author    Jonas Smedegaard <dr@jones.dk>  2019-06-03 16:29:04 +0200
committer Jonas Smedegaard <dr@jones.dk>  2019-06-03 16:29:04 +0200
commit    edce916b134b695edb92210fa2ddc48beb2aeb8e (patch)
tree      d667d8140d62977d35ede73ddb309e289294dfaa
parent    bad93a72fe2b2ee19cd40dd51cfd17a2803ef08d (diff)
Updates to storage.
-rw-r--r--  SETUP.md  77
-rw-r--r--  USE.md    32
2 files changed, 108 insertions, 1 deletions
diff --git a/SETUP.md b/SETUP.md
new file mode 100644
index 0000000..01c67d5
--- /dev/null
+++ b/SETUP.md
@@ -0,0 +1,77 @@
+# Setting up a secure account
+
+Personal secrets should never leave your personal control.
+Digital secrets should be kept on a cryptographically secure storage
+and handled only with special tools
+to not leak data e.g. via temporary files or virtual memory.
+
+Avoid smart file managers.
+
+Do *not* transfer secret data as-is on insecure media like a USB stick -
+traces of the secrets can be left behind even after deletion!
+
+
+## Storage
+
+A quite strong option is to keep secrets on a smartcard
+accessed from a personal system with full disk encryption.
+
+A strong option is to keep secrets on a personal system with full disk encryption.
+
+A weaker option is to keep secrets on an encrypted disk partition
+mounted only when needed and then unmounted again.
+
+
+### Full disk encryption
+
+Setting up "Full disk encryption" is done when setting up the whole system.
+
+
+### encrypted partition
+
+You need package `cryptsetup-run`.
+Install it if not done already.
+
+Connect the device (if removable)
+and locate its device name (first column):
+
+ lsblk --paths --nodeps
+
+Make sure the device has no partitions mounted (last column):
+
+ lsblk --paths
+
+Format selected device
+(replacing PATH_TO_YOUR_DEVICE with your actual device path):
+
+ luksformat -t ext4 PATH_TO_YOUR_DEVICE
+
+Locate the UUID of the formatted device
+(replacing PATH_TO_YOUR_DEVICE with your actual device path):
+
+ lsblk --fs --nodeps PATH_TO_YOUR_DEVICE
+
+Add/extend the file `etc/crypttab` with a line about the device
+(replacing YOUR_UUID with your actual UUID):
+
+> mysecrets UUID=YOUR_UUID none luks,noauto
+
+
+## Secrets
+
+
+### PGP
+
+
+### SSH
+
+
+Monkeysphere
+
+
+## See also
+
+[Cryptsetup FAQ]
+
+[Cryptsetup FAQ]: <https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions>
+ "Cryptsetup Frequently Asked Questions"
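Review bot: the crypttab path in the "Add/extend the file `etc/crypttab`" step is relative; it should be the absolute `/etc/crypttab`, which is where the `mysecrets` mapping that `cryptdisks_start mysecrets` in USE.md refers to is read from. On the same step, the crypttab line is shown as a `>` blockquote while every other command in the file is an indented code block; indent it the same way so it renders as text to copy rather than as a quotation. It is also worth saying on the `luksformat -t ext4 PATH_TO_YOUR_DEVICE` step that the command erases the device, since the preceding `lsblk` checks only show what is mounted, not what data is on it.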
diff --git a/USE.md b/USE.md
index 95ee811..76aae9c 100644
--- a/USE.md
+++ b/USE.md
@@ -3,7 +3,33 @@
Accounts containing trust secrets need special care.
-## GnuPG
+## Storage
+
+
+### Full disk encryption
+
+
+
+### encrypted partition
+
+You need package `cryptsetup-bin`.
+Install it if not done already.
+
+Connect the device (if removable)
+and locate its device name (first column):
+
+ lsblk --paths --nodeps
+
+Mount the encrypted partition on the device:
+
+ cryptdisks_start mysecrets
+
+
+## Secrets
+
+
+### PGP
+
### Keysigning
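Review bot: `cryptdisks_start mysecrets` only sets up the `mysecrets` mapping declared in crypttab; the step is titled "Mount the encrypted partition" but no `mount` of the resulting mapped device follows, and there is no matching unmount/`cryptdisks_stop` step although SETUP.md describes this option as "mounted only when needed and then unmounted again". This file also requires package `cryptsetup-bin` while SETUP.md requires `cryptsetup-run` for the same device; name the same package in both documents (or state that both are needed) so a reader following either one installs what the commands need. The `### Full disk encryption` section is empty; add a sentence or drop it until there is content.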
@@ -12,4 +38,8 @@ Accounts containing trust secrets need special care.
[caff]: https://wiki.debian.org/caff
"CA - Fire and Forget"
+
+### SSH
+
+
## Monkeysphere
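Review bot: the new `### SSH` heading is empty and is immediately followed by `## Monkeysphere` at level 2, whereas SETUP.md places Monkeysphere under `### SSH`; align the heading levels between the two files (Monkeysphere as a subsection of SSH, or SSH as a peer of Monkeysphere) so both documents share one structure, and give the SSH section at least one line of content or a pointer to SETUP.md.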