diff --git a/static/build.html b/static/build.html index 5bc78eb5..829b60f9 100644 --- a/static/build.html +++ b/static/build.html @@ -547,7 +547,7 @@ m aapt2
You should set a passphrase for the signing keys to keep them at rest until you
need to sign a release with them. The GrapheneOS scripts (make_key
and
- encrypt-keys.sh
) encrypt the signing keys using scrypt for key derivation
+ encrypt-keys
) encrypt the signing keys using scrypt for key derivation
and AES256 as the cipher. If you use swap, make sure it's encrypted, ideally with an
ephemeral key rather a persistent key to support hibernation. Even with an ephemeral
key, swap will reduce the security gained from encrypting the keys since it breaks the
@@ -590,9 +590,9 @@ cd ../..
You can (re-)encrypt your signing keys using the encrypt-keys
script,
which will prompt for the old passphrase (if any) and new passphrase:
script/encrypt-keys.sh keys/raven+
script/encrypt-keys keys/raven-
The script/decrypt-keys.sh
script can be used to remove encryption,
+
The script/decrypt-keys
script can be used to remove encryption,
which is not recommended. The script exists primarily for internal usage to decrypt
the keys in tmpfs to perform signing.