aws – How MySQL keyring_aws plugin stores the master key securely?

From MySQL internal doc, I am presuming that keys of keyring_aws are stored locally after generation. All the mandatory information like master key needed to decrypt table is configured locally using variable named ‘keyring_aws_cmk_id’.

If Intruder gets disk access then he/she get access to Mysql data directory and the master key stored in mysql conf file. Could be of great help if anyone could share some insights on security.

encryption – How to securely encrypt shared data for a dynamic amount of users?

You can use a simple symmetric encryption, like ChaCha20-poly1305, to encrypt the data with a key derived from the password, using Argon2id for example.

The key, encoded in base64url, can be appended by the client to the link as a URL fragment. The server (and its administrator) does not need to know the password or the key: the encryption should be entirely done by the client, for example in Javascript if the client is in HTML. If you want to append the key as a URL query, you should take care that the server does not read, process or log it.

The service MEGA is using a similar approach. This just an example of an implementation and not an endorsement of this particular service.

malware – How to securely create a bootable USB drive from a possibly infected system?

There is no foolproof way. Since you can’t trust the system, you can’t reliably verify the integrity of the image you will be using to create the bootable USB or, for that matter, of anything else. No matter what you do, it is possible for the malware to have interfered with it.

You could, however, do something the malware would likely not expect. Like make a bootable USB for a lightweight Linux distro, boot live from it, and then make the Windows 10 bootable USB from the live Linux OS. It is quite unlikely for a Windows malware to infect Linux as well, but for that matter, it is unlikely for malware to infect bootable USBs in the first place.

20.04 – Formatting USB flash drive securely on Ubuntu

After days of searching on the internet – I really need you help.

I have fresh installation of Ubuntu 20.04. No additional software has been installed. Also no changes to the system have been made. It is really just clean installation from DVD and update through “software update”.

I want to connect an USB-drive to this system and format it. I do not need to open any files from USB-drive. The only purpose is to have a fat32 formatted USB-drive.

How to perform this action without risking to get a worm or any other malware potentially contained on the USB-drive?

How securely should one treat their primary public key?

First of all, is my understanding correct that primary keys and subkeys are all key pairs consisting of a private and a public key?

I get the rationale behind using primary keys and subkeys1, and why one should keep the private primary key (or master key) “very, very safe“, but not sure what the consensus is on handling the public primary key? Is this the one that should be shared with others or uploaded to a key server2? (Sometimes this may be an explicit requirement.)


It was also confusing to see sentences such as “GnuPG actually uses a signing-only key as the master key” but realized that this refers to the private primary key because (quoting from the same source)

You use the private key to digitally sign files, and others use the public key to verify the signature. Or, others use the public key to encrypt something, and you use the private key to decrypt it.


(1):

  • To use different keys for signing and encrypting
  • to mitigate the effect of lost/stolen keys (see also)
  • (TODO: continue list with more)

(2): Superuser thread: Where to upload PGP public key? Are KeyServers still surviving?

javascript – Securely store data in localStorage

I am building a payment app where I need to pass a transaction ref and payment id to a next step in the payment process to verify a payment… For authenticated users this is handled all in the server, saved and retrieved there…Now I am creating a payment feature where non authenticated users can pay users but i can not use session…What i am thinking of doing is first encrypting the data(ref and id) in server using AES 256 bit and then send them to localStorage, in the next process retrieve the data, decrypt and finish processing the payment, once payment is successful, delete the data…just want to know if this is ok or if there are security issues with it.

security – How to securely develop and deploy a software

In our company, we are developing cutting-edge and critical software which they will deploy on mission critical product, so I wanted to know how should I make the whole process from software development to software deployment secure? i.e. no one (from internal or even cybercriminal) could make some changes and modifications to our software. So for this purpose, what standard or best practices I should follow?