author | Nicholas Johnson <mail@nicholasjohnson.ch> | 2024-11-23 00:00:00 +0000 |
---|---|---|
committer | Nicholas Johnson <mail@nicholasjohnson.ch> | 2024-11-23 00:00:00 +0000 |
commit | 52d5e9267a1fdadd5e91d8e096753f2b39b1abee61c733346078d510ce619645 (patch) | |
tree | 942ae08cfc44b1b882467bc888d6e95dff28bd99b3f9517ed7cb61b7aee35f50 /content/entry/dead-mans-switch.md | |
parent | c78a77591ed7344cec4305b3e3238b1d15b9b1d55cf27139168c08d1ad78cffd (diff) | |
download | journal-52d5e9267a1fdadd5e91d8e096753f2b39b1abee61c733346078d510ce619645.tar.gz journal-52d5e9267a1fdadd5e91d8e096753f2b39b1abee61c733346078d510ce619645.zip |
Convert angle brackets to square brackets
Hugo was rendering the angle brackets as raw HTML and omitting them.
Diffstat (limited to 'content/entry/dead-mans-switch.md')
-rw-r--r-- | content/entry/dead-mans-switch.md | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/content/entry/dead-mans-switch.md b/content/entry/dead-mans-switch.md index 2b57b9f..2b7887e 100644 --- a/content/entry/dead-mans-switch.md +++ b/content/entry/dead-mans-switch.md 
@@ -63,7 +63,7 @@ Once your encrypted archive is prepared you'll need to distribute it to others. ## VPS Setup Now comes the part of the setup where you need a server machine to actually trigger the DMS. If you're using a DMS there's no reason not to make it as secure as possible because securing it from a state-level adversary is only a few steps extra versus securing it from a mobster. I won't cover how to secure your personal computer but if you're using a DMS you should at a minimum have [full-disk encryption](https://en.wikipedia.org/wiki/Full_disk_encryption) enabled with a strong password. -To get started use an anonymous VPS since you shouldn't have physical access to the server. If you have physical access an adversary could also gain physical access and permanently disarm the switch. So the first thing you need to do is acquire [Monero](https://www.monero.how/). Then use Tor Browser to [purchase a foreign VPS with the Monero](https://www.getmonero.org/community/merchants/#hosting), but don't give the VPS provider your true credentials. You can ssh into your VPS with the command torify ssh <user>@<server>. Then you should [harden your ssh configuration](https://blog.stribik.technology/2015/01/04/secure-secure-shell.html) and put sshd behind a [Tor v3 Hidden Service](https://scribe.rip/@NullByteWht/how-to-set-up-an-ssh-server-with-tor-to-hide-it-from-shodan-hackers-eda93927a742) so a [MITM](https://en.wikipedia.org/wiki/Man-in-the-middle) can't locate it. Once all that's done you're finally ready to set up the actual DMS. +To get started use an anonymous VPS since you shouldn't have physical access to the server. If you have physical access an adversary could also gain physical access and permanently disarm the switch. So the first thing you need to do is acquire [Monero](https://www.monero.how/). 
Then use Tor Browser to [purchase a foreign VPS with the Monero](https://www.getmonero.org/community/merchants/#hosting), but don't give the VPS provider your true credentials. You can ssh into your VPS with the command torify ssh [user]@[server]. Then you should [harden your ssh configuration](https://blog.stribik.technology/2015/01/04/secure-secure-shell.html) and put sshd behind a [Tor v3 Hidden Service](https://scribe.rip/@NullByteWht/how-to-set-up-an-ssh-server-with-tor-to-hide-it-from-shodan-hackers-eda93927a742) so a [MITM](https://en.wikipedia.org/wiki/Man-in-the-middle) can't locate it. Once all that's done you're finally ready to set up the actual DMS. ## Cron There is free software that automatically configures a DMS, but it's equally as easy to set one up yourself. Simply write a script that checks for the existence of a file and schedule it to run at regular intervals using [Cron](https://en.wikipedia.org/wiki/Cron). If the file exists, delete it. If the file does not exist, your script should execute a separate script that publishes the passphrase or private key needed to decrypt the data. It's up to you where you publish the decryption key. Just be sure to test it first with a fake key. @@ -71,10 +71,10 @@ There is free software that automatically configures a DMS, but it's equally as Here's what such a script might look like: ```bash {linenos=table} -# File: /home/<user>/trigger.sh +# File: /home/[user]/trigger.sh -FILE_DISARMED=/home/<user>/disarmed -LEAK_SCRIPT=/home/<user>/leak.sh +FILE_DISARMED=/home/[user]/disarmed +LEAK_SCRIPT=/home/[user]/leak.sh if test -f "$FILE_DISARMED"; then rm "$FILE_DISARMED" @@ -88,7 +88,7 @@ The script for disarming the switch might look like: ```bash {linenos=table} # File: /usr/local/bin/disarm.sh -FILE_DISARMED=/home/<user>/disarmed +FILE_DISARMED=/home/[user]/disarmed GREEN='\033[0;32m' CYAN='\033[0;36m' NC='\033[0m' 
@@ -104,13 +104,13 @@ fi Those two scripts are the most important. Don't forget to set their permissions as executable. Next you need to decide how often you want the switch to be triggered. You can set it to be as frequent as you wish but remember if the switch isn't deactivated each time before trigger.sh runs it will publish the private key. The last thing you want is to accidentally trigger the switch. Phoenixnap.com has a great [knowledge base article on using Cron](https://phoenixnap.com/kb/set-up-cron-job-linux). Here's an example that triggers the switch monthly at 00:00 hrs: ```plaintext -@monthly /home/<user>/trigger.sh +@monthly /home/[user]/trigger.sh ``` And finally the client command to disarm the switch is: ```bash -torify ssh <user>@<address.onion> disarm.sh +torify ssh [user]@[address.onion] disarm.sh ``` ## Reminder |
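Review bot: in the first hunk (@@ -63,7) the `+` line changes `torify ssh <user>@<server>` to `torify ssh [user]@[server]` in running prose, but the command is still bare text; wrapping it in an inline code span would also stop Hugo from treating the angle brackets as raw HTML, would keep the conventional `<placeholder>` style, and would mark the text as something to be typed rather than read.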
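Review bot: the three replacements in the second hunk (@@ -71,10) sit inside a fenced `bash {linenos=table}` block, where the highlighter already HTML-escapes angle brackets, so swapping to `/home/[user]/...` there is for consistency with the prose rather than the rendering fix the commit message describes; worth stating that in the message. Since the block is shell, `FILE_DISARMED=$HOME/disarmed` and `LEAK_SCRIPT=$HOME/leak.sh` would remove the placeholder altogether and run unchanged for whichever account owns the cron entry (cron sets `HOME` for the job's user).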
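Review bot: in the third hunk (@@ -88,7) `disarm.sh` is installed system-wide in `/usr/local/bin` but hardcodes `FILE_DISARMED=/home/[user]/disarmed`; if any other account runs it over ssh it will refer to the wrong file and the switch stays armed, so deriving the path from `$HOME` (or sharing one variable definition with `trigger.sh`) keeps both scripts pointing at the same file. As in the previous hunk, the bracket swap inside the fenced block is cosmetic.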
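Review bot: in the last hunk (@@ -104,13) the client command `torify ssh [user]@[address.onion] disarm.sh` invokes `disarm.sh` bare, so it relies on `/usr/local/bin` being on the PATH of the non-interactive session sshd starts; spelling out `/usr/local/bin/disarm.sh` (the path the earlier hunk already shows) removes that dependency and avoids a silent no-op if the session PATH is restricted. Minor: the cron line is in a `plaintext` fence while the ssh line is in a `bash` fence; both are commands and could use the same fence tag.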