

Ask HN: How do you handle sensitive information (passwords, SSH keys, etc.)? - miGlanz

I'd like to get some ideas of proper procedures for handling sensitive information of your company. Something like: how do you store your SSH keys, who can access those and how, how are they backed up, where are they stored?

Basically I'd like to prepare a detailed procedure (checklist?) that would lower the possibility of losing this kind of important data.
======
nyellin
I'm working on a two-man project.

1. All sensitive information is encrypted.

2. SSH keys are password protected.

3. I store passwords in LastPass, with a unique master password.

4. SSH keys are stored on my own computer and backed up with Dropbox.

Point #4 is obviously the weakest link, so I am looking to change that.
However, so far, Dropbox's ubiquity justifies it. When my laptop died, I was
able to download and set up a new development machine in minutes.

------
marklabedz
For passwords and other sensitive, text-type, info: KeePass in Dropbox for
syncing <http://keepass.info/>

For SSH keys, tax returns, other sensitive documents: True Crypt volume
<http://www.truecrypt.org/>

------
ewan
<http://www.cyber-ark.com/digital-vault-products/enterprise-password/index.asp>
is something I've worked with, though I've never seen what I would consider a
well integrated deployment.

------
JoachimSchipper
Passphrase-protected SSH keys on an encrypted disk. The latter is key - it
makes mistakes so much less likely.
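Both nyellin's and JoachimSchipper's answers rely on SSH keys actually being passphrase-protected, which is easy to check by reading the key container's headers. The following is an added example (not code from the thread) that decides whether a private key file is encrypted at rest; the sample keys are constructed inline and are not usable keys.

```python
import base64
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
# Legacy PEM keys (ssh-keygen -m PEM) carry this header only when encrypted.
PEM_ENCRYPTED_RE = re.compile(r"^Proc-Type:\s*4,ENCRYPTED", re.MULTILINE)


def _ssh_string(buf, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    return buf[offset + 4:offset + 4 + length]


def key_is_passphrase_protected(pem_text):
    """True if the private key is encrypted at rest, False if stored in clear.

    Handles the openssh-key-v1 container (cipher name in the binary header),
    legacy PEM (Proc-Type header) and PKCS#8 ("ENCRYPTED PRIVATE KEY").
    """
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in pem_text:
        body = pem_text.split("-----BEGIN OPENSSH PRIVATE KEY-----", 1)[1]
        body = body.split("-----END OPENSSH PRIVATE KEY-----", 1)[0]
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher = _ssh_string(blob, len(OPENSSH_MAGIC))
        return cipher != b"none"  # unprotected keys record ciphername "none"
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text:
        return True
    if "PRIVATE KEY-----" in pem_text:
        return bool(PEM_ENCRYPTED_RE.search(pem_text))
    raise ValueError("not a recognised private key")


def _constructed_openssh_key(cipher, kdf):
    """Constructed openssh-key-v1 header for testing; not a usable key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed samples: what ssh-keygen writes without / with a passphrase.
UNPROTECTED_SAMPLE = _constructed_openssh_key(b"none", b"none")
PROTECTED_SAMPLE = _constructed_openssh_key(b"aes256-ctr", b"bcrypt")
LEGACY_PROTECTED_SAMPLE = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                           "DEK-Info: AES-128-CBC,00112233\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
```

Run `key_is_passphrase_protected` over the files in a key directory (skipping the `ValueError` raised for public keys and config files) to list any keys that were saved without a passphrase.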

