Companion to digital resiliency 2025. Follow to become moderately more digitally resilient. This list does not implement every single suggestion from that post. But it puts you in a really good position to implement more later if desired.
Cheap wins
So called because altogether these will probably cost you less than $10 total in the first year, and under $100 in the first decade. (At least if your data needs are similar to mine in scope.)
- Install KeePassXC to computer.
- New database. Strong new password. Never store online. Memorize.
- Install Aegis to phone.
- Strong new password. Never store online. Memorize.
- Turn on automatic backups.
- Turn on full disk encryption (BitLocker, FileVault, LUKS, GELI, etc).
- Strong new password. All future passwords OK to store in KeePass.
- Install Syncthing to both computer and phone.
- Use to sync Aegis backups from phone to computer.
- Use to sync KeePass database between phone and computer.
- $5 or more into new tarsnap account.
- New tarsnap key. Print immediately for safekeeping / in case of emergency.
- `cron`: KeePass db to `tarsnap`, hourly. Should be very fast, since tarsnap deduplicates and the database is one small file that rarely changes. Example script.
- Test tarsnap restore. Ensure you can grab any previous KeePass database version from the last few hours: list the archives, extract one into a scratch directory, open it. Practice makes perfect!
- Install restic.
- Create Backblaze B2 account.
- Turn on 2FA, and print the TOTP QR code (or its secret) immediately as a backup; it goes in the safe later.
- Create new bucket in Backblaze B2 account.
- Turn on Object Lock. Ransomware protection: a stolen key cannot delete or overwrite locked objects until the retention period expires, so pick a retention that is at least as long as you want old snapshots to survive.
- `restic backup your/home` to the new bucket.
- Strong new password for restic encryption. Store in KeePass. Store in a local env file for automated backups (owner-only file permissions; it only ever needs to live on the encrypted disk).
- First sync will take a while. Consider leaving PC on overnight.
- Later syncs will be much faster.
- `systemd` timer: `/home` to B2, daily, and at startup if the last run was missed (`Persistent=true` in the timer unit).
- Test restoring a single file from B2 with `restic restore`. Maybe one of the Aegis backups?
- Test restoring a full directory from B2 with `restic restore`.
- Test verifying integrity from B2 with `restic check`. By default it checks repository structure only; add `--read-data` (or `--read-data-subset` to sample) to actually download and verify pack files, which costs egress.
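The hourly KeePass-to-tarsnap job and the restore test from the steps above, as an added example (it is not the page's linked example script). It assumes the database sits at a Syncthing-synced path, that tarsnap is already configured with the printed key, and that `sha256sum` or `shasum` is available; the `TARSNAP` variable exists only so the job can be exercised against a stand-in command.

```sh
#!/bin/sh
# Hourly KeePass database -> tarsnap, plus a restore check.
# Added example, not the page's linked script. Assumptions: the synced
# database is $KEEPASS_DB, tarsnap already knows its key (tarsnap.conf or
# ~/.tarsnaprc), and sha256sum or shasum is installed.
set -eu

KEEPASS_DB="${KEEPASS_DB:-$HOME/Sync/Passwords.kdbx}"   # assumed path
TARSNAP="${TARSNAP:-tarsnap}"                          # overridable for testing
PREFIX="${PREFIX:-keepass}"                            # archive-name prefix

# SHA-256 of a file, GNU coreutils or macOS.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Archive names carry a UTC timestamp, so every hourly run is unique and a
# lexical sort of the names is chronological.
archive_name() {
    printf '%s-%s\n' "$PREFIX" "$(date -u +%Y%m%dT%H%M%SZ)"
}

# Newest archive with our prefix (tarsnap --list-archives output is unordered).
latest_archive() {
    "$TARSNAP" --list-archives | grep "^$PREFIX-" | sort | tail -n 1
}

# Back up a private snapshot of the database; print "<archive> <sha256>".
# Copying first gives a consistent point-in-time file even if KeePassXC or
# Syncthing rewrites the database mid-run, and the digest lets the restore
# check compare against exactly what was archived, not the live file.
backup_keepass() {
    [ -f "$KEEPASS_DB" ] || { echo "no database at $KEEPASS_DB" >&2; return 1; }
    stage=$(mktemp -d)
    base=$(basename "$KEEPASS_DB")
    cp "$KEEPASS_DB" "$stage/$base"
    sum=$(digest "$stage/$base")
    name=$(archive_name)
    "$TARSNAP" -c -f "$name" -C "$stage" "$base"
    rm -rf "$stage"
    echo "$name $sum"
}

# Restore check: extract the archive into a scratch dir and compare the
# restored file's digest with the expected one (default: the live database).
verify_restore() {
    name="$1"
    want="${2:-$(digest "$KEEPASS_DB")}"
    tmp=$(mktemp -d)
    "$TARSNAP" -x -f "$name" -C "$tmp"
    restored="$tmp/$(basename "$KEEPASS_DB")"
    [ -f "$restored" ] || { echo "restore of $name produced no file" >&2; rm -rf "$tmp"; return 1; }
    got=$(digest "$restored")
    rm -rf "$tmp"
    [ "$got" = "$want" ]
}

# Cron line for the hourly job (assumed install path):
#   0 * * * * /usr/local/bin/keepass-tarsnap.sh run
if [ "${1:-}" = "run" ]; then
    out=$(backup_keepass)
    name=${out%% *}
    sum=${out##* }
    verify_restore "$name" "$sum" && echo "backed up and verified $name"
fi
```

Running `verify_restore` after every backup means a broken key file, an expired tarsnap balance or a stale cache turns into a non-zero exit that cron mails you the same hour, rather than something discovered on the day you need the database back. `latest_archive` is the "grab any previous version" step: swap `tail -n 1` for `tail -n 24` to see the last day's archives.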
Sin atonement
Necessary evils to ensure a clean security slate going forward. Turn a radio on.
- Decide, hardware keys: yes or no?
  - If yes: at least two. Then decide, offsite storage (e.g. safe deposit boxes, grandma’s house): yes or no? How many?
    - If yes: at least n + 2 keys, where n = number of offsite locations.
      - n+1’th key for your safe / home storage, away from the desk
      - n+2’th key for actual daily use
- ⏲️ Move all passwords, accounts, TOTP etc. to KeePassXC, Aegis, hardware keys if included. Turn on 2FA for all possible accounts - passkeys > hardware key-based 2FA > Aegis TOTP 2FA > everything else. This will take time, probably a few days.
- Exports from web browsers?
- Exports from cloud-based password managers?
- Exports from random docs, Post-It notes, etc?
- After: register for data-breach notifications on every email address involved.
- Going forward, rotate a password when its service is breached; otherwise treat it as OK as long as 2FA is on.
Capex optimization
Strategic purchases that are not strictly necessary, but often very helpful.
- Decide, external hard drive: Yes or no? (STRONGLY, STRONGLY RECOMMENDED but technically optional)
- If yes: `restic backup your/home` to the drive, hourly. `cron` or `systemd`, either works.
- Strong new password for restic encryption (a separate repository, so a separate password). Store in KeePass. Store in a local env file for automated backups.
- First sync will take a while.
- Later syncs will be much faster.
- Decide, home safe: Yes or no?
- If yes: UL Class 350, 1-hour rating or better (the interior stays under 350 °F, the point at which paper chars). Waterproofing is a plus, but a waterproof bag inside works too. Boltable to floor/wall is a big plus, anti-theft.
- Store originals of all important documents in there.
- If hardware keys: store one hardware key in there (don’t expect it to survive a fire; that is what the offsite copies are for).
- Store the printed Tarsnap key in there, ideally in multiple copies + multiple formats (QR codes, etc.).
- Decide, KeePass / Aegis password sharding (much harder to steal from one compromised location): yes or no?
- If no: print out and keep the KeePass + Aegis passwords in the safe and in every deposit box.
- If yes: `ssss-split` each password into shares, one unique share per box/safe (one for KeePass and one for Aegis in each location). Use a threshold of 2, so any 2 boxes together recover the password and a single box on its own reveals nothing.
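The `systemd` job the list asks for, in both places it comes up (the daily `/home` to B2 run under Cheap wins, and the hourly external-drive run above), as an added example that is not code from the page: a small installer that writes the env file holding the restic password, a oneshot service that reads it, and a timer with `Persistent=true` so a run missed while the laptop was off fires at the next boot. The unit name `restic-home`, the env-file path `/etc/restic/b2.env`, the bucket name and the `change-me` placeholders are assumptions.

```sh
#!/bin/sh
# Install a systemd service + timer that runs restic on a schedule.
# Added example, not from the page. Assumed: unit name, env-file path,
# bucket name and placeholder credentials; restic lives at /usr/bin/restic.
set -eu

UNIT_DIR="${UNIT_DIR:-/etc/systemd/system}"
ENV_FILE="${ENV_FILE:-/etc/restic/b2.env}"
NAME="${NAME:-restic-home}"
SCHEDULE="${SCHEDULE:-daily}"    # OnCalendar= value; use "hourly" for the external-drive repo
SOURCE="${SOURCE:-/home}"

# Secrets file: restic password and B2 key, root-only, on the encrypted disk.
# The values are placeholders to be replaced with the ones kept in KeePass.
write_env_file() {
    mkdir -p "$(dirname "$ENV_FILE")"
    umask 077
    cat > "$ENV_FILE" <<'EOF'
# Placeholders: paste the real values from KeePass.
RESTIC_REPOSITORY=b2:my-bucket:/home
RESTIC_PASSWORD=change-me
B2_ACCOUNT_ID=change-me
B2_ACCOUNT_KEY=change-me
EOF
    chmod 600 "$ENV_FILE"
}

# Oneshot service: waits for the network, loads the secrets, runs the backup
# at low CPU/IO priority so it does not fight the interactive session.
service_unit() {
    cat <<EOF
[Unit]
Description=restic backup of $SOURCE
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
EnvironmentFile=$ENV_FILE
ExecStart=/usr/bin/restic backup --exclude-caches $SOURCE
Nice=19
IOSchedulingClass=idle
EOF
}

# Timer: Persistent=true records the last trigger on disk and fires a missed
# run as soon as the timer is next active, i.e. at boot after a day off.
timer_unit() {
    cat <<EOF
[Unit]
Description=$SCHEDULE restic backup

[Timer]
OnCalendar=$SCHEDULE
Persistent=true
RandomizedDelaySec=10m

[Install]
WantedBy=timers.target
EOF
}

install_units() {
    mkdir -p "$UNIT_DIR"
    service_unit > "$UNIT_DIR/$NAME.service"
    timer_unit > "$UNIT_DIR/$NAME.timer"
}

# Usage: sudo ./restic-units.sh install   (then: systemctl list-timers)
if [ "${1:-}" = "install" ]; then
    [ -f "$ENV_FILE" ] || write_env_file
    install_units
    systemctl daemon-reload
    systemctl enable --now "$NAME.timer"
fi
```

For the external drive, run the same installer with `NAME=restic-usb SCHEDULE=hourly ENV_FILE=/etc/restic/usb.env` and put the drive's mount path in `RESTIC_REPOSITORY`; adding `ConditionPathIsMountPoint=` for that path to the `[Unit]` section of the service keeps restic from initialising an empty repository on the bare mount point when the drive is unplugged.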
Chaos engineering
We are what we repeatedly do.
- Every morning: roll d100
- roll 3: factory reset phone, restore from backups, learn from mistakes
- roll 2: factory reset laptop, restore from backups, learn from mistakes
- roll 1: factory reset phone and laptop simultaneously, restore from backups, learn from mistakes