Mr_Rose83, Blue Ridge Protects the Holy, Registered User regular
Someone will still have to feed the box of drives the robot picks from, and also fix the robot when it breaks. So we're probably all good, just gotta train one layer of abstraction deeper…
But then you have robots who fix robots. And then even further, you have other robots that redesign and create new robots. Didn't anyone else watch Screamers?
While I agree that being insensitive is an issue, so is being oversensitive.
Considering that robotic tape libraries have been a thing for, like, a really long time, I'm genuinely curious why a robotic SAN library doesn't exist yet. I mean, maybe not for sale, but in an expected-failure environment like Google's with their server rooms running at 80 F, you've gotta wonder if they have such a thing.
I assume it's easier and cheaper to have a fuckton of hotspares and pay a kid minimum wage to swap disks.
life's a game that you're bound to lose / like using a hammer to pound in screws
fuck up once and you break your thumb / if you're happy at all then you're god damn dumb
that's right we're on a fucked up cruise / God is dead but at least we have booze
bad things happen, no one knows why / the sun burns out and everyone dies
This is trufax. I just imagine that if anyone was going to do something that sexy, it'd be Google.
now, if you could get a robot that could rack, stack, and cable in addition to swapping drives then you might be onto something
lights-out indeed
can you quit bitching about how my system doesn't have a label yet and how you think I've configured the OS wrong or how I should have a crossover cable to set up a sql cluster (wtf?) and just SET UP MY DAMN LUNS
Who the hell is this guy? I mean, I am, as one of my jobs, the SAN administrator. When we got the thing, I had no idea what I was doing, nor did I understand how the networking was set up. We even had a stupid major failure (but didn't lose any data) due to not replacing disks and having a fundamental misunderstanding of how the RAID was actually set up (vs. how it appeared to be set up in the GUI). But I learned, and I set up our new SAN box entirely with no outside help. I'm no expert, but I'm pretty proud of where I am with that 10% of my job.
And I can't think of any good reason why you'd need a crossover cable for anything when setting up LUNs from a server. The only bad reason I can think of is that the SAN box doesn't have its own dedicated switch, so they're just hooking servers up to the SAN directly? That would be reeeeeeaallly dumb, but I guess it would work.
I've come to the conclusion that 98% of the people on this planet do not have a functioning brain and don't understand logic or sequence of events (this happens, so that happens).
And it makes me realize that someone who can take something, break it down into pieces, and do work with it, is worth their weight in fucking gold. The rest of the planet capitalizes on that 2% that can actually think critically in their day to day work.
These people don't even have to be high up the chain, they're probably not, they're probably at the lowest, and the rest excel by putting their boot on the other's face and using them as a stepping stone.
So agreed. For my younger staff, I'm trying to teach into them an undying fire of "need to know" - you need to know how everything works that you're touching to some degree to understand possible implications of changes or efficiencies that can be gained.
Not only do those 98% not know how to think critically - they get pissed when you try to teach them or make them. It's like ...F you IT guy, I need to get back to this brainless app on my phone - so don't try to tell me how you can't give me exclusive access to this Public Folder in Outlook.
Considering that robotic tape libraries have been a thing for, like, a really long time, I'm genuinely curious why a robotic SAN library doesn't exist yet. I mean, maybe not for sale, but in an expected-failure environment like Google's with their server rooms running at 80 F, you've gotta wonder if they have such a thing.
Most every robotic tape library I've used has also shit the bed in a major way. With that many moving parts, it's inevitable. But..... in my head I'm thinking something similar to that machine in Patriot Games where that guy was trying to crack a password. He had this machine that looked like it was moving disks all over the place. I'll try to find a video of it later.
So either that or I'd be cool with Johnny 5.
I'm at work. Working on scripts, documentation, project list for last year and next year. I would be fine if this is how the whole day goes. My morning has basically been various people confirming fixes from yesterday, so I'm on cloud 9 for the moment.
It's exactly like Christmas Eve, except that of the either working both, I'm the only person who was working both days.
I'm here, same as Christmas Eve. Unlike Christmas Eve, though, I'm not the only one here, so my HDMI port didn't, uh, get utilized today. Probably going to bust out the 2015 user audit on the last day of the year. That'll be fun.
I'm continuing an upgrade of our wireless system. Spent 3 hours with Dell on it yesterday, and it's still fucking up. Was here until after 7:00 last night. It shouldn't be this hard to upgrade a controller, but it is (and always has been) with this system.
I started my day by printing out my offer letter and assorted legal cruft for my new job, signing, and scanning it.
Suck it MEGACORP, I'm using your resources to leave you :P
This is the best.
When I left my shitboss I took a whole 8 hour day to wipe the computer with one of those NSA level wiper utilities so he couldn't restore deleted data from it.
Jesus... this whole situation is a mess. Now I'm on a call with the original Dell tech, an escalation Dell tech, and two Aruba escalation techs. 4 of the 5 are on a call; 1 cannot because he's on a cell working remotely from home. 3 of us are in a webex session, which is then connecting into a GoToMeeting session with the two Aruba techs.
We've got a PuTTY telnet, PuTTY SSH, command prompt, and GUI session all running at the same time, with each of us 5 having to at some point take control to enter information in.
Fucking 5 hours of this shit for a simple firmware upgrade to fix a set of NTP vulnerabilities.
It took Dell/Aruba 7 months to sort out our wireless issues. 7 months.
The original setup designed by an aruba dude ended up being way over engineered, so we had too much signal in our shop/warehouse area, which caused interference.
They then promised one specific model of AP that would be firmware upgraded to allow for mesh networking, thus not needing ethernet to be run literally 3 stories up a pillar in the middle of nowhere in the shop, and to posts outside. That was over a year ago. It hasn't happened yet.
We have a bunch of wifi voip phones in that shop area, because running ethernet to their locations was not practical. They would drop 25% of the packets, making voice calls useless. This was caused by a combination of interference from the over engineered network, and compatibility issues with the chipset on the USB wifi adapters on the phones that Aruba recommended. We had to switch them out and update the firmware on the phones.
7 months after we turned on wifi in the shop, it was finally working. We ended up replacing 3 high power APs with 2 medium power APs and that solved some of the problems as there was less interference from them fighting. A couple firmware updates took care of some others. It is working now to probably 90% of the original spec/want. But we still have issues with devices not connecting to the closer/better signal AP at like -50 dB signal and instead connecting to one that's like 300 feet away at -115 dB and getting speeds at like 1 Mbit which means the device is basically useless unless you reboot it and pray it connects to the right AP after.
I'll never do an aruba setup again. It has been a miserable experience.
Over engineered, more like severely under engineered. This is a major pet peeve of mine when it comes to design for enterprise wireless. Everyone always puts these damn things at 100% power output, and then it doesn't work. Wireless communication is a two-way street. Your client devices have to be heard by the access point. If your receive level is at -60 dB and your noise floor is at -90 dB or below (my personal experience is that 30 SNR is the sweet spot), that only tells you one side of the story. The other side of the story has to be told, which is that your client devices have to be heard by the access point, using the same channel. But client devices are always smaller, less powerful, typically don't have external antennas (which hampers them severely when doing EIRP calculations, as antennas help with both send and receive levels, but aren't calculated on the receive side for conforming to EIRP standards), and rely on the AP to have a big enough ear to hear them. If you have your power output jacked all the way up to 100%, your client devices are going to attach to an AP on the fringe of its signal, but drop transmissions back to the AP, almost constantly.
For this reason, you should almost always back off your power levels anywhere from 60-80% of the maximum (really, the lower the better), and order more units to expand coverage. This will have many benefits:
1. Less interference, as you've noticed.
2. Lower noise floors, in general.
3. Client devices won't attach to access points they have no business trying to connect to.
Going to lower-powered APs is definitely the right way to go, and I'm glad you did. But if they have internal power settings, I'd suggest knocking them down a bit, and see if you keep having an issue with clients connecting to the AP that's further away. Most likely this will be a failed experiment, but it's worth trying. My guess is that the culprit is that the software in your AP/controller isn't kicking SU's when their signal degrades. Fast AP switching is a sort of magic that is far from perfect, because if they depend on the client device to make intelligent decisions, you'll end up being pretty frustrated. Ubiquiti's Unifi product, as I've said before, didn't have this working initially, and it was very frustrating until they did.
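Napkin math for the two-way argument above, as an added example (mine, not code from the thread, Dell or Aruba): a log-distance link budget that works out both directions of the link. With the AP at full power a phone associates at a fringe where it hears the AP at a usable 10 dB SNR while the AP hears it back at only 2 dB, and matching the AP's transmit power to the client's makes the link symmetric at the cost of a smaller cell, which is why the fix is more, lower-power APs. The AP and phone figures, the -80 dBm association threshold and the path-loss exponent are constructed assumptions; the -90 dBm noise floor is the one quoted in the thread.

```python
import math

# Constructed link parameters for this example (not measurements from the thread):
# an enterprise AP at full power with a 5 dBi antenna, and a handheld Wi-Fi VoIP
# phone with a weaker radio and no external antenna gain.
AP_MAX_TX_DBM = 23.0
AP_ANT_DBI = 5.0
CLIENT_TX_DBM = 15.0
CLIENT_ANT_DBI = 0.0
NOISE_FLOOR_DBM = -90.0      # noise floor quoted in the thread
ASSOC_RSSI_DBM = -80.0       # assumed weakest signal at which a client still associates
FREQ_MHZ = 2437.0            # 2.4 GHz channel 6
PATH_LOSS_EXPONENT = 3.0     # log-distance model; about 3 for a cluttered shop/warehouse


def _fspl_1m_db():
    """Free-space path loss at 1 m for FREQ_MHZ (the usual 20log10(f_MHz) - 27.55 form)."""
    return 20 * math.log10(FREQ_MHZ) - 27.55


def path_loss_db(distance_m):
    """Log-distance path loss: free-space loss at 1 m plus 10*n*log10(d)."""
    return _fspl_1m_db() + 10 * PATH_LOSS_EXPONENT * math.log10(distance_m)


def distance_for_loss(loss_db):
    """Inverse of path_loss_db: how far away a given loss is reached."""
    return 10 ** ((loss_db - _fspl_1m_db()) / (10 * PATH_LOSS_EXPONENT))


def link_snrs(ap_tx_dbm, distance_m):
    """SNR in both directions at one distance; antenna gain counts on both ends."""
    loss = path_loss_db(distance_m)
    downlink_rssi = ap_tx_dbm + AP_ANT_DBI - loss + CLIENT_ANT_DBI   # heard at the client
    uplink_rssi = CLIENT_TX_DBM + CLIENT_ANT_DBI - loss + AP_ANT_DBI  # heard at the AP
    return downlink_rssi - NOISE_FLOOR_DBM, uplink_rssi - NOISE_FLOOR_DBM


def cell_edge(ap_tx_dbm):
    """Distance at which a client still associates, with the SNR each way there.

    The client attaches based on what *it* hears (downlink), so the edge is set
    by the AP's EIRP; whether the AP can hear the client back is the separate
    question the uplink SNR answers.
    """
    edge_loss = ap_tx_dbm + AP_ANT_DBI + CLIENT_ANT_DBI - ASSOC_RSSI_DBM
    distance = distance_for_loss(edge_loss)
    down_snr, up_snr = link_snrs(ap_tx_dbm, distance)
    return distance, down_snr, up_snr


def balanced_ap_tx_dbm():
    """AP power at which uplink and downlink SNR match at every distance.

    With reciprocal antenna gains the only asymmetry left is transmit power,
    so the balanced setting is the client's transmit power, capped at what
    the AP can actually do.
    """
    return min(CLIENT_TX_DBM, AP_MAX_TX_DBM)


if __name__ == "__main__":
    for tx in (AP_MAX_TX_DBM, balanced_ap_tx_dbm()):
        d, down, up = cell_edge(tx)
        print(f"AP at {tx:.0f} dBm: clients attach out to {d:.0f} m, "
              f"downlink SNR {down:.0f} dB, uplink SNR {up:.0f} dB")
```

With these figures the full-power cell reaches about 182 m with a 2 dB uplink at the edge, while the balanced 15 dBm cell reaches about 99 m with 10 dB both ways; the missing 80-odd metres is what the extra APs are for.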
You should be doing napkin math to figure out where to put APs without overlapping their zones too much. 100% power has never been an issue for me. But I also don't put APs everywhere.
I keep getting emails to my forum handle email and they were job offers. They are from some company in the UK. I emailed them politely to let them know they have the wrong email but I just got sent an Azure verification... Checked out the website that hosts their email and it's a consulting firm but the site isn't filled out, I'm kind of curious, wondering if it's a scam. However, the Microsoft email I got for Azure verification is legit...
Athenor, Battle Hardened Optimist, The Skies of Hiigara, Registered User regular
edited January 2016
Anyone here have any experience with "easy" "client-facing" decryption?
I think I've mentioned this before, but we have a setup here where it takes 2 people (from separate lists, so one from group 1 and one from group 2) to unlock a file necessary for certain processes around here. I've tried recovering this software after the old one broke (it's VB6), and to be honest the system we had before was kind of a stopgap anyways.
Now, we want to look to see if there is a vendor solution or a pre-packaged dealie that can handle this requirement. But I'm not sure where to go with this. I'm not the best at hunting for new solutions.
We're basically looking for two factor authentication - a physical key and a password. Ideally it would be a physical key and 2 passwords.
He/Him | "We who believe in freedom cannot rest." - Dr. Johnetta Cole, 7/22/2024
Yeah I mean... that's a thing but it is unique enough to your business that you probably won't find something off the shelf.
I guess to help me understand it, you say you have two lists, but where does it pull this list from? Text file? Active Directory group? Each user has a password on each of those lists? And you need one from each group to be present to unlock the file in question?
Also what counts as the physical key? Something in the file?
Athenor, Battle Hardened Optimist, The Skies of Hiigara, Registered User regular
From the previous program:
1) The lists are baked into the GPG backend. The private keys are stored in a folder on the destination server that can be accessed by any of the users. In order to generate new users, the file must be unlocked. In order to add or remove users, the file must be unlocked - and then re-encrypted from scratch. I'd love to tie into AD or something more dynamic.
2) List 1 is made up of account techs, usually 4-5. List 2 is made up of payroll clerks, again 3-4. The program had 2 fields - one for the techs, the other for the clerks. A valid user/pass had to be entered into both fields, which were labeled for what kind of person could unlock that field. Picture it like a nuclear key situation.
3) In our case, the physical keys are a set of 4 USB fobs that are clones of each other. They contain the program and the encrypted data, that then gets decrypted and delivered to the appropriate destination. The destination file is deleted when the system is re-locked.
TL DR, Not at all confident in his reflexive opinions of things, Registered User regular
How do you keep them in sync with each other?
Athenor, Battle Hardened Optimist, The Skies of Hiigara, Registered User regular
The keys only get updated a few times a year. So... manual copy/paste, which can lead to fun times if a backup can't be located for a while... *cough*
If I were designing this system from scratch I would probably do it like so:
First solution:
Keyfobs contain the main encryption key. This way you never have to really 'update them'. Lists are tied to active directory group. This way you can validate the username and passwords easily. 2 factor.
Without the keyfob you can't even continue. The program and data can potentially be stored anywhere.
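Athenor's description of the current GPG-based unlock (two lists, four cloned fobs, re-encrypt from scratch whenever a user changes) and TL DR's proposal (the fob carries the main key, the lists validate logins) both fit a per-member key-slot scheme; this is an added example of that scheme in Python, mine rather than either poster's code or any vendor product. Each list gets a random share, every member's slot wraps their list's share under a password-stretched key, and the file key is an HMAC over the fob secret plus both shares, so the file key never changes when members come and go. The scrypt cost, the slot layout and the member names are constructed assumptions; the list names follow the thread's techs and clerks.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed parameters for this example; raise the scrypt cost to suit your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
GROUPS = ("techs", "clerks")  # the two lists; one valid login from each is required


def _derive(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch a member's password into a 32-byte wrap key and a 32-byte check key."""
    out = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return out[:32], out[32:]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class DualControlVault:
    """Per-member key slots enforcing a two-person rule.

    Each list has a random 32-byte share; every member's slot wraps their
    list's share under a key stretched from their password. The file key is
    HMAC(fob_secret, share_techs || share_clerks), so recovering it takes the
    USB fob *and* one valid login from each list. Adding or removing a member
    touches only that member's slot: the file key, and therefore the encrypted
    data on the fobs, never has to be rewritten.
    """

    def __init__(self) -> None:
        # group name -> username -> {"salt", "wrapped", "tag"}; safe to store anywhere
        self.slots = {g: {} for g in GROUPS}

    @classmethod
    def create(cls, first_members: dict) -> tuple[DualControlVault, bytes]:
        """Bootstrap with one (username, password) per list; returns the vault and the fob secret."""
        vault = cls()
        for group, (user, password) in first_members.items():
            vault._write_slot(group, user, password, secrets.token_bytes(32))
        return vault, secrets.token_bytes(32)

    def _write_slot(self, group: str, user: str, password: str, share: bytes) -> None:
        salt = secrets.token_bytes(16)
        wrap_key, check_key = _derive(password, salt)
        wrapped = _xor(share, wrap_key)  # a fresh 32-byte key per salt pads the 32-byte share
        tag = hmac.new(check_key, wrapped, hashlib.sha256).digest()
        self.slots[group][user] = {"salt": salt, "wrapped": wrapped, "tag": tag}

    def _open_slot(self, group: str, user: str, password: str) -> bytes:
        """Unwrap the list's share, or raise if the member or password is wrong."""
        slot = self.slots[group].get(user)
        if slot is None:
            raise PermissionError(f"{user!r} is not on the {group} list")
        wrap_key, check_key = _derive(password, slot["salt"])
        expected = hmac.new(check_key, slot["wrapped"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, slot["tag"]):
            raise PermissionError(f"bad password for {user!r}")
        return _xor(slot["wrapped"], wrap_key)

    def add_member(self, group: str, sponsor: str, sponsor_pw: str,
                   new_user: str, new_pw: str) -> None:
        """An existing member of the same list vouches for a new one; nothing is re-encrypted."""
        share = self._open_slot(group, sponsor, sponsor_pw)
        self._write_slot(group, new_user, new_pw, share)

    def remove_member(self, group: str, user: str) -> None:
        # Deleting the slot revokes the login. It does not rotate the list's share;
        # if you must assume the departed member copied it, re-wrap the list with a
        # fresh share, which changes the file key and brings back the re-encryption.
        del self.slots[group][user]

    def unlock(self, fob_secret: bytes, tech_user: str, tech_pw: str,
               clerk_user: str, clerk_pw: str) -> bytes:
        """The nuclear-key moment: one tech, one clerk, and the fob, or nothing."""
        if tech_user == clerk_user:
            raise PermissionError("two different people are required")
        share_t = self._open_slot("techs", tech_user, tech_pw)
        share_c = self._open_slot("clerks", clerk_user, clerk_pw)
        return hmac.new(fob_secret, b"file-key" + share_t + share_c, hashlib.sha256).digest()
```

The returned key is what you would hand to a real AEAD (AES-GCM, or GPG symmetric mode) for the data on the fob; keeping the fobs in sync then only means copying slot records, not re-encrypting.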
Athenor, Battle Hardened Optimist, The Skies of Hiigara, Registered User regular
This is what I think we want to aim towards. In fact, I think our program that we use for printing now supports this. The bigger question is the needing 2 lists / segregation of duties stuff. But.. we'll see. The original piece was only supposed to be temporary, but like anything "good enough"...
It's exactly like Christmas Eve, except that of the either working both, I'm the only person who was working both days.
Heh. 'Working.'
I didn't have the last 2 days to take off for a 10 day vacation.
So I'm here.
Doing absolutely nothing I guess.
Well... definitely doing minimal amounts of work and taking my sweet time with it.