create-keys.md

Security Notes

Notes and BASH snippets regarding password generation.

If you are on an air-gapped system, you can't look up your favourite passphrase generation command on the internet - this file should help.

Create Password

Create a password from 32 pseudo-randomly generated bytes - expressed as a 44 character Base64 string:

LC_ALL=C head -c 32 /dev/urandom | base64

The use of LC_ALL=C is probably unnecessary - it prevents user settings (e.g. language settings) interfering with the command. Because in this case bytes are expressed in base 64, LC_ALL=C is

Create Several Strong Passwords

  • Step 1: Create many passwords and save in a single file, with one password per line.
  • Step 2: To use as an offline key, symmetrically encrypt the keyfile.
# Step 1: collect 32 pseudo random bytes, write as base64 string to a file, loop x 10
for i in {0..9}; do LC_ALL=C head -c 32 /dev/urandom | base64 >> /path/to/keys.txt; done

# As above, but output as hexstrings:
for i in {0..9}; do head -c 32 /dev/urandom | xxd -ps -c 256 >> /tmp/hexkeys.txt; done

# Step 2 - enter password when prompted. The `--armor` option gives ASCII output, suitable for printing the encrypted file
gpg --symmetric -o encrypted-keys.gpg --armor /path/to/keys.txt

Strong passwords can form the basis of offline keyfiles.
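
Step 1 above appends with `>>` under the default umask, so a second run mixes old and new keys and the file may be readable by other users. As an added example (not part of the original notes), the helpers below create the keyfile owner-only and check it before the `gpg --symmetric` step. `make_keyfile` and `verify_keyfile` are hypothetical names, and `base64 -d` assumes GNU coreutils or a compatible `base64`.

```bash
# Added example: make_keyfile and verify_keyfile are hypothetical helper names.

# make_keyfile PATH [COUNT]: write COUNT Base64 keys (32 random bytes each).
make_keyfile() {
    local path="$1" count="${2:-10}" i=0
    # `>>` appends, so re-running Step 1 would mix old and new keys: refuse.
    if [ -e "$path" ]; then
        echo "refusing to reuse existing $path" >&2
        return 1
    fi
    (
        umask 077    # create the file readable by its owner only (0600)
        while [ "$i" -lt "$count" ]; do
            LC_ALL=C head -c 32 /dev/urandom | base64 >> "$path" || exit 1
            i=$((i + 1))
        done
    )
}

# verify_keyfile PATH [COUNT]: sanity-check the keyfile before encrypting it.
verify_keyfile() {
    local path="$1" expected="${2:-10}" line bytes n=0
    # Group and other must have no access bits set.
    case "$(ls -ld -- "$path")" in
        -???------*) ;;
        *) echo "$path: permissions too open" >&2; return 1 ;;
    esac
    while IFS= read -r line; do
        n=$((n + 1))
        # 32 bytes encode to 44 Base64 characters and must decode back to 32.
        bytes=$(printf '%s' "$line" | base64 -d 2>/dev/null | wc -c)
        if [ "${#line}" -ne 44 ] || [ "$bytes" -ne 32 ]; then
            echo "$path: line $n is not a 32-byte Base64 key" >&2
            return 1
        fi
    done < "$path"
    if [ "$n" -ne "$expected" ]; then
        echo "$path: expected $expected keys, found $n" >&2
        return 1
    fi
    # A repeated line means a copy/paste slip or a broken generator.
    if [ -n "$(sort "$path" | uniq -d)" ]; then
        echo "$path: duplicate key" >&2
        return 1
    fi
}
```

Typical use is `make_keyfile /path/to/keys.txt 10 && verify_keyfile /path/to/keys.txt 10`, followed by the `gpg --symmetric` command from Step 2.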

Key Backup

Offline keys can be stored (offline, of course) in a LUKS encrypted USB drive that has never been opened on an online computer, with a paper copy (ASCII armor encrypted as shown above) as additional backup.

If the passphrase used to encrypt the keyfile is strong, multiple copies of the key media (paper, USB) can be lodged in multiple semi-trusted environments - e.g. a Solicitor's safe, or a bank vault. This guards against fire, theft and other disasters - it mitigates having the key(s) in a single location.

The password used to back up the keyfile should itself be backed up by means of a secret sharing scheme - for example the main passphrase could be distributed carefully using Shamir's Secret Sharing Scheme.

Create an Encrypted Recovery File

# Archive and encrypt with default GPG algorithm 
tar -cz recovery | gpg --symmetric -o recovery.tgz.gpg

# Archive and encrypt using Twofish cipher algorithm
tar -cz recovery | gpg --symmetric --cipher-algo TWOFISH -o recovery.tgz.gpg

Generate Passwords Using All Printable Characters

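# Quote the character class so the shell cannot glob-expand it; LC_ALL=C makes tr treat the input as raw bytes
# The first form only filters the first 10 "lines" of random data; the second reads until 32 characters are available
head /dev/urandom | LC_ALL=C tr -cd '[:graph:]' | head -c 32; echo
LC_ALL=C tr -cd '[:graph:]' < /dev/urandom | head -c 32; echo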