diff --git a/content/about.md b/content/about.md
index ea87610..ddc1dab 100644
--- a/content/about.md
+++ b/content/about.md
@@ -18,7 +18,7 @@ I spend most of my free time to improve system support, document and **promote A
Check out my [local gitweb](https://git.nemunai.re) or my [GitHub](https://github.com/nemunaire) account.
-You won't find my on any social network, because I don't have time to sell my privacy for free (and I fight against most of them).
+You won't find me on any social network, because I don't have time to sell my privacy for free (and I fight against most of them).
I'm crazy about any knowledge (mainly focus on sciences, typography, society, companies, faune and flora, ...) and am looking for more freedom and independence.
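Review bot: the `my` -> `me` correction on the `+` line is right, but the unchanged context line just below still carries two errors of the same kind that could go into this commit: "faune" is the French spelling (English is "fauna"), and "mainly focus on sciences" should read "mainly focused on sciences".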
diff --git a/content/post/kernel_configs.md b/content/post/kernel_configs.md
index 4d14c67..2c5d2a5 100644
--- a/content/post/kernel_configs.md
+++ b/content/post/kernel_configs.md
@@ -1,29 +1,34 @@
---
-title: Linux kernel configuration
+title: Linux Kernel Configurations
date: !!timestamp '2015-04-20 00:00:00'
-update: !!timestamp '2017-07-24 00:18:00'
+update: !!timestamp '2018-06-07 11:33:00'
tags:
- kernel
---
My favorite distribution is [Gentoo], for 7 years now.
+It allows me to have all the flexibility I need (the perfect world between stability with only legacy packages or recent ones on a constantly broken system; as in Gentoo, you always have choice) and it teaches me so many things each day.
+
+As I'm used to control everything, here is a list of kernels' configurations I use currently.
-Here are some of my kernel configurations I use:
-
* [Dreamplug]: latest public Grsecurity kernel 4.9 (before, I used precompiled kernels from [Xilka]);
* [Cubieboard 2]: Linux 3.4 [custom branch](https://github.com/cubieboard/linux-sunxi.git) for Allwinner A20 (dual-core ARMv7 Cortex-A7 and Mali400 MP2) + upstream patches on 3.4 not merged in the Allwinner tree;
* [Odroid-C1]: Linux 3.10 [custom branch](https://github.com/hardkernel/linux.git) for the Amlogic S805 (quad-core ARMv7 Cortex-A5 and Mali450) + upstream patches on 3.10 not merged in the Hardkernel tree;
-* [Mirabox]: latest public Grsecurity kernel 4.9 for the Marvell Armada 370 (with all available features for the board enabled);
-* [Cubox-i 4x4]: latest mainline kernel, currently 4.12;
-* [Creator CI20]: Linux 3.18 [custom branch](https://github.com/MIPS/CI20_linux.git) for the Ingenic JZ4780 SoC + upstream patches on 3.18 not merged in the imgtec tree.
+* [Mirabox]: latest public Grsecurity kernel 4.9;
+* [Cubox-i 4x4]: latest mainline kernel, currently 4.16, running OpenGL applications through etnaviv driver;
+* [Creator CI20]: Linux 3.18 [custom branch](https://github.com/MIPS/CI20_linux.git) for the Ingenic JZ4780 SoC + [upstream patches](https://github.com/nemunaire/CI20_linux.git) on 3.18 not merged in the imgtec tree;
+* [ThinkPad X250]: latest public Grsecurity patches on 4.9 kernel.
+* [Orange Pi PC]: latest mainline kernel, currently 4.17 on headless server.
[Gentoo]: http://www.gentoo.org/
-[Dreamplug]: http://www.globalscaletechnologies/p-54-dreamplug-devkit.html
+[Dreamplug]: http://www.globalscaletechnologies/p-54-dreamplug-devkit.aspx
[Xilka]: http://www.xilka.com/sheeva/
[Odroid-C1]: http://www.hardkernel.com/main/products/prdt_info.php?g_code=G141578608433
[Cubieboard 2]: http://cubieboard.org/model/cb2/
-[Mirabox]: http://www.globalscaletechnologies/p-58-mirabox-java-devkit.html
+[Mirabox]: http://www.globalscaletechnologies/p-58-mirabox-java-devkit.aspx
[Cubox-i 4x4]: http://www.solid-run.com/product/cubox-i-4x4
[Creator CI20]: http://store.imgtec.com/uk/product/mips-creator-ci20/
+[ThinkPad X250]: https://wiki.gentoo.org/wiki/Lenovo_Thinkpad_X250
+[Orange Pi PC]: http://www.orangepi.org/orangepipc/
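Review bot: the hostname in both rewritten reference links, `+[Dreamplug]: http://www.globalscaletechnologies/p-54-dreamplug-devkit.aspx` and `+[Mirabox]: http://www.globalscaletechnologies/p-58-mirabox-java-devkit.aspx`, has no top-level domain, so neither link can resolve as written; swapping the `.html` suffix for `.aspx` leaves that broken. Second, the blank line that used to separate the intro from the list was removed together with `-Here are some of my kernel configurations I use:`, so `+As I'm used to control everything, here is a list of kernels' configurations I use currently.` now runs straight into `* [Dreamplug]: ...`; keep a blank line there, or some Markdown renderers will fold the list into the paragraph, and while rewording it, "used to controlling everything" and "the kernel configurations I currently use" read better. Third, the list punctuation is inconsistent: `+* [ThinkPad X250]: latest public Grsecurity patches on 4.9 kernel.` ends with a period while every other item ends with `;`, and only the new last item, `+* [Orange Pi PC]`, should take the period. Finally, the three Grsecurity entries say only "latest public ... 4.9", whereas the Cubox-i and Orange Pi lines pin a version ("currently 4.16", "currently 4.17"); stating the exact 4.9.x release the Grsecurity patch applies to would make those entries as verifiable as the others.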
diff --git a/content/post/pgp_key.md b/content/post/pgp_key.md
index b6371bf..c204259 100644
--- a/content/post/pgp_key.md
+++ b/content/post/pgp_key.md
@@ -1,7 +1,7 @@
---
title: PGP key
date: !!timestamp '2015-06-29 00:00:00'
-update: !!timestamp '2017-07-24 00:45:00'
+update: !!timestamp '2018-06-07 12:40:00'
tags:
- privacy
- cryptography
@@ -9,16 +9,47 @@ tags:
My personal PGP key is the following: [0x842807a84573cc96].
- pub 4096R/4573CC96 2014-06-23 [expires: 2018-07-01]
+ pub 4096R/4573CC96 2014-06-23 [expires: 2019-07-01]
Key fingerprint = E722 B5B7 3CA7 FA93 5FC1 AA09 8428 07A8 4573 CC96
uid Pierre-Olivier Mercier
- sub 4096R/9D2855C3 2014-06-23 [expires: 2018-07-01]
+ sub 4096R/9D2855C3 2014-06-23 [expires: 2019-07-01]
-This key is also available through [OpenPGP DANE], generated by [this script].
+I use PGP on a daily basis: each e-mail I sent is at least signed. Don't hesitate to send me encrypted or signed message.
+
+My keyring is stored on a tamper resistant USB token (a [Nitrokey Pro]).
+This is the only method I use to sign, encrypt or [authenticate](#ssh-authentication).
+
+
+## DANE
+
+My key is also available through [OpenPGP DANE].
+You can retrieve it using `gpg` via:
+
+ gpg2 --auto-key-locate clear,dane -v --locate-key nemunaire@nemunai.re
+
+
+I used [this script](https://gist.github.com/nemunaire/447c989e9f098c679edb) to generate the record.
+With modern version of `gnupg`, it is also possible to get the DNS entry with the following command:
+
+ gpg2 --export-options export-minimal,export-dane --export 0xKEYID
+
+
+## SSH Authentication
+
+Sometimes I use my dedicated PGP key to log me on a remote SSH server. Here is its corresponding public ssh key :
+
+ ssh-rsa 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
+
+
+## Teaching PGP
+
+Each year, I ask my students at [EPITA](https://www.epita.fr/), a French computer science school, to sign their work when they send them to me, by e-mail.
+
+As it is not always easy for them, I developed a script to automatically check the correctness of their signature: [peret](https://git.nemunai.re/?p=lectures/peret.git).
[0x842807a84573cc96]: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x842807A84573CC96
+[Nitrokey Pro]: https://shop.nitrokey.com/shop/product/nitrokey-pro-3
[OpenPGP DANE]: https://www.ietf.org/id/draft-ietf-dane-openpgpkey-06.txt
-[this script]: https://gist.github.com/nemunaire/447c989e9f098c679edb
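Review bot: the expiry change on the `pub`/`sub` lines (2018-07-01 -> 2019-07-01) is a new self-signature on the key, and the "## DANE" section added below publishes a copy of that key in DNS; the OPENPGPKEY record therefore has to be regenerated and republished (the `gpg2 --export-options export-minimal,export-dane --export 0xKEYID` command shown is the tool for that), and the keyserver copy behind `[0x842807a84573cc96]` refreshed, or anyone fetching the key via `--auto-key-locate clear,dane` will still see it expiring on 2018-07-01. A sentence saying the record was regenerated after the expiry bump would make that explicit. Small wording fixes on the new lines: `+I use PGP on a daily basis: each e-mail I sent is at least signed. Don't hesitate to send me encrypted or signed message.` should read "each e-mail I send" and "an encrypted or signed message"; `+With modern version of `gnupg`` should be "With modern versions"; and `+Sometimes I use my dedicated PGP key to log me on a remote SSH server. Here is its corresponding public ssh key :` should read "to log in to a remote SSH server" with no space before the colon.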
diff --git a/content/post/ssh_keys.md b/content/post/ssh_keys.md
index 6f105d7..e716da9 100644
--- a/content/post/ssh_keys.md
+++ b/content/post/ssh_keys.md
@@ -7,24 +7,17 @@ tags:
- ssh
---
-I always have a different SSH key pair per machine. The aim is to really never
-copy my private key from a machine to another over network or USB stick.
+I always have a different SSH key pair per machine. The aim is to really never copy my private key from a machine to another over network or USB stick.
## Client keys
-With this approch, if one of my host is compromised and/or my key could have
-been exposed, I have only to remove granted access to this key to host or
-services (OK, that can be painful to find such services), but I can continue to
-use other no-compromised keys to work.
+With this approach, if one of my host is compromised and/or my key could have been exposed, I have only to remove granted access to this key to host or services (OK, that can be painful to find such services), but I can continue to use other no-compromised keys to work.
-As you can see on my [github](https://github.com/nemunaire.keys) account, I've
-registered several keys, because I don't work from the same machine every time.
+As you can see on my [github](https://github.com/nemunaire.keys) account, I've registered several keys, because I don't work from the same machine every time.
-It can sometime be complicated to give me access to machine, but in most case,
-I tend to centralize most of my outgoing connections from a single host, which
-is in fact my home desktop: oupaout.
+It can sometime be complicated to give me access to machine, but in most case, I tend to centralize most of my outgoing connections from a single host, which is in fact my home desktop: oupaout.
Here is a list of my keys' md5 fingerprints:
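Review bot: since these paragraphs are being rewritten onto single lines anyway, the grammar in them could be fixed in the same commit: in `+With this approach, if one of my host is compromised ... use other no-compromised keys to work.` it should be "one of my hosts" and "other non-compromised keys", and in `+It can sometime be complicated to give me access to machine, but in most case, ...` it should be "It can sometimes be complicated to give me access to a machine, but in most cases". The `approch` -> `approach` fix is good.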
@@ -55,6 +48,11 @@ ssh-keygen -l -E md5 -f KEY_FILE
```
+### Usign PGP
+
+Sometime, I use my authentication PGP key as SSH key. Read the [related article]({{< relref "post/pgp_key.md#ssh-authentication" >}}) to view the public key.
+
+
## Server keys
The `nemunai.re` domain, contains [SSHFP] records for each physical host. To avoid answering this message without further checks:
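Review bot: the new heading `+### Usign PGP` is a typo for "Using PGP", and `+Sometime, I use my authentication PGP key as SSH key.` should read "Sometimes, I use my PGP authentication key as an SSH key." Related to the section this hunk follows: the fingerprint list is generated with `ssh-keygen -l -E md5 -f KEY_FILE` (the hunk header), so it publishes MD5 fingerprints only; current OpenSSH (6.8 and later) prints SHA256 fingerprints by default from `ssh-keygen -l` and in `ssh` host-key prompts, so readers comparing against the default output will see a different format. Listing the SHA256 fingerprints (`ssh-keygen -l -E sha256 -f KEY_FILE`) alongside, or instead, would make the list usable without the `-E md5` flag. Also, in the unchanged context line `The `nemunai.re` domain, contains [SSHFP] records`, the comma after "domain" is stray.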