From 57bcf303bfa6866d424cdb6573a2686a3a401846 Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Mon, 17 Feb 2025 12:45:55 -0500 Subject: [PATCH] rename encrypt-keys.sh/decrypt-keys.sh scripts --- static/build.html | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/static/build.html b/static/build.html index 5bc78eb5..829b60f9 100644 --- a/static/build.html +++ b/static/build.html @@ -547,7 +547,7 @@ m aapt2

You should set a passphrase for the signing keys to keep them at rest until you need to sign a release with them. The GrapheneOS scripts (make_key and - encrypt-keys.sh) encrypt the signing keys using scrypt for key derivation + encrypt-keys) encrypt the signing keys using scrypt for key derivation and AES256 as the cipher. If you use swap, make sure it's encrypted, ideally with an ephemeral key rather a persistent key to support hibernation. Even with an ephemeral key, swap will reduce the security gained from encrypting the keys since it breaks the @@ -590,9 +590,9 @@ cd ../..

You can (re-)encrypt your signing keys using the encrypt-keys script, which will prompt for the old passphrase (if any) and new passphrase:

-
script/encrypt-keys.sh keys/raven
+
script/encrypt-keys keys/raven
-

The script/decrypt-keys.sh script can be used to remove encryption, +

The script/decrypt-keys script can be used to remove encryption, which is not recommended. The script exists primarily for internal usage to decrypt the keys in tmpfs to perform signing.
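Review bot: in the first hunk (@@ -547), the unchanged context right after the renamed line reads "ideally with an ephemeral key rather a persistent key", which is missing "than". Since this paragraph is already being edited for the encrypt-keys rename, fix the sentence in the same commit so the swap guidance reads "rather than a persistent key".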
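Review bot: in the second hunk (@@ -590), the command becomes script/encrypt-keys keys/raven and the text refers to script/decrypt-keys, but the diffstat shows this patch touches only static/build.html. A reader following the guide on a checkout that still ships the .sh names will get a "no such file" error at the key encryption step and may skip encrypting the signing keys. Suggest confirming the script rename has landed in every branch this page documents, or adding a short note that older checkouts use script/encrypt-keys.sh and script/decrypt-keys.sh.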