Whatever works. I prefer OpenVPN/Softether for their SSL VPN implementations, and am too lazy to be arsed to deal with stunnel and Wireguard. But if you’re not as paranoid then Wireguard works perfectly fine

That’s a lot of software I haven’t heard of before (Nyxt and Tubo), thanks. How do you like GUIX?

Yup. I’ll open a port in a cheap VPS and tunnel my traffic over that rather than directly open ports on my router. If people here can trust Cloudflare they can use their tunnels too

I might actually have to use Conjur for temporary credentials in my network. Thanks

How do you securely authenticate, restrict access to secrets and store secrets with pass? Other than GPG authentication and discrete keys for different secrets (in which case, how would you automate key policies and life cycles?)

Get a thinkpad?

Could you tell me how I can use pass whilst authenticating an application with something akin to identities? I.e. I need application 1 to be able to access a certain key but I don’t want application 2 to be able to do so. How would I be able to restrict access to keys?

A bit about the scenario: I will be running this in a VM which will act as my central password suite on the network, which I will access using a password/keys.

Thanks

Thank you for raising these points. I’ll need to read more about DMA, Baseband and shielding.

Thank you, I’ll need to think more about possible attack vectors

Thanks

What do you mean?

I’m so glad that you brought this up. As might be apparent, I have fairly strong sentiments regarding freedom of software. I won’t be spilling everything I feel into a single comment, but needless to say, this is a subject I feel strongly about.

On hardware

I absolutely detest Intel and Qualcomm. I wish them the worst in their collective futures (alongside the likes of Samsung and Mediatek too, but I’ll keep to the two of these for now). I have a soft spot for AMD for sticking with the FOSS community to an extent and for their affirmative action towards open silicon initialisation with OpenSIL.

I am not one to drink, but I will personally purchase an expensive bottle of wine from the nearest Costco on the occasion I feel that RISC-V has finally reached the realm of everyday computing. Unfortunately, that seems to be a while away, with SBCs being the only ones to bring the technology forward.

On software

On a related note, I am almost equally annoyed at software that has been locked down. Embedded software like the one in the EC and the PCH, alongside proprietary drivers in peripherals and microcode like you described, are something I wholly abhor.

But that was a lot of complaining. If you go through my posts, just the other day I was asking if the T440p was the last Thinkpad I could put Coreboot on (the answer is yes), alongside which I went over me_cleaner and the AMD PSP remover. I do not prefer Coreboot either, but it’s the best we can do till probably 2030.

On physical security

I will be employing Faraday cages and metal shielding liberally around my electronics, in an attempt to prevent some of what you mention. Unless we’re talking about undisclosed exploits in Android, removing Google and most other proprietary applications should do the trick (I doubt I can do much if the NSA really wants to listen). Of course, by that logic, me_cleaner should be good enough too, but I digress. Of course, all network traffic will be logged and I will operate on a “whitelist by case” basis.

Thank you for bringing across the point of spying using an accelerometer (I’m interested in how that would work, could you point me towards what I should look for?), I’ll make sure to utilise simple and easily auditable hardware.

This is not a perfect method, and I have a lot to learn about OPSEC and cybersecurity. Thanks again for your comment.

I think you replied to the wrong comment haha

This machine will not be connected to the Internet, and the only way to get to it would be a VLAN-hopping attack (in which case, I’ll have to think of something else)

Thanks for your reply. Fortunately, I am not a person under such scrutiny, and the only reason I ask this is because I’m paranoid.

Thank you for the comprehensive answer. I will go through it again and attempt to implement some of these mitigations.

Thanks again, I saved your comment

Thank you, I realise that what I’m asking for might not be physically possible. I’m certain that RAM loses all of its contents after a loss of power, but would it be possible to pad the RAM before/during the shutdown process to make sure that nobody gets to the key?

Thank you, and indeed, I realise that I may have been asking for the impossible

I’m curious; how would you do it for VMs with an encrypted virtual disk?