I’m in desperate need of setting up borgmatic for borg backup. I would like to encrypt my backups. (I suppose an unencrypted backup is better than none in my case, so I should get it done today regardless.)

How do I save those keys? Is there a directory structure I follow? Do you back up the keys as well? Are there keys that I need to write down by hand? Should I use a cloud service like Bitwarden Secrets Manager? Could I host something?

I’m ignorant on this matter. The most I’ve done is add SSH keys to git forges and use ssh-copy-id. But I’ve always been able to access what I need without keeping those (I log in to the web interface). Can you share with me best practices or what you do to manage non-password secrets?
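For the borgmatic side of the question, here is an added example of a minimal encrypted-backup configuration (not taken from the thread or from borgmatic’s own docs). It uses borgmatic’s flattened config format; the repository path, source directories and the `pass` entry used for the passphrase are placeholders you would replace. The important security detail is in the comments: whether the repository key itself needs a separate backup depends on the encryption mode chosen when the repository is created.

```yaml
# ~/.config/borgmatic/config.yaml (added example; all paths are assumptions)

source_directories:
    - /home
    - /etc

repositories:
    # Remote repo over SSH; the borg server only ever sees encrypted chunks.
    - path: ssh://borg@backup.example.org/./repos/laptop
      label: offsite

# Never put the passphrase in this file. Have borg ask a password manager
# for it instead; "pass" is used here as an assumed example.
#
# Which secrets you must keep depends on how the repo was created:
#   repokey / repokey-blake2: key is stored INSIDE the repo, encrypted with
#       the passphrase -> the passphrase alone is enough to recover.
#   keyfile / keyfile-blake2: key lives only in ~/.config/borg/keys on the
#       client -> you must ALSO back up the exported key file, or the
#       passphrase is useless.
encryption_passcommand: "pass show backups/borg-offsite"

compression: auto,zstd

# Pruning policy
keep_daily: 7
keep_weekly: 4
keep_monthly: 6

# Consistency checks. "extract" actually restores the newest archive to a
# temp dir and throws it away, which catches a missing/unusable key early.
checks:
    - name: repository
    - name: archives
      frequency: 2 weeks
    - name: extract
      frequency: 1 month
```

Create the repository once with `borgmatic init --encryption repokey-blake2` (the subcommand is called `repo-create` in newer borgmatic releases), then `borgmatic` on a timer does create, prune and check. With `repokey-blake2` the only thing to store in the password manager is the passphrase; if you pick a `keyfile` mode, run `borg key export` afterwards and store that file as well.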

  • hendrik@palaver.p3x.de · 1 year ago

    I add such stuff to my password manager. It supports files. But not all password managers do. I have a category for admin stuff where I also save passwords to servers, database credentials, service logins and the exported LUKS keys of the hard drives. I’d add backup keys there, too, but I currently keep them unencrypted on an encrypted hard disk.

    • CloseSymbol@lemmy.world · 1 year ago

      Also using my password manager, KeePass2 in my case (synced over WebDAV). A password manager should provide plenty of options to structure things. The password database is part of my scheduled backups, and always present on multiple synced devices, so a total loss is hardly imaginable.

      As SSH keys were also touched on as a topic in the OP, I just wanted to add that I found there seems to be an add-on for KeePass that makes handling those even easier: https://lechnology.com/software/keeagent/ (haven’t tried that yet).

  • fullstackhipster@awful.systems · 1 year ago

    There are many ways to go about this. Those keyfiles are extra sensitive because (a) they provide access to everything and (b) losing them can block access to everything. Personally, I keep those types of files unencrypted in a directory that stays 100% offline (encrypted backups to external disks only). But there’s no reason not to back those files up to an encrypted online repository (where you trust the encryption). Just make sure that’s not your only backup of those files for obvious reasons.

    A good practice to avoid painting yourself into a corner is to test your backups: switch off your PC / server, put your mobile devices in a drawer (pretend they’re gone), borrow / wipe a cheap laptop. How do you access your backup files using just that laptop?

  • krdo@programming.dev · 1 year ago

    Yes, you should have backups. You can use something like KeePass to store them I suppose. I personally just use the file system on a secure server.