How do you manage your encryption keys? - eviltoast

I’m in desparate need of setting up borgmatic for borg backup. I would like to encrypt my backups. (I suppose, an unencrypted backup is better than none in my case, so I should get it done today regardless.)

How do I save those keys? Is there a directory structure I follow? Do you backup the keys as well? Are there keys that I need to write down by hand? Should I use a cloud service like bitwarden secrets manager? Could I host something?

Im ignorant on this matter. The most I’ve done is add ssh keys to git forges and use ssh-copyid. But I’ve always been able to access what I need to without keeping those (I login to the web interface.) Can you share with me best practices or what you do to manage non-password secrets?

  • Dave@lemmy.nz
    link
    fedilink
    English
    arrow-up
    4
    ·
    5 months ago

    But if your encryption keys to your offsite backup are on-site only, doesn’t that make your offsite backup worthless in the case where “offsite” is important?

    If your house burns down, you don’t have your encryption keys to your only backup.

    • fullstackhipster@awful.systems
      link
      fedilink
      English
      arrow-up
      3
      ·
      5 months ago

      Good catch… and that’s why I keep up-to-date encrypted offline backups in two locations (home and office) always. That should be enough really, but I’ve been thinking about swapping one of those drives with a third backup at one of my relatives’ house from time to time, just to make irrecoverable failure even less likely.

      • Dave@lemmy.nz
        link
        fedilink
        English
        arrow-up
        1
        ·
        5 months ago

        So you keep an encrypted backup at work with the decryption key at home, and an encrypted backup at home with the decryption key at work?