Overview

This article is intended to present a cohesive strategy to keep your personal communications and data safe.

Another important aspect of security is identity. This article should include a section on participating in a web of trust using PKI to verify identities and secure communications. Modern network security is based on Public Key Cryptography, which allows for secure communication over an unsecured channel without the need for a shared secret.

We will be working with three different software products, each with its own cryptography system:

  • SSH is the standard way to securely log into remote computer accounts over the Internet. It can also provide various types of proxy tunnels between your local machine and the remote server.
  • TrueCrypt provides on-disk encryption and cross-platform encrypted containers. We will be using TrueCrypt to create a vault, a small, heavily encrypted file where you can keep copies of passwords and private records. This filesystem can then be synchronized a
  • GPG is a way to secure Internet communications such as email, providing both message encryption and identity verification (like a signet ring).

Creating strong passwords

These articles provide some strategies for securing your accounts and keys with strong passwords:

Create a vault (see below) to store a backup of your passwords.

SSH

  • SSH help page for Ubuntu: SSH
  • tip: $HOME/.ssh/config lets you set up aliases and connection options for commonly-used remote accounts
    • bash completion
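As an added example (not from the original article, and not part of OpenSSH), the script below generates a `Host` stanza for an account and appends it to an ssh_config file only when no stanza for that alias exists yet, so re-running it never produces duplicate entries. The host names, user, port and key path are constructed placeholders; the demo writes to a scratch file rather than your real `$HOME/.ssh/config`.

```shell
#!/bin/sh
# Added example, not from the article: build and idempotently install an
# ssh_config alias. All host/user/key values below are constructed placeholders.

set -e

# Print a Host stanza. Arguments: alias hostname user [port] [identity file]
ssh_config_stanza() {
    alias_="$1"; host="$2"; user="$3"; port="${4:-22}"; key="${5:-}"
    printf 'Host %s\n' "$alias_"
    printf '    HostName %s\n' "$host"
    printf '    User %s\n' "$user"
    printf '    Port %s\n' "$port"
    [ -n "$key" ] && printf '    IdentityFile %s\n' "$key"
    # Offer only the listed key, so unrelated keys are not presented to the server.
    printf '    IdentitiesOnly yes\n'
}

# Append the stanza to config file $1 unless a "Host <alias>" line already exists.
# Remaining arguments are passed to ssh_config_stanza.
# Returns 0 when the stanza was added, 1 when the alias was already present.
ssh_config_add() {
    cfg="$1"; shift
    mkdir -p "$(dirname "$cfg")"
    [ -f "$cfg" ] || : > "$cfg"
    if grep -q "^Host[[:space:]]\{1,\}$1[[:space:]]*$" "$cfg"; then
        return 1
    fi
    { printf '\n'; ssh_config_stanza "$@"; } >> "$cfg"
    chmod 600 "$cfg"          # ssh refuses world-readable config in some setups
}

# Demonstration against a scratch file so the real ~/.ssh/config is untouched.
demo_cfg="${TMPDIR:-/tmp}/ssh_config_demo.$$"
rm -f "$demo_cfg"
ssh_config_add "$demo_cfg" work work.example.org alice 2222 "$HOME/.ssh/id_ed25519_work" \
    && echo "added alias 'work'"
if ssh_config_add "$demo_cfg" work work.example.org alice 2222; then
    echo "unexpected: duplicate stanza added"
else
    echo "alias 'work' already present, file left unchanged"
fi
cat "$demo_cfg"
rm -f "$demo_cfg"
```

With the stanza in place, `ssh work` is equivalent to `ssh -p 2222 -i ~/.ssh/id_ed25519_work alice@work.example.org`, and the same alias works for `scp`, `sftp` and the `-D` proxy described later on this page.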

Generating strong keys

SSH Agent

An SSH agent stores your SSH key in memory once you have unlocked it, so you only have to type your key password once.

  • For OS X, Leopard+ should have built-in keychain support, but I was never able to get it working on my laptop, perhaps because I had previously installed a third-party keychain (see keychain agent in 10.5+)
  • Ubuntu blog

Proxy Tricks

There are a number of interesting ways of using SSH’s proxy capabilities to work around network topology limitations. If you have a specific problem not covered here, search the web (and then add a section here of course!).

Using OpenSSH as a web proxy

Unless the server admin has disabled this functionality, OpenSSH allows you to route all of your web traffic through a secure tunnel using SOCKSv5. This could be useful for:

  • Accessing restricted intranet sites such as University databases (VPN replacement)
  • Hiding your communications from adversaries between you and the server.
  • Obfuscating your identity (this alone isn’t enough, it must be part of a larger strategy)

By default, OpenSSH can act as a SOCKSv5 web proxy. This is a little-known feature. Here’s how to set it up with Firefox:

 @home # ssh -2 -D 3210 yourserver.net

Now configure Firefox (or another browser, or the operating system) to use 127.0.0.1:3210 as a SOCKSv5 proxy. All of your web traffic then goes through the SSH tunnel.

Source: http://staff.washington.edu/corey/fw/ssh-port-forwarding.html
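The following script is an added example, not from the original article, OpenSSH, Firefox or the cited source. It wraps the procedure above: it starts the SOCKSv5 tunnel in the background, waits until a request actually passes through it, and checks the Firefox preference `network.proxy.socks_remote_dns` (a real Firefox setting) that makes the browser send DNS lookups through the proxy instead of to the local resolver. `yourserver.net` and port 3210 are the article's placeholders; the check URL and the prefs file path are assumptions you should replace.

```shell
#!/bin/sh
# Added example, not from the article: bring up the ssh -D SOCKSv5 tunnel and
# verify it end to end. REMOTE and PROXY_PORT match the article's placeholders;
# CHECK_URL and the Firefox prefs path are assumptions.

set -e

PROXY_PORT=3210
REMOTE=yourserver.net
CHECK_URL="https://example.com/"   # any site the server can reach (assumption)

# -N: no remote command, -f: go to background after authentication,
# -D bound to 127.0.0.1 so other hosts on your LAN cannot use the proxy.
start_tunnel() {
    ssh -N -f -D "127.0.0.1:$PROXY_PORT" "$REMOTE"
}

# Fetch CHECK_URL through the proxy. --socks5-hostname hands the hostname to
# the proxy, so name resolution happens on the server, not on this machine.
via_tunnel() {
    curl --silent --show-error --max-time 5 \
         --socks5-hostname "127.0.0.1:$PROXY_PORT" -o /dev/null "$CHECK_URL"
}

# Wait up to $1 seconds (default 10) for the tunnel to pass a request.
wait_for_tunnel() {
    n="${1:-10}"
    while [ "$n" -gt 0 ]; do
        via_tunnel 2>/dev/null && return 0
        n=$((n - 1)); sleep 1
    done
    return 1
}

# Firefox sends DNS queries through a SOCKSv5 proxy only when
# network.proxy.socks_remote_dns is true (about:config or user.js/prefs.js).
# Returns 0 when prefs file $1 enables it, 1 otherwise.
firefox_remote_dns_enabled() {
    grep -Eq '^user_pref\("network\.proxy\.socks_remote_dns",[[:space:]]*true\);' "$1"
}

main() {
    start_tunnel
    if wait_for_tunnel 10; then
        echo "tunnel on 127.0.0.1:$PROXY_PORT is passing traffic"
    else
        echo "tunnel did not come up; try 'ssh -v' and check AllowTcpForwarding on the server" >&2
        exit 1
    fi
    # Replace PROFILE with your Firefox profile directory (assumption).
    prefs="${FIREFOX_PREFS:-$HOME/.mozilla/firefox/PROFILE/prefs.js}"
    if [ -f "$prefs" ] && firefox_remote_dns_enabled "$prefs"; then
        echo "Firefox resolves names through the proxy"
    else
        echo "warning: enable network.proxy.socks_remote_dns, or DNS queries bypass the tunnel" >&2
    fi
}

case "${1:-}" in
    --connect) main ;;
    *) echo "usage: $0 --connect   (starts the tunnel and runs the checks)" ;;
esac
```

Run it as `sh socks_check.sh --connect`. The DNS check matters for the "hiding your communications" use case above: with the preference off, the browser still asks the local network's resolver for every site name, which reveals where you are going even though the page content travels through the tunnel. The article's `-2` flag only affects old OpenSSH releases that still supported protocol 1, so it is omitted here.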

Distributing Your Public Keys

Filesystem encryption

It is useful to keep a small encrypted filesystem backed up in multiple locations. You can store other passwords in here, using it as a password vault.

TrueCrypt is a strong cross-platform filesystem encryption tool. It is the most widely trusted for this purpose.

Working Notes

GPG

Generating/managing keys

  • In gnome

Encrypting/decrypting personal files

  • use a symmetric cipher:

    # encrypt:
    gpg -c filename.txt
    # decrypt:
    gpg filename.txt.gpg

  • Transparent enc/dec:
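The script below is an added example illustrating the symmetric-cipher item above; it is not from the original article or from GnuPG. It wraps `gpg -c` and its decryption in functions that take the passphrase from a file (instead of the command line, where it would land in shell history and be visible to other users via `ps`), then verifies a full round trip on a constructed sample file. The `--pinentry-mode loopback` option assumes GnuPG 2.1 or newer; the sample passwords file and passphrase are constructed.

```shell
#!/bin/sh
# Added example, not from the article or GnuPG: symmetric encryption of a
# small vault file with a passphrase read from a file, plus a round-trip check.
# Assumes GnuPG >= 2.1 (--pinentry-mode loopback). Sample data is constructed.

set -e

# Encrypt $1 to $1.gpg with AES-256 using the passphrase stored in file $2.
vault_encrypt() {
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$2" --cipher-algo AES256 --symmetric "$1"
}

# Decrypt $1 (ending in .gpg) back to the original name using passphrase file $2.
vault_decrypt() {
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$2" --output "${1%.gpg}" --decrypt "$1"
}

# Round-trip check: encrypt a constructed file, delete the plaintext, decrypt
# and compare. Returns 0 when the recovered file matches the original exactly.
vault_roundtrip_ok() {
    work="${TMPDIR:-/tmp}/vault_demo.$$"
    mkdir -p "$work/gnupghome" && chmod 700 "$work" "$work/gnupghome"
    GNUPGHOME="$work/gnupghome"; export GNUPGHOME   # isolated: leaves your keyring alone
    # Constructed sample vault content and passphrase.
    printf 'site: example.org\nuser: alice\npassword: correct horse battery staple\n' \
        > "$work/passwords.txt"
    printf 'demo-passphrase-change-me\n' > "$work/passphrase"
    chmod 600 "$work/passphrase"
    cp "$work/passwords.txt" "$work/original.txt"
    vault_encrypt "$work/passwords.txt" "$work/passphrase"
    rm "$work/passwords.txt"                       # only passwords.txt.gpg remains
    vault_decrypt "$work/passwords.txt.gpg" "$work/passphrase"
    if cmp -s "$work/passwords.txt" "$work/original.txt"; then rc=0; else rc=1; fi
    gpgconf --kill gpg-agent 2>/dev/null || true   # stop the agent started for this home
    unset GNUPGHOME
    rm -rf "$work"
    return $rc
}

if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not found; install GnuPG to run the round-trip demo" >&2
elif vault_roundtrip_ok; then
    echo "round trip OK: decrypted file matches the original"
else
    echo "round trip FAILED" >&2
    exit 1
fi
```

For a real vault, keep the passphrase file out of the same backup locations as the `.gpg` file, or drop `--passphrase-file` and let gpg prompt interactively; the point of the file-based variant is only that the secret never appears on a command line.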