Encryption: Difference between revisions
No edit summary |
No edit summary |
||
| Line 17: | Line 17: | ||
Use the following config file:<pre>MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com</pre> | Use the following config file:<pre>MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com</pre> | ||
==SSL Key Management== | ==SSL/TLS Key Management== | ||
===Key Creation=== | ===Key Creation=== | ||
If you need a SSL cert that is signed by a root authority for public use in a web browser or other SSL/TLS client, use [https://letsencrypt.org/ Let’s Encrypt] to get free SSL certificates.<br>Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open. In Public Beta 2015-12-03. | If you need a SSL/TLS cert that is signed by a root authority for public use in a web browser or other SSL/TLS client, use [https://letsencrypt.org/ Let’s Encrypt] to get free SSL certificates.<br>Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open. In Public Beta 2015-12-03. | ||
==Secure SSL/TLS Ciphers== | |||
===Stunnel=== | |||
As of 2018-07-02, using TLS 1.3 with stunnel, this is the most secure configuration (TLS 1.2 and 1.3 only): | |||
verify = 2 | |||
sslVersion = all | |||
options = NO_SSLv3 | |||
options = NO_TLSv1 | |||
options = NO_TLSv1.1 | |||
options = CIPHER_SERVER_PREFERENCE | |||
options = DONT_INSERT_EMPTY_FRAGMENTS | |||
ciphers = TLS13-AES-256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384 | |||
Revision as of 21:36, 2 July 2018
Key Management
SSH Key Management
Key Creation
As of December 2015, the most secure key type is ed25519 with 4096-bit:
ssh-keygen -t ed25519 -b 4096 -C my@email.com -f keyfile
Older clients may not support ed25519, but fuck them.
Secure Configuration
Using crypto is only the first step. You need to ensure that the tools you use are locked down to enforce only the protocols that are not known to be weak.
SSH
Server Config
Ciphers
As of 2015-12-04, the best Ciphers setting in /etc/ssh/sshd_config is:
Ciphers aes192-ctr,aes256-ctr,arcfour256,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour
MACs
As of 2015-12-04, the best MACs setting in /etc/ssh/sshd_config is:
- Disable anything using MD5
- Disable anything using less than 128 bits
- Disable anything not using -etm mode
Use the following config file:
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
SSL/TLS Key Management
Key Creation
If you need a SSL/TLS cert that is signed by a root authority for public use in a web browser or other SSL/TLS client, use Let’s Encrypt to get free SSL certificates.
Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open. In Public Beta 2015-12-03.
Secure SSL/TLS Ciphers
Stunnel
As of 2018-07-02, using TLS 1.3 with stunnel, this is the most secure configuration (TLS 1.2 and 1.3 only):
verify = 2 sslVersion = all options = NO_SSLv3 options = NO_TLSv1 options = NO_TLSv1.1 options = CIPHER_SERVER_PREFERENCE options = DONT_INSERT_EMPTY_FRAGMENTS ciphers = TLS13-AES-256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384