I have finally figured out a way to create an easy to setup backup plan for RSA keys.
Here’s the short version: use the service Boxcryptor to create an encrypted directory on your dropbox account. Put your RSA keys in there, then create a symlink to an automatically searched .ssh directory in your terminal path. (If you’ve never done this before, it’ll take about an hour. Once you know what you’re doing, it takes about 5 minutes.)
Here’s a longer version:
So, why does this matter? In 2004, my laptop was stolen. (My own stupidity was involved because I left it unattended in the airport for a little longer than desired. The term stolen, therefore, is a little dramatic, but never the less, all my data was lost.) I had been traveling for 6-months in an internet-poor area, so I lost 6 FULL MONTHS OF DATA. Ouch. I actually cried.
Since then, I have been on a personal quest to keep my data in a constant state of fault-tolerance. My goal: be able to drop my laptop in a lake without losing anything.
Today, some of this is easy: (1) Get a dropbox account (or Box or Drive). (2) Create a virtual drive on your machine. (3) Keep everything in there that you possibly can.
That system takes care of 90% of your data-loss woes. But there is a problem: what about things that are too sensitive to store on Dropbox? Dropbox is only as secure as the fickle internet will allow, afterall.
Until today, I’ve been relying on manually copying that information onto a physical backup drive. (Translation: that’s what I tell myself when I know the actual answer is that I’ve basically been not backing that stuff up.)
Today, I discovered Boxcryptor. An amazing service. Here’s how it works: (1) Boxcryptor sets up a virtual drive on your local machine that is protected by AES-256 and RSA encryption algorithms, (2) you store anything sensitive in that drive (financials, login credentials, secret plots, etc.), (3) Boxcryptor encrypts the data, and stores the encrypted data on your dropbox cloud, where it is backed up and shared with your other machines.
Voila! You’re covered.
Boxcryptor was a ..little.. difficult to setup because I didn’t understand their mental model of how folders are encrypted. You have to access your files through the boxcryptor virtual drive that it creates, not via your usual dropbox directory. Knowing that, the process is pretty straightforward. This is actually a really helpful reminder for knowing when you’re operating encrypted, and when you aren’t.
The rest of this is just my personal way of making this setup easier to use. It’s optional, but makes the change transparent when working with RSA keys on the terminal (which I do all the time.)
Now, for authentication credentials, it takes a little bit more hacking to get this to work seamlessly. For example, when you log into something using the terminal, your boxcryptor encrypted drive is probably not in you path for ssh public keys. There are two fixes for this:
(1) Add your Boxcryptor virtual drive to your public key search path. (I don’t like this because I don’t like dirty search paths)
(2) Create a symbolic link from your Boxcryptor virtual drive to your usual public key storage location. (This is what I did)
Here’s how I did that. Disclaimer: If you can’t understand this code, you probably don’t want to be using this.
Go to the right place:
> cd ~
Make a backup incase you screw up
> cp -r .ssh .sshbak
Move your keys into your new encrypted drive
> mv .ssh /Volumes/Boxcryptor/Dropbox/Encrypted/ssh
Create a symbolic link so that you can still reference your keys from their old location
> ln -s /Volumes/Boxcryptor/Dropbox/Encrypted/ssh/ ~/.ssh
Now, you can access your keys like they were in their old home:
> ssh -i ~/.ssh/superkey.pem ubuntu@ec2-54-198-256-097.compute-1.amazonaws.com