Changeset View
Changeset View
Standalone View
Standalone View
src/docs/user/field/permanently_destroying_data.diviner
@title Permanently Destroying Data | @title Permanently Destroying Data | ||||
@group fieldmanual | @group fieldmanual | ||||
How to permanently destroy data and manage leaked secrets. | How to permanently destroy data and manage leaked secrets. | ||||
Overview | Overview | ||||
======== | ======== | ||||
Phabricator intentionally makes it difficult to permanently destroy data, but | Phorge intentionally makes it difficult to permanently destroy data, but | ||||
provides a command-line tool for destroying objects if you're certain that | provides a command-line tool for destroying objects if you're certain that | ||||
you want to destroy something. | you want to destroy something. | ||||
**Disable vs Destroy**: Most kinds of objects can be disabled, deactivated, | **Disable vs Destroy**: Most kinds of objects can be disabled, deactivated, | ||||
closed, or archived. These operations place them in inactive states and | closed, or archived. These operations place them in inactive states and | ||||
preserve their transaction history. | preserve their transaction history. | ||||
(NOTE) Disabling (rather than destroying) objects is strongly recommended | (NOTE) Disabling (rather than destroying) objects is strongly recommended | ||||
unless you have a very good reason to want to permanently destroy an object. | unless you have a very good reason to want to permanently destroy an object. | ||||
Destroying Data | Destroying Data | ||||
=============== | =============== | ||||
To permanently destroy an object, run this command from the command line: | To permanently destroy an object, run this command from the command line: | ||||
``` | ``` | ||||
phabricator/ $ ./bin/remove destroy <object> | phorge/ $ ./bin/remove destroy <object> | ||||
``` | ``` | ||||
The `<object>` may be an object monogram or PHID. For instance, you can use | The `<object>` may be an object monogram or PHID. For instance, you can use | ||||
`@alice` to destroy a particular user, or `T123` to destroy a particular task. | `@alice` to destroy a particular user, or `T123` to destroy a particular task. | ||||
(IMPORTANT) This operation is permanent and can not be undone. | (IMPORTANT) This operation is permanent and can not be undone. | ||||
CLI Access Required | CLI Access Required | ||||
=================== | =================== | ||||
In almost all cases, Phabricator requires operational access from the CLI to | In almost all cases, Phorge requires operational access from the CLI to | ||||
permanently destroy data. One major reason for this requirement is that it | permanently destroy data. One major reason for this requirement is that it | ||||
limits the reach of an attacker who compromises a privileged account. | limits the reach of an attacker who compromises a privileged account. | ||||
The web UI is generally append-only and actions generally leave an audit | The web UI is generally append-only and actions generally leave an audit | ||||
trail, usually in the transaction log. Thus, an attacker who compromises an | trail, usually in the transaction log. Thus, an attacker who compromises an | ||||
account but only gains access to the web UI usually can not do much permanent | account but only gains access to the web UI usually can not do much permanent | ||||
damage and usually can not hide their actions or cover their tracks. | damage and usually can not hide their actions or cover their tracks. | ||||
Another reason that destroying data is hard is simply that it's permanent and | Another reason that destroying data is hard is simply that it's permanent and | ||||
can not be undone, so there's no way to recover from mistakes. | can not be undone, so there's no way to recover from mistakes. | ||||
Leaked Secrets | Leaked Secrets | ||||
============== | ============== | ||||
Sometimes you may want to destroy an object because it has leaked a secret, | Sometimes you may want to destroy an object because it has leaked a secret, | ||||
like an API key or another credential. For example, an engineer might | like an API key or another credential. For example, an engineer might | ||||
accidentally send a change for review which includes a sensitive private key. | accidentally send a change for review which includes a sensitive private key. | ||||
No Phabricator command can rewind time, and once data is written to Phabricator | No Phorge command can rewind time, and once data is written to Phorge | ||||
the cat is often out of the bag: it has often been transmitted to external | the cat is often out of the bag: it has often been transmitted to external | ||||
systems which Phabricator can not interact with via email, webhooks, API calls, | systems which Phorge can not interact with via email, webhooks, API calls, | ||||
repository mirroring, CDN caching, and so on. You can try to clean up the mess, | repository mirroring, CDN caching, and so on. You can try to clean up the mess, | ||||
but you're generally already too late. | but you're generally already too late. | ||||
The `bin/remove destroy` command will make a reasonable attempt to completely | The `bin/remove destroy` command will make a reasonable attempt to completely | ||||
destroy objects, but this is just an attempt. It can not unsend email or uncall | destroy objects, but this is just an attempt. It can not unsend email or uncall | ||||
the API, and no command can rewind time and undo a leak. | the API, and no command can rewind time and undo a leak. | ||||
**Revoking Credentials**: If Phabricator credentials were accidentally | **Revoking Credentials**: If Phorge credentials were accidentally | ||||
disclosed, you can revoke them so they no longer function. See | disclosed, you can revoke them so they no longer function. See | ||||
@{article:Revoking Credentials} for more information. | @{article:Revoking Credentials} for more information. | ||||
Preventing Leaks | Preventing Leaks | ||||
================ | ================ | ||||
Because time can not be rewound, it is best to prevent sensitive data from | Because time can not be rewound, it is best to prevent sensitive data from | ||||
leaking in the first place. Phabricator supports some technical measures that | leaking in the first place. Phorge supports some technical measures that | ||||
can make it more difficult to accidentally disclose secrets: | can make it more difficult to accidentally disclose secrets: | ||||
**Differential Diff Herald Rules**: You can write "Differential Diff" rules | **Differential Diff Herald Rules**: You can write "Differential Diff" rules | ||||
in Herald that reject diffs before they are written to disk by using the | in Herald that reject diffs before they are written to disk by using the | ||||
"Block diff with message" action. | "Block diff with message" action. | ||||
These rules can reject diffs based on affected file names or file content. | These rules can reject diffs based on affected file names or file content. | ||||
This is a coarse tool, but rejecting diffs which contain strings like | This is a coarse tool, but rejecting diffs which contain strings like | ||||
`BEGIN RSA PRIVATE KEY` may make it more difficult to accidentally disclose | `BEGIN RSA PRIVATE KEY` may make it more difficult to accidentally disclose | ||||
certain secrets. | certain secrets. | ||||
**Commit Content Herald Rules**: For hosted repositories, you can write | **Commit Content Herald Rules**: For hosted repositories, you can write | ||||
"Commit Hook: Commit Content" rules in Herald which reject pushes that contain | "Commit Hook: Commit Content" rules in Herald which reject pushes that contain | ||||
commit which match certain rules (like file name or file content rules). | commit which match certain rules (like file name or file content rules). |
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under Apache 2.0 or other open source licenses. · CC BY-SA 4.0 · Apache 2.0