undefined | Better HN

0 pointsUnoriginalGuy10y ago0 comments

Create a normal user, DON'T add them to the sudo group (or any other special group), and then generate keys for them. Store those keys in some online "cloud" storage (DropBox, Google Drive, OneDrive, et al).

Then if you need to get in, download the key, type in the password, login as that user, and the su up to root by entering the password only you know.

As an additional layer of security you could encrypt the key using AES-256 (e.g. 7Zip archive, Microsoft Office's Word .docx (NOT .doc) format (just drag drop the file into Word, "Encrypt with password") now AES-256 encrypted, others).

Now you have four layers of protection:

- su password.

- Key password.

- AES-256 encryption password.

- "Cloud" storage credentials.

0 comments

2 comments · 2 top-level

larrys10y ago

So in short store the keys in some place that you have easy access to by a password. Kind of a version of two factor "something you know and something you have" whereby the "something you have" is the cloud storage device with the key.

cbsmith10y ago

While I'm a big believer in defense in depth, I think this adds a lot more complexity on the usability side without really improving the overall security. You'd be better off just protecting the private key with more trials and storing it with whichever cloud storage solution you have the most confidence in.

j / k navigate · click thread line to collapse