diff --git a/static/build.html b/static/build.html index 5bc78eb5..829b60f9 100644 --- a/static/build.html +++ b/static/build.html @@ -547,7 +547,7 @@ m aapt2

You should set a passphrase for the signing keys to keep them at rest until you need to sign a release with them. The GrapheneOS scripts (make_key and - encrypt-keys.sh) encrypt the signing keys using scrypt for key derivation + encrypt-keys) encrypt the signing keys using scrypt for key derivation and AES256 as the cipher. If you use swap, make sure it's encrypted, ideally with an ephemeral key rather a persistent key to support hibernation. Even with an ephemeral key, swap will reduce the security gained from encrypting the keys since it breaks the @@ -590,9 +590,9 @@ cd ../..

You can (re-)encrypt your signing keys using the encrypt-keys script, which will prompt for the old passphrase (if any) and new passphrase:

-
script/encrypt-keys.sh keys/raven
+
script/encrypt-keys keys/raven
-

The script/decrypt-keys.sh script can be used to remove encryption, +

The script/decrypt-keys script can be used to remove encryption, which is not recommended. The script exists primarily for internal usage to decrypt the keys in tmpfs to perform signing.