Merge pull request #34 from salah3x/master
Add a table of contents to each guide
commit 6c293acc00
@ -4,6 +4,69 @@ Updated: 2018-01-24
*Status: CURRENT, BETA*

### Table of contents

- [Kernel developer PGP guide](#kernel-developer-pgp-guide)
- [Table of contents](#table-of-contents)
- [Target audience](#target-audience)
- [Structure](#structure)
- [Checklist priority levels](#checklist-priority-levels)
- [The role of PGP in Linux Kernel development](#the-role-of-pgp-in-linux-kernel-development)
- [Trusting the developers, not infrastructure](#trusting-the-developers-not-infrastructure)
- [PGP tools](#pgp-tools)
- [Checklist](#checklist)
- [Considerations](#considerations)
- [Installing GnuPG](#installing-gnupg)
- [Making sure you always use GnuPG v.2](#making-sure-you-always-use-gnupg-v2)
- [Configure gpg-agent options](#configure-gpg-agent-options)
- [Set up a refresh cronjob](#set-up-a-refresh-cronjob)
- [Protecting your master PGP key](#protecting-your-master-pgp-key)
- [Checklist](#checklist-1)
- [Considerations](#considerations-1)
- [Understanding the "Master" (Certify) key](#understanding-the-%22master%22-certify-key)
- [Ensure your passphrase is strong](#ensure-your-passphrase-is-strong)
- [Create a separate Signing subkey](#create-a-separate-signing-subkey)
- [RSA vs. ECC subkeys](#rsa-vs-ecc-subkeys)
- [Back up your master key for disaster recovery](#back-up-your-master-key-for-disaster-recovery)
- [Back up your whole GnuPG directory](#back-up-your-whole-gnupg-directory)
- [Prepare detachable encrypted storage](#prepare-detachable-encrypted-storage)
- [Back up your GnuPG directory](#back-up-your-gnupg-directory)
- [Remove the master key from your homedir](#remove-the-master-key-from-your-homedir)
- [Removing your master key](#removing-your-master-key)
- [If you don't have the "private-keys-v1.d" directory](#if-you-dont-have-the-%22private-keys-v1d%22-directory)
- [Move the subkeys to a dedicated crypto device](#move-the-subkeys-to-a-dedicated-crypto-device)
- [Checklist](#checklist-2)
- [Considerations](#considerations-2)
- [The benefits of smartcards](#the-benefits-of-smartcards)
- [Available smartcard devices](#available-smartcard-devices)
- [Configuring your smartcard device](#configuring-your-smartcard-device)
- [Quick setup](#quick-setup)
- [PINs don't have to be numbers](#pins-dont-have-to-be-numbers)
- [Moving the subkeys to your smartcard](#moving-the-subkeys-to-your-smartcard)
- [Verifying that the keys were moved](#verifying-that-the-keys-were-moved)
- [Verifying that the smartcard is functioning](#verifying-that-the-smartcard-is-functioning)
- [Other common GnuPG operations](#other-common-gnupg-operations)
- [Mounting your master key offline storage](#mounting-your-master-key-offline-storage)
- [Updating your regular GnuPG working directory](#updating-your-regular-gnupg-working-directory)
- [Extending key expiration date](#extending-key-expiration-date)
- [Using PGP with Git](#using-pgp-with-git)
- [Checklist](#checklist-3)
- [Considerations](#considerations-3)
- [Configure git to use your PGP key](#configure-git-to-use-your-pgp-key)
- [How to work with signed tags](#how-to-work-with-signed-tags)
- [How to verify signed tags](#how-to-verify-signed-tags)
- [Verifying at pull time](#verifying-at-pull-time)
- [Configure git to always sign annotated tags](#configure-git-to-always-sign-annotated-tags)
- [How to work with signed commits](#how-to-work-with-signed-commits)
- [Creating signed commits](#creating-signed-commits)
- [Configure git to always sign commits](#configure-git-to-always-sign-commits)
- [How to verify kernel developer identities](#how-to-verify-kernel-developer-identities)
- [Checklist](#checklist-4)
- [Considerations](#considerations-4)
- [Configure auto-key-retrieval using WKD and DANE](#configure-auto-key-retrieval-using-wkd-and-dane)
- [Web of Trust (WOT) vs. Trust on First Use (TOFU)](#web-of-trust-wot-vs-trust-on-first-use-tofu)
- [Learn to use keyservers (more) safely](#learn-to-use-keyservers-more-safely)

### Target audience

This document is aimed at Linux kernel developers, and especially subsystem
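Review bot: the two links whose anchors percent-encode double quotes, `#understanding-the-%22master%22-certify-key` and `#if-you-dont-have-the-%22private-keys-v1d%22-directory`, will not resolve on GitHub and other renderers that derive heading ids by dropping punctuation rather than URL-encoding it; the ids those renderers generate are `#understanding-the-master-certify-key` and `#if-you-dont-have-the-private-keys-v1d-directory`, which is also how the rest of this list already treats apostrophes, dots and parentheses (`#pins-dont-have-to-be-numbers`, `#rsa-vs-ecc-subkeys`, `#web-of-trust-wot-vs-trust-on-first-use-tofu`). Either hand-edit those two entries or re-run the TOC generator with plain slugs. The first two entries, which point at the document title and at the table of contents itself, add nothing for navigation and could be dropped.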
@ -4,6 +4,76 @@ Updated: 2017-12-15
*Status: CURRENT*

### Table of contents

- [Linux workstation security checklist](#linux-workstation-security-checklist)
- [Table of contents](#table-of-contents)
- [Target audience](#target-audience)
- [Limitations](#limitations)
- [Structure](#structure)
- [Checklist priority levels](#checklist-priority-levels)
- [Choosing the right hardware](#choosing-the-right-hardware)
- [Checklist](#checklist)
- [Considerations](#considerations)
- [SecureBoot](#secureboot)
- [Firewire, thunderbolt, and ExpressCard ports](#firewire-thunderbolt-and-expresscard-ports)
- [TPM Chip](#tpm-chip)
- [Intel Management Engine (IME)](#intel-management-engine-ime)
- [Pre-boot environment](#pre-boot-environment)
- [Checklist](#checklist-1)
- [Considerations](#considerations-1)
- [UEFI and SecureBoot](#uefi-and-secureboot)
- [Distro choice considerations](#distro-choice-considerations)
- [Checklist](#checklist-2)
- [Considerations](#considerations-2)
- [SELinux and AppArmor](#selinux-and-apparmor)
- [Distro security bulletins](#distro-security-bulletins)
- [Timely and trusted security updates](#timely-and-trusted-security-updates)
- [Distros supporting UEFI and SecureBoot](#distros-supporting-uefi-and-secureboot)
- [Full disk encryption](#full-disk-encryption)
- [Distro installation guidelines](#distro-installation-guidelines)
- [Checklist](#checklist-3)
- [Considerations](#considerations-3)
- [Full disk encryption](#full-disk-encryption-1)
- [Choosing good passphrases](#choosing-good-passphrases)
- [Root, user passwords and the admin group](#root-user-passwords-and-the-admin-group)
- [Post-installation hardening](#post-installation-hardening)
- [Checklist](#checklist-4)
- [Considerations](#considerations-4)
- [Blacklisting modules](#blacklisting-modules)
- [Root mail](#root-mail)
- [Firewalls, sshd, and listening daemons](#firewalls-sshd-and-listening-daemons)
- [Automatic updates or notifications](#automatic-updates-or-notifications)
- [Watching logs](#watching-logs)
- [Rkhunter and IDS](#rkhunter-and-ids)
- [Personal workstation backups](#personal-workstation-backups)
- [Checklist](#checklist-5)
- [Considerations](#considerations-5)
- [Full encrypted backups to external storage](#full-encrypted-backups-to-external-storage)
- [Selective zero-knowledge backups off-site](#selective-zero-knowledge-backups-off-site)
- [Best practices](#best-practices)
- [Graphical environment](#graphical-environment)
- [Browsers](#browsers)
- [1: Use two different browsers _(ESSENTIAL)_](#1-use-two-different-browsers-essential)
- [Firefox for work and high security sites](#firefox-for-work-and-high-security-sites)
- [Chrome/Chromium for everything else](#chromechromium-for-everything-else)
- [2: Use firejail _(ESSENTIAL)_](#2-use-firejail-essential)
- [3: Fully separate your work and play environments via virtualization _(PARANOID)_](#3-fully-separate-your-work-and-play-environments-via-virtualization-paranoid)
- [Use Fido U2F for website 2-factor authentication](#use-fido-u2f-for-website-2-factor-authentication)
- [Password managers](#password-managers)
- [Checklist](#checklist-6)
- [Considerations](#considerations-6)
- [In-browser password manager](#in-browser-password-manager)
- [Standalone password manager](#standalone-password-manager)
- [Securing SSH and PGP private keys](#securing-ssh-and-pgp-private-keys)
- [Checklist](#checklist-7)
- [Considerations](#considerations-7)
- [Hibernate or shut down, do not suspend](#hibernate-or-shut-down-do-not-suspend)
- [SELinux on the workstation](#selinux-on-the-workstation)
- [Considerations](#considerations-8)
- [Further reading](#further-reading)
- [License](#license)

### Target audience

This document is aimed at teams of systems administrators who use Linux
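Review bot: this list leans entirely on renderer-assigned ordinal suffixes to tell repeated headings apart: eight `Checklist` entries (`#checklist` through `#checklist-7`), nine `Considerations` entries (`#considerations` through `#considerations-8`) and two `Full disk encryption` entries (`#full-disk-encryption`, `#full-disk-encryption-1`). Those suffixes are renumbered by document order, so the next time a section is inserted or moved the stale links will land on the wrong section rather than on nothing, which is worse than having no TOC. Please record which generator produced this list (the commit message does not say) so it can be regenerated on every heading change, and consider giving the two `Full disk encryption` headings distinct titles so their entries are distinguishable without the suffix.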
@ -4,6 +4,102 @@ Updated: 2018-01-22
*Status: CURRENT*

### Table of contents

- [Protecting code integrity with PGP](#protecting-code-integrity-with-pgp)
- [Table of contents](#table-of-contents)
- [Target audience](#target-audience)
- [Structure](#structure)
- [Checklist priority levels](#checklist-priority-levels)
- [Basic PGP concepts and tools](#basic-pgp-concepts-and-tools)
- [Checklist](#checklist)
- [Considerations](#considerations)
- [Extremely Basic Overview of PGP operations](#extremely-basic-overview-of-pgp-operations)
- [Encryption](#encryption)
- [Signatures](#signatures)
- [Combined usage](#combined-usage)
- [Understanding Key Identities](#understanding-key-identities)
- [Understanding Key Validity](#understanding-key-validity)
- [Web of Trust (WOT) vs. Trust on First Use (TOFU)](#web-of-trust-wot-vs-trust-on-first-use-tofu)
- [Installing OpenPGP software](#installing-openpgp-software)
- [Installing GnuPG](#installing-gnupg)
- [GnuPG 1 vs. 2](#gnupg-1-vs-2)
- [Making sure you always use GnuPG v.2](#making-sure-you-always-use-gnupg-v2)
- [Generating and protecting your master PGP key](#generating-and-protecting-your-master-pgp-key)
- [Checklist](#checklist-1)
- [Considerations](#considerations-1)
- [Understanding the "Master" (Certify) key](#understanding-the-%22master%22-certify-key)
- [Before you create the master key](#before-you-create-the-master-key)
- [Primary identity](#primary-identity)
- [Passphrase](#passphrase)
- [Algorithm and key strength](#algorithm-and-key-strength)
- [Generate the master key](#generate-the-master-key)
- [Back up your master key](#back-up-your-master-key)
- [Add relevant identities](#add-relevant-identities)
- [Pick the primary UID](#pick-the-primary-uid)
- [Generating PGP subkeys](#generating-pgp-subkeys)
- [Checklist](#checklist-2)
- [Considerations](#considerations-2)
- [Create the subkeys](#create-the-subkeys)
- [Upload your public keys to the keyserver](#upload-your-public-keys-to-the-keyserver)
- [Upload your public key to GitHub](#upload-your-public-key-to-github)
- [Set up a refresh cronjob](#set-up-a-refresh-cronjob)
- [Moving your master key to offline storage](#moving-your-master-key-to-offline-storage)
- [Checklist](#checklist-3)
- [Considerations](#considerations-3)
- [Back up your GnuPG directory](#back-up-your-gnupg-directory)
- [Prepare detachable encrypted storage](#prepare-detachable-encrypted-storage)
- [Back up your GnuPG directory](#back-up-your-gnupg-directory-1)
- [Remove the master key](#remove-the-master-key)
- [Removing your master key](#removing-your-master-key)
- [Remove the revocation certificate](#remove-the-revocation-certificate)
- [Move the subkeys to a hardware device](#move-the-subkeys-to-a-hardware-device)
- [Checklist](#checklist-4)
- [Considerations](#considerations-4)
- [The benefits of smartcards](#the-benefits-of-smartcards)
- [Available smartcard devices](#available-smartcard-devices)
- [Configuring your smartcard device](#configuring-your-smartcard-device)
- [PINs don't have to be numbers](#pins-dont-have-to-be-numbers)
- [Quick setup](#quick-setup)
- [Moving the subkeys to your smartcard](#moving-the-subkeys-to-your-smartcard)
- [Verifying that the keys were moved](#verifying-that-the-keys-were-moved)
- [Verifying that the smartcard is functioning](#verifying-that-the-smartcard-is-functioning)
- [Other common GnuPG operations](#other-common-gnupg-operations)
- [Mounting your master key offline storage](#mounting-your-master-key-offline-storage)
- [Updating your regular GnuPG working directory](#updating-your-regular-gnupg-working-directory)
- [Extending key expiration date](#extending-key-expiration-date)
- [Revoking identities](#revoking-identities)
- [Using PGP with Git](#using-pgp-with-git)
- [Checklist](#checklist-5)
- [Considerations](#considerations-5)
- [Understanding Git Hashes](#understanding-git-hashes)
- [Tree hashes](#tree-hashes)
- [Commit hashes](#commit-hashes)
- [Hashing function](#hashing-function)
- [Annotated tags and tag signatures](#annotated-tags-and-tag-signatures)
- [Signed commits](#signed-commits)
- [Signed pushes](#signed-pushes)
- [Configure git to use your PGP key](#configure-git-to-use-your-pgp-key)
- [How to work with signed tags](#how-to-work-with-signed-tags)
- [How to verify signed tags](#how-to-verify-signed-tags)
- [Verifying at pull time](#verifying-at-pull-time)
- [Configure git to always sign annotated tags](#configure-git-to-always-sign-annotated-tags)
- [How to work with signed commits](#how-to-work-with-signed-commits)
- [How to verify signed commits](#how-to-verify-signed-commits)
- [Verifying commits during git merge](#verifying-commits-during-git-merge)
- [If your project uses mailing lists for patch management](#if-your-project-uses-mailing-lists-for-patch-management)
- [Configure git to always sign commits](#configure-git-to-always-sign-commits)
- [Configure gpg-agent options](#configure-gpg-agent-options)
- [Bonus: Using gpg-agent with ssh](#bonus-using-gpg-agent-with-ssh)
- [Protecting online accounts](#protecting-online-accounts)
- [Checklist](#checklist-6)
- [Considerations](#considerations-6)
- [Two-factor authentication with Fido U2F](#two-factor-authentication-with-fido-u2f)
- [Get a token capable of Fido U2F](#get-a-token-capable-of-fido-u2f)
- [Enable 2-factor authentication on your online accounts](#enable-2-factor-authentication-on-your-online-accounts)
- [Configure TOTP failover, if possible](#configure-totp-failover-if-possible)
- [Further reading](#further-reading)

### Target audience

This document is aimed at developers working on free software projects. It
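Review bot: `#understanding-the-%22master%22-certify-key` percent-encodes the quotes in the heading, but GitHub-style renderers strip punctuation when building heading ids, so the link needs to be `#understanding-the-master-certify-key`, consistent with the entries here that already drop apostrophes and dots (`#pins-dont-have-to-be-numbers`, `#gnupg-1-vs-2`). Separately, the list contains two consecutive entries that read identically, `Back up your GnuPG directory` (`#back-up-your-gnupg-directory`) and `Back up your GnuPG directory` (`#back-up-your-gnupg-directory-1`), followed by `Remove the master key` next to `Removing your master key`; a reader cannot tell the section from its sub-step, and the `-1` suffix will silently shift if a heading is ever added above it. Retitling the section-level headings in the guide so each pair differs would fix both problems.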
@ -4,6 +4,36 @@ Updated: 2015-08-13
*Status: OUTDATED*

### Table of contents

- [Trusted Team Communication](#trusted-team-communication)
- [Table of contents](#table-of-contents)
- [Trusting email](#trusting-email)
- [OpenPGP vs S/MIME](#openpgp-vs-smime)
- [Main upsides of S/MIME](#main-upsides-of-smime)
- [Main downsides of S/MIME](#main-downsides-of-smime)
- [Main upsides of OpenPGP](#main-upsides-of-openpgp)
- [Main downsides of OpenPGP](#main-downsides-of-openpgp)
- [Understanding the OpenPGP Web of Trust](#understanding-the-openpgp-web-of-trust)
- [Using the Web of Trust in your team](#using-the-web-of-trust-in-your-team)
- [Spinning the web](#spinning-the-web)
- [Yes, but what if they are 12 timezones away?](#yes-but-what-if-they-are-12-timezones-away)
- [Keysigning parties](#keysigning-parties)
- [Sending trusted emails](#sending-trusted-emails)
- [When to sign](#when-to-sign)
- [When to encrypt](#when-to-encrypt)
- [Trusting IM sessions](#trusting-im-sessions)
- [One-on-one messaging](#one-on-one-messaging)
- [Group messaging](#group-messaging)
- [Trusting git commits](#trusting-git-commits)
- [Signed-off-by's](#signed-off-bys)
- [Signed tags and commits](#signed-tags-and-commits)
- [Releasing code trusted by the community](#releasing-code-trusted-by-the-community)
- [Securing infrastructure access](#securing-infrastructure-access)
- [Using PGP keys with SSH](#using-pgp-keys-with-ssh)
- [Checklist](#checklist)
- [License](#license)

Establishing trusted communication between members of your team is paramount
not only to avoid potential security problems associated with phishing and
impersonation, but also to make it possible to exchange sensitive information
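Review bot: the context line directly above the inserted block reads `*Status: OUTDATED*`, and giving this guide a full navigable table of contents makes it look as maintained as the three guides marked CURRENT in the same change; consider prefacing the inserted list with a one-line pointer to the guide that supersedes it, or leaving this file out of the change until the status is resolved. The anchors themselves are consistent with the rest of the series (`#openpgp-vs-smime` and `#signed-off-bys` drop the slash and apostrophe exactly as a GitHub-style renderer does), so no link fixes are needed here.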