From b031ee08767bb432d301316df03d197f47feb61d Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Wed, 25 Sep 2024 19:35:27 -0400 Subject: [PATCH 01/24] docker.md: remove execute bits --- tooling/docker.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 tooling/docker.md diff --git a/tooling/docker.md b/tooling/docker.md old mode 100755 new mode 100644 From de045df427439d60156e91da64728b4963f6a5c7 Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Wed, 25 Sep 2024 19:47:44 -0400 Subject: [PATCH 02/24] encryption.md document skeleton --- tooling/README.md | 1 + tooling/encryption.md | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+) create mode 100644 tooling/encryption.md diff --git a/tooling/README.md b/tooling/README.md index 95d8146..2ab7b48 100644 --- a/tooling/README.md +++ b/tooling/README.md @@ -7,5 +7,6 @@ Cheat sheets, links, procedures, and reference documents related to external too ### Index - [Computer Setup](./computer-setup.md) - options for keeping your work and personal life separate on your computer. - [Docker](./docker.md) - docker reference and quick-start guide. +- [Encryption](./encryption.md) - techniques for securely working with sensitive data on Linux. - [Tool Install Guide](./tool-install-guide.md) - install common tooling on your machine. - [Ubuntu Virtual Machine Setup Guide](./vm-setup.md) - setup an Ubuntu virtual machine you can use for testing, and quickly restore to known-good states. diff --git a/tooling/encryption.md b/tooling/encryption.md new file mode 100644 index 0000000..0770996 --- /dev/null +++ b/tooling/encryption.md @@ -0,0 +1,33 @@ +# Encryption +Various techniques for securely working with sensitive data on Linux. + + + + + + + +
+

+

+Contents +
+

+ + +1. [See Also](#see-also) + + +

+

+ + +## See Also +Internal resources. +- [./Tooling](./README.md) ⤴ +- [../Engineering](../README.md) ⤴⤴ + +--- +> **_Legal Notice_** +> This document was created in collaboration with a large language model, machine learning algorithm, or weak artificial intelligence (AI). This notice is required in some countries. + From 42b98ceb71c863f1a0b6706e5deb2faa234aaa8a Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Wed, 25 Sep 2024 22:14:11 -0400 Subject: [PATCH 03/24] Asymmetric encryption intro --- tooling/encryption.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tooling/encryption.md b/tooling/encryption.md index 0770996..dfda01e 100644 --- a/tooling/encryption.md +++ b/tooling/encryption.md @@ -13,6 +13,7 @@ Various techniques for securely working with sensitive data on Linux.

+1. [Asymmetric Encryption](#asymmetric-encryption) 1. [See Also](#see-also) @@ -22,6 +23,11 @@ Various techniques for securely working with sensitive data on Linux. +## Asymmetric Encryption +Asymmetric encryption uses a pair of keys to encrypt and decrypt data, a public key that can be shared with anyone and a private key that needs to be kept secret. The public key is used to encrypt secret data, resulting in cyphertext that can be sent over the Internet. The recipient uses their private key to decrypt it. This is useful for securely sharing data with others. + +To securely share secrets with others, for example to send service account credentials with a colleague on your team who does not use a [password manager](https://bitwarden.com), you can use PGP. + ## See Also Internal resources. - [./Tooling](./README.md) ⤴ From c130863d1be8fac9f300ecadff2004c4a75d9af5 Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Wed, 25 Sep 2024 22:16:26 -0400 Subject: [PATCH 04/24] Create a PGP key pair --- tooling/encryption.md | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/tooling/encryption.md b/tooling/encryption.md index dfda01e..70a36b7 100644 --- a/tooling/encryption.md +++ b/tooling/encryption.md @@ -14,6 +14,7 @@ Various techniques for securely working with sensitive data on Linux. 1. [Asymmetric Encryption](#asymmetric-encryption) + 1. [Create a PGP Key Pair](#create-a-pgp-key-pair) 1. [See Also](#see-also) 
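Review bot: In the Asymmetric Encryption hunk, `cyphertext` should be `ciphertext`, and "send service account credentials with a colleague" should read "to a colleague". The paragraph also says the public key "can be shared with anyone" without the matching caveat that a public key you receive must be verified (fingerprint compared over a separate channel) before you encrypt anything to it; one sentence here would set up the later Import a Public Key section.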
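Review bot: In the Create a PGP Key Pair hunk, `gpg --batch --gen-key` reads its parameters from stdin and runs without the interactive `(O)kay/(Q)uit` confirmation, so the closing instruction to press `o` for "okay" does not match the command shown; either switch to `gpg --full-gen-key` if readers are meant to confirm interactively, or drop that line and state in prose which key type, size and expiry the parameter block sets. The Debian step `sudo apt-get install -y gpg` would also benefit from a preceding `sudo apt-get update`, as the RAMdisk page does.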
@@ -28,6 +29,41 @@ Asymmetric encryption uses a pair of keys to encrypt and decrypt data, a public To securely share secrets with others, for example to send service account credentials with a colleague on your team who does not use a [password manager](https://bitwarden.com), you can use PGP. +### Create a PGP Key Pair +Before you can send or receive PGP messages, you need to create a key pair. You can do this with [GnuPG](https://gnupg.org). +1. Install `gpg` if you don't already have it. + - On Debian-family Linux: + ```bash + sudo apt-get install -y gpg + ``` + - On macOS, you can install it using [Homebrew](https://brew.sh): + ```bash + brew install gnupg + ``` + - On Windows, you can install it using [Chocolatey](https://chocolatey.org): + ```powershell + choco install gpg + ``` +1. Use your [password manager](https://bitwarden.com) to generate a strong, unique passphrase for your key pair. You will need this passphrase to decrypt messages. +1. Generate a new key pair. + > When you run this next command, it will ask you for a passphrase to protect your key...and you will not be able to click outside the dialogue box. So, if you use a password manager, copy your passphrase to your clipboard before running this command. + ```bash + gpg --batch --gen-key < Date: Wed, 25 Sep 2024 22:17:01 -0400 Subject: [PATCH 05/24] View your key pairs --- tooling/encryption.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tooling/encryption.md b/tooling/encryption.md index 70a36b7..c938790 100644 --- a/tooling/encryption.md +++ b/tooling/encryption.md @@ -15,6 +15,7 @@ Various techniques for securely working with sensitive data on Linux. 1. [Asymmetric Encryption](#asymmetric-encryption) 1. [Create a PGP Key Pair](#create-a-pgp-key-pair) + 1. [View Your Key Pair](#view-your-key-pair) 1. [See Also](#see-also) 
@@ -64,6 +65,12 @@ Before you can send or receive PGP messages, you need to create a key pair. You ``` On the last step, be sure to press `o` for "okay" to generate the key pair. +### View Your Key Pair +You can see what key pairs you have on your computer using this command. +```bash +gpg --list-keys +``` + ## See Also Internal resources. - [./Tooling](./README.md) ⤴ From ea33230f84b79f73ad9bdb4db275202e9016e7c9 Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Wed, 25 Sep 2024 22:18:14 -0400 Subject: [PATCH 06/24] Share your public key --- tooling/encryption.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/tooling/encryption.md b/tooling/encryption.md index c938790..36eef1a 100644 --- a/tooling/encryption.md +++ b/tooling/encryption.md @@ -16,6 +16,7 @@ Various techniques for securely working with sensitive data on Linux. 1. [Asymmetric Encryption](#asymmetric-encryption) 1. [Create a PGP Key Pair](#create-a-pgp-key-pair) 1. [View Your Key Pair](#view-your-key-pair) + 1. [Share Your Public Key](#share-your-public-key) 1. [See Also](#see-also) @@ -71,6 +72,16 @@ You can see what key pairs you have on your computer using this command. gpg --list-keys ``` +### Share Your Public Key +You need to share your public key to receive encrypted messages. This command will print it out: +```bash +gpg --armor --export someone@example.com +``` +You can then copy and paste the output into an email or IM, including the `-----BEGIN PGP PUBLIC KEY BLOCK-----` and `-----END PGP PUBLIC KEY BLOCK-----` lines. Alternatively, you can save it to a file and attach that to your message. +```bash +gpg --armor --export someone@example.com > public-key.asc +``` + ## See Also Internal resources. - [./Tooling](./README.md) ⤴ From 26fd2dd717c9894a36cf785d5e2a6879166ab4e7 Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Wed, 25 Sep 2024 22:18:49 -0400 Subject: [PATCH 07/24] Import a public key --- tooling/encryption.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) 
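Review bot: `gpg --list-keys` in the View Your Key Pair hunk lists public keys only, including every key you import from other people, so it does not show which key pairs (with a private key) you actually hold. Use `gpg --list-secret-keys --keyid-format long` for the pairs you own, and add `--fingerprint` so readers see the fingerprint they will later need to share out-of-band.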
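Review bot: The Share Your Public Key hunk sends the key block over email or IM but gives the recipient no way to check that it is really yours; anyone can generate a key with `someone@example.com` as its user ID. Add a step that publishes the fingerprint (`gpg --fingerprint someone@example.com`) through a second channel, for example read out on a call, and tell recipients to compare it after importing.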
diff --git a/tooling/encryption.md b/tooling/encryption.md index 36eef1a..f3a4686 100644 --- a/tooling/encryption.md +++ b/tooling/encryption.md @@ -17,6 +17,7 @@ Various techniques for securely working with sensitive data on Linux. 1. [Create a PGP Key Pair](#create-a-pgp-key-pair) 1. [View Your Key Pair](#view-your-key-pair) 1. [Share Your Public Key](#share-your-public-key) + 1. [Import a Public Key](#import-a-public-key) 1. [See Also](#see-also) @@ -82,6 +83,24 @@ You can then copy and paste the output into an email or IM, including the `----- gpg --armor --export someone@example.com > public-key.asc ``` +### Import a Public Key +If someone sends you their public key, you can import it using this command: +```bash +gpg --import public-key.asc +``` +Or, if you are copying and pasting it from an email or IM, you can do this: +```bash +gpg --import < Date: Wed, 25 Sep 2024 22:19:31 -0400 Subject: [PATCH 08/24] Encrypt a message --- tooling/encryption.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tooling/encryption.md b/tooling/encryption.md index f3a4686..028e75f 100644 --- a/tooling/encryption.md +++ b/tooling/encryption.md @@ -18,6 +18,7 @@ Various techniques for securely working with sensitive data on Linux. 1. [View Your Key Pair](#view-your-key-pair) 1. [Share Your Public Key](#share-your-public-key) 1. [Import a Public Key](#import-a-public-key) + 1. [Encrypt a Message](#encrypt-a-message) 1. [See Also](#see-also) 
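Review bot: The Import a Public Key hunk closes with `gpg --list-keys` and "You will see their name, email, and key here", but the name and email on a key are self-asserted by whoever created it; the step that makes the import trustworthy is comparing the fingerprint (`gpg --fingerprint someone@example.com`) with one received out-of-band. It is also worth saying that until the key is verified and signed (`gpg --lsign-key someone@example.com`), the later Encrypt a Message commands will warn that there is no assurance the key belongs to the named user and ask `Use this key anyway?`, which readers will otherwise hit unprepared.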
@@ -101,6 +102,25 @@ You will see their name, email, and key here: gpg --list-keys ``` +### Encrypt a Message +You can encrypt a message using someone's public key. This command will encrypt a file: +```bash +gpg --encrypt --recipient someone@example.com message.txt +``` +This will create a new file in the current directory called `message.txt.gpg` which you can send to the recipient. + +You can encrypt any file, such as an archive. +```bash +gpg --encrypt --recipient someone@example.com archive.tar.gz +``` +This would create `archive.tar.gz.gpg`. + +You can also encrypt text directly: +```bash +echo 'Hello, World!' | gpg --encrypt --armor --recipient someone@example.com +``` +This will print out the encrypted message, which you can copy and paste into an email or IM. + ## See Also Internal resources. - [./Tooling](./README.md) ⤴ From 608010d10316b498d128837d72919bc2d43602e3 Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Wed, 25 Sep 2024 22:20:26 -0400 Subject: [PATCH 09/24] Decrypt a message --- tooling/encryption.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/tooling/encryption.md b/tooling/encryption.md index 028e75f..4e46c0c 100644 --- a/tooling/encryption.md +++ b/tooling/encryption.md @@ -19,6 +19,7 @@ Various techniques for securely working with sensitive data on Linux. 1. [Share Your Public Key](#share-your-public-key) 1. [Import a Public Key](#import-a-public-key) 1. [Encrypt a Message](#encrypt-a-message) + 1. [Decrypt a Message](#decrypt-a-message) 1. [See Also](#see-also) 
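Review bot: In the Encrypt a Message hunk, `echo 'Hello, World!' | gpg --encrypt --armor --recipient someone@example.com` is fine for a greeting, but the pattern puts whatever secret a reader substitutes into their shell history file in cleartext. Suggest `gpg --encrypt --armor --recipient someone@example.com < secret.txt` (or a heredoc) instead, with a pointer to the secure-delete step for the temporary file.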
@@ -121,6 +122,26 @@ echo 'Hello, World!' | gpg --encrypt --armor --recipient someone@example.com ``` This will print out the encrypted message, which you can copy and paste into an email or IM. +### Decrypt a Message +If someone sends you a PGP message, you can decrypt it using your private key and passphrase. + +To decrypt a file: +```bash +gpg --decrypt message.txt.gpg +``` +Or an archive: +```bash +gpg --decrypt archive.tar.gz.gpg +``` +This will leave the file in the current directory. + +To decrypt text directly: +> When you run this command, it will ask you for your passphrase to decrypt the message...and you will not be able to click outside the dialogue box. So, if you use a password manager, copy your passphrase to your clipboard before running this command. +```bash +echo '-----BEGIN PGP MESSAGE-----' | gpg --decrypt +``` +This will print out the message in your terminal. + ## See Also Internal resources. - [./Tooling](./README.md) ⤴ From c7cdbb2e2b32dd9081d2fdbede5c525cd4e6cfee Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Wed, 25 Sep 2024 22:21:30 -0400 Subject: [PATCH 10/24] Start symmetric encryption section --- tooling/encryption.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tooling/encryption.md b/tooling/encryption.md index 4e46c0c..71a0edc 100644 --- a/tooling/encryption.md +++ b/tooling/encryption.md @@ -20,6 +20,7 @@ Various techniques for securely working with sensitive data on Linux. 1. [Import a Public Key](#import-a-public-key) 1. [Encrypt a Message](#encrypt-a-message) 1. [Decrypt a Message](#decrypt-a-message) +1. [Symmetric Encryption](#symmetric-encryption) 1. [See Also](#see-also) 
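Review bot: `gpg --decrypt message.txt.gpg` in the Decrypt a Message hunk writes the plaintext to stdout, so "This will leave the file in the current directory" is wrong as written; it needs `--output message.txt` (and the archive example needs `--output archive.tar.gz`). The text example `echo '-----BEGIN PGP MESSAGE-----' | gpg --decrypt` pipes only the armor header line, not a complete message, so it cannot succeed as a demonstration; show a heredoc with the whole block, or tell readers to run `gpg --decrypt`, paste the message and press Ctrl-D.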
@@ -142,6 +143,9 @@ echo '-----BEGIN PGP MESSAGE-----' | gpg --decrypt ``` This will print out the message in your terminal. +## Symmetric Encryption +Symmetric encryption uses the same key to encrypt and decrypt data. This is useful for encrypting data at rest, such as a backup file or a database dump. + ## See Also Internal resources. - [./Tooling](./README.md) ⤴ From c3d598523cc68a7c83df0ced9ec3c27fe9317b16 Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Wed, 25 Sep 2024 22:22:19 -0400 Subject: [PATCH 11/24] Symmetric encryption --- tooling/encryption.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/tooling/encryption.md b/tooling/encryption.md index 71a0edc..6b10170 100644 --- a/tooling/encryption.md +++ b/tooling/encryption.md @@ -21,6 +21,7 @@ Various techniques for securely working with sensitive data on Linux. 1. [Encrypt a Message](#encrypt-a-message) 1. [Decrypt a Message](#decrypt-a-message) 1. [Symmetric Encryption](#symmetric-encryption) + 1. [Encrypt](#encrypt) 1. [See Also](#see-also) @@ -146,6 +147,19 @@ This will print out the message in your terminal. ## Symmetric Encryption Symmetric encryption uses the same key to encrypt and decrypt data. This is useful for encrypting data at rest, such as a backup file or a database dump. +### Encrypt +You can compress and encrypt a file using a symmetric key like this: +```bash +gpg --quiet --symmetric --cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 --s2k-count 65011712 --compression bzip2 --bzip2-compress-level 9 example.txt +``` +This will leave a file called `example.txt.gpg` in the current directory. + +You can encrypt an archive like this. We will leave off the compression this time. +```bash +gpg --quiet --symmetric --cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 --s2k-count 65011712 example.tar.gz +``` +The output file would be `example.tar.gz.gpg`. + ## See Also Internal resources. - [./Tooling](./README.md) ⤴ 
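Review bot: The Symmetric Encryption intro says the same key encrypts and decrypts but not what that key is in the commands that follow: a passphrase, which is then the only secret protecting the backup or database dump. Say so here and point readers at the password manager for generating it, as the Asymmetric section does.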
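Review bot: In the Encrypt hunk, `--compression bzip2` is not an option I can find in the gpg manual; the documented spelling is `--compress-algo bzip2` (paired with `--bzip2-compress-level 9` as shown), so please run the first command once and check it before publishing. `--s2k-mode 3 --s2k-count 65011712` is the maximum iterated-and-salted setting and a sensible default, but the passphrase strength still decides everything, which the text could say in one line.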
From 0eebf16c3e4a383f0535533af4767f080be8c253 Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Wed, 25 Sep 2024 22:22:29 -0400 Subject: [PATCH 12/24] Symmetric decryption --- tooling/encryption.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tooling/encryption.md b/tooling/encryption.md index 6b10170..eae0d74 100644 --- a/tooling/encryption.md +++ b/tooling/encryption.md @@ -22,6 +22,7 @@ Various techniques for securely working with sensitive data on Linux. 1. [Decrypt a Message](#decrypt-a-message) 1. [Symmetric Encryption](#symmetric-encryption) 1. [Encrypt](#encrypt) + 1. [Decrypt](#decrypt) 1. [See Also](#see-also) @@ -160,6 +161,13 @@ gpg --quiet --symmetric --cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode ``` The output file would be `example.tar.gz.gpg`. +### Decrypt +Decryption is trivial with `gpg`. +```bash +gpg --output example.tar.gz --decrypt example.tar.gz.gpg +``` +You don't have to specify the cipher or digest algorithms, or the compression level, because `gpg` will figure that out from the encrypted file. + ## See Also Internal resources. - [./Tooling](./README.md) ⤴ From bf4e23fcba79390b0b6b8203a9dd55a7bce673a0 Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Wed, 25 Sep 2024 22:23:52 -0400 Subject: [PATCH 13/24] Link to some external resources --- tooling/encryption.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tooling/encryption.md b/tooling/encryption.md index eae0d74..56bbe6d 100644 --- a/tooling/encryption.md +++ b/tooling/encryption.md 
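Review bot: The Decrypt hunk should mention that gpg-agent caches the passphrase after a successful symmetric decrypt (for `default-cache-ttl`, 600 seconds by default), so on an unlocked or shared machine the file can be decrypted again without the passphrase until the cache expires; `gpg --no-symkey-cache` disables that, and `gpgconf --kill gpg-agent` clears it. A decrypt example for the `example.txt.gpg` produced in the Encrypt section would also round out the pair.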
@@ -173,7 +173,10 @@ Internal resources. - [./Tooling](./README.md) ⤴ - [../Engineering](../README.md) ⤴⤴ +External resources. +- [Bitwarden](https://bitwarden.com) - password manager +- [GnuPG](https://gnupg.org) - the GNU Privacy Guard encryption, decryption, and signing tool + --- > **_Legal Notice_** > This document was created in collaboration with a large language model, machine learning algorithm, or weak artificial intelligence (AI). This notice is required in some countries. - From e09c3a956ca8c46826be1a0fcb64e5895fdc23ee Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Wed, 25 Sep 2024 22:29:00 -0400 Subject: [PATCH 14/24] Add PGP and symmetric encryption sections to index on tooling page --- tooling/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tooling/README.md b/tooling/README.md index 2ab7b48..f45cde1 100644 --- a/tooling/README.md +++ b/tooling/README.md @@ -8,5 +8,7 @@ Cheat sheets, links, procedures, and reference documents related to external too - [Computer Setup](./computer-setup.md) - options for keeping your work and personal life separate on your computer. - [Docker](./docker.md) - docker reference and quick-start guide. - [Encryption](./encryption.md) - techniques for securely working with sensitive data on Linux. + - [PGP](./encryption.md#asymmetric-encryption) - securely share secrets. + - [Symmetric Encryption](./encryption.md#symmetric-encryption) - securely store secrets. - [Tool Install Guide](./tool-install-guide.md) - install common tooling on your machine. - [Ubuntu Virtual Machine Setup Guide](./vm-setup.md) - setup an Ubuntu virtual machine you can use for testing, and quickly restore to known-good states. From e090ab0697880d8d6d52343f47f037c537d177cb Mon Sep 17 00:00:00 2001 
From: Zach Butler Date: Wed, 25 Sep 2024 22:31:39 -0400 Subject: [PATCH 15/24] RAM disk documentation skeleton --- tooling/README.md | 1 + tooling/encryption.md | 4 ++++ tooling/ramdisk.md | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 37 insertions(+) create mode 100644 tooling/ramdisk.md diff --git a/tooling/README.md b/tooling/README.md index f45cde1..ddccce8 100644 --- a/tooling/README.md +++ b/tooling/README.md @@ -10,5 +10,6 @@ Cheat sheets, links, procedures, and reference documents related to external too - [Encryption](./encryption.md) - techniques for securely working with sensitive data on Linux. - [PGP](./encryption.md#asymmetric-encryption) - securely share secrets. - [Symmetric Encryption](./encryption.md#symmetric-encryption) - securely store secrets. +- [RAMdisk](./ramdisk.md) - work with files in memory for speed or privacy. - [Tool Install Guide](./tool-install-guide.md) - install common tooling on your machine. - [Ubuntu Virtual Machine Setup Guide](./vm-setup.md) - setup an Ubuntu virtual machine you can use for testing, and quickly restore to known-good states. diff --git a/tooling/encryption.md b/tooling/encryption.md index 56bbe6d..d35982b 100644 --- a/tooling/encryption.md +++ b/tooling/encryption.md @@ -148,6 +148,9 @@ This will print out the message in your terminal. ## Symmetric Encryption Symmetric encryption uses the same key to encrypt and decrypt data. This is useful for encrypting data at rest, such as a backup file or a database dump. +> [!TIP] +> For particularly sensitive documents, you may wish to work with them in a [RAMdisk](./ramdisk.md) to avoid writing them to disk at all. + ### Encrypt You can compress and encrypt a file using a symmetric key like this: ```bash 
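Review bot: The tip added above `### Encrypt` says a RAMdisk lets you avoid writing sensitive documents to disk "at all", and the new ramdisk.md intro makes the same claim, but tmpfs pages are swappable: under memory pressure the kernel can page them out to swap, which is on disk, and hibernation writes all of RAM to disk. The claim holds only with swap disabled (`sudo swapoff -a`) or encrypted and hibernation avoided; state that caveat on the RAMdisk page rather than leaving the tip unqualified.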
@@ -172,6 +175,7 @@ You don't have to specify the cipher or digest algorithms, or the compression le Internal resources. - [./Tooling](./README.md) ⤴ - [../Engineering](../README.md) ⤴⤴ +- [RAMdisk](./ramdisk.md) - work with files in memory for speed or privacy. External resources. - [Bitwarden](https://bitwarden.com) - password manager diff --git a/tooling/ramdisk.md b/tooling/ramdisk.md new file mode 100644 index 0000000..cb2ba0c --- /dev/null +++ b/tooling/ramdisk.md @@ -0,0 +1,32 @@ +# RAMdisk +You can mount some of your computer's memory to your filesystem in order to perform read/write intensive tasks very, very quickly such as processing large JSON files, or to [work with sensitive documents](./encryption.md) that you don't want to risk writing to disk. This is called a RAM disk. + + + + + + + +
+

+

+Contents +
+

+ + +1. [See Also](#see-also) + + +

+

+ + +## See Also +Internal resources. +- [./Tooling](./README.md) ⤴ +- [../Engineering](../README.md) ⤴⤴ + +--- +> **_Legal Notice_** +> This document was created in collaboration with a large language model, machine learning algorithm, or weak artificial intelligence (AI). This notice is required in some countries. From b90221d71b15057cccd3b0370b23aa1e08f4554b Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Wed, 25 Sep 2024 23:00:27 -0400 Subject: [PATCH 16/24] RAM disk setup --- tooling/ramdisk.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/tooling/ramdisk.md b/tooling/ramdisk.md index cb2ba0c..4dd07ec 100644 --- a/tooling/ramdisk.md +++ b/tooling/ramdisk.md @@ -13,6 +13,7 @@ You can mount some of your computer's memory to your filesystem in order to perf

+1. [Preparation](#preparation) 1. [See Also](#see-also) @@ -22,6 +23,26 @@ You can mount some of your computer's memory to your filesystem in order to perf +## Preparation +Make a folder to mount the RAM disk to. +```bash +sudo mkdir -p /mnt/ram +``` +Take ownership of that folder. +```bash +sudo chown "$USER:$USER" /mnt/ram +``` +Put a file there so you can tell whether or not a RAM disk is mounted. +```bash +echo 'WARNING: If you can see this, there is currently no RAM disk mounted!' > /mnt/ram/STOP.txt +``` + +Optionally, install `wipe` if you want to delete the contents of your RAM disk immediately instead of waiting for the system to overwrite it. +```bash +sudo apt-get update +sudo apt-get install -y wipe +``` + ## See Also Internal resources. - [./Tooling](./README.md) ⤴ From a29f6670a00f3f8a928cb68ef38fedd4746a8cc6 Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Wed, 25 Sep 2024 23:01:01 -0400 Subject: [PATCH 17/24] RAM disk creation --- tooling/ramdisk.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tooling/ramdisk.md b/tooling/ramdisk.md index 4dd07ec..e3ad0da 100644 --- a/tooling/ramdisk.md +++ b/tooling/ramdisk.md @@ -14,6 +14,7 @@ You can mount some of your computer's memory to your filesystem in order to perf 1. [Preparation](#preparation) +1. [Creation](#creation) 1. [See Also](#see-also) @@ -43,6 +44,17 @@ sudo apt-get update sudo apt-get install -y wipe ``` +## Creation +Mount a 16 GB RAM disk. +```bash +sudo mount -o size=16G -t tmpfs none /mnt/ram +``` +Verify your `STOP.txt` file is gone. +```bash +ls -la /mnt/ram +``` +Now you can work there. + ## See Also Internal resources. - [./Tooling](./README.md) ⤴ From afe4f1d2c01f3665598cc505999939ab6d86d913 Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Wed, 25 Sep 2024 23:01:33 -0400 Subject: [PATCH 18/24] RAM disk destruction --- tooling/ramdisk.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) 
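Review bot: In the Preparation hunk, `sudo chown "$USER:$USER" /mnt/ram` changes the owner of the underlying directory only; once a tmpfs is mounted on top of it, the mount's root directory is owned by root with mode 1777 regardless, so this chown does not make the RAM disk private. Ownership and mode need to be passed as mount options in the Creation step instead, and the chown can be dropped (the `STOP.txt` marker works either way).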
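Review bot: `sudo mount -o size=16G -t tmpfs none /mnt/ram` in the Creation hunk produces a root-owned, world-writable (sticky 1777) mount, so other local users can create files there and read whatever the reader's umask leaves readable. Pass ownership and mode as mount options, e.g. `sudo mount -t tmpfs -o size=16G,uid=$(id -u),gid=$(id -g),mode=0700 tmpfs /mnt/ram`, and note that `size=16G` is a ceiling, not a reservation; memory is consumed only as files are written.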
diff --git a/tooling/ramdisk.md b/tooling/ramdisk.md index e3ad0da..d4603e9 100644 --- a/tooling/ramdisk.md +++ b/tooling/ramdisk.md @@ -15,6 +15,7 @@ You can mount some of your computer's memory to your filesystem in order to perf 1. [Preparation](#preparation) 1. [Creation](#creation) +1. [Destruction](#destruction) 1. [See Also](#see-also) @@ -55,6 +56,20 @@ ls -la /mnt/ram ``` Now you can work there. +## Destruction +Optionally, you can overwrite the contents of your RAM disk immediately instead of waiting on your system to do it after unmounting. +```bash +wipe -fr /mnt/ram/* +``` +Unmount the RAM disk. +```bash +sudo umount /mnt/ram +``` +Verify your `STOP.txt` file is back. +```bash +ls -la /mnt/ram +``` + ## See Also Internal resources. - [./Tooling](./README.md) ⤴ From d4cd036ed3d5da9a2ba1b6a9a49f873c91db061f Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Wed, 25 Sep 2024 23:02:11 -0400 Subject: [PATCH 19/24] Link to encryption doc --- tooling/ramdisk.md | 1 + 1 file changed, 1 insertion(+) diff --git a/tooling/ramdisk.md b/tooling/ramdisk.md index d4603e9..ca6a152 100644 --- a/tooling/ramdisk.md +++ b/tooling/ramdisk.md @@ -74,6 +74,7 @@ ls -la /mnt/ram Internal resources. - [./Tooling](./README.md) ⤴ - [../Engineering](../README.md) ⤴⤴ +- [Encryption](./encryption.md) --- > **_Legal Notice_** From 8a7e3d5d73d8ea043e5d7044a8a934402b4ed143 Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Wed, 25 Sep 2024 23:02:28 -0400 Subject: [PATCH 20/24] Explain how to delete cleartext secrets --- tooling/encryption.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tooling/encryption.md b/tooling/encryption.md index d35982b..3ca21d8 100644 --- a/tooling/encryption.md +++ b/tooling/encryption.md 
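Review bot: The Destruction hunk says the system overwrites the RAM disk contents "after unmounting", but Linux only frees the tmpfs pages on unmount and zeroes a page when it is next handed out (unless the kernel runs with `init_on_free=1`), so the data can sit in free memory for some time; `wipe -fr /mnt/ram/*` overwrites the live copies but not any that were paged out to swap, and the `*` glob skips dot-files. Rephrase the first sentence to match that, run `shopt -s dotglob` before the wipe so hidden files are included, and cross-reference the swap caveat from the intro.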
@@ -125,6 +125,16 @@ echo 'Hello, World!' | gpg --encrypt --armor --recipient someone@example.com ``` This will print out the encrypted message, which you can copy and paste into an email or IM. +You can securely delete your secrets with `shred`... +```bash +shred -uvz example.txt +``` +...or `wipe`... +```bash +wipe -fr example-dir +``` +...if you want. You may need to install them. + ### Decrypt a Message If someone sends you a PGP message, you can decrypt it using your private key and passphrase. @@ -164,6 +174,16 @@ gpg --quiet --symmetric --cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode ``` The output file would be `example.tar.gz.gpg`. +You can securely delete your secrets with `shred`... +```bash +shred -uvz example.txt +``` +...or `wipe`... +```bash +wipe -fr example-dir +``` +...if you want. You may need to install them. + ### Decrypt Decryption is trivial with `gpg`. ```bash From dfa3436b4195b3ecd2e4ef1bd4947a87b41018ce Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Thu, 26 Sep 2024 15:28:12 -0400 Subject: [PATCH 21/24] Write about signing messages --- tooling/encryption.md | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/tooling/encryption.md b/tooling/encryption.md index 3ca21d8..6b35a3c 100644 --- a/tooling/encryption.md +++ b/tooling/encryption.md 
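Review bot: Both shred/wipe hunks give `shred -uvz example.txt` without the caveat from shred's own man page: overwriting in place only works on filesystems that write data in place, and is not reliable on journaled (ext3/ext4 in `data=journal`), copy-on-write (btrfs, ZFS) or wear-levelled SSD storage, where the old blocks survive. Say that for those cases the dependable approach is to keep cleartext on the RAMdisk or an encrypted volume from the start, and make the example file names match their sections (`message.txt` in the PGP section, `example.txt` in the symmetric one). The two blocks are identical; one "Securely delete" subsection linked from both would avoid the drift.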
@@ -107,17 +107,28 @@ gpg --list-keys ``` ### Encrypt a Message -You can encrypt a message using someone's public key. This command will encrypt a file: +You can sign and encrypt a message to someone's public key. This command will encrypt a file: ```bash -gpg --encrypt --recipient someone@example.com message.txt +gpg --encrypt --sign --recipient someone@example.com message.txt ``` This will create a new file in the current directory called `message.txt.gpg` which you can send to the recipient. +> [!TIP] +> Signing your PGP message enables the recipient to verify that it came from you and was not tampered with. This is good practice, but it is not strictly necessary. Just leave off `--sign` if you don't want to sign the message. +> ```bash +> gpg --encrypt --recipient someone@example.com message.txt +> ``` +> This will leave the same encrypted `message.txt.gpg` file in the current directory, just without your signature embedded. + You can encrypt any file, such as an archive. ```bash -gpg --encrypt --recipient someone@example.com archive.tar.gz +gpg --encrypt --sign --recipient someone@example.com archive.tar.gz +``` +This would create `archive.tar.gz.gpg`. You can change the name of the output file if you want. +```bash +gpg --encrypt --sign --recipient someone@example.com --output cyphertext.tar.gz.gpg cleartext.tar.gz ``` -This would create `archive.tar.gz.gpg`. +This would create `cyphertext.tar.gz.gpg`. You can also encrypt text directly: ```bash From b671da8d7c70f15e2583232a83d136ae14ff0a2c Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Thu, 26 Sep 2024 15:40:00 -0400 Subject: [PATCH 22/24] Add info about encrypting to multiple people --- tooling/encryption.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tooling/encryption.md b/tooling/encryption.md index 6b35a3c..58508fa 100644 --- a/tooling/encryption.md +++ b/tooling/encryption.md 
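Review bot: The signing tip in the Encrypt a Message hunk should say that `--sign` uses your private key, so gpg will prompt for your passphrase (the same pinentry dialogue the decrypt section warns about), and that the recipient can only verify the signature if they have imported your public key, which the page's flow so far covers in one direction only. Also `cyphertext.tar.gz.gpg` should be `ciphertext.tar.gz.gpg` in both the command and the sentence after it.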
@@ -120,7 +120,13 @@ This will create a new file in the current directory called `message.txt.gpg` wh > ``` > This will leave the same encrypted `message.txt.gpg` file in the current directory, just without your signature embedded. -You can encrypt any file, such as an archive. +You can sign and encrypt a message to two or more recipients. Just add them in there! +```bash +gpg --encrypt --sign --recipient someone@example.com --recipient someone.else@example.com message.txt +``` +You will get the same `message.txt.gpg` file in the current directory, but both recipients will be able to decrypt it. + +You can encrypt any file, not just text, such as an archive. ```bash gpg --encrypt --sign --recipient someone@example.com archive.tar.gz ``` From a0ccd089cfcb302743dc3fc5681f18e20d8c9d4d Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Thu, 26 Sep 2024 15:57:09 -0400 Subject: [PATCH 23/24] You need to use the "--output" flag if you don't want a bunch of garbage in your terminal --- tooling/encryption.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/tooling/encryption.md b/tooling/encryption.md index 58508fa..dabb5b6 100644 --- a/tooling/encryption.md +++ b/tooling/encryption.md 
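Review bot: The multiple-recipient hunk is the right place to say that the sender should normally be one of the recipients: `gpg --encrypt` encrypts only to the listed `--recipient` keys, so the `message.txt.gpg` produced here cannot be opened by its own author. Either add `--recipient your@example.com` to the example or point readers at `default-recipient-self` (or `encrypt-to`) in `~/.gnupg/gpg.conf`.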
@@ -155,18 +155,20 @@ wipe -fr example-dir ### Decrypt a Message If someone sends you a PGP message, you can decrypt it using your private key and passphrase. -To decrypt a file: +> [!TIP] +> When you run any of these commands, it will ask you for your passphrase to decrypt the message...and you will not be able to click outside the dialogue box. So, if you use a password manager, copy your passphrase to your clipboard before pressing `Enter` on any of these commands. + +To decrypt a file, you always need to specify the output file unless you want it to print to your terminal. ```bash -gpg --decrypt message.txt.gpg +gpg --output message.txt --decrypt message.txt.gpg ``` -Or an archive: +Decrypt an archive: ```bash -gpg --decrypt archive.tar.gz.gpg +gpg --output archive.tar.gz --decrypt archive.tar.gz.gpg ``` -This will leave the file in the current directory. +These will leave the file in the current directory. To decrypt text directly: -> When you run this command, it will ask you for your passphrase to decrypt the message...and you will not be able to click outside the dialogue box. So, if you use a password manager, copy your passphrase to your clipboard before running this command. ```bash echo '-----BEGIN PGP MESSAGE-----' | gpg --decrypt ``` From 4e156c2e7ee64b145de208d187afc404f0eabe21 Mon Sep 17 00:00:00 2001 From: Zach Butler Date: Thu, 26 Sep 2024 20:26:09 -0400 Subject: [PATCH 24/24] A word --- tooling/encryption.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tooling/encryption.md b/tooling/encryption.md index dabb5b6..92612e9 100644 --- a/tooling/encryption.md +++ b/tooling/encryption.md 
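Review bot: The `--output` fix in this hunk is right, but the text example kept below it still pipes only `'-----BEGIN PGP MESSAGE-----'` into `gpg --decrypt`, which is just the armor header and cannot decrypt anything; show the full block via a heredoc, or instruct readers to run `gpg --decrypt`, paste the message and press Ctrl-D. Worth adding that `--output` prompts before overwriting an existing `message.txt`, so a second decrypt does not silently clobber the first.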
@@ -142,7 +142,7 @@ echo 'Hello, World!' | gpg --encrypt --armor --recipient someone@example.com ``` This will print out the encrypted message, which you can copy and paste into an email or IM. -You can securely delete your secrets with `shred`... +When you are done, you can securely delete your secrets with `shred`... ```bash shred -uvz example.txt ``` @@ -193,7 +193,7 @@ gpg --quiet --symmetric --cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode ``` The output file would be `example.tar.gz.gpg`. -You can securely delete your secrets with `shred`... +When you are done, you can securely delete your secrets with `shred`... ```bash shred -uvz example.txt ```