How do you manage your encryption keys?

rutrum@lm.paradisus.day to Selfhosted@lemmy.world – 35 points –

I'm in desparate need of setting up borgmatic for borg backup. I would like to encrypt my backups. (I suppose, an unencrypted backup is better than none in my case, so I should get it done today regardless.)

How do I save those keys? Is there a directory structure I follow? Do you backup the keys as well? Are there keys that I need to write down by hand? Should I use a cloud service like bitwarden secrets manager? Could I host something?

Im ignorant on this matter. The most I've done is add ssh keys to git forges and use ssh-copyid. But I've always been able to access what I need to without keeping those (I login to the web interface.) Can you share with me best practices or what you do to manage non-password secrets?

12

You are viewing a single comment

Good catch... and that's why I keep up-to-date encrypted offline backups in two locations (home and office) always. That should be enough really, but I've been thinking about swapping one of those drives with a third backup at one of my relatives' house from time to time, just to make irrecoverable failure even less likely.

So you keep an encrypted backup at work with the decryption key at home, and an encrypted backup at home with the decryption key at work?

No, that would clearly defeat the purpose of redundant backups. I remember the passphrases for my backups.

1 more...