Security on Janik von Rotz

Migrate From Pass to KeepassXC

Mon, 13 Apr 2026 08:26:08 +0200

In 2017 I migrated from KeePass to Pass and now migrated back to KeePassXC. For almost 9 years I was a happy pass user. It still does a very good job and keeping password management simple. But setting up pass on a new device was always a bit difficult.

Store Passkeys in KeePassXC

Fri, 04 Jul 2025 08:04:42 +0200

The goal of Passkeys is to replace passwords.

The idea is that instead of remembering a password and entering it to access your account, you own a device that generates a password for you.

Remembering is replaced with Owning.

In this post, I’ll give an example of such a device and how you can create and store a Passkey securely.

Store and load SSH keys in KeePass

Fri, 18 Oct 2024 11:03:41 +0200

I learned about this KeePass feature way too late. With KeePass you can store and load your SSH keys in a secure and encrypted way. No more worrying about your SSH private key being exposed or accessed on your local machine.

Die nicht ganz normale Bank - Kommentar

Mon, 07 Mar 2022 10:40:54 +0100

Dieser BlogPost basiert auf meinem Kommentar zum Artikel: Republik - Die nicht ganz normale Bank. Der Header des Artikels ist:

Eine Sicherheitslücke bei der Postfinance ermöglichte Einblick in die Daten von Kunden. Möglicherweise wurde dabei auch das Bankgeheimnis verletzt.

Hier folgt mein Kommentar:

Nginx WAF with ModSecurity and OWASP CRS

Wed, 26 Feb 2020 08:57:31 +0100

This tutorial explains how to enable and test the Open Web Application Security Project Core Rule Set (OWASP CRS) for use with the Nginx and ModSecurity. We are going to setup a Docker Compose project and deploy a ModSecurity enabled Nginx container with the CRS. Everything will be done using Open Source tools only.

Do not use VPN services

Wed, 23 Oct 2019 00:05:42 +0200

On my latest Hacker News trip I came along this fine post. I already told many people that they must avoid using VPN services if possible. In most cases there is no need and this post describes it very well.

Create pkcs12 key- and truststore with keytool and openssl

Tue, 22 Jan 2019 14:05:15 +0100

In my last post I’ve showed you how to create a custom certificate authority and sign a server cert using openssl without user interaction.

For this post I assume that we want to set up a webservice that requires a pkcs12 keystore. Using openssl and the java keytool we are going to create a pkcs12 store and add our ca cert, server cert and server key. Further, we assume that the application also requires a truststore containing the ca cert only.

Create a certificate authority and sign server certificates without prompting using openssl

Mon, 21 Jan 2019 16:20:35 +0100

Most of the times people want to get a certificate for the hostname localhost, let’s encrypt wrote a nice post about this, but sometimes people want a certificate for any hostname. And further, signed by a custom CA and if possible should the key material be generated without user interaction. In this post I have covered the less likely case.

The Future of Authentication

Mon, 07 Jan 2019 09:06:27 +0100

The world is changing and so does it in 2019. Time to make so predictions for the new year.

I firmly believe that we will see huge progress in the field of secure user authentication. As you might know the current state of authentication is fundamentally flawed. Users set weak passwords, 2-factor authentication is a usability mess and accounts are compromised on a daily basis. These problems are well known and big tech companies have tried to tackle them on their own.

Using pass in teams

Tue, 03 Apr 2018 08:29:22 +0000

Introduction

Pass is the standard password manager for Unix systems. It follows the Unix philosophy.

Pass saves passwords in text files and encrypts them using a gpg key. The folder structure containing the encrypted files is the pass store. Sharing a pass store without handing over the gpg key requires a gpg key exchange. Git is integrated into the pass cli and is used as version control system.

This document is a guideline for users which require access to a shared pass store and is also a documentation of how to set up a shared pass store. The first part elaborates the process of creating a shared pass store and the second part shows how collaboration from the perspective of a user looks like.

Migrate KeePass to Pass

Mon, 24 Jul 2017 10:05:46 +0000

I’m using KeePass for a few years now. It always has been the password manager of my choice. Currently I’m using KeePass on my Mac and Windows connected to the same database file. The KeePass database file is stored in a OneDrive folder, encrypted with a password and keyfile, which is stored in the Keybase filesystem. This setup gives me maximum security and portability. However, it makes it impossible to use KeePass on my mobile device. Also I miss the possibility to use KeePass in my browser or on the command line. I’ve looked for an alternative solution, which doesn’t compromise on security and gives me the same level of portability.

Install Let’s Encrypt and create a free SSL certificate

Fri, 04 Dec 2015 11:23:57 +0000

This post is part of my Your own Virtual Private Server hosting solution project.
Get the latest version of this article here: https://gist.github.com/2e0ee4cf7e04bb75742d.

Introduction

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG). This guide shows you how you can obtain a free SSL certificate.

free SSL for everybody

Mon, 23 Mar 2015 09:09:11 +0000

Let’s Encrypt is the latest initiative by the Internet Security Research Group (ISRG). Their goal is simple, every site on the internet has to be SSL secured.

They want to achieve that by serving an open certificate authority (CA) and also provide a tool to set up a secured site the easiest way possible.

And now the big deal about this, their service is free of charge!

If this is really a thing, it will be a disaster for the SSL economy. As you might know SSL certificates are everything else than cheap. So good luck to every company that relays on selling SSL certificates as their core competence.

Say Goodbye to TrueCrypt

Fri, 30 May 2014 07:21:00 +0000

Apparently the developer of TrueCrypt threw in the towel this week.

The official site http://truecrypt.org redirects to http://truecrypt.sourceforge.net/ where you’ll find instructions to migrate you TrueCrypt disk to Microsofts built-in solution Bitlocker.

The reason for all this is obvious, TrueCrypt can’t compete against Microsofts Bitlocker as their software comes with every Windows 8 version (withWindows 7 you had to have an enterprise license in order to use Bitlocker).

Redesign of DuckDuckGo

Tue, 20 May 2014 14:17:15 +0000

The DuckDuckGo search engine website has been redesigned. Hurray!

It grew up from a crappy students project to a respectable Google competitor.

Compared to other search engines DuckDuckGo doesn’t intrude your privacy.

What? You want to know why you should care about your privacy? I’ll let the real pros answer this question: https://duckduckgo.com/privacy

Netwars Project - Today’s IT threads well explained

Thu, 01 May 2014 13:19:00 +0000

This time I want to tell you about the netwars project. It’s a fact based cross platform experience exploring the impending threat of cyber warfare.

There’s a web series, tv production, digital graphic novel and soon an audio book will be released.

Install WPScan

Tue, 29 Apr 2014 07:10:57 +0000

This post is part of my Your own Virtual Private Server hosting solution project.
Get the latest version of this article here: https://gist.github.com/11214650.

Introduction

WPScan is a black box WordPress vulnerability scanner.

Prevent a lot of spam on your next php form with this simple trick

Mon, 28 Apr 2014 12:08:19 +0000

Spam bots were parsing websites html to code and searching for form patterns. What they luckily don’t do in most cases is running javascript or applying css code. This behaviour is a good way to tell a human from a spambot apart.

Here is a simple example of how to make use of this behaviour to prevent a lot of spam.

How the Heartbleed bug works

Mon, 14 Apr 2014 06:39:22 +0000

This is the most accurate explanation I’ve found so far. Thanks to xkcd.

Open SSL Heartbleed Bug

Wed, 09 Apr 2014 15:25:47 +0000

For those who missed it. The OpenSSL project has recently announced a security vulnerability in OpenSSL affecting versions 1.0.1 and 1.0.2 (CVE-2014-0160).

Details of the bug are available here: The Heartbleed Bug

You can check you website here: Heartbleed test

Details and update instructions from the websites of your Linux vendor of choice:

On Ubuntu the update is simply done by executing these commands:

sudo apt-get update
sudo apt-get upgrade

The following command shows (after an upgrade) all services that need to be restarted.

Nginx SSL website

Thu, 03 Apr 2014 07:54:04 +0000

This post is part of my Your own Virtual Private Server hosting solution project.
Get the latest version of this article here: https://gist.github.com/9408793.

Introduction

This best practice shows you the most advanced SSL configurations for your Nginx website. For productive usage it’s recommended to use only public-signed certificates.

Convert SSL certificates

Thu, 27 Mar 2014 14:01:50 +0000

This post is part of my Your own Virtual Private Server hosting solution project.
Get the latest version of this article here: https://gist.github.com/9413205.

Requirements

Get a free verified SSL certificate from StartSSL (optional)

Instructions

When buying a certificate from you CA (Certification Authority) e.g. a wildcard certificate for *.example.org, you have to convert this file to different formats in order to use them with your webserver installation.

Get a free verified SSL certificate from StartSSL

Wed, 26 Mar 2014 10:29:07 +0000

This post is part of my Your own Virtual Private Server hosting solution project.
Get the latest version of this article here: https://gist.github.com/9430791.

SSL certificates aren’t cheap. You can create them on your own for private use. However for internet use you have to get a verified certificate.

Luckily there’s https://www.startssl.com/

They offer you a class 1 SSL certificate for free. Their site might not look trustworthy, but I’m quite shure they do a great job.

Website Update SSL

Wed, 19 Mar 2014 15:15:21 +0000

Hi visiter,

As you might have already seen, this websites is now accessible over https.

I’ve moved this website to a new custom webserver run by Amazon AWS EC2.

I’m still trying to fix some minor errors, so don’t be confused if the website is not reachable for a certain time.

Open a Windows Remote Connection using KeePass credentials

Wed, 13 Nov 2013 15:15:16 +0000

KeePass is a highly recommended Passwordsafe. Despite its supposed to be used mainly by private people it’s adaptable for business cases. In my company the KeePass password database is saved on a SharePoint folder and is encrypted with a password and a private key. The key has to be stored on the local machine.

It could be difficult to force employees to store their passwords in the KeePass database as many won’t get along with it. They’ll more likely store their password in third party tools. However storing a users password in another programm as KeePass f.e. microsoft remote desktop can be a security risk because the password is only encrypted in the user context.