The NTP is an unencrypted UDP based protocol and has been abused for attacks in the past. There have been several attempts to provide replacements, however the difficult nature of the protocol and its usage make this quite challenging. While the NTP provides capabilities for encryption, they have been proven to be unreliable. With NTPsec a 'secure' replacement is possible.
You can install NTPsec via the ntpsecAUR package.
It is necessary to import a new GPG key to your keyring with:
$ gpg --recv-keys 5A22E330161C3978
gpg: key 5A22E330161C3978: 6 signatures not checked due to missing keys gpg: key 5A22E330161C3978: public key "NTPsec Contact <email@example.com>" imported gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 8 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 8u gpg: next trustdb check due at 2019-12-03 gpg: Total number processed: 1 gpg: imported: 1
Starting the service
Normally start/enable the
NTS is a method for using TLS/SSL to authenticate NTP traffic on the net
Append the keyword
nts to the end of your server lines. Do this only for servers that speak NTS. If the server uses a port other than
4460 for NTS key exchange, you also need to specify the port number.
server time.cloudflare.com nts iburst server virginia.time.system76.com nts iburst server nts.netnod.se:4460 nts iburst
Here is an unofficial list of NTP servers supporting NTS.