𝒍𝒆𝒎𝒂𝒏𝒏

Hey! Please contact me at my primary Fedi account: @lemann@lemmy.dbzer0.com

https://lemmy.one/u/lemann@lemmy.dbzer0.com

  • 8 Posts
  • 714 Comments
Joined 1 year ago
cake
Cake day: June 6th, 2023

help-circle



  • Flash drive hidden under the carpet and connected via a USB extension, holding the decryption keys - threat model is a robber making off with the hard drives and gear, where the data just needs to be useless or inaccessible to others.

    There’s a script in the initramfs which looks for the flash drive, and passes the decryption key on it to cryptsetup, which then kicks off the rest of the boot mounting the filesystems underneath the luks

    I could technically remove the flash drive after boot as the system is on a UPS, but I like the ability to reboot remotely without too much hassle.

    What I’d like to do in future would be to implement something more robust with a hardware device requiring 2FA. I’m not familiar with low level hardware security at all though, so the current setup will do fine for the time being!



  • If MIT AppInventor is still kicking around, you should be able to use it for this… although sadly you won’t have access to the source code since it’s a Scratch-like way to create apps.

    By default the Android voice assistant uses Google tech AFAIK, if you’re after a truly source-available solution then there’s ”Futo voice input" to handle STT, and “RHVoice” to handle TTS - though these would still need a HTTP API bridge to do what you want


  • I think so, assuming these malicious packages are all primitive enough to just look for the single file in a user’s home folder lol. The only downside here is needing to provide the keyfile location to ssh every time you want to connect… Although a system search would pretty much defeat that instantly as you mention

    SSH keyfiles can be encrypted, which requires a password entry each time you connect to a SSH server. Most linux distros that I’ve used automatically decrypt the SSH keyfile for you when you log in to a remote machine (using the user keyring db), or ask you for the keyfile password once and remember it for the next hour or so (using the ssh-agent program in the background).

    On Windows you can do something similar with Cygwin and ssh-agent, however it is a little bit of a hassle to set up. If you use WSL i’d expect the auto keyfile decryption to work comparably to Linux, without needing to configure anything