-rw-r--r--  SETUP.md  77
-rw-r--r--  USE.md    32
2 files changed, 108 insertions, 1 deletions
diff --git a/SETUP.md b/SETUP.md new file mode 100644 index 0000000..01c67d5 --- /dev/null +++ b/SETUP.md @@ -0,0 +1,77 @@ +# Setting up a secure account + +Personal secrets should never leave your personal control. +Digital secrets should be kept on a cryptographically secure storage +and handled only with special tools +to not leak data e.g. via temporary files or virtual memory. + +Avoid smart file managers. + +Do *not* transfer secret data as-is on insecure media like a USB stick - +traces of the secrets can be left behind even after deletion! + + +## Storage + +A quite strong option is to keep secrets on a smartcard +accessed from a personal system with full disk encryption. + +A strong option is to keep secrets on a personal system with full disk encryption. + +A weaker option is to keep secrets on an encrypted disk partition +mounted only when needed and then unmounted again. + + +### Full disk encryption + +Setting up "Full disk encryption" is done when setting up the whole system. + + +### encrypted partition + +You need package `cryptsetup-run`. +Install it if not done already. + +Connect the device (if removable) +and locate its device name (first column): + + lsblk --paths --nodeps + +Make sure the device has no partitions mounted (last column): + + lsblk --paths + +Format selected device +(replacing PATH_TO_YOUR_DEVICE with your actual device path): + + luksformat -t ext4 PATH_TO_YOUR_DEVICE + +Locate the UUID of the formatted device +(replacing PATH_TO_YOUR_DEVICE with your actual device path): + + lsblk --fs --nodeps PATH_TO_YOUR_DEVICE + +Add/extend the file `etc/crypttab` with a line about the device +(replacing YOUR_UUID with your actual UUID): + +> mysecrets UUID=YOUR_UUID none luks,noauto + + +## Secrets + + +### PGP + + +### SSH + + +Monkeysphere + + +## See also + +[Cryptsetup FAQ] + +[Cryptsetup FAQ]: <https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions> + "Cryptsetup Frequently Asked Questions" 
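Review bot: the crypttab path under `### encrypted partition` is missing its leading slash (`etc/crypttab` should be `/etc/crypttab`), and the entry is shown as a `>` blockquote while every other command in the file is an indented code line; write it as `    mysecrets UUID=YOUR_UUID none luks,noauto` so it matches. The prerequisite also disagrees with USE.md in the same commit: SETUP.md asks for `cryptsetup-run`, USE.md for `cryptsetup-bin`. On Debian buster `luksformat` (used here) ships in `cryptsetup-bin`, while `cryptdisks_start` (used in USE.md) comes with the crypttab init-script package `cryptsetup-run`, so the two names look swapped; list both packages, or state which command each one provides. Two smaller points: `luksformat -t ext4 PATH_TO_YOUR_DEVICE` wipes the whole device, which the text should say next to the `lsblk --paths` check (an empty MOUNTPOINT column is necessary but not sufficient, e.g. an active swap partition shows none); and `Avoid smart file managers.` gives no reason, so a clause on what they do with secret files (preview, index, trash copies) would make the advice actionable. Under `## Storage`, the grades `quite strong`, `strong`, `weaker` are also in a confusing order, since `quite strong` reads as less than `strong`; calling the smartcard option the strongest would make the ranking clear.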
@@ -3,7 +3,33 @@ Accounts containing trust secrets need special care. -## GnuPG +## Storage + + +### Full disk encryption + + + +### encrypted partition + +You need package `cryptsetup-bin`. +Install it if not done already. + +Connect the device (if removable) +and locate its device name (first column): + + lsblk --paths --nodeps + +Mount the encrypted partition on the device: + + cryptdisks_start mysecrets + + +## Secrets + + +### PGP + ### Keysigning @@ -12,4 +38,8 @@ Accounts containing trust secrets need special care. [caff]: https://wiki.debian.org/caff "CA - Fire and Forget" + +### SSH + + ## Monkeysphere |
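Review bot: in the first hunk, `cryptdisks_start mysecrets` only opens the LUKS mapping (it creates `/dev/mapper/mysecrets` from the `/etc/crypttab` entry) and does not mount a filesystem, so the heading `Mount the encrypted partition on the device:` promises more than the command delivers. Add the mount step (e.g. `mount /dev/mapper/mysecrets /mnt/mysecrets`, or a matching `noauto` line in `/etc/fstab`), and since SETUP.md says the partition is `mounted only when needed and then unmounted again`, add the closing sequence `umount /mnt/mysecrets` followed by `cryptdisks_stop mysecrets`; an open mapping keeps the volume key in kernel memory. Both commands need root, which is worth stating. The `lsblk --paths --nodeps` step is copied from SETUP.md but nothing after it uses the device name, because crypttab already identifies the device by UUID, so either drop it or say it is only a check that the device is present.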
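Review bot: the second hunk adds an empty `### SSH` heading directly before the existing `## Monkeysphere` heading, so Monkeysphere stays a top-level section while SETUP.md in this same commit places `Monkeysphere` under `### SSH`; pick one structure (demoting `## Monkeysphere` to `###`, or making it a paragraph under SSH, matches SETUP.md) and give `### SSH` at least a one-line pointer, since an empty heading in a usage guide reads as unfinished.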