Drop #580 (2024-12-20): Safety First
Your 2025 Digital Security Checklist; System and Service Credentials (systemd); Apple Platform Security Guide
Programming note: we’re off to see #2.1 & #2.2 next week for the holidays, so the Drops will likely be intermittent or non-existent until ~next Friday. I hope everyone celebrating this holiday season has a safe and restful time!
TL;DR
(This is an AI-generated summary of today’s Drop using Ollama + llama 3.2 and a custom prompt + VSCodium extension.)
Digital security checklist for 2025 emphasizes strong passwords, encryption, secure messaging via Signal, and multi-factor authentication (https://freedom.press/digisec/blog/journalists-digital-security-checklist/)
Systemd’s Credentials system provides secure handling of sensitive data like API tokens and passwords using AES256-GCM encryption (https://systemd.io/CREDENTIALS/)
Apple Platform Security Guide details device security architecture and recommends strong passcodes, security policy configuration, and regular updates (https://help.apple.com/pdf/security/en_US/apple-platform-security-guide.pdf)
Your 2025 Digital Security Checklist
Truth be told, this is actually the “2025 Journalist’s Digital Security Checklist”, but I think it most definitely has applications for us all. It provides a comprehensive framework for protecting digital assets and communications. We’ll break this down into key areas of focus, but you’ll need to read the full resource to get all the details.
A proper security posture starts with identifying what needs protection, who might want access to it, and their capabilities. So, the core questions to address are: what assets need protection, who are the adversaries, what resources do they have, how likely are they to act, and what defensive resources are available.
Modern mobile devices and endpoints require multiple layers of protection. For mobile devices, this means using alphanumeric passcodes, enabling full disk encryption, and carefully managing app permissions and notifications. Computer security demands similar attention through disk encryption (FileVault for macOS, BitLocker for Windows), strong passphrases, and regular security updates.
End-to-end encrypted messaging is essential for protecting sensitive communications. Signal stands out as the primary tool for secure messaging, while ProtonMail serves well for encrypted email when both parties use it. WhatsApp can be made more secure by disabling cloud backups and enabling disappearing messages.
Cloud storage presents significant risks for sensitive documents. A clear separation between offline and cloud-stored content is crucial. When using services like Google Drive, Dropbox, or iCloud, sensitive documents should be downloaded and securely deleted from cloud storage. For enhanced security, tools like VeraCrypt can encrypt files before cloud upload.
Browser security requires a multi-layered approach using tools like uBlock Origin to block malicious ads and Privacy Badger to prevent tracking. For anonymous browsing, Tor Browser provides the strongest protection by routing traffic through multiple nodes.
Password managers are non-negotiable for generating and storing unique credentials. Multi-factor authentication should be enabled on all accounts, preferably using security keys like YubiKeys for their strong phishing resistance. For backup authentication, apps like Google Authenticator or Authy provide good secondary options.
I’m sure you’ll find some of the suggestions in the full post do mostly pertain to journalists, but there are absolutely some good tips for everyone.
System and Service Credentials (systemd)
Speaking of security and privacy…
So, you’ve finally bit the bullet, migrated all your janky cron jobs to systemd timers and services and are all proud of yourselves. Except… you still keep API keys in environment variables that are readable by anyone who manages to get access to your server. And (worse), you still stick them in-script and forgot about that, then pushed the whole thing to GitHub (et al.).
In 2025 (or, y’know, now, if that previous paragraph described you), perhaps make a resolution to migrate to using the spiffy Credentials system of systemd. It provides a secure mechanism for handling sensitive data like cryptographic keys, API tokens, certificates, and passwords in modern Linux systems.
It operates by acquiring credentials during service activation and releasing them upon deactivation. Services access these credentials through the $CREDENTIALS_DIRECTORY environment variable, with access strictly limited to the service’s user context.
Credentials are stored in non-swappable memory and can be encrypted using TPM2 or keys stored in /var/. The encryption is automatic and requires minimal setup beyond the initial credential encryption. The system enforces kernel-level access checks rather than relying on process inheritance, making it more secure than environment variables. It is highly recommended that you store these on an encrypted partition.
Service credentials can be configured through several unit file directives:
Basic Configuration
LoadCredential handles loading from disk or Unix sockets
SetCredential manages literal strings in unit files
ImportCredential loads from credential stores
Secure Storage
LoadCredentialEncrypted and SetCredentialEncrypted handle encrypted credentials, making them safe for sensitive data even in world-readable unit files
The system uses AES256-GCM for encryption and authentication. Credentials can be encrypted using TPM2-derived keys, system-stored keys in /var/lib/systemd/credential.secret, or both. This ensures credentials can only be decrypted on the specific hardware and OS installation they were created for.
Credentials can be passed to systems through container managers, hypervisors, kernel command line, or UEFI boot environment. This enables system-wide credential management that can be propagated to individual services. The implementation supports both plaintext and encrypted credentials throughout the propagation chain, with decryption occurring at service activation.
The manual page and Arch Linux wiki are good places to start if you aren’t already using this feature.
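The migration described above, as an added example (not code from the original post or from the systemd project): the comments show the unit-file change from an environment variable to LoadCredentialEncrypted, and the function is what the service script would use to read the secret from $CREDENTIALS_DIRECTORY. The credential name `apitoken`, the unit contents, the file paths and the function name `read_credential` are all hypothetical.

```sh
#!/bin/sh
# Added example. "apitoken", myjob.sh and /etc/myjob/ are hypothetical names.
#
# One-time, as root: encrypt the secret for this machine.
#   systemd-creds encrypt --name=apitoken token.txt /etc/myjob/apitoken.cred
#
# Unit file, before (secret sits in the unit and in the process environment):
#   [Service]
#   Environment=API_TOKEN=s3cr3t
#   ExecStart=/usr/local/bin/myjob.sh
#
# Unit file, after (decrypted only at service activation):
#   [Service]
#   LoadCredentialEncrypted=apitoken:/etc/myjob/apitoken.cred
#   ExecStart=/usr/local/bin/myjob.sh
#
# In myjob.sh:
#   API_TOKEN=$(read_credential apitoken) || exit 1

# read_credential NAME
# Prints the credential systemd exposed to this service. Fails with a
# distinct status instead of silently falling back to an environment variable.
#   2 = not running with a credentials directory
#   3 = name is not a plain file name
#   4 = credential missing or unreadable
read_credential() {
  rc_name=$1
  if [ -z "${CREDENTIALS_DIRECTORY:-}" ]; then
    echo "CREDENTIALS_DIRECTORY is unset; no credentials were passed" >&2
    return 2
  fi
  # Credential names are plain file names; refuse anything path-like.
  case $rc_name in
    ''|*/*|.|..)
      echo "invalid credential name: $rc_name" >&2
      return 3 ;;
  esac
  rc_path="$CREDENTIALS_DIRECTORY/$rc_name"
  if [ ! -f "$rc_path" ] || [ ! -r "$rc_path" ]; then
    echo "credential not available: $rc_name" >&2
    return 4
  fi
  cat -- "$rc_path"
}
```
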
Apple Platform Security Guide
The Apple Platform Security Guide (direct PDF) may not be as engaging as The Murderbot Diaries, but it is, nonetheless, essential reading for anyone receiving a new Apple device this holiday season (there is no hope for Android users). It documents the security architecture protecting everything on those precious glowing rectangles and screen-less rectangular boxes.
New device owners should at least flip through the tome to see what steps they can take to make their devices a bit safer to use. First, set up a strong device passcode/complex passphrase. This isn’t just about unlocking your device, but forms the basis of how your iPhone, iPad, Mac, Apple Watch or Apple Vision Pro cryptographically protects your data. While biometric features like Face ID, Touch ID, and Optic ID provide convenient access, they complement rather than replace a robust passcode. Depending on your threat model, you likely will not want to enable biometric authentication.
Pay special attention to the security settings when first configuring your device. On Macs with Apple Silicon, understand the security policy options. “Full Security” provides iOS-like protection and should be your default choice unless you have specific needs for reduced security. For all devices, enable “Find My” for theft protection and remote-wipe capability (again, your threat model may make this feature a non-starter). When setting up Apple Pay, take time to understand how the Secure Enclave protects your payment information and familiarize yourself with the double-click confirmation gestures that help prevent accidental or fraudulent payments.
The guide also emphasizes the importance of keeping your device updated. Apple’s secure software update system prevents downgrade attacks and ensures you always have the latest security protections. Enable automatic updates to receive these critical security fixes as soon as they’re available. Remember that Apple’s security architecture is designed to be strong by default while remaining transparent to users — but understanding how it works helps you make informed choices about your device’s configuration and use.
It’s dense, and not-exactly bedtime reading, but it’s a good idea to have it on hand for when you’re setting up a new device or want to understand how Apple’s security architecture works. Apple also updates it periodically, so make sure to check back for updates.
FIN
We all will need to get much, much better at sensitive comms, and Signal is one of the only ways to do that in modern times. You should absolutely use that if you are doing any kind of community organizing (etc.). Ping me on Mastodon or Bluesky with a “🦇?” request (public or faux-private) and I’ll provide a one-time use link to connect us on Signal.
Remember, you can follow and interact with the full text of The Daily Drop’s free posts on:
🐘 Mastodon via @dailydrop.hrbrmstr.dev@dailydrop.hrbrmstr.dev
🦋 Bluesky via https://bsky.app/profile/dailydrop.hrbrmstr.dev.web.brid.gy
Also, refer to:
to see how to access a regularly updated database of all the Drops with extracted links, and full-text search capability. ☮️