The following constraints apply:
- cannot use a physical storage medium (such as a safe/vault)
- the service used to store the secret/password should be highly available and accessible from anywhere in the world.
In our company, we are developing cutting-edge and critical software which will be deployed on mission-critical products, so I wanted to know how I should make the whole process from software development to software deployment secure, i.e. so that no one (internal staff or even a cybercriminal) could make changes and modifications to our software. For this purpose, what standards or best practices should I follow?
I’ve taken measures and thoughts on how to securely store and manage my key pair. In the process, a few questions arose which I’m not capable of answering yet. My key pair will be used to encrypt passwords and documents of banks, insurances, invoices, photos and the like. All this data is not publicly available. It is stored in a cloud with password-restricted access. I’m evaluating right now which one fits best.
This is how I set up my key pair:
    # Generated a key pair in the past, following general tutorials
    gpg> list
    sec  rsa2048/9AB628FC04C23871
         created: 2019-02-29  expires: 2022-02-29  usage: SC
         trust: ultimate      validity: ultimate
    ssb  rsa2048/17832C40CF826BA9
         created: 2019-02-29  expires: 2022-02-29  usage: E
    ( ultimate ) (1). Thomas Kelly <Tkelly@ua-corp.com>

    > gpg --list-keys --with-fingerprint Tkelly@ua-corp.com
    pub   rsa2048 2019-02-29 (SC) (expires: 2022-02-29)
          B69A 8371 FC28 402C C204 82CF 7138 A96B B8F4 C87A
    uid   ( ultimate ) Thomas Kelly <Tkelly@ua-corp.com>
    sub   rsa2048 2019-02-29 (E) (expires: 2022-02-29)

    > fdisk /dev/sdb # n, 2048, +2G, w
    > cryptsetup open --type plain -d /dev/urandom /dev/sdb1 data
    > dd if=/dev/zero of=/dev/mapper/data status=progress bs=1M
    > cryptsetup close data
    > cryptsetup luksFormat /dev/sdb1 # pw ...
    > sudo cryptsetup open /dev/sdb1 data
    > mkfs.ext4 /dev/mapper/data

Then I went on and exported my keys to this device I’ve created. After I got used to the fact that private keys are always a little bit different from one another and that you can’t export your sub-public key, the following questions remained:

    gpg --export-secret-keys 17832C40CF826BA9
    gpg --export-secret-subkeys 9AB628FC04C23871

Is it fine to remove the key 9AB628FC04C23871 from my system after I have backed it up on the drive created above?
Should I save a revocation certificate with it?
This key pair once expired and I changed the expiry date. I can’t remember correctly, but I’ve found two additional certificates lying around that seem to be these old expired certificates. I’ve read that the process of changing the expiry value creates new certificates. Can you confirm this?
I want to have two certificate stores like this in different locations. I’d renew the key on a yearly basis. Should I use paperkey or the same digital method above?
As far as I understand, resetting an iOS device by using “Erase All Content and Settings” is considered secure deletion, as the key for the encryption is obliterated and no data can be recovered.
Just to be sure: is that still the case if I set up the device with the same Apple ID afterwards? Will iOS generate a new key, or will the system somehow recognize my account and use the same key all over again?
I would really like to make my phone more secure. But at the same time I want to be able to factory wipe it at any time. I’m afraid that factory wiping could brick the phone or make it unusable. So is it safe to wipe the phone directly after encrypting it?
I would really like to make my phone more secure. But at the same time I want to be able to wipe it at any time. I’m afraid that wiping could brick the phone or make it unusable. So is it safe to wipe the phone directly after encrypting it?
Browser wallet extensions that let you interact with dapps are required to access different crypto-related services. These (to mention a few: MetaMask, Fortmatic, Tron wallet, etc.) often require access to everything I do in the browser, including crypto exchanges, other wallets, etc.
Do I have a better option than installing, say, 10 standalone portable Chromium browsers, one for each extension?
As far as I understand, there are different approaches, and I have a few doubts regarding each of them:
On the one hand, it seems that a factory reset does not itself securely erase data from SSD storage for certain operating systems and devices. However, in case data are first encrypted and then the factory reset is executed, the data will remain in the storage as encrypted, thus they cannot be recovered (as long as the encryption scheme remains secure).
My doubt is that this approach does take into consideration the fact that a portion of data may have been deleted before being encrypted, so they are not involved in the encryption once executed and they are recoverable. Is this a potential problem?
On the other hand, it seems that for SSDs the traditional method of filling the whole storage with zeros or random data is not the recommended approach, because intense writing may reduce the life of the device, and the recommended approach is one exploiting some magic related to the physics of the hardware that “erases” the electrons used to represent data at once. While the traditional method of filling the whole storage is not recommended, is it still secure (as secure as the recommended one)?
What about using a data recovery tool first, then encrypting everything and finally deleting whatever you don’t need? Thus, you’d make sure that whatever recoverable data your SSD has will at least be encrypted.
Of course, the caveat to this approach is that one could use more sophisticated recovery tools than you and, thus, get access to unencrypted data you weren’t able to recover.
We have open source software that allows users to be created. The users are saved in an LDAP directory. The software connects to the LDAP as an administrator to write a new entry for a new user, or to edit the password if the user wants to change his password. To do this, the LDAP master password must be stored in the software. Now, this password is valuable, where valuable means that if it gets into the wrong hands, you have to call the police within hours. Therefore the suggestion was made to store the password reversibly encrypted with salt. However, for me this does not amount to a remarkable improvement, because the key for the encryption must also be stored on the system, as well as the salt. If an intruder has root privileges on the system, he can read the encrypted password, key, and salt, and with the open source software application and a little programming knowledge, he will have decrypted the password shortly. I have been thinking about the best way to solve this, but no matter which technology you use, the associated key must always be stored on the system, so it is just as vulnerable as before. So the question is essentially: how do you make the application have the key without it being stored on the system?
The application is old and has a lot of memory leaks, so it has to be restarted automatically every night, so just keeping the key in memory is not a usable option. The key must be permanently available, even after restarting the server.
What I had assumed is that if I am able to set a CORS policy, an error will be thrown if someone tries to access the server by means other than a browser.
    'Access-Control-Allow-Origin', 'http://localhost:4200'
    'Access-Control-Allow-Credentials', 'true'
If I had set the above headers in the response from PHP, then only a site (CORS enabled) that is running on ‘http://localhost:4200’ can access the server; otherwise it will throw an error.
But recently I’ve found out that if I edit the Origin header and send a request, it does not throw a CORS error; instead the request was successful.
Is there any way I can limit site access to the browser only, from ‘http://localhost:4200’?
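The behaviour described in this question, as an added example that is not part of the original post: CORS response headers are instructions a browser enforces on page script, so a server that only sets them still answers every request, and access control has to rest on a server-side credential check. The function names, the bearer-token scheme and the token value are assumptions constructed for illustration; only the origin and the two headers come from the post.

```javascript
// Added example: models the server's decision as pure functions (no network).
const ALLOWED_ORIGIN = 'http://localhost:4200';                   // from the post
const VALID_TOKENS = new Set(['constructed-session-token']);      // constructed

const CORS_HEADERS = {
  'Access-Control-Allow-Origin': ALLOWED_ORIGIN,
  'Access-Control-Allow-Credentials': 'true',
};

// What the post does: attach the CORS headers and always answer.
// The headers only tell a browser whether page script may read the response.
function headersOnly(req) {
  return { status: 200, headers: CORS_HEADERS, body: 'data' };
}

// Hardened: reject unexpected origins on the server AND require a credential.
// The Origin check stops other web pages running in a browser; the token check
// is what covers non-browser clients, which can send any Origin value.
function enforced(req) {
  const origin = req.headers['origin'];
  if (origin !== undefined && origin !== ALLOWED_ORIGIN) {
    return { status: 403, headers: {}, body: 'origin not allowed' };
  }
  const auth = req.headers['authorization'] || '';
  const token = auth.startsWith('Bearer ') ? auth.slice(7) : '';
  if (!VALID_TOKENS.has(token)) {
    return { status: 401, headers: CORS_HEADERS, body: 'authentication required' };
  }
  return { status: 200, headers: CORS_HEADERS, body: 'data' };
}

// Constructed sample requests (header names lower-cased, as Node.js does).
const fromOtherSite = { headers: { origin: 'http://other.example' } };
const claimsAllowedOrigin = { headers: { origin: ALLOWED_ORIGIN } };
const legitimate = {
  headers: { origin: ALLOWED_ORIGIN, authorization: 'Bearer constructed-session-token' },
};

// Status under each policy: [headersOnly, enforced] per request.
function demo() {
  return [fromOtherSite, claimsAllowedOrigin, legitimate].map(
    (r) => [headersOnly(r).status, enforced(r).status]);
}

console.log(demo()); // [ [ 200, 403 ], [ 200, 401 ], [ 200, 200 ] ]
```

Preflight (`OPTIONS`) handling is left out to keep the example to the one decision the question is about.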