Question for crypto (as in cryptographic) nerds, I am looking for an automated solution for on-prem backups that encrypts said backup. The plan is to take said encrypted backup and store it off sight. Prefer open source, and for further context consider this "home lab" although it does involve multiple servers with public IPs etc. I do not want to have the encryption key easily reachable like in plaintext in a config file.
Right now this is all happening manually, but automated would make this so much easier. It does not have to be a full end-to-end solution, even just the encrypting part being able to be automated would be fine as I could simply script around it. Thoughts and recommendations?
The tech, simply put, works like this: When you create an account for a website or app, your device generates a cryptographic public-private key pair. The site or app backend gets a copy of the public key, and your device keeps hold of the private key; that private key stays private to your gear. When you come to login, your device and the backend authentication system interact using their digital keys to prove you are who you say you are, and you get to login. If you don't have the private key or can't prove you have it, you can't login.
PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
Listening to a #podcast about #cryptography in #golang, and it’s quite interesting. One bonus is that one of the guests has the most Italian accent I’ve ever heard, which makes it fun to listen to him speak.
if you want to help people access the full, uncensored internet via Tor, and you're a fedi admin, here's a way you can help. you may know about Tor Bridges and how they're used by people behind repressive governments that censor the internet to safely access the net. countries like China or Russia block the public list of Tor relays, for example.
WebTunnel is a Bridge method that uses a reverse proxy that you configure using your existing nginx (etc) web server that points to your server's local tor daemon. so your fedi instance can be a bridge to the Tor network for people who cannot connect to Tor normally. disobey.net is hosting one ^^
one thing to note is that it's important to disable nginx (etc) web server logs, since the people who use bridges are connecting to you as their first, trusted hop onto the tor network. something to keep in mind to maximize privacy and reduce your own liability.
Join us for welcoming returning presenter Sergi Rovira, with Axel Mertens, from Universitat Pompeu Fabra (UPF) and @CosicBe respectively, presenting Convolution-friendly Image Compression in FHE, Apr 25th, 2024 @ 4PM CEST.
Why must the #UX of any kind of #cryptography related tooling on our systems suck so much?
Today's task - manage CA certificates on our clusters' base-systems using #Ansible.
The canonical way on #RHEL systems seems to be, to use #p11kit's "trust" CLI.
"--help" says to use "trust list" - that sounds easy. I'll just compare those certificate serials against my desired state and then import the delta into the trust store…
But: the unique identifier of "trust list"'s output is a PKCS11 URI!
🆕 blog! “Lazy way to cause SHA-256 collisions for lazy evaluators”
Humans are lazy. That's why we have computers; to do the boring work for us. I recently downloaded a file. The website said the file should have a SHA-256 hash of: ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb So I ran sha256 filename on my machine. And then lazily compared the h…
Nice analysis by Bruno Blanchet that proves that HPKE with ML-KEM (or any other IND-CCA2 KEM) does provide IND-CCA2 security.
“Bruno models the base mode of HPKE, single shot API in CryptoVerif, and showed that if the KEM is IND-CCA2, then so is HPKE.
Since CryptoVerif is PQ-sound, that proves the security of the HPKE base mode, with the single shot API when the KEM is a post-quantum IND-CCA2 KEM.” via Karthikeyan Bhargavan on the CFRG mailing list
Mar 24, 1944: On this date, the poem The Life That I Have was issued by Special Operations Executive cryptographer Leo Marks to agent Violette Szabo. The poem was made famous by its inclusion in the 1958 movie about Szabo, Carve Her Name with Pride. (1/2)
🔐 Linux 6.9 Adds New RISC-V Vector-Accelerated Crypto Routines - Phoronix
「 RISC-V with Linux 6.9 implements support for more vector-accelerated crypto routines. Among the work is RISC-V vector accelerated AES-{ECB,CBC,CTR,XTS}, ChaCha20, GHASH, SHA-256, SHA-384, SHA-512, SM3, and SM4 algorithms 」
Yael Tauman Kalai, recipient of the 2022 ACM Prize in Computing, has developed groundbreaking methods for succinctly verifying the correctness of a computation. Recently she sat down with Leah Hoffmann to discuss how they work. Read it here via CACM's relaunched #OpenAccess website: https://cacm.acm.org/opinion/verifying-correctness/