<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Security on WhyNotHugo</title><link>https://whynothugo.nl/tags/security/</link><description>Recent content in Security on WhyNotHugo</description><generator>Hugo -- gohugo.io</generator><language>en</language><lastBuildDate>Sat, 09 Mar 2024 11:42:44 +0100</lastBuildDate><atom:link href="https://whynothugo.nl/tags/security/posts.xml" rel="self" type="application/rss+xml"/><item><title>Extending an expired GPG key</title><link>https://whynothugo.nl/journal/2023/07/13/extending-an-expired-gpg-key/</link><pubDate>Thu, 13 Jul 2023 00:00:00 +0000</pubDate><guid>https://whynothugo.nl/journal/2023/07/13/extending-an-expired-gpg-key/</guid><description>Slightly over a year ago, I set up a new hardware-backed GPG key on my yubikey device. Today I needed to sign a release, and noticed my key expired two days ago. It&amp;rsquo;s time to renew it.
Possible approaches: When a key expires, there are three alternatives for addressing this:
Generate a new key pair. This requires updating my public key everywhere (e.g.: on services that use my public key, in the README for projects where I sign releases, etc), which is somewhat of a nuisance.</description></item><item><title>Using a Yubikey for GPG</title><link>https://whynothugo.nl/journal/2022/07/11/using-a-yubikey-for-gpg/</link><pubDate>Mon, 11 Jul 2022 00:00:00 +0000</pubDate><guid>https://whynothugo.nl/journal/2022/07/11/using-a-yubikey-for-gpg/</guid><description>I&amp;rsquo;ve written recently on how I use a Yubikey as a hardware security token for two factor authentication.
One item I was missing was GPG, mostly because GPG is a bit trickier to set up and I simply hadn&amp;rsquo;t had the time. My previous key recently expired, so this is a good time to address that.
This article explains the basics of how Yubikey + GPG works, and how to get started.</description></item><item><title>How I secure my setup with a YubiKey</title><link>https://whynothugo.nl/journal/2022/05/07/how-i-secure-my-setup-with-a-yubikey/</link><pubDate>Sat, 07 May 2022 00:00:00 +0000</pubDate><guid>https://whynothugo.nl/journal/2022/05/07/how-i-secure-my-setup-with-a-yubikey/</guid><description>YubiKeys: I have a pair of YubiKey 5C NFC, which I use for authentication a lot. They&amp;rsquo;re small USB-C authentication devices which can generate multiple types of keys and are usable for different types of authentication.
There's also a USB-A version if USB-C ports aren't your thing. The keys generated on-device cannot be extracted, which means that the only way to steal the keys is to physically steal the device itself.</description></item><item><title>The issue with flatpak's permissions model</title><link>https://whynothugo.nl/journal/2021/11/26/the-issue-with-flatpaks-permissions-model/</link><pubDate>Fri, 26 Nov 2021 00:00:00 +0000</pubDate><guid>https://whynothugo.nl/journal/2021/11/26/the-issue-with-flatpaks-permissions-model/</guid><description>There seems to be a lot of discussion of whether Flatpak is terrible or is great, whether it&amp;rsquo;s the future or whether it&amp;rsquo;s complete trash.
I think Flatpak does a lot of very useful things, and requires more work in other aspects. I&amp;rsquo;m not sure what The One True Package Manager™ will be, but I&amp;rsquo;m sure we can all learn some lessons from flatpak.
Isolation: Flatpak itself does a pretty good job of isolating applications.</description></item><item><title>How disk encryption works</title><link>https://whynothugo.nl/journal/2021/09/03/how-disk-encryption-works/</link><pubDate>Fri, 03 Sep 2021 00:00:00 +0000</pubDate><guid>https://whynothugo.nl/journal/2021/09/03/how-disk-encryption-works/</guid><description>Note: this article avoids being too technical and is rather geared towards non-technical users.
Without disk encryption: Historically, computers used to ask you for a username and password after you turned them on.
This was mostly an authentication mechanism to prevent strangers sitting in front of your computer from using it. However, they could still open the computer, remove the disk, and access all your information without further obstacles.
The password prompt was a soft protection, akin to a security guard outside the entrance to a room with an open window on the other side.</description></item><item><title>Using FreeOTP with Battle.net</title><link>https://whynothugo.nl/journal/2016/11/23/using-freeotp-with-battle.net/</link><pubDate>Wed, 23 Nov 2016 23:00:34 +0000</pubDate><guid>https://whynothugo.nl/journal/2016/11/23/using-freeotp-with-battle.net/</guid><description>Some battle.net users have requested, over and over, to use other apps as a battle.net 2FA. These include FreeOTP, Authy, and possibly others (Google Authenticator, AFAIK, cannot be used since it lacks the ability to configure the number of digits).
After some searching on the web, I found that all the pieces of the puzzle are out there, but nobody had put them all together, so here goes!
First of all, install bna using pip.</description></item><item><title>Using letsencrypt with HKPK</title><link>https://whynothugo.nl/journal/2016/02/07/using-letsencrypt-with-hkpk/</link><pubDate>Sun, 07 Feb 2016 21:15:40 +0000</pubDate><guid>https://whynothugo.nl/journal/2016/02/07/using-letsencrypt-with-hkpk/</guid><description>HPKP (RFC 7469) is a standard that tells browsers to cache a certain TLS certificate&amp;rsquo;s signature, and validate that future visits use that certificate (or a defined backup).
I intended to enable this on my servers, but since letsencrypt renews your certificates every few months, it would mean updating this setting in my nginx configuration. It also means that if something catastrophic happens (like a disk failure), the certificate would be lost, but browsers would still expect to see that same one.</description></item></channel></rss>