Digital resiliency 2025 - checklist

Companion to digital resiliency 2025. Follow to become moderately more digitally resilient. This list does not implement every single suggestion from that post. But it puts you in a really good position to implement more later if desired.

Cheap wins

So called because altogether these will probably cost you less than $10 total in the first year, and under $100 in the first decade. (At least if your data needs are similar to mine in scope.)

• Install KeePassXC to computer.
  • New database. Strong new password. Never store online. Memorize.
• Install Aegis to phone.
  • Strong new password. Never store online. Memorize.
  • Turn on automatic backups.
• Turn on full disk encryption (BitLocker, FileVault, LUKS, GELI, etc).
  • Strong new password. All future passwords OK to store in KeePass.
• Install Syncthing to both computer and phone.
  • Use to sync Aegis backups from phone to computer.
  • Use to sync KeePass database between phone and computer.

• $5 or more into new tarsnap account.
• New tarsnap key. Print immediately for safekeeping / in case of emergency.
• cron - KeePass db to tarsnap, hourly. Should be very fast. Example script.
• Test tarsnap restore. Ensure you can grab any previous KeePass database version from the last few hours. Practice makes perfect!

• Install restic.
• Create Backblaze B2 account.
  • Turn on 2FA, and print immediately the QR code for TOTP backup.
• Create new bucket in Backblaze B2 account.
  • Turn on Object Lock. Ransomware protection.
• restic backup your /home to new bucket.
  • Strong new password for restic encryption. Store in KeePass. Store in local env file for automated backups.
  • First sync will take a while. Consider leaving PC on overnight.
  • Later syncs will be much faster.
• systemd - /home to B2, daily, at startup if last one missed (Persistent flag)
• Test restoring a single file from B2 with restic restore - maybe one of the Aegis backups?
• Test restoring a full directory from B2 with restic restore.
• Test verifying integrity from B2 with restic check.

Sin atonement

Necessary evils to ensure a clean security slate going forward. Turn a radio on.

• Decide, hardware keys: Yes or no?
  • If yes - at least two. Decide, offsite storage (e.g. safe deposit boxes, grandma’s house) - yes or no? How many?
    • If yes - at least n + 2 keys, where n = number of offsite locations.
      • n+1’th key for your safe / home storage away-from-desk
      • n+2’th key for actual daily use
• ⏲️ Move all passwords, accounts, TOTP etc. to KeePassXC, Aegis, hardware keys if included. Turn on 2FA for all possible accounts - passkeys > hardware key-based 2FA > Aegis TOTP 2FA > everything else. This will take time, probably a few days.
  • Exports from web browsers?
  • Exports from cloud-based password managers?
  • Exports from random docs, Post-It notes, etc?
• After: Register for data breach watches on all associated emails.
  • Mozilla Monitor
  • Have I Been Pwned?
• Future passwords to be rotated upon data breach, assumed OK otherwise if 2FA is on.

Capex optimization

Strategic purchases that are not strictly necessary, but often very helpful.

• Decide, external hard drive: Yes or no? (STRONGLY, STRONGLY RECOMMENDED but technically optional)
  • If yes - restic backup your /home hourly, cron or systemd, either work.
    • Strong new password for restic encryption. Store in KeePass. Store in local env file for automated backups.
    • First sync will take a while.
    • Later syncs will be much faster.
• Decide, home safe: Yes or no?
  • If yes - UL Class 350 1-hour or better. Waterproofing a plus but can get a waterproof bag as well. Boltable to floor/wall big plus, anti-theft.
  • Store originals of all important documents in there.
  • If hardware keys - store hardware key in there (don’t expect it to survive a fire).
  • Store printed Tarsnap key in there, ideally in multiple copies + multiple formats (QR codes, etc.).
• Decide, KeePass / Aegis password sharding (much harder to steal from one compromised location): Yes or no?
  • If no - print out and keep KeePass + Aegis passwords in safe, all deposit boxes
  • If yes - ssss-split passwords into secrets, one unique secret for both per box/safe. Require at least 2 secrets from any 2 boxes to recover the password.

Chaos engineering

We are what we repeatedly do.

• Every morning: roll d100
  • roll 3: factory reset phone, restore from backups, learn from mistakes
  • roll 2: factory reset laptop, restore from backups, learn from mistakes
  • roll 1: factory reset phone and laptop simultaneously, restore from backups, learn from mistakes