Security
Password manager
Using passwords is not the holy grail of security. Long-lived credentials such as passwords and TLS certificates must be avoided when possible. The US zero-trust memo (HN) shares interesting insights.
However, if you must use a password, never share the same password between two services. Always generate an individual random password for each service. Data breaches are regularly discovered and published online.
Using a password manager is required. Possible choices include:
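As an added example (not from the original page), the following POSIX shell functions generate a per-service random password from the kernel's random source, estimate its entropy so the length can be chosen deliberately, and audit a constructed vault export for the password reuse the text warns against. The alphabet (letters and digits), the 24-character default and the two-column CSV layout are assumptions of this example.

```shell
#!/bin/sh
# Added example: random per-service passwords and a reuse audit.
# Assumption: the service accepts letters and digits; widen ALPHABET if it
# also accepts symbols (and raise ALPHABET_SIZE to match).
ALPHABET='A-Za-z0-9'
ALPHABET_SIZE=62

# gen_password [LENGTH] -> prints LENGTH (default 24) random characters.
# LC_ALL=C keeps tr byte-oriented so a multibyte locale cannot skew output.
gen_password() {
    len="${1:-24}"
    LC_ALL=C tr -dc "$ALPHABET" < /dev/urandom | head -c "$len"
    echo
}

# entropy_bits LENGTH -> prints floor(LENGTH * log2(ALPHABET_SIZE)),
# the number of bits an attacker must brute-force for a uniformly random
# password of that length over this alphabet.
entropy_bits() {
    awk -v n="$1" -v a="$ALPHABET_SIZE" \
        'BEGIN { printf "%d\n", n * log(a) / log(2) }'
}

# reused_passwords FILE -> prints every password that appears for more than
# one service. FILE is a constructed CSV of "service,password" lines, the
# shape of a typical password-manager export.
reused_passwords() {
    cut -d, -f2 "$1" | sort | uniq -d
}

# Stand-alone usage: one fresh password per service, then its strength.
pw=$(gen_password 24)
echo "example.com,$pw"
echo "entropy: $(entropy_bits 24) bits"
```

With the 62-symbol alphabet each character contributes about 5.95 bits, so 20 characters give roughly 119 bits and 24 give roughly 142; a non-empty result from reused_passwords is the list of passwords that need rotating.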
Read about the Cobra Effect.
SSH keys
When configuring an SSH client, Ed25519 is the recommended algorithm to generate your SSH keys. The command is:
ssh-keygen \
-t ed25519 \
-f ~/.ssh/id_ed25519 \
-C "your_email@example.com"
When using a legacy system that doesn’t support the Ed25519 algorithm, RSA is the appropriate choice. Make sure to set a high bit value. Removing the -b
option makes your keys insecure and not portable: modern servers reject them.
ssh-keygen \
-t rsa -b 4096 \
-f ~/.ssh/id_rsa \
-C "your_email@example.com"
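To confirm that an existing key matches the recommendation above (Ed25519, or RSA with a large modulus), this added example, not part of the original page, parses the one-line summary that `ssh-keygen -l -f <key>` prints (bit length first, key type in parentheses last) and applies that policy. The 4096-bit RSA threshold is taken from the page's own command; the sample lines in the test are constructed, with placeholder fingerprints.

```shell
#!/bin/sh
# Added example: audit an SSH key against this page's recommendation using
# the summary line of `ssh-keygen -l`, which looks like
#   "4096 SHA256:<fingerprint> your_email@example.com (RSA)"
#   "256 SHA256:<fingerprint> your_email@example.com (ED25519)"
# MIN_RSA_BITS mirrors the page's `-b 4096`; it is a policy choice.
MIN_RSA_BITS=4096

# key_summary LINE -> prints "TYPE BITS" parsed from one ssh-keygen -l line.
# The first field is the bit length; the last field is "(TYPE)".
key_summary() {
    printf '%s\n' "$1" | awk '{ t = $NF; gsub(/[()]/, "", t); print t, $1 }'
}

# check_key LINE -> returns 0 when the key is Ed25519 or RSA >= MIN_RSA_BITS,
# 1 for anything else (short RSA, DSA, ECDSA, unknown).
check_key() {
    summary=$(key_summary "$1")
    type=${summary%% *}
    bits=${summary##* }
    case "$type" in
        ED25519) return 0 ;;
        RSA) [ "$bits" -ge "$MIN_RSA_BITS" ] ;;
        *) return 1 ;;
    esac
}

# audit_key FILE -> runs ssh-keygen on a real key file and applies check_key.
# Returns 2 if ssh-keygen cannot read the file.
audit_key() {
    line=$(ssh-keygen -l -f "$1" 2>/dev/null) || return 2
    check_key "$line"
}

# Stand-alone usage: audit every public key in ~/.ssh, if the tool is present.
if command -v ssh-keygen >/dev/null 2>&1; then
    for k in "$HOME"/.ssh/*.pub; do
        [ -f "$k" ] || continue
        if audit_key "$k"; then echo "OK   $k"; else echo "WEAK $k"; fi
    done
fi
```

Running it against ~/.ssh lists each public key as OK or WEAK; a WEAK RSA key is the case the text describes, a key generated without -b on an old client, and should be regenerated with the command above.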
On Linux and macOS, keys are expected to be located in the .ssh directory of your home directory (~/.ssh).
Permissions matter. Changing the default permissions prevents SSH from working.
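The modes OpenSSH expects are 700 on the .ssh directory and 600 on each private key; a private key readable by group or others is refused by the client. The following added example, not from the original page, checks a directory against those modes. It assumes a file is a private key when a matching ".pub" file sits beside it, and uses GNU stat with a BSD/macOS fallback.

```shell
#!/bin/sh
# Added example: verify ~/.ssh permissions before SSH silently refuses a key.
# Expected modes (assumption based on OpenSSH's checks): 700 for the
# directory, 600 for private keys.
DIR_MODE=700
KEY_MODE=600

# mode_of PATH -> octal permission bits; GNU stat first, BSD/macOS fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_dir DIR -> 0 when DIR is 700 and every private key in it is 600,
# 1 otherwise, printing one line per problem found.
# A private key is recognised by the presence of "<file>.pub" next to it.
check_ssh_dir() {
    dir="$1"
    status=0
    m=$(mode_of "$dir")
    if [ "$m" != "$DIR_MODE" ]; then
        echo "BAD  $dir mode $m (expected $DIR_MODE)"
        status=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip the unexpanded glob and subdirs
        [ -f "$f.pub" ] || continue      # not a private key
        m=$(mode_of "$f")
        if [ "$m" != "$KEY_MODE" ]; then
            echo "BAD  $f mode $m (expected $KEY_MODE)"
            status=1
        fi
    done
    return "$status"
}

# fix_ssh_dir DIR -> applies the expected modes (same key detection rule).
fix_ssh_dir() {
    chmod "$1" "$DIR_MODE"
    for f in "$1"/*; do
        [ -f "$f" ] && [ -f "$f.pub" ] && chmod "$KEY_MODE" "$f"
    done
    return 0
}

# Stand-alone usage: report on the real directory.
[ -d "$HOME/.ssh" ] && { check_ssh_dir "$HOME/.ssh" && echo "OK   $HOME/.ssh"; }
```

Note that chmod's argument order in fix_ssh_dir is mode then path, so the directory line must read `chmod "$DIR_MODE" "$1"`; the block below the fence is authoritative only after that correction.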
It is safe to share your public keys, also called certificates. At worst, someone gains the ability to grant you access to some resources. Never share your private key, and never store your private key anywhere. Anywhere includes Git repositories, backups, cloud and local virtual machines, … A single exception might be your password manager.