fschl
/
dotfiles
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
dotfiles/README.org

103 lines
3.9 KiB
Org Mode
Raw Blame History

* fschl dotfiles
Things that make my linux life more comfortable, portable and secure.
For debian, or debian-based distros. using i3wm.org on the desktop.
** Questions this repos tries to answer
- How long does it take for you to set up a machine?
- Do you have backups?
- Are you using a password manager?
- How do you transport your secrets?
- Can you get things done without *your* computer?
- Rescue+Recover friends laptops/computers
- panic-ops using a friends laptop
*** Firefox/Thunderbird customization
- goto ~.mozilla/firefox/<user-profile>/~
- ~mkdir chrome/ && cp ~/dotfiles/userChrome.css ./chrome/~
- open Firefox: ~about:config~ and set ~toolkit.legacyUserProfileCustomizations.stylesheets~ to *true*
*** Security
**** SSH Hardening
- https://blog.g3rt.nl/upgrade-your-ssh-keys.html
- https://stribika.github.io/2015/01/04/secure-secure-shell.html
- https://wiki.mozilla.org/Security/Guidelines/OpenSSH#OpenSSH_client
- see ~/etc/ssh/ssh_config~ and ~.ssh/config~
**** SSH key generation
#+BEGIN_SRC bash
# ED25519 keys are favored over RSA keys when backward compatibility ''is not required''.
# This is only compatible with OpenSSH 6.5+ and fixed-size (256 bytes).
$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"
# Fallback for really old systems (why do you still have those??)
# RSA keys are favored over ECDSA keys when backward compatibility ''is required'',
# thus, newly generated keys are always either ED25519 or RSA (NOT ECDSA or DSA).
$ ssh-keygen -t rsa -b 8192 -f ~/.ssh/id_rsa_host_$(date +%Y-%m-%d) -C "Key to HOST for user-xyz"
#+END_SRC
**** GnuPG
- https://wiki.mozilla.org/Security/Key_Management
- https://keyring.debian.org/creating-key.html
- https://wiki.debian.org/Subkeys
~~/.gnupg/gpg.conf~:
#+BEGIN_SRC bash
personal-digest-preferences SHA512 SHA384
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 AES256 ZLIB BZIP2 ZIP Uncompressed
keyid-format 0xlong
#+END_SRC
**** Managing logins & passphrases
- use a secure, cross-platform, *cloudless* password manager, e.g keepassXC
**** Backup Secure Keys
- get 2 USB thumb drives
- on each, create 2 partitions (ext4, you will never use them on any windows device anyway)
- https://wiki.archlinux.org/index.php/Dm-crypt/Device_Encryption
Nowadays it's mere chance to find a USB thumb drive with less than 4GB storage.
Though, you want a dedicated drive to transport your password database, ssh keys and GPG keys.
Those don't require more than a couple MB. So what to do with the remaining space?
Scenarios:
- You visit friends, only have your keys with you and you have to check your mails, assist a colleague
in some network/ops emergency or just securely look up some confidential information.
- A family member calls: their HDD just died and you are asked to quickly help out on recovery.
Boot into a safe environment, having all your credentials available in a secure manner.
Have a bootable forensics toolbox around to quickly get going in a familiar setup.
Solution: multi-boot!
**** Thumb Drive Setup
3 partitions: boot+isos, luks encrypted, unencrypted partition for non-sensitive data
** TODO [0/5]
- [ ] explain setup, ideas, practises
- [ ] add HOWTO
- [ ] Check new bootable USB solution: https://ventoy.net/en/index.html
- [ ] move to ansible for easier modularization of setup
- [ ] OR: give GUIX a shot
** Moving to Arch
- official repository setup: https://wiki.archlinux.org/title/Official_repositories#multilib
- ~multiplib~ is required for wine
- Sound troubleshooting: https://wiki.archlinux.org/title/Advanced_Linux_Sound_Architecture/Troubleshooting#HDMI
- Skype, VSCode: use ~yay~
Reference in New Issue View Git Blame Copy Permalink