mirror of https://github.com/drduh/YubiKey-Guide.git synced 2024-12-22 21:58:06 +00:00

Bump Debian version, license year

This commit is contained in:
drduh 2020-02-12 09:38:36 -08:00
parent 2fc50760db
commit 2c2cec316c
2 changed files with 33 additions and 9 deletions


@ -1,6 +1,6 @@
The MIT License (MIT) The MIT License (MIT)
Copyright (c) 2016-2019 drduh Copyright (c) 2016-2020 drduh
Permission is hereby granted, free of charge, to any person obtaining a copy Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal of this software and associated documentation files (the "Software"), to deal


@ -86,7 +86,7 @@ Depending on your threat model and/or level of inherent trust in your own system
To use Debian, download the latest image: To use Debian, download the latest image:
```console ```console
$ curl -LfO https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-10.2.0-amd64-xfce.iso $ curl -LfO https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-10.3.0-amd64-xfce.iso
$ curl -LfO https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA512SUMS $ curl -LfO https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA512SUMS
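Review bot: the `curl` line hardcodes `debian-live-10.3.0-amd64-xfce.iso` under `current-live/`, which is exactly the value this commit had to bump; that directory only carries the latest point release, so the link will break again at the next one. Suggest adding a sentence telling readers to take the current filename from the directory listing (or from `SHA512SUMS`, which the next line already fetches unversioned) instead of relying on the version baked into the guide.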
@ -97,18 +97,17 @@ Verify the signature of the hashes file with GPG:
```console ```console
$ gpg --verify SHA512SUMS.sign SHA512SUMS $ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat Nov 16 18:49:18 2019 PST gpg: Signature made Sat Feb 8 18:02:16 2020 PST
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Can't check signature: No public key gpg: Can't check signature: No public key
$ gpg --keyserver hkps://keyring.debian.org --recv DF9B9C49EAA9298432589D76DA87E80D6294BE9B $ gpg --keyserver hkps://keyring.debian.org --recv DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: key 0xDA87E80D6294BE9B: 5 signatures not checked due to missing keys
gpg: key 0xDA87E80D6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported gpg: key 0xDA87E80D6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported
gpg: Total number processed: 1 gpg: Total number processed: 1
gpg: imported: 1 gpg: imported: 1
$ gpg --verify SHA512SUMS.sign SHA512SUMS $ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat Nov 16 18:49:18 2019 PST gpg: Signature made Sat Feb 8 18:02:16 2020 PST
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown] gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature! gpg: WARNING: This key is not certified with a trusted signature!
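Review bot: the `gpg --verify` in this hunk still ends with `WARNING: This key is not certified with a trusted signature!`, and the key is fetched from a keyserver purely by the fingerprint printed by gpg itself, so the `Good signature` line on its own proves only that the file was signed by whatever key the keyserver returned. The text should tell readers to compare `DF9B9C49EAA9298432589D76DA87E80D6294BE9B` against the fingerprint published on the Debian CD verification page (linked in the next hunk) before trusting the result. Dropping the `5 signatures not checked due to missing keys` line from the sample output is fine, since that count varies by keyserver.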
@ -125,8 +124,8 @@ $ gpg --keyserver hkps://keyserver.ubuntu.com:443 --recv DF9B9C49EAA9298432589D7
Ensure the SHA512 hash of the live image matches the one in the signed file. Ensure the SHA512 hash of the live image matches the one in the signed file.
```console ```console
$ grep $(sha512sum debian-live-10.2.0-amd64-xfce.iso) SHA512SUMS $ grep $(sha512sum debian-live-10.3.0-amd64-xfce.iso) SHA512SUMS
SHA512SUMS:b253e347bf04c4e16b4c948b88bfba58f6084717f8ca290d5ea320837f63cf69b46734b7127dabd114ad88022075020982434fcf31463b82c6225671e7116a4d debian-live-10.2.0-amd64-xfce.iso SHA512SUMS:c6adede144eb32b7316b65342f7445cb13b95ef17551d47ce1a8468d3954710f5f68c979c1086aa1b94262c8bfd86679eb38b01731c7b9aaeaca690455f1ff7f debian-live-10.3.0-amd64-xfce.iso
``` ```
See [Verifying authenticity of Debian CDs](https://www.debian.org/CD/verify) for more information. See [Verifying authenticity of Debian CDs](https://www.debian.org/CD/verify) for more information.
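Review bot: `grep $(sha512sum debian-live-10.3.0-amd64-xfce.iso) SHA512SUMS` leaves the command substitution unquoted, so it expands to two words and grep takes the ISO path as a second file to search through (all 2 GB of it); more importantly, on a mismatch grep prints nothing, so the reader has to notice an absence of output. `sha512sum -c --ignore-missing SHA512SUMS` checks the image that is present in the directory and prints an explicit `OK` or `FAILED`, which is a clearer pass/fail signal for a verification step.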
@ -148,7 +147,7 @@ sd 2:0:0:0: [sdb] Write cache: disabled, read cache: enabled, doesn't support DP
sdb: sdb1 sdb2 sdb: sdb1 sdb2
sd 2:0:0:0: [sdb] Attached SCSI removable disk sd 2:0:0:0: [sdb] Attached SCSI removable disk
$ sudo dd if=debian-live-10.2.0-amd64-xfce.iso of=/dev/sdb bs=4M; sync $ sudo dd if=debian-live-10.3.0-amd64-xfce.iso of=/dev/sdb bs=4M; sync
465+1 records in 465+1 records in
465+1 records out 465+1 records out
1951432704 bytes (2.0 GB, 1.8 GiB) copied, 42.8543 s, 45.5 MB/s 1951432704 bytes (2.0 GB, 1.8 GiB) copied, 42.8543 s, 45.5 MB/s
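Review bot: the sample `dd` output was not updated along with the ISO: both sides still show `465+1 records in` and `1951432704 bytes (2.0 GB, 1.8 GiB) copied`, which were captured for 10.2.0 and are unlikely to match the 10.3.0 image named on the command line. Either re-capture the output for 10.3.0 or mark the figures as illustrative; adding `status=progress` to the `dd` line would also give readers feedback during the copy.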
@ -161,7 +160,7 @@ $ dmesg | tail -n2
sd2 at scsibus4 targ 1 lun 0: <TS-RDF5, SD Transcend, TS3A> SCSI4 0/direct removable serial.0000000000000 sd2 at scsibus4 targ 1 lun 0: <TS-RDF5, SD Transcend, TS3A> SCSI4 0/direct removable serial.0000000000000
sd2: 15193MB, 512 bytes/sector, 31116288 sectors sd2: 15193MB, 512 bytes/sector, 31116288 sectors
$ doas dd if=debian-live-10.2.0-amd64-xfce.iso of=/dev/rsd2c bs=4m $ doas dd if=debian-live-10.3.0-amd64-xfce.iso of=/dev/rsd2c bs=4m
465+1 records in 465+1 records in
465+1 records out 465+1 records out
1951432704 bytes transferred in 139.125 secs (14026448 bytes/sec) 1951432704 bytes transferred in 139.125 secs (14026448 bytes/sec)
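Review bot: same issue as the Linux hunk: the OpenBSD `dd` output (`465+1 records`, `1951432704 bytes transferred`) was captured for 10.2.0 and should be re-captured for 10.3.0 or marked as illustrative so it does not contradict the command above it.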
@ -1570,6 +1569,31 @@ Primary key fingerprint: 011C E16B D45B 27A5 5BA8 776D FF3E 7D88 647E BCDB
Subkey fingerprint: 07AA 7735 E502 C5EB E09E B8B0 BECF A3C1 AE19 1D15 Subkey fingerprint: 07AA 7735 E502 C5EB E09E B8B0 BECF A3C1 AE19 1D15
``` ```
Use a [shell function](https://github.com/drduh/config/blob/master/zshrc) to make encrypting files easier:
```
secret () {
output=~/"${1}".$(date +%s).enc
gpg --encrypt --armor --output ${output} -r 0x0000 -r 0x0001 -r 0x0002 "${1}" && echo "${1} -> ${output}"
}
reveal () {
output=$(echo "${1}" | rev | cut -c16- | rev)
gpg --decrypt --output ${output} "${1}" && echo "${1} -> ${output}"
}
```
```console
$ secret document.pdf
document.pdf -> document.pdf.1580000000.enc
$ reveal document.pdf.1580000000.enc
gpg: anonymous recipient; trying secret key 0xFF3E7D88647EBCDB ...
gpg: okay, we are the anonymous recipient.
gpg: encrypted with RSA key, ID 0x0000000000000000
document.pdf.1580000000.enc -> document.pdf
```
# Rotating keys # Rotating keys
PGP does not provide forward secrecy - a compromised key may be used to decrypt all past messages. Although keys stored on YubiKey are difficult to steal, it is not impossible - the key and PIN could be taken, or a vulnerability may be discovered in key hardware or random number generator used to create them, for example. Therefore, it is good practice to occassionally rotate sub-keys. PGP does not provide forward secrecy - a compromised key may be used to decrypt all past messages. Although keys stored on YubiKey are difficult to steal, it is not impossible - the key and PIN could be taken, or a vulnerability may be discovered in key hardware or random number generator used to create them, for example. Therefore, it is good practice to occassionally rotate sub-keys.