Differential D25007 Diff 23 src/docs/user/field/permanently_destroying_data.diviner

Changeset View

Standalone View

src/docs/user/field/permanently_destroying_data.diviner

	@title Permanently Destroying Data			@title Permanently Destroying Data
	@group fieldmanual			@group fieldmanual

	How to permanently destroy data and manage leaked secrets.			How to permanently destroy data and manage leaked secrets.

	Overview			Overview
	========			========

	Phabricator intentionally makes it difficult to permanently destroy data, but			Phorge intentionally makes it difficult to permanently destroy data, but
	provides a command-line tool for destroying objects if you're certain that			provides a command-line tool for destroying objects if you're certain that
	you want to destroy something.			you want to destroy something.

	Disable vs Destroy: Most kinds of objects can be disabled, deactivated,			Disable vs Destroy: Most kinds of objects can be disabled, deactivated,
	closed, or archived. These operations place them in inactive states and			closed, or archived. These operations place them in inactive states and
	preserve their transaction history.			preserve their transaction history.

	(NOTE) Disabling (rather than destroying) objects is strongly recommended			(NOTE) Disabling (rather than destroying) objects is strongly recommended
	unless you have a very good reason to want to permanently destroy an object.			unless you have a very good reason to want to permanently destroy an object.


	Destroying Data			Destroying Data
	===============			===============

	To permanently destroy an object, run this command from the command line:			To permanently destroy an object, run this command from the command line:

	```			```
	phabricator/ $ ./bin/remove destroy <object>			phorge/ $ ./bin/remove destroy <object>
	```			```

	The `<object>` may be an object monogram or PHID. For instance, you can use			The `<object>` may be an object monogram or PHID. For instance, you can use
	`@alice` to destroy a particular user, or `T123` to destroy a particular task.			`@alice` to destroy a particular user, or `T123` to destroy a particular task.

	(IMPORTANT) This operation is permanent and can not be undone.			(IMPORTANT) This operation is permanent and can not be undone.


	CLI Access Required			CLI Access Required
	===================			===================

	In almost all cases, Phabricator requires operational access from the CLI to			In almost all cases, Phorge requires operational access from the CLI to
	permanently destroy data. One major reason for this requirement is that it			permanently destroy data. One major reason for this requirement is that it
	limits the reach of an attacker who compromises a privileged account.			limits the reach of an attacker who compromises a privileged account.

	The web UI is generally append-only and actions generally leave an audit			The web UI is generally append-only and actions generally leave an audit
	trail, usually in the transaction log. Thus, an attacker who compromises an			trail, usually in the transaction log. Thus, an attacker who compromises an
	account but only gains access to the web UI usually can not do much permanent			account but only gains access to the web UI usually can not do much permanent
	damage and usually can not hide their actions or cover their tracks.			damage and usually can not hide their actions or cover their tracks.

	Another reason that destroying data is hard is simply that it's permanent and			Another reason that destroying data is hard is simply that it's permanent and
	can not be undone, so there's no way to recover from mistakes.			can not be undone, so there's no way to recover from mistakes.


	Leaked Secrets			Leaked Secrets
	==============			==============

	Sometimes you may want to destroy an object because it has leaked a secret,			Sometimes you may want to destroy an object because it has leaked a secret,
	like an API key or another credential. For example, an engineer might			like an API key or another credential. For example, an engineer might
	accidentally send a change for review which includes a sensitive private key.			accidentally send a change for review which includes a sensitive private key.

	No Phabricator command can rewind time, and once data is written to Phabricator			No Phorge command can rewind time, and once data is written to Phorge
	the cat is often out of the bag: it has often been transmitted to external			the cat is often out of the bag: it has often been transmitted to external
	systems which Phabricator can not interact with via email, webhooks, API calls,			systems which Phorge can not interact with via email, webhooks, API calls,
	repository mirroring, CDN caching, and so on. You can try to clean up the mess,			repository mirroring, CDN caching, and so on. You can try to clean up the mess,
	but you're generally already too late.			but you're generally already too late.

	The `bin/remove destroy` command will make a reasonable attempt to completely			The `bin/remove destroy` command will make a reasonable attempt to completely
	destroy objects, but this is just an attempt. It can not unsend email or uncall			destroy objects, but this is just an attempt. It can not unsend email or uncall
	the API, and no command can rewind time and undo a leak.			the API, and no command can rewind time and undo a leak.

	Revoking Credentials: If Phabricator credentials were accidentally			Revoking Credentials: If Phorge credentials were accidentally
	disclosed, you can revoke them so they no longer function. See			disclosed, you can revoke them so they no longer function. See
	@{article:Revoking Credentials} for more information.			@{article:Revoking Credentials} for more information.


	Preventing Leaks			Preventing Leaks
	================			================

	Because time can not be rewound, it is best to prevent sensitive data from			Because time can not be rewound, it is best to prevent sensitive data from
	leaking in the first place. Phabricator supports some technical measures that			leaking in the first place. Phorge supports some technical measures that
	can make it more difficult to accidentally disclose secrets:			can make it more difficult to accidentally disclose secrets:

	Differential Diff Herald Rules: You can write "Differential Diff" rules			Differential Diff Herald Rules: You can write "Differential Diff" rules
	in Herald that reject diffs before they are written to disk by using the			in Herald that reject diffs before they are written to disk by using the
	"Block diff with message" action.			"Block diff with message" action.

	These rules can reject diffs based on affected file names or file content.			These rules can reject diffs based on affected file names or file content.
	This is a coarse tool, but rejecting diffs which contain strings like			This is a coarse tool, but rejecting diffs which contain strings like
	`BEGIN RSA PRIVATE KEY` may make it more difficult to accidentally disclose			`BEGIN RSA PRIVATE KEY` may make it more difficult to accidentally disclose
	certain secrets.			certain secrets.

	Commit Content Herald Rules: For hosted repositories, you can write			Commit Content Herald Rules: For hosted repositories, you can write
	"Commit Hook: Commit Content" rules in Herald which reject pushes that contain			"Commit Hook: Commit Content" rules in Herald which reject pushes that contain
	commit which match certain rules (like file name or file content rules).			commit which match certain rules (like file name or file content rules).