Discussion on: How hackers steal your keys and secrets

Omer Hamerman Author

True!
I personally use 1Password as my 2FA store, which makes it a bit more secure through the gate of the single passphrase or a fingerprint. The downside is having both the password and the 2FA code accessible after successfully authenticating to a single system.

I do agree that physical hardware takes it a step further, but would you say it's a feasible request for every team out there, even the smaller ones?

Vladyslav Krylasov

> The downside is having both the password and the 2FA code accessible after successfully authenticating to a single system.

I store passwords in an encrypted format on my own Git server that is only accessible through a specific IP address, which is my own VPN + DNS that really doesn't store logs, but the SSH port is still open, so I can push/pull updates from any machine, while the web interface is reachable only through the VPN. And again, the SSH key is stored on a Yubikey, so an attacker needs physical access to my key and has to know the PIN. A remote attack vector I cannot imagine, due to my limited knowledge of the security/crypto field, but it should be secure (I guess).

> I do agree that physical hardware takes it a step further, but would you say it's a feasible request for every team out there, even the smaller ones?

I'm talking here more about personal security, and it's not so attractive for teams, indeed, but it's really secure security versus impostor security :) 1Password/LastPass should be good options for teams.

Omer Hamerman Author

Got it.
Well, regarding secret storage for teams, I usually suggest HashiCorp's Vault. My experience with it is excellent. It's open-source, secure, and really well thought through in terms of features.

For personal use - good thinking... I'll consider it myself :)
Although someone a few comments above you mentioned that they, as a team, were getting personal Yubikeys for everyone with a Vault-specific namespace, which was rotated every time an employee left...
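As an added example (it is not code from this thread, from HashiCorp's documentation, or from the team mentioned above), here is one way to get the "one private area per person, cleaned up when they leave" effect with plain ACL policies on open-source Vault, where namespaces are not available (they are an Enterprise feature). A single templated policy gives every engineer their own subtree of a KV v2 mount and read-only access to a shared team path. The mount name `secret/`, the `people/` and `team/` prefixes, the policy name and the entity name `alice` are all assumptions for illustration.

```hcl
# Added example, not from the original thread. Vault ACL policy "engineer" for open-source
# Vault with a KV v2 secrets engine mounted at "secret/". The policy is templated on the
# identity entity name, so one policy serves every engineer and each token can only reach
# the subtree named after its own entity. Mount path and prefixes are assumptions.

# Private per-person subtree: secret/people/<entity name>/...
path "secret/data/people/{{identity.entity.name}}/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/metadata/people/{{identity.entity.name}}/*" {
  capabilities = ["list", "read", "delete"]
}

# Shared team secrets: read-only for engineers; an admin rotates these on offboarding.
path "secret/data/team/*" {
  capabilities = ["read"]
}
path "secret/metadata/team/*" {
  capabilities = ["list"]
}

# Everything not listed is denied by default, so nobody can read a colleague's subtree.

# Admin workflow (Vault CLI; entity name "alice" and secret path "db" are hypothetical):
#   vault policy write engineer engineer.hcl
#   vault write identity/entity name=alice policies=engineer
#   # ... alice logs in with her Yubikey-backed auth method and is mapped to that entity
# Offboarding:
#   vault delete identity/entity/name/alice        # entity gone, its tokens lose the policy
#   vault kv metadata delete secret/people/alice/db  # purge all versions of her private secrets
#   # then write new values under secret/team/ so anything she could read is rotated
```

The templated path is what makes this scale: adding a person means creating an entity, not writing a policy, and removing the entity is the first offboarding step, followed by rotating whatever lived under the shared path.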

Vladyslav Krylasov

Sounds really great. I have heard of HashiCorp's Vault many times but haven't had a chance to learn more about it. I will add this to my todo list, thank you.
P.S. Great article.

Tarlan Isaev

Yeah, Vault is awesome, especially when you deal with Terraform. I've just tried this practice on DigitalOcean and it's pretty straightforward. digitalocean.com/community/tutoria... "You’ll use Packer to create an immutable snapshot of the system with Vault installed, and orchestrate its deployment using Terraform. In the end, you’ll have an automated system for deploying Vault in place, allowing you to focus on working with Vault itself, and not on the underlying installation and provisioning process."
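As an added example (not the tutorial's own code and not code from this thread), here is the Terraform half of that pattern: a droplet created from the snapshot Packer produced, plus a DigitalOcean cloud firewall that exposes the Vault API only to a VPN range while SSH stays reachable from anywhere, mirroring the "web interface only through VPN, SSH open" setup described earlier in the thread. The snapshot name, SSH key name, region, size and the VPN CIDR are assumptions; the DigitalOcean API token is taken from the `DIGITALOCEAN_TOKEN` environment variable.

```hcl
# Added example, not from the tutorial or the thread. Terraform for a Vault droplet built
# from a Packer snapshot on DigitalOcean, fronted by a cloud firewall that lets only the VPN
# reach port 8200. Snapshot name, key name, region, size and VPN CIDR are assumptions.

terraform {
  required_providers {
    digitalocean = {
      source = "digitalocean/digitalocean"
    }
  }
}

provider "digitalocean" {} # credentials come from DIGITALOCEAN_TOKEN in the environment

variable "vpn_cidr" {
  description = "Address range of the VPN that may reach the Vault UI/API (assumed value)"
  type        = string
  default     = "10.8.0.0/24"
}

# The immutable image Packer produced with Vault preinstalled (snapshot name assumed).
data "digitalocean_image" "vault" {
  name = "vault-snapshot"
}

# SSH public key already uploaded to the account (name assumed; e.g. a Yubikey-resident key).
data "digitalocean_ssh_key" "admin" {
  name = "admin-yubikey"
}

resource "digitalocean_droplet" "vault" {
  name     = "vault-1"
  image    = data.digitalocean_image.vault.id
  region   = "fra1"
  size     = "s-1vcpu-1gb"
  ssh_keys = [data.digitalocean_ssh_key.admin.id]
}

resource "digitalocean_firewall" "vault" {
  name        = "vault-api-via-vpn-only"
  droplet_ids = [digitalocean_droplet.vault.id]

  # Vault API/UI: only from the VPN range.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "8200"
    source_addresses = [var.vpn_cidr]
  }

  # SSH: open to the world, relying on key-only auth (key held on the hardware token).
  inbound_rule {
    protocol         = "tcp"
    port_range       = "22"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }

  # Outbound: allow package updates and DNS.
  outbound_rule {
    protocol              = "tcp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
  outbound_rule {
    protocol              = "udp"
    port_range            = "53"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
}

# Assumes Vault on the snapshot listens with TLS on 8200.
output "vault_addr" {
  value = "https://${digitalocean_droplet.vault.ipv4_address}:8200"
}
```

Run `terraform init` and `terraform apply` after Packer has produced the snapshot; rebuilding Vault is then a matter of building a new snapshot and re-applying, with the firewall keeping the API off the public internet throughout.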