-Zephyr at MIT doesn't support* limiting who can sub to a zephyr class, so if you want to have reasonably private conversations, encrypting them is a good idea. `zcrypt` is the standard tool used for doing that.
+Zephyr at MIT doesn't support* limiting who can sub to a zephyr class, so if you want to have reasonably private conversations, encrypting them is a good idea. `zcrypt` is the standard tool for that.
`zcrypt` encrypts message bodies, but not the message metadata. In particular, instances are visible to anyone who receives a message (as are senders, times, zsigs, etc., though that's less-frequently an issue).
-h2. Creating a `zcrypt`ed zephyr class
+## Creating a `zcrypt`ed zephyr class
-The main requirement for a `zcrypt`ed zephyr class is to have a key and distribute it to all the users of the class. Typically, this is done by storing the key in AFS. You can set that up with:
+The main requirement for a `zcrypt`ed zephyr class is to distribute a key to all the intended users of the class. Typically, this is done by storing the key in AFS. You can set that up like this:
mkdir -p ~/Public/zcrypt/label/ # Pick an arbitrary label for your class.
fs sa ~/Public/zcrypt/label/ system:anyuser none # Keep randoms from reading your key
fs sa ~/Public/zcrypt/label/ system:groupname read # Allow an appropriate user/group to read the key
tr -d '\000\n' < /dev/urandom | head -c 126 > ~/Public/zcrypt/label/key.zcrypt
-The first three lines create a directory to store the key in, and set the permissions properly. You should replace `label` with an appropriate name; you may want to use something besides the class name in order to help keep the class name private. Subbing to the class will disclose traffic patterns and instances used, so you may want to use the traditional "secret class" (keeping the name secret) as a first line of defense, in addition to `zcrypt`.
+The first three lines create a directory to store the key, and set the permissions properly. You should replace `label` with an appropriate name; you may want to use something besides the class name in order to help keep the class name private. Subbing to the class will disclose traffic patterns and instances used, so you may want to use the traditional "secret class" (keeping the name secret) as a first line of defense, in addition to `zcrypt`.
The last line creates the key, which should be a random byte string of at least 126 characters, none of which should be null or newlines.
-h2. Subbing to a `zcrypt`ed zephyr class
+## Subbing to a `zcrypt`ed zephyr class
-This may vary between clients. For traditional zephyr clients, you should sub as usual (in Barnowl, run `:sub classname`).
+This may vary between clients. For traditional zephyr clients, you should sub as usual (in Barnowl, run `:sub classname`, or edit your `.zephyr.subs` file, then run `:loadsubs` in Barnowl).
You should also have been told a key path. In the example above, that would be `/mit/user/Public/zcrypt/label/key.zcrypt` (where `user` is your Athena username).
sipb-www / wiki.git / blobdiff