fingerprint, not only the ID.
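The steps above, scripted so that the key is only accepted if its full fingerprint matches the one published in this announcement. This is an added example, not Akamai's code and not from the original page; the import_pinned_key wrapper, the KEYFILE placeholder and the sample gpg listing (with made-up subkey fingerprint, key ID and timestamps) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Akamai's code: import the new LDS public key and refuse to
# use it unless its fingerprint matches the one published in this announcement.
# Pinning the full 40-hex-digit fingerprint (not the 8-digit short ID, which is
# easy to collide) is the check that protects against a substituted key file.

# Fingerprint published above for key 24A638E8, spaces removed.
EXPECTED_FPR="4D95B8F6541A1E976DF30EF19DBE6BF424A638E8"

# Constructed sample of `gpg --with-colons --fingerprint 24A638E8` output, so the
# parsing below can be exercised without gpg installed. Field 10 of each "fpr"
# record is the fingerprint; the first fpr after "pub" belongs to the primary key.
# The subkey fingerprint, subkey key ID and timestamps are placeholders, not real data.
SAMPLE_LISTING='pub:-:1024:17:9DBE6BF424A638E8:1422403200::-:::scESC::::::::0:
fpr:::::::::4D95B8F6541A1E976DF30EF19DBE6BF424A638E8:
uid:-::::1422403200::::Akamai Log Delivery Service (Service address only. Do not reply.)::::::::::0:
sub:-:2048:16:000000009335B0C0:1422403200::::::e::::::::
fpr:::::::::000000000000000000000000000000009335B0C0:'

# Print the primary-key fingerprint(s) found in a colon-format listing on stdin.
# Subkey fpr records (those following a "sub" record) are deliberately skipped.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# check_fingerprint EXPECTED < listing
# Succeed only if exactly one primary fingerprint is present and it equals
# EXPECTED (spaces and letter case ignored). Two matching keys, no key at all,
# or any difference all fail, so a wrong key is never silently accepted.
check_fingerprint() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(primary_fingerprints | tr 'a-f' 'A-F')
    if [ -n "$got" ] && [ "$got" = "$expected" ]; then
        return 0
    fi
    return 1
}

# import_pinned_key KEYFILE KEYID EXPECTED  (hypothetical wrapper; needs gpg)
# Import the downloaded key file, verify the pinned fingerprint, and delete the
# key again if it does not match so later gpg runs cannot pick it up by accident.
import_pinned_key() {
    keyfile=$1; keyid=$2; expected=$3
    gpg --batch --import "$keyfile" || return 1
    if gpg --batch --with-colons --fingerprint "$keyid" | check_fingerprint "$expected"; then
        echo "key $keyid imported, fingerprint verified" >&2
        return 0
    fi
    echo "fingerprint mismatch for $keyid; removing it from the keyring" >&2
    gpg --batch --yes --delete-keys "$keyid" >/dev/null 2>&1
    return 1
}

# Offline self-check against the constructed sample (runs without gpg):
printf '%s\n' "$SAMPLE_LISTING" | check_fingerprint "$EXPECTED_FPR" \
    && echo "sample listing matches the published fingerprint"

# Real usage, once gpg and the downloaded key are available (KEYFILE is an
# assumed variable holding the path you saved the key to):
#   import_pinned_key "$KEYFILE" 24A638E8 "$EXPECTED_FPR" || exit 1
```

The comparison is on the primary key's fingerprint only, because that is what the announcement publishes; if a future gpg version prints subkey fingerprints as well, they are ignored rather than mistaken for a mismatch. A listing that contains two keys matching the short ID also fails, which is the right outcome for a short-ID collision.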
Can I use the old GPG key after March 4, 2015?
The short answer: unfortunately, no.
The long answer: Our system is currently designed to use one key for all customer Log Delivery data. The cutover will be a one-time event for all customers at the same time. A GPG key represents the sender (in this case, the Log Delivery System as a whole), so separate public GPG keys for individual Log Delivery setups would require substantial overhead to implement.
Can I use the new GPG key before March 4, 2015?
Again, no. Our system does not currently support encrypting a given customer's data with a specifically chosen key. Use the old GPG key until March 4, 2015, then start using the new key on that date.
Can I be exempt from the rotation?
Unfortunately, no (for the same reasons as stated above).
What if, after the migration, I request a redelivery of data that was originally delivered before the migration? Which key should I use?
ANY encrypted delivery made on or after March 4, 2015 will use the new GPG key, even if it is a redelivery of older data. Use the new GPG key to decrypt it.
Does this mean that anybody with access to this new public key will be able to decrypt my log data?
Absolutely not! A public key can only encrypt; decrypting requires the matching private key. They would also need your private GPG key (which we hope/assume you are keeping secure). See the Resources section below for an overview of how public-key encryption works and why distributing a public key is safe.
Resources
- The new key to be used starting March 4, 2015: https://community.akamai.com/docs/DOC-1456
- A good high-level overview of how GPG encryption works: http://aplawrence.com/Basics/gpg.html
- A more detailed explanation of how to set up GPG on the receiving end of your log deliveries: http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto-3.html#ss3.3