<SiFuh_>
ukky: For my laptop (OpenBSD) I use the yubikey with One Time Password to log in as a user or access super user. But for my hard disk, I manually type in a password to access it. I prefer opensource because anything closed source you can't really trust that it is secure.
guido_rokepo has joined #crux
<cruxbot>
[opt.git/3.7]: samba: update to 4.18.4
<cruxbot>
[opt.git/3.7]: iwd: update to 2.7
<cruxbot>
[opt.git/3.7]: fuse3: update to 3.15.1
ppetrov^ has joined #crux
ppetrov^ has quit [Quit: Leaving]
<ukky>
SiFuh_: I agree, and use the same manual login as you. My system has all partitions encrypted, with the exception of the boot and UEFI partitions. Even the swap partition is encrypted. To decrypt the root FS, a manual password is required; all other partitions are auto-decrypted with a random key file stored on the root FS.
<SiFuh_>
ukky: For your swap, is it randomly generated at each boot cycle?
<SiFuh_>
Lines 73 to 109: there is a script you can use in /etc/rc/ to encrypt swap on every boot cycle with a randomly generated password
<ukky>
No, swap is decrypted with the same key as the other non-root-FS partitions. It is just that the key was once randomly generated, 1024 bytes in size. It could be a use case scenario to generate a new random key for swap upon every boot.
<SiFuh_>
I see
<ukky>
I think even what I have is already paranoid enough.
<SiFuh_>
ukky: I also did one without using dracut at all. But the problem is you can see the key to unlock the partition in dmesg.
<SiFuh_>
You didn't need to type in the password at all. The kernel did that for you
<SiFuh_>
I don't use it myself at all. I was just trying to prove to jaeger it could be down without an initrd image
<SiFuh_>
down/done*
<ukky>
I wrote my own initramfs init script to handle encrypted partitions. Basically, I have a conf file in /etc which describes the disk encryption type and the sequence for mounting.
<SiFuh_>
That's cool
<ukky>
In my case /etc/fstab is not used (can be empty)
<SiFuh_>
Ahh, I know that style. I saw an Arch document on that a few years back
<SiFuh_>
The beauty with opensource is there are a million ways to do similar things
<ukky>
At work I even had separate encrypted /etc partition, but then had to decrypt it and allow auto-boot to enable remote work.
<SiFuh_>
I have my system set up so that if you plug in anything USB or remove anything USB the system locks. You need to have password access to gain entry. Then I have little shell scripts for each of my external drives and USB sticks that I can run. So for example CHLAMYDIA.sh -m will mount CHLAMYDIA and the -u flag will umount it. Does fsck if needed.
<ukky>
Your paranoidal score is higher than mine :-)
<SiFuh_>
Wouldn't say paranoid, just don't like people poking around where they don't belong. I'd prefer more security focused
<ukky>
But I might have extra paranoidal points for setting up iptables in a way that would block internet access to specific processes if VPN gets disconnected, i.e. they can only access internet via VPN.
<ppetrov^>
SiFuh_, interesting name for the script
<ukky>
You can set up SELinux to have an even more secure system. But it is a PITA to set up, and very hard to use for everyday work.
<SiFuh_>
ppetrov^: Short version. I would copy something to a hard disk and hand it to my father. His memory is bad and he was using Windows. Windows would auto scan USB drives. But since I had a collection of computer viruses in a folder, I would have to shout "DON'T SCAN", to make sure he wouldn't infect his computer. So my USB sticks started getting names of viruses and diseases, so that when my father would plug it in it would trigger his memory to not scan. Been doing it for decades. Every machine and every drive and every disk is named this way.
<SiFuh_>
ukky: Smart move to stop internet access for certain things when the VPN fails.
<ppetrov^>
SiFuh_, very ingenious solution
<SiFuh_>
ppetrov^: If the virus starts with M then it has multimedia on the drive. If it starts with D it has data... and so on :-P
<SiFuh_>
I laughed at a job interview in Kyrgyzstan. The guy asked why I brought no resume or papers. I said "This is the modern world, here plug herpes in" and I handed him my flash drive. For a second there was a look on his face like I had said herpes but no, he must be hearing things. Then he plugged it in and HERPES popped up and I heard a little chuckle. He never asked about it though ;-)
<SiFuh_>
In Malaysia the Tamil guys downstairs wanted my Wi-Fi password. I was sick to death of them leeching off of me. I asked "You want Syphilis?" And they walked away.
<SiFuh_>
My router was named Syphilis
<ppetrov^>
you should name your network "I steal passwords"
<SiFuh_>
Mine is Aurora in Russian
<ppetrov^>
a friend has his as "Skynet"
<SiFuh_>
Hehehe
<ppetrov^>
SiFuh_, Аврора?
<SiFuh_>
Yes
<SiFuh_>
And my blue tooth is КГБ
<ppetrov^>
hmm, it works with cyrillic?
<SiFuh_>
Yes
<ppetrov^>
Куул
<SiFuh_>
Very
<SiFuh_>
You know Куул in Kyrgyz means 'to listen'?
<ppetrov^>
really?
<ppetrov^>
this is similar to Finnish
<ppetrov^>
kuuluu
<SiFuh_>
Wouldn't be surprised. With the exception of Japanese, pretty much all languages have links to other languages
<ppetrov^>
hehh
<ppetrov^>
Finnish is not an indo-european language
<ppetrov^>
it's Uralic
<ppetrov^>
believe me, there's no connection between Finnish and Bulgarian for example
<SiFuh_>
Chinese and Russian are not related yet words link
<ppetrov^>
i am not talking about individual words
<SiFuh_>
Manding in West Africa is very close to Mandarin of China.
<ppetrov^>
for the record, it is olut in finnish, just like ök in swedish
<SiFuh_>
Kyrgyz is an SOV language like Japanese. English is an SVO language
<ppetrov^>
however, finns call the telephone "puhelin", electricity is sähkö
<SiFuh_>
I am aware. I know how to order beer anywhere in the world :-P
<ppetrov^>
that's the spåirit
<SiFuh_>
:-P
<SiFuh_>
I was trying to think why Finland keeps popping into my mind as something from a few days ago. I just remembered. Itchy Boots (YouTube channel): she is Dutch, but in one episode she said she was from Finland. I think it was the episode where she was talking to Malaysian immigration.
<ocb>
ukky: i would love to see your initramfs script if you have some notes written already. i also write my own initramfs. next step is to add mini ssh server to allow remote disk decryption over ssh.
<ukky>
ocb: please share your email and I will send the script, with /etc/config to you directly. I will not send initramfs_list file, as it is different subject.
SiFuh_ has quit [Remote host closed the connection]
SiFuh has joined #crux
<cruxbot>
[contrib.git/3.7]: docker-buildx: updated to version 0.11.1
<ocb>
ukky: my irc nick [ at ] l25.fi
<ocb>
ukky: this is how i make mine, although i did change some minor things; https://oshi.at/qKMR
guido_rokepo has quit [Quit: guido_rokepo]
<ukky>
ocb: I will prepare the files and send them soon. Are you okay with uncompressed files? I am too lazy to pack them.
ukky has quit [Ping timeout: 240 seconds]
<ocb>
ukky: thanks got them!
mechaniputer has joined #crux
mechaniputer has quit [Client Quit]
ukky has joined #crux
ppetrov^ has quit [Quit: Leaving]
<cruxbot>
[contrib.git/3.7]: python3-rpds-py: initial import, version 0.8.8
<cruxbot>
[contrib.git/3.7]: python3-referencing: initial import, version 0.29.1
<cruxbot>
[contrib.git/3.7]: python3-maturin: initial import, version 1.1.0
<cruxbot>
[contrib.git/3.7]: python3-jsonschema-specifications: initial import, version 2023.6.1
<cruxbot>
[contrib.git/3.7]: python3-jsonschema: updated to version 4.18.0; new dependencies python3-referencing and python3-jsonschema-specifications