From 736216e6e840988d58c410f1a63ec00defbf90a4 Mon Sep 17 00:00:00 2001 From: Giles Westwood Date: Fri, 22 May 2020 09:26:48 +0000 Subject: [PATCH] private-key-cron-21: sample cronjob --- README.md | 6 ++++++ etc/cron.d/subspace | 3 +++ 2 files changed, 9 insertions(+) create mode 100644 etc/cron.d/subspace diff --git a/README.md b/README.md index 50c042be..78829e1f 100644 --- a/README.md +++ b/README.md @@ -197,6 +197,12 @@ $ sudo docker rm subspace $ sudo docker create ... (see above) ``` +### Security + +Subspace generates a public private keypair for each user and stores them on the server in a file. Anyone with sudo access to the subspace server can therefore read other peoples keys. + +To mitigate this you can add the cron in etc/cron.d/subspace which will delete the private keys after they are generated. That does mean the user will have to regenerate a key if they lose their current one. + ## Contributors ✨ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)): diff --git a/etc/cron.d/subspace b/etc/cron.d/subspace new file mode 100644 index 00000000..83842df2 --- /dev/null +++ b/etc/cron.d/subspace @@ -0,0 +1,3 @@ +# don't store private keys on the subspace server once they're generated and make sure our config in general is not world readable +*/10 * * * * root chmod 640 /data/config.json; chmod -R 750 /data/wireguard; perl -pi -e 's/PrivateKey = .*/PrivateKey = YOU MUST MAKE A NEW PROFILE IF YOU LOST YOUR KEY/' /data/wireguard/client/*.conf +
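Review bot: the README hunk's new "Security" section describes the cron as something that "will delete the private keys after they are generated", but the job added in etc/cron.d/subspace does not delete anything: it rewrites the `PrivateKey = ...` line in `/data/wireguard/client/*.conf` with a placeholder string and tightens permissions on `/data/config.json` and `/data/wireguard`. The text should say that, and should also state that the job runs every 10 minutes, so a freshly generated private key stays readable on the server for up to 10 minutes before it is overwritten; readers deciding whether this mitigation is enough for them need that window spelled out. It would also help to say where the file is meant to be installed (on the host running subspace, under `/etc/cron.d/`, with `/data` being the host path of the data volume), since the README otherwise only refers to the path inside the repository. Minor wording: "public private keypair" should be "public/private keypair" and "other peoples keys" should be "other people's keys".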
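Review bot: the cron line in etc/cron.d/subspace has a few sharp edges worth fixing before this is offered as a security control. First, `perl -pi -e` rewrites each file in place by writing a new file and replacing the old one, so the original bytes holding the private key are not securely erased and may remain recoverable on the underlying storage; the README should not imply the key is gone from the server once the job has run. Second, the three commands are chained with `;`, so a failure in `chmod` does not stop the `perl` step and vice versa; `&&` would at least make a failure visible rather than silently partial. Third, `chmod -R 750 /data/wireguard` sets the execute bit on every file under that tree, which is more than needed; 750 on directories and 640 on files (for example with `find /data/wireguard -type d -exec chmod 750 {} +` and `find /data/wireguard -type f -exec chmod 640 {} +`) is the tighter choice. Finally, when no client configs exist yet the unmatched glob `/data/wireguard/client/*.conf` is passed to perl literally under cron's `/bin/sh`, so perl will report that it cannot open the file and cron will mail that error to root every 10 minutes; guarding the perl call with a test for matching files, or redirecting its stderr, avoids the noise.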