I created a let’s encrypt certificate for my domain and install my SSL certificate in the nginx reverse proxy. Now, I want to secure the communication between the proxy and the backend server using also let’s encrypt and I have the same domain name for both the proxy and the server. I don’t want to use self-signed certificate in the backend server. So, how can I use let’s encrypt for both the server and the proxy?
We can generate OTP using HOTP – RFC 4226 and TOTP – RFC 6238.
But the generated OTP normally has a checking function
authenticator.check(token, secret);. But this only checks if the OTP is valid.
How to store any
data such that it will be encrypted in the storage of the system and can only be accessed after entering the OTP.
I’m thinking to build a VPN for personal use on a VPS but am unable to understand one thing. How exactly VPN providers encrypt data from client to their server? Suppose if I simply configure IP of my VPS and port in my browser it would be simple proxy it won’t encrypt traffic that originates from my machine or browser.
If I use OpenVPN would it solve the purpose?
One more thing which I can’t understand is, how do VPN providers exactly restricts usage to a few devices. Do they save device information? If by few devices they mean only X devices can run this VPN in parallel then how do the exactly restrict usage to only X devices because they have limited IPs and tons of users routing their traffic through them and there’s no way to know to know who is using how many devices. If this is mapped to user account and they figure this out via his unique account then technically they are maintaining logs right?
Is it possible to encrypt data server side and then decrypt it client side; without the client having the ability to encrypt the data themselves after decrypting?
I’m working on a license manager which needs to be able to read the contents of the encrypted file, but ideally we don’t want the client to have the ability to create their own encrypted license file.
By looking at https://letsencrypt.org/how-it-works/, I got the feeling that a man-in-the-middle attack might be possible in the ‘Domain Validation’ phase.
During that phase, the admin is asked to e.g. perform the challenge of putting a file on the webserver and sending a signed nonce to the CA. What if a man-in-the-middle generated his own (authorization) key pair (while the admin is performing the domain validation) and signed the nonce with the malicious key pair? The admin would have performed the challenge by posting a file on the server and the CA would have gotten a maliciously signed nonce (if the man-in-the-middle is able to discard the signed nonce from the admin). This would mean a compromised authorization key in control of the man-in-the-middle for a domain.
The solution (in my opinion) would be to simply post the signed nonce on the Website (on a path decided by the CA) instead of sending it to the CA, such that the “signature swap” cannot happen. This however is not depicted on the Let’s Encrypted “How it works” explanation.
Am I understanding something wrong or how is such an attack prevented?
just a quick question – does BitLocker encrypt everything including host protected area, device configuration overlay and bad sectors?
Normally, to upload an encrypted file I would first encrypt the entire file, then upload the encrypted file. However, for large files this is not that easy as I need a external hard drive to hold the encrypted file. I am wondering if it is possible to perhaps encrypt a large file, say of 500 GB size, bit by bit, and to send the bit by bit encrypted information to an upload stream to say, Google Drive? Thanks.
I am using GnuPG. When gpg encrypt is called from the command line, how is a key chosen to do the encryption? It appears to me that -r, or –recipient, supplies a user id and that is the simple answer. I believe all of the examples I have looked at they show an email address for recipient, which is required input when creating your key. However, I was able to create 2 keys with the exact same user name, comment, and email address. How does gpg pick a key if there are two keys that have identical email addresses and that email address is used for the recipient? It seems to me like using key id would be the best way to do this, but I do not see that option.
Say I have a document. I want to encrypt it, then give it to my friend, and I don’t want them to be able to decrypt it. I want them to encrypt it again using their GPG system. Then to decrypt it my friend has to first decrypt it, send it to me, and I decrypt it.
How do I do that roughly with the GPG CLI? I am confused because there are 3 interrelated elements.
gpg --encrypt --sign --armor -r firstname.lastname@example.org -r email@example.com name_of_file
I amnot sure how they all relate or what they do exactly. Do I just encrypt it without signing and without recipients, pass it to my friend and they encrypt it without signing or adding recipients?
Here is what I have done roughly, starting from scratch:
$ brew install gnupg $ cat >foo <<EOF Key-Type: RSA Key-Length: 4096 Subkey-Type: RSA Subkey-Length: 4096 Name-Real: My Name Name-Comment: ... Name-Email: ... Expire-Date: ... Passphrase: EOF $ gpg --batch --full-generate-key foo gpg: key ... marked as ultimately trusted gpg: revocation certificate stored as '/Users/username/.gnupg/openpgp-revocs.d/....rev' $ gpg --list-keys pub rsa2048 2013-11-23 [SC] ...key1... uid [ultimate] My Name <firstname.lastname@example.org> sub rsa2048 2019-10-26 [E] pub rsa4096 2019-10-26 [SC] .... $ gpg --output me.asc --armor --export ...key1... $ gpg --import me.asc gpg: key ...: no valid user IDs gpg: this may be caused by a missing self-signature gpg: Total number processed: 1 gpg: w/o user IDs: 1 $ gpg --version gpg (GnuPG) 2.2.17
What I would like to finish doing is finally encrypt a document.
$ gpg --encrypt file.png --recipient "???"
Not quite there yet. Wondering why I am getting this error:
gpg: key ...: no valid user IDs gpg: this may be caused by a missing self-signature
What steps am I missing? What did I do wrong or do I need to do?
Do I want a “self signature”, or do I want to somehow sign this with some trusted party (I’m vaguely familiar with self-signed SSH certificates, which is what I’m drawing the parallel with).