New year means new keys

The only New Year's resolution I've ever made, and follow each year, is this - rotate your keys!

In the security realm long-lived keys are a bane - they allow any unknown compromise to persist over time. In a perfect world we would be able to have keys with very, very short lifespans, but unless that is highly automated it can become a chore - and any security practice that is onerous will become one that is skipped.

Instead, what I do for most of my keys is rotate them yearly; the exception to my rule is my Ops-related keys, which are rotated much, much more often than yearly. I'm talking about things like personal servers and the like, as the holiday break is a good time for these types of personal infra cleanups.

My process for rotation involves a research step and then the implementation step.

First I take a few minutes to review the best practices to see if anything new has changed, and my go-to place for that is the Mozilla InfoSec wiki, which is where I double-check my nginx config but also my sshd config.

Once I have those notes I rename/move all of my current keys to "backup" names and then generate new keys for GitHub, personal servers and my local Git server. Having the old keys around in backup form allows me to still get into the servers that I invariably forget I needed (or had) access to, not to mention that you do need the old key long enough to update a server to the new one ;)

ssh-keygen -t ed25519 -f ~/.ssh/name_of_new_key
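The backup-then-regenerate step above, as an added shell example (not the post's own script): backup_key moves the current key pair aside under a dated "backup_" name so the old key keeps working until every server and service has the new public key, rotate_key then runs the same ssh-keygen command as the post, and list_backups shows which old keys are still lying around so they can be deleted once the rollout is done. The key directory, key name and comment are parameters; the ROTATE_STAMP override and the -N '' (empty passphrase, used only so the example runs non-interactively) are assumptions of this example, not anything the post prescribes.

```shell
#!/bin/sh
# Added example of the yearly SSH key rotation described in the post.
# Assumptions: keys live in a directory passed as an argument (default ~/.ssh);
# the new public key is uploaded to GitHub / servers by hand afterwards.

# backup_key KEY_NAME SSH_DIR
# Move KEY_NAME and KEY_NAME.pub to backup_<date>_KEY_NAME(.pub).
# The date stamp can be forced with ROTATE_STAMP (used by tests); the
# default is today's date so successive yearly rotations do not collide.
backup_key() {
  key_name=$1
  ssh_dir=$2
  stamp=${ROTATE_STAMP:-$(date +%Y%m%d)}
  priv="$ssh_dir/$key_name"
  pub="$priv.pub"
  # Nothing to back up on the very first rotation.
  [ -f "$priv" ] || [ -f "$pub" ] || return 0
  if [ -f "$ssh_dir/backup_${stamp}_$key_name" ]; then
    echo "backup_${stamp}_$key_name already exists, refusing to overwrite" >&2
    return 1
  fi
  [ -f "$priv" ] && mv "$priv" "$ssh_dir/backup_${stamp}_$key_name"
  [ -f "$pub" ]  && mv "$pub"  "$ssh_dir/backup_${stamp}_$key_name.pub"
  return 0
}

# rotate_key KEY_NAME [SSH_DIR] [COMMENT]
# Back up the existing pair, then generate a fresh ed25519 pair with the
# command from the post. Prints the path of the new public key, which is
# what gets pasted into GitHub / appended to authorized_keys on each server.
rotate_key() {
  key_name=$1
  ssh_dir=${2:-"$HOME/.ssh"}
  comment=${3:-"$(id -un)-rotated-$(date +%Y)"}
  mkdir -p "$ssh_dir"
  chmod 700 "$ssh_dir"
  backup_key "$key_name" "$ssh_dir" || return 1
  # -N '' keeps this example non-interactive; for a real rotation drop it
  # and set a passphrase when prompted.
  ssh-keygen -q -t ed25519 -N '' -C "$comment" -f "$ssh_dir/$key_name" || return 1
  chmod 600 "$ssh_dir/$key_name"
  echo "$ssh_dir/$key_name.pub"
}

# list_backups SSH_DIR
# Private backup keys left from earlier rotations; delete them once every
# server and service has accepted the new key.
list_backups() {
  find "$1" -maxdepth 1 -type f -name 'backup_*' ! -name '*.pub' | sort
}

# Usage (uncomment to run for real):
#   rotate_key github            # backs up ~/.ssh/github, writes a new pair
#   ssh-keygen -lf "$HOME/.ssh/github.pub"   # fingerprint to compare on the server side
#   list_backups "$HOME/.ssh"    # old keys still to be cleaned up
```

The refusal to overwrite an existing backup of the same name is the one check worth keeping: without it a second run on the same day would silently destroy the only copy of the old private key while servers still trust it.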

That's it - nothing fancy or complicated, just a good simple process to help make things less easy for hackers.

A good writeup on what the latest SSH keytypes are and their adoption: https://chealion.ca/2016/06/20/ssh-key-types-and-cryptography-the-short-notes/
