Skip to content
Snippets Groups Projects
Commit 73d379a6 authored by Florian Sesser's avatar Florian Sesser
Browse files

Move key generating docs into operations documentation

parent 94691286
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
docs/source/ops/README.rst
+ 2
0
View file @ 73d379a6
......@@ -9,3 +9,5 @@ This contains documentation regarding running PrivateStorageio.
.. include::
monitoring.rst
.. include::
generating-keys.rst
docs/source/ops/generating-keys.rst 0 → 100644
+ 50
0
View file @ 73d379a6
Generating keys
===============
``config.json`` has the paths for the Ristretto and the Stripe secret key files.
Here is a Ristretto key you can use, randomly generated just now::
SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=
Generate your own like this::
[flo@la:~/PrivateStorageio]$ nix-shell
[nix-shell:~/PrivateStorageio]$ nix-shell -p zkapissuer.components.exes.PaymentServer-generate-key
[nix-shell:~/PrivateStorageio]$ PaymentServer-generate-key
SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=
Make sure you write it into the key file `without any leading or trailing white space, also without newlines <https://github.com/LeastAuthority/python-challenge-bypass-ristretto/issues/37>`_.
For example::
echo -n "SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=" > ristretto.signing-key
For the Stripe key any random bytes with a little light formatting "work" - at least to make our software happy - but if you want to be able to interact with Stripe and have payments (even pretend payments) move all the way through the system you should get a Stripe account and generate a key w/ them.
Lauri can get you added to our "dev" Stripe account, too, though I forget how important that is for ad hoc dev/testing.
I think this will work for generating random Stripe secret keys (that our software will load, I think, but Stripe will reject)::
>>> import base64, os
>>> print((b"sk_test_" + base64.b64encode(os.urandom(25)).strip(b"=")).decode("ascii"))
sk_test_Dr+XLVjkC0oO3Zw8Ws0yWtDLqR1sM+/fmw
Public keys are the same but "pk_test" instead of "sk_test" ("test" is for "test mode" key that can only process pretend txns; for real txns there are keys with "live" embedded).
The ZKAPIssuer.service needs a working TLS certificate and expects it in the certbot directory for the domain you configured, in my case::
openssl req -x509 -newkey rsa:4096 -nodes -keyout privkey.pem -out cert.pem -days 3650
touch chain.pem
Move the three .pem files into the payment's server ``/var/lib/letsencrypt/live/payments.localdev/`` directory and issue a ``sudo systemctl restart zkapissuer.service``.
Create Wireguard VPN key pairs in ``PrivateStorageSecrets/monitoringvpn/`` or where you have them::
for i in "172.23.23.11" "172.23.23.12" "172.23.23.13" "server"; do
wg genkey | tee ${i}.key | wg pubkey > ${i}.pub
done
And a shared VPN key for "post-quantum resistance"::
wg genpsk > preshared.key
morph/grid/local/README.rst
+ 0
50
View file @ 73d379a6
......@@ -33,56 +33,6 @@ If you run an older Nixpkgs, retrieve and use the latest Vagrant development ver
NIX_PATH=nixpkgs=https://github.com/NixOS/nixpkgs/archive/refs/heads/master.tar.gz nix-shell -p vagrant
Generating keys
```````````````
``config.json`` has the paths for the Ristretto and the Stripe secret key files.
Here is a Ristretto key you can use, randomly generated just now::
SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=
Generate your own like this::
[flo@la:~/PrivateStorageio]$ nix-shell
[nix-shell:~/PrivateStorageio]$ nix-shell -p zkapissuer.components.exes.PaymentServer-generate-key
[nix-shell:~/PrivateStorageio]$ PaymentServer-generate-key
SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=
Make sure you write it into the key file `without any leading or trailing white space, also without newlines <https://github.com/LeastAuthority/python-challenge-bypass-ristretto/issues/37>`_.
For example::
echo -n "SILOWzbnkBjxC1hGde9d5Q3Ir/4yLosCLEnEQGAxEQE=" > ristretto.signing-key
For the Stripe key any random bytes with a little light formatting "work" - at least to make our software happy - but if you want to be able to interact with Stripe and have payments (even pretend payments) move all the way through the system you should get a Stripe account and generate a key w/ them.
Lauri can get you added to our "dev" Stripe account, too, though I forget how important that is for ad hoc dev/testing.
I think this will work for generating random Stripe secret keys (that our software will load, I think, but Stripe will reject)::
>>> import base64, os
>>> print((b"sk_test_" + base64.b64encode(os.urandom(25)).strip(b"=")).decode("ascii"))
sk_test_Dr+XLVjkC0oO3Zw8Ws0yWtDLqR1sM+/fmw
Public keys are the same but "pk_test" instead of "sk_test" ("test" is for "test mode" key that can only process pretend txns; for real txns there are keys with "live" embedded).
The ZKAPIssuer.service needs a working TLS certificate and expects it in the certbot directory for the domain you configured, in my case::
openssl req -x509 -newkey rsa:4096 -nodes -keyout privkey.pem -out cert.pem -days 3650
touch chain.pem
Move the three .pem files into the payment's server ``/var/lib/letsencrypt/live/payments.localdev/`` directory and issue a ``sudo systemctl restart zkapissuer.service``.
Create Wireguard VPN key pairs in ``PrivateStorageSecrets/monitoringvpn/`` or where you have them::
for i in "172.23.23.11" "172.23.23.12" "172.23.23.13" "server"; do
wg genkey | tee ${i}.key | wg pubkey > ${i}.pub
done
And a shared VPN key for "post-quantum resistance"::
wg genpsk > preshared.key
Use the local development environment
`````````````````````````````````````
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment