Merge pull request #34 from salah3x/master

Add a table of contents to each guide
Andrew Grimberg 2020-05-11 09:13:28 -07:00 committed by GitHub
commit 6c293acc00
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 259 additions and 0 deletions


@ -4,6 +4,69 @@ Updated: 2018-01-24
*Status: CURRENT, BETA*
### Table of contents
- [Kernel developer PGP guide](#kernel-developer-pgp-guide)
- [Table of contents](#table-of-contents)
- [Target audience](#target-audience)
- [Structure](#structure)
- [Checklist priority levels](#checklist-priority-levels)
- [The role of PGP in Linux Kernel development](#the-role-of-pgp-in-linux-kernel-development)
- [Trusting the developers, not infrastructure](#trusting-the-developers-not-infrastructure)
- [PGP tools](#pgp-tools)
- [Checklist](#checklist)
- [Considerations](#considerations)
- [Installing GnuPG](#installing-gnupg)
- [Making sure you always use GnuPG v.2](#making-sure-you-always-use-gnupg-v2)
- [Configure gpg-agent options](#configure-gpg-agent-options)
- [Set up a refresh cronjob](#set-up-a-refresh-cronjob)
- [Protecting your master PGP key](#protecting-your-master-pgp-key)
- [Checklist](#checklist-1)
- [Considerations](#considerations-1)
- [Understanding the "Master" (Certify) key](#understanding-the-%22master%22-certify-key)
- [Ensure your passphrase is strong](#ensure-your-passphrase-is-strong)
- [Create a separate Signing subkey](#create-a-separate-signing-subkey)
- [RSA vs. ECC subkeys](#rsa-vs-ecc-subkeys)
- [Back up your master key for disaster recovery](#back-up-your-master-key-for-disaster-recovery)
- [Back up your whole GnuPG directory](#back-up-your-whole-gnupg-directory)
- [Prepare detachable encrypted storage](#prepare-detachable-encrypted-storage)
- [Back up your GnuPG directory](#back-up-your-gnupg-directory)
- [Remove the master key from your homedir](#remove-the-master-key-from-your-homedir)
- [Removing your master key](#removing-your-master-key)
- [If you don't have the "private-keys-v1.d" directory](#if-you-dont-have-the-%22private-keys-v1d%22-directory)
- [Move the subkeys to a dedicated crypto device](#move-the-subkeys-to-a-dedicated-crypto-device)
- [Checklist](#checklist-2)
- [Considerations](#considerations-2)
- [The benefits of smartcards](#the-benefits-of-smartcards)
- [Available smartcard devices](#available-smartcard-devices)
- [Configuring your smartcard device](#configuring-your-smartcard-device)
- [Quick setup](#quick-setup)
- [PINs don't have to be numbers](#pins-dont-have-to-be-numbers)
- [Moving the subkeys to your smartcard](#moving-the-subkeys-to-your-smartcard)
- [Verifying that the keys were moved](#verifying-that-the-keys-were-moved)
- [Verifying that the smartcard is functioning](#verifying-that-the-smartcard-is-functioning)
- [Other common GnuPG operations](#other-common-gnupg-operations)
- [Mounting your master key offline storage](#mounting-your-master-key-offline-storage)
- [Updating your regular GnuPG working directory](#updating-your-regular-gnupg-working-directory)
- [Extending key expiration date](#extending-key-expiration-date)
- [Using PGP with Git](#using-pgp-with-git)
- [Checklist](#checklist-3)
- [Considerations](#considerations-3)
- [Configure git to use your PGP key](#configure-git-to-use-your-pgp-key)
- [How to work with signed tags](#how-to-work-with-signed-tags)
- [How to verify signed tags](#how-to-verify-signed-tags)
- [Verifying at pull time](#verifying-at-pull-time)
- [Configure git to always sign annotated tags](#configure-git-to-always-sign-annotated-tags)
- [How to work with signed commits](#how-to-work-with-signed-commits)
- [Creating signed commits](#creating-signed-commits)
- [Configure git to always sign commits](#configure-git-to-always-sign-commits)
- [How to verify kernel developer identities](#how-to-verify-kernel-developer-identities)
- [Checklist](#checklist-4)
- [Considerations](#considerations-4)
- [Configure auto-key-retrieval using WKD and DANE](#configure-auto-key-retrieval-using-wkd-and-dane)
- [Web of Trust (WOT) vs. Trust on First Use (TOFU)](#web-of-trust-wot-vs-trust-on-first-use-tofu)
- [Learn to use keyservers (more) safely](#learn-to-use-keyservers-more-safely)
### Target audience
This document is aimed at Linux kernel developers, and especially subsystem
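Review bot: the anchors for the two headings that contain double quotes, `#understanding-the-%22master%22-certify-key` and `#if-you-dont-have-the-%22private-keys-v1d%22-directory`, are built differently from every other slug in this list, so they are likely to be dead links on at least one renderer. Everywhere else punctuation is simply dropped (`#pins-dont-have-to-be-numbers`, `#making-sure-you-always-use-gnupg-v2`, `#rsa-vs-ecc-subkeys`), but here the quotes are percent-encoded. GitHub-style heading slugs strip quotes the same way they strip apostrophes and dots, which would make `#understanding-the-master-certify-key` and `#if-you-dont-have-the-private-keys-v1d-directory` the resolvable forms there. Please click through both on the host these guides are published on and fix whichever form does not land.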


@ -4,6 +4,76 @@ Updated: 2017-12-15
*Status: CURRENT*
### Table of contents
- [Linux workstation security checklist](#linux-workstation-security-checklist)
- [Table of contents](#table-of-contents)
- [Target audience](#target-audience)
- [Limitations](#limitations)
- [Structure](#structure)
- [Checklist priority levels](#checklist-priority-levels)
- [Choosing the right hardware](#choosing-the-right-hardware)
- [Checklist](#checklist)
- [Considerations](#considerations)
- [SecureBoot](#secureboot)
- [Firewire, thunderbolt, and ExpressCard ports](#firewire-thunderbolt-and-expresscard-ports)
- [TPM Chip](#tpm-chip)
- [Intel Management Engine (IME)](#intel-management-engine-ime)
- [Pre-boot environment](#pre-boot-environment)
- [Checklist](#checklist-1)
- [Considerations](#considerations-1)
- [UEFI and SecureBoot](#uefi-and-secureboot)
- [Distro choice considerations](#distro-choice-considerations)
- [Checklist](#checklist-2)
- [Considerations](#considerations-2)
- [SELinux and AppArmor](#selinux-and-apparmor)
- [Distro security bulletins](#distro-security-bulletins)
- [Timely and trusted security updates](#timely-and-trusted-security-updates)
- [Distros supporting UEFI and SecureBoot](#distros-supporting-uefi-and-secureboot)
- [Full disk encryption](#full-disk-encryption)
- [Distro installation guidelines](#distro-installation-guidelines)
- [Checklist](#checklist-3)
- [Considerations](#considerations-3)
- [Full disk encryption](#full-disk-encryption-1)
- [Choosing good passphrases](#choosing-good-passphrases)
- [Root, user passwords and the admin group](#root-user-passwords-and-the-admin-group)
- [Post-installation hardening](#post-installation-hardening)
- [Checklist](#checklist-4)
- [Considerations](#considerations-4)
- [Blacklisting modules](#blacklisting-modules)
- [Root mail](#root-mail)
- [Firewalls, sshd, and listening daemons](#firewalls-sshd-and-listening-daemons)
- [Automatic updates or notifications](#automatic-updates-or-notifications)
- [Watching logs](#watching-logs)
- [Rkhunter and IDS](#rkhunter-and-ids)
- [Personal workstation backups](#personal-workstation-backups)
- [Checklist](#checklist-5)
- [Considerations](#considerations-5)
- [Full encrypted backups to external storage](#full-encrypted-backups-to-external-storage)
- [Selective zero-knowledge backups off-site](#selective-zero-knowledge-backups-off-site)
- [Best practices](#best-practices)
- [Graphical environment](#graphical-environment)
- [Browsers](#browsers)
- [1: Use two different browsers _(ESSENTIAL)_](#1-use-two-different-browsers-essential)
- [Firefox for work and high security sites](#firefox-for-work-and-high-security-sites)
- [Chrome/Chromium for everything else](#chromechromium-for-everything-else)
- [2: Use firejail _(ESSENTIAL)_](#2-use-firejail-essential)
- [3: Fully separate your work and play environments via virtualization _(PARANOID)_](#3-fully-separate-your-work-and-play-environments-via-virtualization-paranoid)
- [Use Fido U2F for website 2-factor authentication](#use-fido-u2f-for-website-2-factor-authentication)
- [Password managers](#password-managers)
- [Checklist](#checklist-6)
- [Considerations](#considerations-6)
- [In-browser password manager](#in-browser-password-manager)
- [Standalone password manager](#standalone-password-manager)
- [Securing SSH and PGP private keys](#securing-ssh-and-pgp-private-keys)
- [Checklist](#checklist-7)
- [Considerations](#considerations-7)
- [Hibernate or shut down, do not suspend](#hibernate-or-shut-down-do-not-suspend)
- [SELinux on the workstation](#selinux-on-the-workstation)
- [Considerations](#considerations-8)
- [Further reading](#further-reading)
- [License](#license)
### Target audience
This document is aimed at teams of systems administrators who use Linux
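Review bot: this TOC hard-codes the renderer's duplicate-heading suffixes (`#checklist` through `#checklist-7`, `#considerations` through `#considerations-8`, `#full-disk-encryption` and `#full-disk-encryption-1`), and those suffixes are assigned in document order, so inserting, removing or reordering any `Checklist` or `Considerations` section will silently shift every suffix after it and leave the links pointing at the wrong section with no rendering error. The commit message should name the tool that produced the list so future edits regenerate it instead of patching entries by hand; otherwise a note at the top of the TOC saying it is generated would serve the same purpose.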


@ -4,6 +4,102 @@ Updated: 2018-01-22
*Status: CURRENT*
### Table of contents
- [Protecting code integrity with PGP](#protecting-code-integrity-with-pgp)
- [Table of contents](#table-of-contents)
- [Target audience](#target-audience)
- [Structure](#structure)
- [Checklist priority levels](#checklist-priority-levels)
- [Basic PGP concepts and tools](#basic-pgp-concepts-and-tools)
- [Checklist](#checklist)
- [Considerations](#considerations)
- [Extremely Basic Overview of PGP operations](#extremely-basic-overview-of-pgp-operations)
- [Encryption](#encryption)
- [Signatures](#signatures)
- [Combined usage](#combined-usage)
- [Understanding Key Identities](#understanding-key-identities)
- [Understanding Key Validity](#understanding-key-validity)
- [Web of Trust (WOT) vs. Trust on First Use (TOFU)](#web-of-trust-wot-vs-trust-on-first-use-tofu)
- [Installing OpenPGP software](#installing-openpgp-software)
- [Installing GnuPG](#installing-gnupg)
- [GnuPG 1 vs. 2](#gnupg-1-vs-2)
- [Making sure you always use GnuPG v.2](#making-sure-you-always-use-gnupg-v2)
- [Generating and protecting your master PGP key](#generating-and-protecting-your-master-pgp-key)
- [Checklist](#checklist-1)
- [Considerations](#considerations-1)
- [Understanding the "Master" (Certify) key](#understanding-the-%22master%22-certify-key)
- [Before you create the master key](#before-you-create-the-master-key)
- [Primary identity](#primary-identity)
- [Passphrase](#passphrase)
- [Algorithm and key strength](#algorithm-and-key-strength)
- [Generate the master key](#generate-the-master-key)
- [Back up your master key](#back-up-your-master-key)
- [Add relevant identities](#add-relevant-identities)
- [Pick the primary UID](#pick-the-primary-uid)
- [Generating PGP subkeys](#generating-pgp-subkeys)
- [Checklist](#checklist-2)
- [Considerations](#considerations-2)
- [Create the subkeys](#create-the-subkeys)
- [Upload your public keys to the keyserver](#upload-your-public-keys-to-the-keyserver)
- [Upload your public key to GitHub](#upload-your-public-key-to-github)
- [Set up a refresh cronjob](#set-up-a-refresh-cronjob)
- [Moving your master key to offline storage](#moving-your-master-key-to-offline-storage)
- [Checklist](#checklist-3)
- [Considerations](#considerations-3)
- [Back up your GnuPG directory](#back-up-your-gnupg-directory)
- [Prepare detachable encrypted storage](#prepare-detachable-encrypted-storage)
- [Back up your GnuPG directory](#back-up-your-gnupg-directory-1)
- [Remove the master key](#remove-the-master-key)
- [Removing your master key](#removing-your-master-key)
- [Remove the revocation certificate](#remove-the-revocation-certificate)
- [Move the subkeys to a hardware device](#move-the-subkeys-to-a-hardware-device)
- [Checklist](#checklist-4)
- [Considerations](#considerations-4)
- [The benefits of smartcards](#the-benefits-of-smartcards)
- [Available smartcard devices](#available-smartcard-devices)
- [Configuring your smartcard device](#configuring-your-smartcard-device)
- [PINs don't have to be numbers](#pins-dont-have-to-be-numbers)
- [Quick setup](#quick-setup)
- [Moving the subkeys to your smartcard](#moving-the-subkeys-to-your-smartcard)
- [Verifying that the keys were moved](#verifying-that-the-keys-were-moved)
- [Verifying that the smartcard is functioning](#verifying-that-the-smartcard-is-functioning)
- [Other common GnuPG operations](#other-common-gnupg-operations)
- [Mounting your master key offline storage](#mounting-your-master-key-offline-storage)
- [Updating your regular GnuPG working directory](#updating-your-regular-gnupg-working-directory)
- [Extending key expiration date](#extending-key-expiration-date)
- [Revoking identities](#revoking-identities)
- [Using PGP with Git](#using-pgp-with-git)
- [Checklist](#checklist-5)
- [Considerations](#considerations-5)
- [Understanding Git Hashes](#understanding-git-hashes)
- [Tree hashes](#tree-hashes)
- [Commit hashes](#commit-hashes)
- [Hashing function](#hashing-function)
- [Annotated tags and tag signatures](#annotated-tags-and-tag-signatures)
- [Signed commits](#signed-commits)
- [Signed pushes](#signed-pushes)
- [Configure git to use your PGP key](#configure-git-to-use-your-pgp-key)
- [How to work with signed tags](#how-to-work-with-signed-tags)
- [How to verify signed tags](#how-to-verify-signed-tags)
- [Verifying at pull time](#verifying-at-pull-time)
- [Configure git to always sign annotated tags](#configure-git-to-always-sign-annotated-tags)
- [How to work with signed commits](#how-to-work-with-signed-commits)
- [How to verify signed commits](#how-to-verify-signed-commits)
- [Verifying commits during git merge](#verifying-commits-during-git-merge)
- [If your project uses mailing lists for patch management](#if-your-project-uses-mailing-lists-for-patch-management)
- [Configure git to always sign commits](#configure-git-to-always-sign-commits)
- [Configure gpg-agent options](#configure-gpg-agent-options)
- [Bonus: Using gpg-agent with ssh](#bonus-using-gpg-agent-with-ssh)
- [Protecting online accounts](#protecting-online-accounts)
- [Checklist](#checklist-6)
- [Considerations](#considerations-6)
- [Two-factor authentication with Fido U2F](#two-factor-authentication-with-fido-u2f)
- [Get a token capable of Fido U2F](#get-a-token-capable-of-fido-u2f)
- [Enable 2-factor authentication on your online accounts](#enable-2-factor-authentication-on-your-online-accounts)
- [Configure TOTP failover, if possible](#configure-totp-failover-if-possible)
- [Further reading](#further-reading)
### Target audience
This document is aimed at developers working on free software projects. It
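Review bot: the first two entries, `[Protecting code integrity with PGP]` (the document's own title) and `[Table of contents]` (the section this list lives in), link to the page the reader is already on and push every real entry one indentation level deeper; starting the list at `Target audience` and promoting the remaining entries one level would make it easier to scan. The same self-referential pair opens the other three TOCs in this commit. Separately, `#understanding-the-%22master%22-certify-key` percent-encodes its quotes while `#bonus-using-gpg-agent-with-ssh` and `#pins-dont-have-to-be-numbers` drop their colon and apostrophe, so that one anchor should be checked against the renderer in use.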


@ -4,6 +4,36 @@ Updated: 2015-08-13
*Status: OUTDATED*
### Table of contents
- [Trusted Team Communication](#trusted-team-communication)
- [Table of contents](#table-of-contents)
- [Trusting email](#trusting-email)
- [OpenPGP vs S/MIME](#openpgp-vs-smime)
- [Main upsides of S/MIME](#main-upsides-of-smime)
- [Main downsides of S/MIME](#main-downsides-of-smime)
- [Main upsides of OpenPGP](#main-upsides-of-openpgp)
- [Main downsides of OpenPGP](#main-downsides-of-openpgp)
- [Understanding the OpenPGP Web of Trust](#understanding-the-openpgp-web-of-trust)
- [Using the Web of Trust in your team](#using-the-web-of-trust-in-your-team)
- [Spinning the web](#spinning-the-web)
- [Yes, but what if they are 12 timezones away?](#yes-but-what-if-they-are-12-timezones-away)
- [Keysigning parties](#keysigning-parties)
- [Sending trusted emails](#sending-trusted-emails)
- [When to sign](#when-to-sign)
- [When to encrypt](#when-to-encrypt)
- [Trusting IM sessions](#trusting-im-sessions)
- [One-on-one messaging](#one-on-one-messaging)
- [Group messaging](#group-messaging)
- [Trusting git commits](#trusting-git-commits)
- [Signed-off-by's](#signed-off-bys)
- [Signed tags and commits](#signed-tags-and-commits)
- [Releasing code trusted by the community](#releasing-code-trusted-by-the-community)
- [Securing infrastructure access](#securing-infrastructure-access)
- [Using PGP keys with SSH](#using-pgp-keys-with-ssh)
- [Checklist](#checklist)
- [License](#license)
Establishing trusted communication between members of your team is paramount
not only to avoid potential security problems associated with phishing and
impersonation, but also to make it possible to exchange sensitive information
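Review bot: please confirm there is a blank line between the last entry, `- [License](#license)`, and the paragraph beginning `Establishing trusted communication between members of your team is paramount`. The hunk header announces 36 lines but only 32 are shown, so the rendering here elides blank lines and the diff cannot settle it; if no blank line is present, CommonMark treats that paragraph as a lazy continuation of the `License` bullet and the opening of the guide renders inside the list. The other three files are not at risk because a `### Target audience` heading, which cannot be a continuation line, follows their lists; this file is the only one where body text follows the TOC directly.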