
Silly question 101: How do you keep your server keys?

zhuanyi Member
edited June 2012 in Help

So after spending time reading how easy it is for people to find out your password, I have also decided to take a small security step to enable keys-only login to my server.

My question is, how do you actually keep the keys to all your servers? And what if your server private key is lost? Is there a fallback method somehow?

I have no static IP at home, and I would prefer to access my servers at any place I want, even on my cellphone if necessary.


Comments

  • OS X can store keys in the keychain, I think GNOME Keyring can do this too.

  • Adam Member

    I just store keys in the .ssh folder, and use the config file. For a backup, I have them encrypted on Dropbox.

  • Insidiea Member
    edited June 2012

    You can always KVM into the machine, and log on normally through there if you lose your keys.

    Or in OpenVZ, this would be Serial console I believe.

  • camarg Member

    @zhuanyi said: So after spending time reading how easy it is for people to find out your password

    where did you read this?

  • Boot into single user mode?
    Small truecrypt volume.

  • There is no reason to store your private key on the server. And for storing it on your desktop you can choose an encryption passphrase, then you can back it up pretty much anywhere without having to worry too much.
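Adam's post above (keys in `.ssh`, a config file, an encrypted copy in Dropbox) and gsrdgrdghd's point about a passphrase on the private key can be put into concrete commands. The script below is an added example, not code from the thread or from any poster: it generates a passphrase-protected key, checks that the private half really does not load without the passphrase, writes a per-host `~/.ssh/config` entry, and wraps the key file in a second layer of gpg symmetric encryption before it goes into any sync folder. It assumes OpenSSH's `ssh-keygen` and GnuPG 2.x are installed; the host name, user, paths and passphrases are constructed for the example, and gpg stands in for whatever file-encryption tool (EncFS, TrueCrypt, etc.) you prefer.

```shell
#!/bin/sh
# Added example (not from the thread): passphrase-protected SSH key, per-host
# config entry, and an independently encrypted backup copy of the key file.
# Assumptions: ssh-keygen (OpenSSH) and gpg 2.x are on PATH; every path and
# passphrase below is constructed for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"       # scratch directory; everything stays in here
KEY="$WORK/id_ed25519"             # hypothetical key path
export GNUPGHOME="$WORK/gnupg"     # isolated gpg home so the real keyring is untouched
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

# 1. Generate a key whose private half is encrypted with a passphrase (-N).
make_key() {
    key="$1"; passphrase="$2"
    ssh-keygen -q -t ed25519 -N "$passphrase" -C "example-key" -f "$key"
    chmod 600 "$key"
}

# 2. Verify the private key is really protected: deriving the public key with an
#    empty passphrase must fail. Returns 0 if protected, 1 if it loads without one
#    (which is what you get from ssh-keygen -N "").
key_is_protected() {
    if ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# 3. A per-host config entry so ssh offers only this key. IdentitiesOnly stops ssh
#    from trying every key in the agent first, which can exhaust the server's
#    MaxAuthTries before the right key is offered.
write_config() {
    cfg="$1"; alias="$2"; host="$3"; user="$4"; key="$5"
    {
        printf 'Host %s\n' "$alias"
        printf '    HostName %s\n' "$host"
        printf '    User %s\n' "$user"
        printf '    IdentityFile %s\n' "$key"
        printf '    IdentitiesOnly yes\n'
    } > "$cfg"
    chmod 600 "$cfg"
}

# 4. Backup: the key file is already passphrase-protected; the backup adds a second,
#    independent layer (AES-256 symmetric gpg) before it is copied anywhere shared.
encrypt_backup() {
    src="$1"; dst="$2"; backup_pass="$3"
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase "$backup_pass" \
        --symmetric --cipher-algo AES256 -o "$dst" "$src"
}

decrypt_backup() {
    src="$1"; dst="$2"; backup_pass="$3"
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase "$backup_pass" \
        -o "$dst" --decrypt "$src"
}

# Run the whole procedure; prints "ok" and returns 0 only when every step checks out.
demo() {
    make_key "$KEY" "correct horse battery staple"        # constructed key passphrase
    key_is_protected "$KEY" || return 1
    write_config "$WORK/config" "box1" "203.0.113.10" "deploy" "$KEY"
    grep -q '^    IdentitiesOnly yes$' "$WORK/config" || return 1
    encrypt_backup "$KEY" "$WORK/id_ed25519.gpg" "separate backup passphrase"
    decrypt_backup "$WORK/id_ed25519.gpg" "$WORK/id_ed25519.restored" "separate backup passphrase"
    cmp -s "$KEY" "$WORK/id_ed25519.restored" || return 1
    # The restored copy is byte-identical, so it is still passphrase-protected.
    key_is_protected "$WORK/id_ed25519.restored" || return 1
    echo ok
}
```

Two passphrases are used on purpose: the one on the key file is what `ssh` (or `ssh-agent`) asks for at login, the one on the gpg backup only ever has to be typed when restoring, so it can be long and live in a password manager. Losing the key file then costs a restore plus a public-key update on each server, which is where Insidiea's KVM/serial-console fallback comes in.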

  • nabo Member

    However, the crucial point is that you can't access your server "on-the-go" if you're away from your netbook/desktop without the keys. But that's also true if you've forgotten your password. So I guess you must decide what fits you best.

  • yomero Member

    @gsrdgrdghd said: then you can back it up pretty much anywhere without having to worry too much.

    This.

  • Kuro Member

    @nabo said: However, the crucial point is that you can't access your server "on-the-go" if you're away from your netbook/desktop without the keys.

    This is why you keep your keys on a USB flash drive, and keep that on your keyring with the rest of your 'real' keys :P

  • @camarg I cannot remember a single post off the top of my head, but this is the kind of picture I am getting after reading through all those posts on WHT complaining about sites being hacked and so on... do you think passwords are safe?

  • @Adam Care to share how you encrypt them? I am an active Dropbox user too and this would be a good idea if I can somehow make sure my keys are safe in Dropbox and it does not take like a day to decrypt them when I need them, LOL :)

  • @justinb care to elaborate?

  • camarg Member

    @zhuanyi said: I cannot remember a single post off the top of my head, but this is the kind of picture I am getting after reading through all those posts on WHT complaining about sites being hacked and so on... do you think passwords are safe?

    are you talking about ftp passwords or ssh?
    if you change the default ssh port, install some kind of brute-force detection/blocking software and use serious passwords, yeah I think you'll be ok

    never heard of a proper setup being compromised

    I'm not trying to prove that using keys isn't more secure, it is. I just don't think that it is easy for people to find out your password
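The "brute force detection-blocking software" camarg mentions (fail2ban comes up later in the thread) works by counting failed logins per source address in the SSH auth log and acting once an address passes a threshold. The script below shows that check over a handful of constructed `auth.log` lines; it is an added example, not from the thread or from fail2ban, and the hostnames, PIDs, usernames and IP addresses in the sample are made up (documentation ranges). It assumes only POSIX `awk`, `sort` and `grep`.

```shell
#!/bin/sh
# Added example (not from the thread): the per-address failed-login count that
# brute-force blockers automate, run over constructed sshd log lines.
# Assumptions: POSIX awk/sort/grep; the log content below is invented.
set -eu

SAMPLE_LOG="${SAMPLE_LOG:-$(mktemp)}"
cat > "$SAMPLE_LOG" <<'EOF'
Jun  3 10:01:12 vps sshd[2140]: Failed password for root from 203.0.113.5 port 51322 ssh2
Jun  3 10:01:15 vps sshd[2140]: Failed password for root from 203.0.113.5 port 51322 ssh2
Jun  3 10:01:19 vps sshd[2143]: Failed password for invalid user admin from 203.0.113.5 port 51340 ssh2
Jun  3 10:01:22 vps sshd[2143]: Failed password for invalid user admin from 203.0.113.5 port 51340 ssh2
Jun  3 10:02:01 vps sshd[2150]: Accepted publickey for deploy from 198.51.100.7 port 40021 ssh2: ED25519 SHA256:constructedfingerprint
Jun  3 10:02:40 vps sshd[2158]: Failed password for deploy from 198.51.100.7 port 40030 ssh2
Jun  3 10:03:05 vps sshd[2161]: Accepted password for deploy from 198.51.100.7 port 40031 ssh2
EOF

# Failed password attempts per source IP, as "ip count" lines, highest count first.
# The address is the field after the literal word "from", which covers both the
# "for <user> from" and "for invalid user <user> from" line shapes.
failures_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print ip, n[ip] }' "$1" | sort -k2,2nr
}

# Number of failures recorded for one address (prints 0 if it never failed).
failures_for() {
    failures_by_ip "$2" |
        awk -v ip="$1" '$1 == ip { print $2; found = 1 } END { if (!found) print 0 }'
}

# Addresses whose failure count reaches the threshold: what a ban rule would act on.
over_threshold() {
    failures_by_ip "$2" | awk -v t="$1" '$2 >= t { print $1 }'
}

# Successful password logins are worth counting separately: on a keys-only server
# this number should be zero, so a non-zero value means PasswordAuthentication is
# still on somewhere.
accepted_password_logins() {
    grep -c 'sshd\[[0-9]*\]: Accepted password for' "$1" || true
}
```

Note what the numbers do and do not say: 203.0.113.5 would be blocked by a threshold of 3, while 198.51.100.7 is a real user who mistyped once and then got in, which is why a single failure must never trigger a ban and why the threshold and window matter more than the blocking mechanism.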

  • Corey Member

    @zhuanyi I believe passwords are safe if used correctly, please read my blog post.
    http://www.yourdomaingoeshere.com/blog/2012/05/31/password-safety/
    @camarg, exactly - I tried to outline that in my blog post.

  • miTgiB Member

    I keep a copy of my keys on a thumb drive in my pocket, still using a 128mb thumb drive I bought 10 years ago, and no, I don't lose my lighter either.

  • @camarg I am pretty sure those were SSH passwords, but I do see your point there, fail2ban it is...
    @Corey thanks!

  • @miTgiB And I am sure you back it up somewhere else?

  • KuJoe Member, Host Rep
    edited June 2012

    I keep a copy of my key in about a dozen places (3 locations on each PC, 2 locations on my phone, 3 locations on my NAS, 2 locations on external hard drive, 1 location off-site). For a backup, I login remotely with my password. :)

  • miTgiB Member

    @zhuanyi said: And I am sure you back it up somewhere else?

    I have it backed up so many places @KuJoe would call me excessive

  • yomero Member

    @zhuanyi said: Care to share how you encrypt them?

    By encrypt he probably means SSH keys with a password.
    Or means... gpg, truecrypt, or even rar/zip with password.

  • Infinity Member, Host Rep

    I don't have server keys atm (I cba to set it up) but when I did have 'em I used to back 'em up on my home server (files were encrypted ofc), on my gazillion USB drives (incidentally most are between 128MB and 256MB, have been through the washing machine a few times and are around 8 years old, minus the 4GB one which I got in '08?), one of those sticks is kept inside the boiler in case I lose the others (it's still there).

  • KuJoe Member, Host Rep

    @miTgiB said: I have it backed up so many places @KuJoe would call me excessive

    Backup and excessive should never be in the same sentence. You can never refer to any number of backups as "excessive". You can only have too few, never too many. ;)

  • vedran Veteran

    Backup rules:
    1. Always backup your data
    2. Also backup your backups
    3. Since backup backups are also backups, go to rule #2
    stack overflow

  • Corey Member

    @KuJoe Murphy would have to be really mad at you to take out ALL recursive 4+ of your backups of backups.

  • debug Member
    edited June 2012

    I memorize my private keys, and putty the fool who doesn't!

    /s

  • KuJoe Member, Host Rep

    @Corey very true. Me and Murphy would have some words if that happened...

  • miTgiB Member

    @KuJoe said: Me and Murphy would have some words

    I put my money on Murphy

  • I use 1password, bit of a pain if I'm at a remote terminal, cause my keys are 16 digits or more.

  • .ssh folder, as always :)

  • Adam Member

    @zhuanyi said: @Adam Care to share how you encrypt them? I am an active Dropbox user too and this would be a good idea if I can somehow make sure my keys are safe in Dropbox and it does not take like a day to decrypt them when I need them, LOL :)

    I use EncFS. But for Windows there's Boxcryptor, AxCrypt, and whatever else Google spits up.
