Making keys and passwords 1really secure

Well, in the last two years, I’ve been way to glib about things. So now is the time to straighten up. There seems to be no really good guide about how to do this, but the steps are basically:

Secure your passwords

The advice here is good but it takes a long time to make it work.

  • Use 1Password and Dropbox to have a secure password store that you can run on Windows, Mac and Linux (well sort of Linux as they don’t have their own Linux client)
  • Store their encrypted files called agilekeychains in Dropbox so you can share everywhere

  • Get everything into it

  • the big vulnerability is the master password. If you lose it, you have lost all your data. They do not keep keys for you and there isn’t a backdoor. So guard it with your life. Or put it somewhere on a USB key and lock it up.

  • For Linux, install the 1pass python scripts, so from the command line you can access keys and manage them.

Secure your machines

  • Use 1Password to remember you logon passwords and make them hard, If you trust Apple (and I kind of do), then use your Apple iCloud login.

  • And turn on Find My Mac so you can disable machines remotely when they get connected, Apple will write a firmware pin code in.

  • Encrypt your disk so that if it gets into the wrong hands, they can’t hack it. Mac has FileVault. Beware though that if you lose those keys are you really toast.

Secure your SSL keys and certificates

Merging together quite a few guides, here is how to get maximum safety for sites (github.com, docker.com) which use SSL and also for logging into to other machines in your network with SSL and not passwords:

  • #mce_temp_url#Generate a big ass SSL key with ssh-keygen 4K bits of RSA isn’t too little for each service you login to. You want separate keys because it reduces the risk that you will have one compromised and lose all security. It is more of a pain and you have to manage your ~/.ssh/config file, but worth it to have per host handling of SSL keys with `ssh-keygen -t rss -b 4096 -C youremail@domain.com
  • If you didn’t create a passphrase initially, then ssh-keygen -p will allows you to add one. If you didn’t use the higher difficulty encryption on your key then use ssh-keygen -o -p -f id_rich -a 300 which says add a password and the new output format and use 300 rounds (this will take 10 seconds to actually process a password, so probably too long). The default is -a 16 which is 16 rounds or a few seconds.

  • Create a passphrase for sure and then make sure to use a difficult encryption (the default is MD5 which is terrible). You want 3DES at least using some parameters on ssh-keygen using the new -o parameter for ssh-keygen 6.5 or higher. The Mac by default is 6.2 so you need to install Mac Ports and get the later one which is 6.9 as sudo port install openssh

  • Copy the encrypted keys and the public key files into 1Password so it is easy to get them from machine to machine.

  • On a Mac, you automatically get ssh-agent running, but on Linux, run ssh-agent and then ssh-add id_rsa or whatever your key is. Then you just type your passphrase once per session and it is unlocked.

  • Building new machines

    A USB key with your agilekeychain is all you need and you can get up and running.

    You create a ~/.ssh and copy in your one key