Create a Guide: Setting up 1password for your Open Source Project #701

Closed
4 of 12 tasks
ExperimentsInHonesty opened this issue Aug 24, 2020 · 8 comments
Labels
APBMDA Move issue to project board, Move to Done, Archive documentation Documentation creation P-Feature: Toolkit https://www.hackforla.org/toolkit/ size: missing

@ExperimentsInHonesty
Member

ExperimentsInHonesty commented Aug 24, 2020

Overview

We need a guide for team leads to set up 1 pass, so that we can have all the teams using it.

Action Items

  • 1Password Admins
    Document the steps and upload any screenshots. Don't worry too much about the wording. We can review the draft after it's up. Feel free to write the HfLA-specific version; we can edit it to be more generic later.
  • Revise, and identify what might be missing
    • Missing screen shots
    • Missing keyperson removal process
  • UI
    • Create initial mockup of this in guidepage format
    • Get signoff
  • Developer
    • Create MVP version of this doc and link to toolkit
    • Get signoff
    • Submit PR and ask for visual and code reviewers
    • This guide issue needs to be updated on our Guide Tracking sheet

Resources/Instructions

https://hackforla-team.1password.com/

@ExperimentsInHonesty ExperimentsInHonesty added this to Ice box in Project Board via automation Aug 24, 2020
@ExperimentsInHonesty ExperimentsInHonesty added the documentation Documentation creation label Aug 24, 2020
@ExperimentsInHonesty ExperimentsInHonesty moved this from Ice box to In progress in Project Board Aug 24, 2020
@johnr54321
Member

Background: 1Password community edition is the place to maintain our secrets. Please don't keep them in places that people can get access to (e.g., inside your repo). Generally, 1Password should be used for shared passwords of root accounts. You can keep your own passwords in 1pass, but please put them in a private vault and not the team vault. Generally, people who have access to these root account passwords should be those that are trusted and have put some time in on the team or are the first people to set up the project (e.g., Dev Lead, Product Lead, etc.). Here is how you should request access for your product:

Steps
1.) Talk to your team lead (dev or product) and have them contact the administrator.
2.) The team lead should include the names, emails, and positions and team info of the people that need access
3.) They will send email requests to sign up to whomever the relevant participants are.
4.) Once you get the email, please set up your own 1Password account with the Hack for LA organization. It's fine if you already have 1Password for a different organization on the same email address. There are two secrets you'll get a copy of that you'll need to keep to remain safe: a.) Your Secret Key b.) Your Master Password. You'll always need your master password to log in to devices. (For mobile apps, the biometrics may suffice.) However, you'll need your secret key every time you sign in from a different browser or device.
5.) After you sign up, contact the team lead / admin to confirm your account and give you access to the appropriate teams' information.

@ExperimentsInHonesty
Member Author

ExperimentsInHonesty commented Aug 24, 2020

Title: How to keep open source project passwords safe

Why your open source project needs a password management system
On volunteer open source projects the following constraints are important to keep in mind when setting up a password management system:

  • Volunteers will come and go;
  • Volunteers will need access to resource passwords;
  • Passwords need to be kept safe (not in google docs, inside a code repository or other insecure locations).

What type of passwords should be stored in your password management system?

  • all the project passwords
  • your personal passwords (optional)

Where to store the passwords in the system

  • Team vault:
    • shared passwords of root accounts
  • Private vault:
    • personal passwords

Who should have access to root passwords?
People who have access to root account passwords should be those that are trusted and have put some time in on the team or are the first people to set up the project (e.g., Dev Lead, Product Lead, etc.).

What password management system is suitable for a volunteer open source project?

  • Hack for LA uses 1password for open source projects on all our projects
  • Article that covers other options. If you have experience with these password management systems on other open source volunteer projects, please join the #ops channel and tell us about it. We appreciate understanding the benefits/limitations of what is available on the market.

Steps

  1. Talk to your team lead (dev or product) and have them contact your organization's 1pass Administrator.

  2. The team lead should include the names, emails, and positions and team info of the people that need access

  3. The Administrator will send email requests to sign up to whomever the relevant participants are.

  4. Once you get the email, please set up your own 1Password account with the organization. It's fine if you already have 1Password for a different organization on the same email address. There are two secrets you'll get a copy of that you'll need to keep to remain safe:

    • Your Secret Key
    • Your Master Password.
      • You'll always need your master password to log in to devices. (For mobile apps, the biometrics may suffice.) However, you'll need your secret key every time you sign in from a different browser or device.
  5. After you sign up, contact the team lead / admin to confirm your account and give you access to the appropriate teams' information.

Hack for LA's admins can be reached by sending a message in the Slack channel #ops to @bonnie and @john Ritchey, letting them know you are the team lead and are ready to start the process (i.e., you have the details from step 2 ready).

@johnr54321
Member

johnr54321 commented Aug 24, 2020

Two things:

  1. I don’t think we should suggest Hack for LA projects an option to use other password managers. (No backup in case we lose everyone)
  2. You misspelled people under who should have access

@ExperimentsInHonesty
Member Author

@johnr54321 I changed it above to say:

What password management system is suitable for a volunteer open source project?

  • Hack for LA uses 1password for open source projects on all our projects
  • Article that covers other options. If you have experience with these password management systems on other open source volunteer projects, please join the #ops channel and tell us about it. We appreciate understanding the benefits/limitations of what is available on the market.

Is that better? It should be generic enough that it's a public-facing guide, while still being useful for our members.

@johnr54321
Member

Sounds good! Thanks!

@ExperimentsInHonesty
Member Author

@johnr54321 I am going to send this to UI to mock up, but I think we will need screenshots and a "how to remove people" set of instructions too. I will ask the next person I work on this with to make screenshots and add them to this issue.

@ExperimentsInHonesty ExperimentsInHonesty moved this from In progress to Prioritized backlog in Project Board Aug 25, 2020
@johnr54321
Member

Maybe invite the UI lead from the website team to 1Password to document? We just need to change the content in them so we aren't giving away people's security information.

@ExperimentsInHonesty ExperimentsInHonesty changed the title Create 1 pass setup guide Create a Guide: 1password setup guide Oct 4, 2020
@ExperimentsInHonesty ExperimentsInHonesty changed the title Create a Guide: 1password setup guide Create a Guide: 1password Setup Guide Oct 4, 2020
@ExperimentsInHonesty ExperimentsInHonesty changed the title Create a Guide: 1password Setup Guide Create a Guide: Setting up 1password for your Open Source Project Oct 4, 2020
@ExperimentsInHonesty ExperimentsInHonesty added Feature: Guides P-Feature: Toolkit https://www.hackforla.org/toolkit/ and removed Feature: Guides labels Oct 4, 2020
@IAgbaje
Member

IAgbaje commented Feb 16, 2021

Project Board automation moved this from Prioritized backlog to Done Jun 12, 2021
6 participants