# Security

# GPG

# Create template for your keys

nvim gpg.template

Key-Type: eddsa
Key-Curve: Ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: Curve25519
Subkey-Usage: encrypt
Name-Real: dude
Name-Email: dude@domain.tld
Expire-Date: 0
%commit

# Generate an Ed25519 key

gpg --batch --generate-key gpg.template

# List keys

gpg --list-secret-keys

You can use this key for pass now.

# gopass

Aliased to p.

# Init

gopass init <gpg-id>
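The GPG template, the batch generation and the gopass init step above, tied together in one script. This is an added example, not the page's own script or part of gopass: it writes the template shown above, runs gpg in batch mode, picks the primary key's fingerprint out of the machine-readable listing and hands it to gopass init. It assumes gpg 2.1 or newer and gopass on PATH; the name, the e-mail and the sample listing (with made-up hex values) are illustrative.

```shell
#!/bin/sh
# Added example, not from the page: batch template -> gpg --batch ->
# primary fingerprint -> gopass init. Assumes gpg >= 2.1 and gopass on PATH.
set -eu

# Write the same batch template as on the page. There is deliberately no
# %no-protection line: gpg asks for a passphrase through pinentry, which is
# what you want for the key that guards the password store.
write_template() {
  name="$1"; email="$2"; out="$3"
  cat >"$out" <<EOF
Key-Type: eddsa
Key-Curve: Ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: Curve25519
Subkey-Usage: encrypt
Name-Real: $name
Name-Email: $email
Expire-Date: 0
%commit
EOF
}

# Read `gpg --list-secret-keys --with-colons` on stdin and print the
# fingerprint of the primary key whose uid carries <email>. The "fpr" record
# right after "sec" is the primary key; the "fpr" after "ssb" belongs to the
# encryption subkey, which is not the id gopass init should be given.
primary_fingerprint() {
  awk -F: -v email="$1" '
    $1 == "sec" { in_sec = 1; fpr = ""; next }
    $1 == "ssb" { in_sec = 0 }
    in_sec && $1 == "fpr" && fpr == "" { fpr = $10 }
    in_sec && $1 == "uid" && index($10, "<" email ">") { print fpr; exit }
  '
}

# Constructed sample listing (one Ed25519 primary key plus a cv25519 subkey)
# so primary_fingerprint can be tried offline; all hex values are made up.
SAMPLE_LISTING='sec:u:256:22:0123456789ABCDEF:1700000000::::::::::ed25519:::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
grp:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
uid:u::::1700000000::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC::dude <dude@domain.tld>::::::::::0:
ssb:u:256:18:FEDCBA9876543210:1700000000::::::::::cv25519::
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:
grp:::::::::EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE:'

# End to end: write the template, generate the key, look up its primary
# fingerprint by e-mail and initialise the gopass store with it.
generate_and_init() {
  name="$1"; email="$2"
  tmpl="$(mktemp)"
  write_template "$name" "$email" "$tmpl"
  gpg --batch --generate-key "$tmpl"
  rm -f "$tmpl"
  fpr="$(gpg --list-secret-keys --with-colons | primary_fingerprint "$email")"
  if [ -z "$fpr" ]; then
    echo "no secret key with uid <$email> found" >&2
    return 1
  fi
  gopass init "$fpr"
}

# Usage: sh this-script.sh dude dude@domain.tld
if [ "$#" -eq 2 ]; then
  generate_and_init "$1" "$2"
fi
```

Using the full fingerprint rather than the short key id avoids picking up a different key with a colliding short id, and parsing the `--with-colons` output is stable across gpg versions, unlike the human-readable listing.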

# Generate password with special symbols and copy it to clipboard

p generate -s mail/protonmail.com 80

# Import your passwords into pass

pass-import

You can use gopass for fuzzy matching (aliased to p) or the QtPass GUI (bound to Win+p).

# Tomb

Quickstart

To create a 100MB tomb:

mkdir -p ~/.secrets && cd ~/.secrets

tomb dig -s 100 mrpoppybutthole.tomb
tomb forge mrpoppybutthole.tomb.key
tomb lock mrpoppybutthole.tomb -k mrpoppybutthole.tomb.key

To open it, do tomb open mrpoppybutthole.tomb -k mrpoppybutthole.tomb.key

# Mount .ssh and .password-store from tomb

cd /run/media/ksevelyar/mrpoppybutthole
v bind-hooks

Change content to:

.ssh            .ssh
.password-store .password-store
.gnupg          .gnupg

and move these directories into the tomb.

Create empty mount points in your home (the bind mounts need existing directories):

mkdir -p ~/.password-store ~/.gnupg ~/.ssh

Open the tomb: tomb open mrpoppybutthole.tomb -k mrpoppybutthole.tomb.key.

Done, now your ssh keys and passwords should be served from the tomb.

Also, tomb can bury the key inside a JPEG (tomb bury / tomb exhume, which need steghide).

Run tomb close to unmount the tomb; tomb slam force-closes it and kills the processes that keep it busy.
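The procedure above (dig, forge, lock, write bind-hooks, move the directories, leave empty mount points behind) as one script. This is an added example, not the page's own script and not part of the tomb project. It assumes the tomb is already open at the mount point you pass in, and that the directory names are the three on the page; the migration is idempotent, so running it again after the hooks are active does nothing harmful.

```shell
#!/bin/sh
# Added example, not from the page or from tomb: create the tomb, move
# ~/.ssh, ~/.password-store and ~/.gnupg into it and write bind-hooks, so
# the next `tomb open` bind-mounts them back into $HOME.
set -eu

# Directories served from the tomb; each is bind-mounted to the same
# relative path under $HOME.
DIRS=".ssh .password-store .gnupg"

# One-time creation. Size is in MB; tomb needs root for dig/lock/open.
create_tomb() {
  name="$1"; size_mb="$2"
  tomb dig -s "$size_mb" "$name.tomb"
  tomb forge "$name.tomb.key"
  tomb lock "$name.tomb" -k "$name.tomb.key"
}

# bind-hooks format: "<path inside tomb> <mount point relative to HOME>".
write_bind_hooks() {
  mount="$1"
  : >"$mount/bind-hooks"
  for d in $DIRS; do
    printf '%s %s\n' "$d" "$d" >>"$mount/bind-hooks"
  done
}

# Move each directory into the open tomb and leave an empty, private (0700)
# mount point behind. A directory that is already a mount point (hooks
# already active) or already present inside the tomb is left alone.
migrate_dirs() {
  mount="$1"; home="${2:-$HOME}"
  for d in $DIRS; do
    if command -v mountpoint >/dev/null 2>&1 && mountpoint -q "$home/$d"; then
      continue
    fi
    if [ -d "$home/$d" ] && [ ! -e "$mount/$d" ]; then
      mv "$home/$d" "$mount/$d"
    fi
    mkdir -p "$home/$d"
    chmod 700 "$home/$d"
  done
  write_bind_hooks "$mount"
}

# Stop gpg-agent before moving .gnupg so it does not keep the old directory
# open; gpgconf ships with gnupg.
stop_agents() {
  gpgconf --kill gpg-agent 2>/dev/null || true
}

# Usage, with the tomb already open:
#   stop_agents
#   migrate_dirs /run/media/ksevelyar/mrpoppybutthole
#   tomb close
```

Moving the directories while the tomb is open rather than copying them keeps no plaintext copy of the keys outside the tomb, and the 0700 mount points mean the bind mounts land on directories sshd and gpg will accept.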

# Open ports

firewall-desktop

# Show listening ports

sudo lsof -Pni | grep -i listen

# sshd

Autostart is disabled; start it with sudo systemctl start sshd

The port is 9922. Use mosh --ssh="ssh -p 9922" user@host or plain ssh user@host -p 9922 to connect.

When sshd is running you will see it in polybar together with the number of active connections:

polybar

The same for x11vnc.

# Check your ssh keys

bash -c 'for key in ~/.ssh/id_*; do ssh-keygen -l -f "${key}"; done | uniq'

RSA is still the most widely used public-key algorithm for SSH keys. Compared to Ed25519 it is slower, and RSA keys shorter than 2048 bits are considered unsafe.

upgrade-your-ssh-key-to-ed25519

ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519
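The key check above, turned into an audit that classifies each key from its ssh-keygen -l line and flags the ones to replace. This is an added example, not the page's own script: classify_fingerprint parses the fingerprint line (works for both the SHA256 and the older MD5 colon format), audit_ssh_dir runs it over the public keys in a directory, and new_ed25519 is the page's replacement command. The only thresholds applied are the ones stated above (RSA below 2048 bits is weak; DSA is treated as weak too); the sample lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the page: audit ~/.ssh from the `ssh-keygen -l`
# fingerprint lines and flag keys worth replacing with Ed25519.
set -eu

# Classify one `ssh-keygen -l` line such as
#   "2048 SHA256:xxxx dude@host (RSA)"
# First field is the key size in bits, last field the key type in parentheses.
# Prints "ok <kind>" or "weak <kind>".
classify_fingerprint() {
  line="$1"
  bits="${line%% *}"
  ktype="$(printf '%s\n' "$line" | awk '{print $NF}' | tr -d '()')"
  case "$ktype" in
    ED25519) echo "ok ed25519" ;;
    DSA) echo "weak dsa" ;;
    RSA)
      if [ "$bits" -lt 2048 ]; then
        echo "weak rsa-$bits"
      else
        echo "ok rsa-$bits"
      fi
      ;;
    ECDSA) echo "ok ecdsa-$bits" ;;
    *) echo "unknown $ktype" ;;
  esac
}

# Run over every public key in a directory (default ~/.ssh): one line per
# key with the path and the verdict. Reading *.pub instead of the private
# keys means ssh-keygen never asks for a passphrase.
audit_ssh_dir() {
  dir="${1:-$HOME/.ssh}"
  for pub in "$dir"/*.pub; do
    [ -e "$pub" ] || continue
    printf '%s\t%s\n' "$pub" "$(classify_fingerprint "$(ssh-keygen -l -f "$pub")")"
  done
}

# Replacement key, as on the page: -t ed25519; -a 100 rounds of the KDF that
# derives the private-key encryption key from the passphrase; -o selects the
# OpenSSH private-key format (already the default on current OpenSSH).
new_ed25519() {
  ssh-keygen -o -a 100 -t ed25519 -f "${1:-$HOME/.ssh/id_ed25519}"
}

# Usage:
#   audit_ssh_dir            # list and classify the keys in ~/.ssh
#   new_ed25519              # generate ~/.ssh/id_ed25519 when a key is weak
```

After generating the new key, install its public half on every host that has the old one in authorized_keys before deleting the old key pair; the audit only tells you what is on disk locally.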

# Fail2Ban

Currently integrated with sshd. Since sshd listens on 9922, the sshd jail's port setting has to match (or the ban action has to be an allports one); otherwise the ban rule only blocks port 22.

# hardened kernel

You can switch to the hardened kernel with one line: sysctl.nix

# Monitor