You should set a passphrase for the signing keys to keep them at rest until you
need to sign a release with them. The GrapheneOS scripts ( You can (re-)encrypt your signing keys using the You can (re-)encrypt your signing keys using the The The make_key and
- encrypt_keys.sh) encrypt the signing keys using scrypt for key derivation
+ encrypt-keys.sh) encrypt the signing keys using scrypt for key derivation
and AES256 as the cipher. If you use swap, make sure it's encrypted, ideally with an
ephemeral key rather a persistent key to support hibernation. Even with an ephemeral
key, swap will reduce the security gained from encrypting the keys since it breaks the
@@ -586,12 +586,12 @@ cd ../..
Encrypting keys
- encrypt_keys script,
+ encrypt-keys script,
which will prompt for the old passphrase (if any) and new passphrase:script/encrypt_keys.sh keys/raven
+ script/encrypt-keys.sh keys/raven
- script/decrypt_keys.sh script can be used to remove encryption,
+ script/decrypt-keys.sh script can be used to remove encryption,
which is not recommended. The script exists primarily for internal usage to decrypt
the keys in tmpfs to perform signing.script/generate_delta.sh script provides a wrapper script for generating
+ script/generate-delta.sh script provides a wrapper script for generating
delta updates by passing the device, source version build number and target version
build number. For example:
script/generate_delta.sh raven 2021102503 2021102613+
script/generate-delta.sh raven 2021102503 2021102613
The script assumes that the releases are organized in the following directory structure: