With SSH keys, if someone gains access to your computer/server, the attacker can gain access to every system that uses that key. To add an extra layer of security, you would add a passphrase to your SSH key.

The same is true for your 12/24 word seed recovery phrase. This is a list of words which store all the information needed to recover Bitcoin funds on-chain.

Protect your 12/24 word seed recovery phrase with a passphrase.

12/24 words + passphrase = 🔑🧔

However, forgetting this passphrase will result in the bitcoin wallet and any contained UTXO being lost. It is therefore important that you document your passphrase and store it separately from your 12/24 word seed recovery phrase.
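Why a forgotten or mistyped passphrase loses the wallet, shown as an added example that is not part of the original note. It assumes the wallet derives its seed the way BIP39 specifies (the note names no standard); the mnemonic is the public BIP39 test vector, used here as constructed sample input.

```python
import hashlib
import unicodedata

# Constructed sample input: the public BIP39 test-vector mnemonic (never fund it).
SAMPLE_WORDS = "abandon " * 11 + "about"


def _nfkd(text: str) -> bytes:
    # BIP39 normalizes both the mnemonic and the passphrase to NFKD before hashing.
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte wallet seed from the words plus optional passphrase.

    The passphrase is never verified against anything. It is mixed into the
    PBKDF2 salt, so every passphrase (including a typo) yields a valid seed.
    """
    salt = b"mnemonic" + _nfkd(passphrase)
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic), salt, 2048)


def seeds_for(mnemonic: str, passphrases: list[str]) -> dict[str, str]:
    """Map each candidate passphrase to the hex seed it would unlock."""
    return {p: bip39_seed(mnemonic, p).hex() for p in passphrases}


if __name__ == "__main__":
    # The intended passphrase next to three near misses a person could type.
    candidates = ["TREZOR", "trezor", "TREZOR ", ""]
    for passphrase, seed_hex in seeds_for(SAMPLE_WORDS, candidates).items():
        print(f"{passphrase!r:10} -> seed {seed_hex[:16]}...")
    # Four different seeds and no error: a wrong passphrase opens a
    # different, empty wallet instead of being rejected.
```

Because nothing rejects a wrong passphrase, the written record of it has to be exact, including case and whitespace.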


Discussion

Have you tried Yubikeys?

What are your favorite ways to use yubikeys? I use them for Yubico Authenticator and a few websites, but not in many other ways

Sign Git commits, SSH into my own machines, Encrypt/Decrypt/Sign/Verify with my GPG keys and of course I need it for most websites that support it.

I keep backup Yubikey in case I lose my main one.

I need to explore a lot of that. Am I correct that you can’t actually duplicate a yubikey? You have to register the backup with all those sources too? That’s the only thing keeping me from buying a second tomorrow - though I probably should.

Some websites let you configure more than one. Your password manager should let you add more than one

Yeah I really should do that. Probably time to buy a second even if one of the cheaper ones. I was so stoked the day I could completely replace Google Authenticator with the Yubikey NFC Authenticator. I think a lot of people don’t know that exists

It depends. If you want the SSH and GPG keys on the backup Yubikey you have to generate your master encrypt/sign key on an air-gapped machine and then create a backup of the .gnupg folder.

Generate your sub-keys for the first Yubikey.

Transfer the master key and sub-keys to the Yubikey.

Restore the .gnupg folder from the backup.

Generate your yubikeys for the second Yubikey and transfer the master key and sub-keys to the second Yubikey.

Every time you transfer keys to a Yubikey, you end up with stubs for those keys in your air-gapped machine, that’s why you need to make a backup of the .gnupg folder.

You could do this before or after, it doesn’t matter, but you should also export your master key and encrypt it with a passphrase and keep it secure. You can buy one of those rugged USB memory sticks or YOLO it with a micro SD card. You should do this even if you don’t have a second Yubikey.

Make sure you wipe that air-gapped machine once you are done!

If you only want to use the second Yubikey for signing into your password manager or something you can skip all that above and just register the second key.

Some security experts will frown at my recommendation because I didn’t suggest something, so just DYOR and find what’s the acceptable level of security that YOU want.

Had no idea this was even an option. Probably beyond my comfort level at this stage, but I am definitely going to read up on this. Appreciate you sharing in such depth