01.09.2024 administration code linux security
As already mentioned in my last post, I am currently in the process of re-implementing my personal infrastructure. In the past, I just committed confidential configuration values to the repositories that contain my infrastructure code. In order to improve the situation, I wanted to switch over to some kind of encrypted secrets storage. This, however, proved to be more work than expected.
21.07.2024 administration linux security
I am currently in the process of re-implementing my personal infrastructure. One thing I always wanted to try is to protect the SSH server with WireGuard. While there are already quite a lot of tutorials on how to set up WireGuard in general and a few on how to put SSH behind WireGuard, they all seemed somewhat complex as they tried to cater for different setup scenarios. This tutorial here is not like that. We just want to connect as a client to a central SSH server. Period. So let us start.
01.09.2023 administration hardware linux
Within the next months I want to connect a remote location to the internet which only has a power connection but no telephone access whatsoever. I already thought about buying some ready-made LTE router when I learned that OpenWRT supports tethered LTE network access via iPhones.
Some years ago I had an extensive look into the server-side encryption and also published a paper about several cryptographic vulnerabilities that I found in the implementation. Since then it has become a bit quiet about the developed scripts...
07.04.2022 calcpw code hardware raspberry security update
About a decade ago I presented a hardware-based password calculator called calc.pw which generates passwords based on a single strong password and service-dependent information, thus allowing you to use individual passwords for each of your services without having to care for a password database. I even presented it at a few conferences.
In the meantime much better microcontrollers have become available and my understanding of cryptography and password generation has improved as well. That is why I have kicked off the reimplementation of calc.pw! 😃
06.08.2021 administration linux security
Last year I got myself a PineBook Pro to have a look into ARM-based devices and ARM development in general. Thanks to the optional NVMe adapter board I was able to add an SSD to the device as well. One of the first things I always do after receiving new hardware is to fully re-install the operating system, because you should never trust a default installation. I used the manjaro-arm-installer as Manjaro currently seems to provide the best support for the Rockchip hardware.
Unfortunately, the installer did not provide the type of installation that I wanted to have.
30.03.2021 administration linux security
Every once in a while I get asked if a certain backup scheme is a good idea and oftentimes the suggested backup solution is beyond what I would use myself. Duplicity, its simplification Duply or the not-so-dissimilar contenders Borg and Restic are among those solutions that are mentioned most often, with solutions like Bacula and its offspring Bareos coming much later.
Unfortunately, I would not trust any of these tools further than I could throw a hard drive containing a backup created with them.
16.11.2020 publicity security update
Nearly a year ago I wrote that I had an extensive look into the server-side encryption that is provided by the Default Encryption Module of Nextcloud. I also mentioned that I have written some helpful tools and an elaborate description for people that have to work with its encryption.
What I did not write about at that time was that I had also discovered several cryptographic vulnerabilities.
A few weeks ago I wrote about the new cryptographic basis of the Shared-Secrets service. What I did not write about was that one user asked if a file-sharing option could be added. I declined because sharing files is nothing that the service is meant to be there for. But I tried whether sharing files would be possible.