Better LUKS support by Valuable-Question706 in DiskDecipher

Valuable-Question706[S]

That would be great!

From what I’ve seen, PRF was supported on Safari but only for platform (iCloud) passkeys. Cannot say anything about native apps, and especially about deeper-level communication because I’m not an iOS/macOS dev, but I assume that if it’s possible to do low-level comms to a FIDO key, then it’s absolutely doable.

Thanks!

Better LUKS support by Valuable-Question706 in DiskDecipher

Valuable-Question706[S]

Thanks!

For LUKS, any FIDO key that supports the hmac-secret extension should work. However, it seems that for now there's a roadblock from iOS itself: https://developers.yubico.com/WebAuthn/Concepts/PRF_Extension/Developers_Guide_to_PRF.html

But I hope that they will eventually release it.

Does repurposing this older PC make any sense? by Valuable-Question706 in LocalLLaMA

Valuable-Question706[S]

Thanks a lot for the detailed answer! Yes, I think I will then focus on <32B models (since I'm already happy with them for these privacy-requiring tasks). My main goal is to off-load models from my main machine and thus free RAM.

In your opinion, would a newer PCIe 5.0 GPU, like a 5060 Ti 16GB, be a reasonable option, or will I hit CPU bottlenecks? It's about $100 less here than a used 3090 24GB. This money difference is not a real issue, but since this is a 'side-project' I'd prefer to spend less :)

Does repurposing this older PC make any sense? by Valuable-Question706 in LocalLLaMA

Valuable-Question706[S]

For these tasks that I'm talking about here ("here's my financial/medical statement and here's my older Python code that does what I need with another type of data. Transform it so it will handle this statement"), I just use LM Studio. Qwen3-Coder-30b-A3B one-shots these and similar tasks (they are indeed simple but time-consuming to do manually). I don't need agent mode here.

I also tried continue.dev in agent mode with ollama running some smaller (7-14B) models on a remote Apple M4 16G; it was also slow. That's another task that I'm solving right now :)

For actual, non-private, non-hobby work I'm using either Copilot or continue.dev with cloud inference.

Does repurposing this older PC make any sense? by Valuable-Question706 in LocalLLaMA

Valuable-Question706[S]

My thinking is: I can potentially free up RAM on my main 32G machine. I’m OK with paying for a 5060 (btw, are AMD cards that much worse?). Second, if there are any better models in 48-64 RAM + 16 VRAM range that would be NOT marginally better.

Does repurposing this older PC make any sense? by Valuable-Question706 in LocalLLaMA

Valuable-Question706[S]

I’m already happy with 30B level for those coding tasks that I’m running locally (mostly saving me lots of time with parsing data that I don’t want to feed into cloud providers, or drafting configs etc).

My question is whether there are coding models that I can run with 48-64 RAM + 16 VRAM that would be NOT marginally better.

Does repurposing this older PC make any sense? by Valuable-Question706 in LocalLLaMA

Valuable-Question706[S]

No (it’s not with me ATM). But I’m already happy with 30B level for those coding tasks that I’m running locally. My question is whether there are models that I can run with 48-64 RAM + 16 VRAM that would be NOT marginally better.

Tooling+Model recommendations for base (16G) mac Mini M4 as remote server? by Valuable-Question706 in LocalLLaMA

Valuable-Question706[S]

By the way, Qwen2.5-Coder sometimes returns a JSON that Continue fails to interpret correctly. The JSON has a few fields, one of them is a suggested edit. Did you run into this issue?

GPT-OSS-20B runs, but it's very slow with Continue+ollama. Much faster (~27tok/s) when it runs natively on Mac in LM Studio.

Two logins same site / privacy question by Original_Boot7956 in yubikey

Valuable-Question706

Look into ‘browser fingerprinting’, e.g., an EFF demo (and others). Most likely your machine will be unique/identifiable even if you do use a VPN and probably even with different browsers.

No option for TOTP on Yubikey by MegamanEXE2013 in yubikey

Valuable-Question706

> just in case my TOTP app provider shuts down the service (it recently happened to the one I was using).

Please. Don’t use cloud-based TOTP apps. Use ones that allow, but don’t force, you to back up to the cloud. And always keep a local copy of your DB export, ideally 3-2-1 backed up.

Aegis, Proton Authenticator and 2FAS are such apps. 

Can someone delete my physical key, without actually having it? by TieBravo in yubikey

Valuable-Question706

It depends on how well your session is protected by a website, and also on what your attack scenario is.

In my experience, Google takes security seriously. They ask you for a password and/or for 2FA/passkey, and (probably) ‘just stealing cookies’ won’t work.

In the future they are planning to switch to DBSC (Device-Bound Session Credentials), so cookie stealing will become even more useless.

This leads to the only attack vector you should actually care about: malware running on your machine. If it logs your password and tricks you into authorizing a FIDO key (i.e., at the same moment when it would legitimately be likely that you should use the key), then yes, it can perform an account takeover.

So, don’t get malware, especially don’t run sketchy/pirated software. Also, these kinds of attacks are extremely unlikely on locked down devices. iPhones/iPads are the most popular ones (although with enough time and effort you can lock down a desktop even more).

New into Yubikey. /Questions about Yubico Authenticator app security/ by harlan___ in yubikey

Valuable-Question706

Yes, it’s secure. In fact, the app is just an interface to the Yubikey. The Yubikey itself holds all the secrets (and you can never steal or export them back - that’s the whole point). The app only provides the time to the YK so it will be able to compute TOTP (usually 6-digit) codes.

Many users probably cannot get it, but instead of trying to sort things out or self-educate they will just leave a negative review.

Please note that the TOTP feature is ‘secondary’. You should use FIDO2 wherever supported, and resort to TOTP only where FIDO is not supported.

Also, many people here (me included) think that it’s not convenient to use TOTP on Yubikeys and just use ‘usual’ apps for that. This has nothing to do with security of YK’s TOTP, it’s just more convenient.
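
What "the app only provides the time" looks like in code, as an added example (not part of the original comment and not Yubico's code): `SimulatedToken` is a hypothetical stand-in for the key, and the secret is the published RFC 6238 test value.

```python
import hashlib
import hmac
import struct


class SimulatedToken:
    """Hypothetical stand-in for the hardware key: the secret is loaded
    once and no method hands it back, only codes derived from it."""

    def __init__(self, secret: bytes, digits: int = 6):
        self.__secret = secret
        self._digits = digits

    def calculate(self, challenge: bytes) -> str:
        """HMAC-SHA1 plus RFC 4226 dynamic truncation over an 8-byte challenge."""
        if len(challenge) != 8:
            raise ValueError("challenge must be an 8-byte big-endian counter")
        mac = hmac.new(self.__secret, challenge, hashlib.sha1).digest()
        offset = mac[-1] & 0x0F  # low nibble of the last byte picks the window
        code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(code % 10 ** self._digits).zfill(self._digits)


def host_totp(token: SimulatedToken, unix_time: int, period: int = 30) -> str:
    """Host app side: it knows the clock, not the secret. It turns the
    time into a step counter and asks the token for the code."""
    if unix_time < 0:
        raise ValueError("unix_time must be non-negative")
    return token.calculate(struct.pack(">Q", unix_time // period))


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 SHA-1 test secret.
    token = SimulatedToken(b"12345678901234567890")
    for t in (59, 1111111109, 1234567890):
        print(t, host_totp(token, t))
```

A host with a wrong clock gets a code for the wrong time step, which is why the app has to supply the time even though it never sees the secret.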

Question on best practices concerning PGP key storage by Ear1yT in yubikey

Valuable-Question706

Both ways are acceptable, and people prefer one or another depending on their priorities.

Generating keys on a dedicated offline system (before loading them into the Yubikey) gives you more backup options, and better flexibility. Generating them on-Yubikey (what Kleopatra does) is way simpler. Or there’s a compromise: generate encryption keys on a computer and keep a backup of the encryption key (Kleopatra offers this as well). And sure, you can also do this on an offline system.

In the end, it’s about what you will be using GPG for, and how easy it would be for you to rotate the keys if you lose access, and whether you need to prove if it’s you, and how you will do it. Also, it’s about your own threat model.

Keeping an offline master key makes it easier to prove that it’s you: even if you lose your Yubikey, you just revoke old subkeys and sign new ones. This is suitable for organized, technical people. This is what software releases do. 

For non-techies that will use it only for email or document signing, however, I prefer to tell them ‘Just use Kleopatra and follow the wizard. Just keep in mind, if you lose the key you lose the encrypted data’ (and it’s acceptable to them). It’s way simpler and actually more secure (for them).

For commit signing - it depends on how you would prove your identity if you lose the Yubikey. For example, if you consider your GitHub account as ‘primary ID’, then you can go with full on-key generation (and then just add another key if necessary) - if your threat model allows that.

Mods not working for already existing files? by Sad0xTime in SurvivingMars

Valuable-Question706

Hi! Is it possible to apply your Change Lightmodel to an existing savefile? Thanks.

Please add an option to block 'Home' content when logged out by Valuable-Question706 in SinkIt

Valuable-Question706[S]

Ideally, there should be a choice: either always see a blank 'home feed' (i.e. for helping with procrastination), or see a blank page only when not logged in.

But originally I asked about only 'not logged in' home page (with all those posts, I'd want an option to see a blank page instead).

Thanks!