This post explains how I perform a personal key rotation. This is a process where I go through all my important assets and accounts and change their passwords. In the process, I also generate new encryption keys, and ensure that important accounts have two-factor authentication enabled.
Before starting the key rotation, I have already gained an overview of my assets, I have decided how much security and availability they need, and I have chosen a password safe.
Step-by-step personal key rotation
Below are the steps that I use when rotating my keys. If you feel geeky and have a few hours to spare, please follow along! Otherwise, you can do the short version:
- Think of your three most important accounts.
- Log in to each of them and change the password to something new and unpredictable.
- Keep the new password safe, in a password manager or on a piece of paper.
For the more complex version, start by downloading and booting a secure system:
Set up a secure environment
It is best to update passwords from a fresh and trusted environment that is free from malware. I like to use a live-system for this: an operating system that boots from a USB key, without modifying the computer’s primary operating system. For example, something like Ubuntu live or MX Linux works well. This serves two purposes:
- A live-system is less likely to contain malware that could steal my new passwords. It also leaves no trace on the computer, so I don’t need to worry about accidentally leaving unencrypted passwords or logged-in websites around.
- A live-system does not yet have my tools and settings. It forces me to log into all accounts from scratch, and thus tests that I can access them even if I don’t have access to my usual devices.
Set up a new password safe
I use the pa password manager, as described in the previous post. In this step, I set up a fresh empty safe, with a new set of encryption keys.
Now, I immediately back up the encryption keys and the (still empty) password safe. I need to make sure that it is well stored before proceeding, lest I lose all my new passwords and lock myself out. I copy the passphrase-protected encryption key to Google Drive and a few other places. The password safe itself is stored in a git repository, which I push to a trusted server. I write the passphrase on paper; it will later be split and stored safely using psst.
Change all the passwords
One by one, I now go through my accounts, starting with the most important ones. I generate a new password, store it in my password safe, make sure it is pushed to the remote git server, and then set it as the new account password.
For important accounts, I also check the other security-related settings: Do I have the right two-factor authentication keys? Is the recovery email address up-to-date? Are there any old third-party apps or API keys that I can revoke?
In this step, I also generate new SSH and GPG keys. They are used for services like GitHub, and for logging into the purpureus.net web server. I store the key files in my password safe, and write the passphrases on my trusty paper. Then I add my new public keys to my GitHub account and to the ~/.ssh/authorized_keys file on web servers. I check whether they work for logging in and accessing my git repositories. Only then do I remove the old public keys.
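The add, verify, then remove order above, as an added Python example that is not the author's own tooling: keys in authorized_keys are matched by type and key blob (comments and options are ignored), the old key can only be dropped once the new one is present, and the fingerprint helper prints the same SHA256 form as `ssh-keygen -lf` so the two keys can be told apart. The "verification" itself is a real test login and stays outside this code.

```python
"""Rotate an SSH public key in authorized_keys without locking yourself out:
the old key may only be removed once the new one is present. Illustrative
code, not the author's tooling; verifying the new key is a real test login."""
import base64
import hashlib
import re

# Matches "<type> <base64>" anywhere in a line, so leading options are tolerated.
KEY_RE = re.compile(
    r"(ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp\d+|sk-[\w.@-]+)\s+([A-Za-z0-9+/=]+)")


def key_id(line: str):
    """Identity of a key is (type, base64 blob); comment and options are ignored."""
    m = KEY_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def fingerprint(pubkey: str) -> str:
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf`."""
    kid = key_id(pubkey)
    if kid is None:
        raise ValueError("not a public key line")
    digest = hashlib.sha256(base64.b64decode(kid[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def add_key(contents: str, new_pubkey: str) -> str:
    """Append new_pubkey unless a line with the same key blob is already present."""
    if key_id(new_pubkey) is None:
        raise ValueError("not a public key line")
    if any(key_id(l) == key_id(new_pubkey) for l in contents.splitlines()):
        return contents
    head = contents.rstrip("\n")
    return (head + "\n" if head else "") + new_pubkey.strip() + "\n"


def remove_key(contents: str, old_pubkey: str, required_pubkey: str) -> str:
    """Drop old_pubkey, but only after required_pubkey (the new key) is in place."""
    lines = contents.splitlines()
    if not any(key_id(l) == key_id(required_pubkey) for l in lines):
        raise ValueError("new key not present yet; refusing to remove the old one")
    kept = [l for l in lines if key_id(l) != key_id(old_pubkey)]
    return "\n".join(kept) + ("\n" if kept else "")


def constructed_ed25519(seed: int) -> str:
    """Constructed sample key: ed25519 wire-format blob around a dummy 32-byte point."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()
```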
Clean up
When all the accounts have new passwords, I double-check that all the new passwords and keys are safely stored and backed up. If I’m sure about that, I can turn off the live-system and boot back into my normal operating system.
My old password safe is now no longer protecting anything of value. All the passwords contained in it should be outdated and no longer give access to any accounts. Despite this, I recommend keeping a backup of the old safe. There are cases where it could come in handy, for example if someone sends me an encrypted email using an old GPG key.
Store the root secrets
At this point, I still have my paper with the most important passphrases, those that I do not want to store in my password safe. For example, the passphrase for the password safe itself! These are the roots of my digital identity. I try to memorize them, which is easier than it seems because I use them occasionally (e.g., when unlocking my SSH key), and I keep a backup for when my memory fails:
I use psst to back up these most important secrets, as described here. With psst, each secret is split into four shares. Any two of these can reconstruct the secret. I keep two of the four shares in locations that I can access relatively quickly, and send the other two out to trusted friends.
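The two-of-four split described above, as an added Python example of Shamir secret sharing; this is not psst's own implementation, and the choice of prime field and the 0x01 length-prefix byte are assumptions of this example. It generalizes to any k-of-n: the secret is the constant term of a random degree k-1 polynomial, each share is one point on it, and any k points recover the constant term by Lagrange interpolation at x=0.

```python
"""Shamir k-of-n secret sharing over a prime field; illustrative, not psst's code."""
import secrets

# Mersenne prime 2**521 - 1: secrets and shares are integers below it.
PRIME = 2**521 - 1
MAX_SECRET_BYTES = 64


def _encode(secret: bytes) -> int:
    # A leading 0x01 byte fixes the length, so leading zero bytes survive.
    if len(secret) > MAX_SECRET_BYTES:
        raise ValueError("secret too long for this field")
    return int.from_bytes(b"\x01" + secret, "big")


def _decode(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if not raw or raw[0] != 1:
        raise ValueError("not a valid secret: wrong or too few shares?")
    return raw[1:]


def split(secret: bytes, k: int, n: int) -> list:
    """Split into n shares (x, y); any k of them reconstruct the secret."""
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [_encode(secret)] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation modulo PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def combine(shares: list) -> bytes:
    """Lagrange interpolation at x=0 from any k distinct shares."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share indices")
    total = 0
    for xj, yj in shares:
        num, den = 1, 1
        for xm, _ in shares:
            if xm != xj:
                num = num * xm % PRIME
                den = den * (xm - xj) % PRIME
        total = (total + yj * num * pow(den, -1, PRIME)) % PRIME
    return _decode(total)
```

With a constructed passphrase, `combine([s[0], s[3]])` for `s = split(b"correct horse battery staple", 2, 4)` returns the passphrase; a single share on its own reveals nothing about it.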
The very last step in the process is to ceremonially burn my paper with the passphrases.
Outro
You’ve made it to the end of my four-part series on personal key rotations. Did you follow along? If yes, you now have a good grasp of your online identity, and confidence that it is well protected.
What did you think of these posts? I welcome personal or anonymous feedback: write to jonas@purpureus.net or use this anonymous form.