    Generating keys
    ===============
    
    ``config.json`` holds the paths to the Ristretto signing-key file and the Stripe secret-key file. Both are secrets: keep them out of version control and readable only by the user that runs the service.
    
    Here is a Ristretto key you can use for local development. It was randomly generated when this page was written, but since it is published here, anyone has it, so never use it for a deployment that issues real tokens::
    
      SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=
    
    Generate your own like this::
    
      [flo@la:~/PrivateStorageio]$ nix-shell
      [nix-shell:~/PrivateStorageio]$ nix-shell -p zkapissuer.components.exes.PaymentServer-generate-key
      [nix-shell:~/PrivateStorageio]$ PaymentServer-generate-key
      SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=
    
    Write it into the key file `without any leading or trailing white space, also without newlines <https://github.com/LeastAuthority/python-challenge-bypass-ristretto/issues/37>`_, otherwise the key will not load correctly.
    For example (``echo -n`` suppresses the trailing newline; the file should also be readable only by the user that runs the service)::
    
      echo -n "SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=" > ristretto.signing-key
    
    For the Stripe key, any random bytes with a little light formatting will satisfy our software, but if you want to interact with Stripe and have payments (even pretend payments) move all the way through the system, you need a Stripe account and a key generated there.
    Lauri can get you added to our "dev" Stripe account, too, though I forget how important that is for ad hoc dev/testing.
    
    This generates a random key of the right shape (our software will load it, but Stripe will reject it). Note that plain base64 output can contain ``+`` and ``/``::
    
      >>> import base64, os
      >>> # 25 random bytes -> 36 base64 chars; drop the "==" padding
      >>> print((b"sk_test_" + base64.b64encode(os.urandom(25)).rstrip(b"=")).decode("ascii"))
      sk_test_Dr+XLVjkC0oO3Zw8Ws0yWtDLqR1sM+/fmw
    
    Publishable (public) keys have the same shape but start with ``pk_test_`` instead of ``sk_test_``. The ``test`` part marks a test-mode key, which can only process pretend transactions; keys for real transactions have ``live`` in that position instead.
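    The following Python is an added example (not code from this page or from the PrivateStorageio project) covering both the Ristretto key file and the Stripe placeholder key: it writes a secret file with no trailing newline and mode 0600, checks that a key file has no surrounding whitespace and decodes to 32 bytes, and produces a random key with the shape of a Stripe key. The 32-byte decoded size, the 0600 mode requirement and the alphanumeric Stripe key shape (``STRIPE_KEY_RE``) are the example's own assumptions, not something the page states.

```python
import base64
import binascii
import os
import re
import secrets
import stat
import tempfile

# The key published on this page.  It is public, so it is only good for
# local testing; the checks below accept it because it has the right shape.
SAMPLE_RISTRETTO_KEY = "SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE="

# Assumed shape of a Stripe API key: sk/pk, test/live, alphanumeric body.
# This is the example's own assumption, not a Stripe specification.
STRIPE_KEY_RE = re.compile(r"(sk|pk)_(test|live)_[A-Za-z0-9]{16,}")

KEY_BYTES = 32  # assumed size of a decoded Ristretto signing key


def write_secret_file(path, value):
    """Write `value` to `path` exactly as given (no newline), mode 0600.

    Creating the file with an explicit mode avoids the window in which a
    default-mode file is world-readable before a later chmod.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(value.encode("ascii"))
    return path


def check_ristretto_key_bytes(raw):
    """Return (ok, reason) for the raw contents of a signing-key file."""
    if raw != raw.strip():
        return False, "leading or trailing whitespace/newline present"
    try:
        decoded = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return False, "not valid base64"
    if len(decoded) != KEY_BYTES:
        return False, "decoded key is %d bytes, expected %d" % (len(decoded), KEY_BYTES)
    return True, "ok"


def check_ristretto_key_file(path):
    """Check file contents as above, plus that group/other have no access."""
    with open(path, "rb") as f:
        ok, reason = check_ristretto_key_bytes(f.read())
    if not ok:
        return ok, reason
    if os.name == "posix":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            return False, "file mode %o allows group/other access" % mode
    return True, "ok"


def make_placeholder_stripe_key(kind="sk", mode="test"):
    """Random key with only the *shape* of a Stripe key.

    Our software will load it, but Stripe will reject it.  An alphanumeric
    alphabet is used so the result also passes STRIPE_KEY_RE; plain base64
    output (as in the snippet above) can contain '+' and '/'.
    """
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    body = "".join(secrets.choice(alphabet) for _ in range(24))
    return "%s_%s_%s" % (kind, mode, body)


def looks_like_stripe_key(value):
    return STRIPE_KEY_RE.fullmatch(value) is not None


def demo():
    """Write the sample key with and without a trailing newline and check both."""
    d = tempfile.mkdtemp()
    good = write_secret_file(os.path.join(d, "ristretto.signing-key"), SAMPLE_RISTRETTO_KEY)
    bad = write_secret_file(os.path.join(d, "ristretto.signing-key.bad"), SAMPLE_RISTRETTO_KEY + "\n")
    return {
        "good": check_ristretto_key_file(good),
        "newline": check_ristretto_key_file(bad),
        "stripe": make_placeholder_stripe_key(),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

    Running the block writes the sample key into a temporary directory twice, once correctly and once with the trailing newline that ``echo`` without ``-n`` would add, and reports that only the first copy passes.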
    
    The ``zkapissuer.service`` needs a working TLS certificate and expects it in the certbot directory for the domain you configured (``payments.localdev`` in the example below).
    For local development a self-signed certificate is enough; when prompted for the subject, use that domain as the Common Name::
    
      openssl req -x509 -newkey rsa:4096 -nodes -keyout privkey.pem -out cert.pem -days 3650
      touch chain.pem
    
    Move the three ``.pem`` files into the payment server's ``/var/lib/letsencrypt/live/payments.localdev/`` directory and restart the service with ``sudo systemctl restart zkapissuer.service``.
    Clients will not trust a self-signed certificate unless they are explicitly configured to, which is fine for local testing but not for anything reachable by real users.
    
    Create WireGuard VPN key pairs in ``PrivateStorageSecrets/monitoringvpn/`` or wherever you keep them. Run this with ``umask 077`` in effect so the private ``.key`` files are created readable by you alone::
    
      for i in "172.23.23.11" "172.23.23.12" "172.23.23.13" "server"; do
        wg genkey | tee ${i}.key | wg pubkey > ${i}.pub
      done
    
    And a preshared key for "post-quantum resistance": WireGuard mixes this extra symmetric secret into the handshake, so traffic stays protected even if the Curve25519 key exchange is broken in the future. It has to be configured identically on both ends of each tunnel::
    
      wg genpsk > preshared.key