Securing Your Credentials

Keeping your credentials safe is a vital part of using the web. This page covers good practices for securing your Yubikey and your accounts.

The name of the game is to ensure you secure your certificates and Yubikeys in a manner where there's only one way to gain access.

As a brief summary, train yourself to use the following practices:

  • Always export certificates to .PFX with a passphrase.

  • When using OpenSSL to generate, always provide a secure PEM password.

  • Ensure the default PINs on your Yubikey are changed.

    • Yubikey PINs should NOT be anything related to you, such as bank debit card PINs, the numbers for your address, postal code, part of your phone number, etc.

    • This includes your FIDO2 PIN to authenticate with websites.

  • Do not use the same passphrases and PINs you use for other services.

    • Your certificate passphrases should not be ones you've used with other websites or programs such as Bitwarden, KeePassXC, Aegis, etc.

  • In the program Yubikey Authenticator, enable a password by clicking and selecting Manage Password.

  • If you use a third-party backup application such as Duplicati to back up your generated certificates, be sure to select AES-256 or GNU Privacy Guard as the encryption method. That way, if anyone obtains your backed-up data files, they are still protected.

    • You can also set a passphrase on the backup; make sure it is NOT the same as any of your certificate passphrases.

  • The ideal backup method is to copy your private keys to an external USB storage device that is connected to your computer only when you need them.

    • You can also enhance this security by creating a small encrypted partition on your USB drive using Veracrypt and also enabling Bitlocker.
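The first two practices above, exporting to a passphrase-protected .pfx and always giving OpenSSL a PEM password, are easy to get wrong silently: an export that forgot the passphrase looks identical from the outside. The script below is an added example, not part of the original guide. It assumes the OpenSSL 1.1/3.x command-line tool and a POSIX shell; the key, certificate subject, output directory and passphrase are all constructed for the demo. It generates a protected key, exports it to a protected .pfx, and, the part worth keeping, checks that the PEM on disk is actually encrypted before it goes anywhere near a backup.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes OpenSSL 1.1/3.x and a
# POSIX shell. Everything under $WORK is constructed for the demo. The
# passphrase is read from the environment (env:KEY_PASS) so it never appears
# in the process list, which the "pass:..." form would expose.

# Returns 0 if the PEM file holds an encrypted private key, 1 if the key is
# stored in the clear, i.e. the mistake the guide warns against.
# Covers both PKCS#8 ("ENCRYPTED PRIVATE KEY") and legacy PEM headers.
pem_key_is_encrypted() {
  grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
          -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Generates a passphrase-protected RSA key plus a self-signed certificate,
# then exports both into a passphrase-protected .pfx (PKCS#12) bundle.
# Argument: output directory. The passphrase comes from $KEY_PASS.
make_protected_pfx() {
  dir=$1
  [ -n "$KEY_PASS" ] || { echo "KEY_PASS is not set" >&2; return 1; }
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 \
    -subj '/CN=demo-backup-cert' \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -passout env:KEY_PASS 2>/dev/null || return 1
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -out "$dir/bundle.pfx" -passin env:KEY_PASS -passout env:KEY_PASS 2>/dev/null
}

# Returns 0 if the .pfx opens with the passphrase in $KEY_PASS, 1 otherwise.
# Running it with a wrong passphrase is a quick way to confirm the bundle
# really is protected.
pfx_opens_with_pass() {
  openssl pkcs12 -in "$1" -noout -passin env:KEY_PASS 2>/dev/null
}

# Stand-alone demo, skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
  WORK=$(mktemp -d)
  KEY_PASS='demo-only-change-me'; export KEY_PASS   # constructed for the demo
  if make_protected_pfx "$WORK" && pem_key_is_encrypted "$WORK/key.pem" \
     && pfx_opens_with_pass "$WORK/bundle.pfx"; then
    echo "key.pem is encrypted and bundle.pfx is passphrase-protected"
  fi
  rm -rf "$WORK"
fi
```

The useful habit is the check, not the generation: run `pem_key_is_encrypted` over any key file before it is copied to a USB drive or a backup job, because a `.pem` with a plain `-----BEGIN PRIVATE KEY-----` header is readable by anyone who gets hold of the backup.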

❊ Fort Knox

If you are absolutely crazy about security, one commonly used structure is a layered process.

Why is it Overkill?

You'd first have to unlock your Bitlocker drive, which requires either a Yubikey + PIN, password, or recovery key.

Then you'd mount the Veracrypt volume, which requires a password + PIM + Yubikey depending on how it's configured.

You would then decrypt the GPG file which requires a valid private key + key passphrase + encryption password.

Finally, you would open the RAR file, which requires a password to extract everything.

That comes out to a total of:

  • x2 Yubikey Authorizations

  • x2 PINs

  • x5 passwords

  • x1 GPG private key

  • x1 PIM

If you ensure all of those layers of passwords are different from one another, it just makes it that much more difficult.

The only time I could see this as even somewhat advisable is if you must use an online cloud service to store files for off-site backups. You could throw the Veracrypt volume on your Google Drive / Microsoft Onedrive. The security in place with a strong series of passwords should ensure that even if the file gets leaked, it would be practically impossible to break through those layers.

But this also means ensuring all the layers of passwords are completely different. If you use the same password for each layer, then the password is almost pointless. Once they breach the first layer, the password is given to them. It would still be protected by your Yubikey / keyfile and GPG key, but you don't want someone getting even the first bit correct.

STEP 1

Connect your USB thumb drive and Yubikey into your computer.

STEP 2

Enable Bitlocker encryption on your USB drive. You can follow the Bitlocker Tutorial provided by us for setting this up.

You will have to unlock your USB thumb drive every time you plug it in, which will require a password or Yubikey + PIN.

STEP 3

You will need to create a Veracrypt drive. An encrypted drive is a single file that you will store on your USB Thumb Drive. You can follow our Veracrypt Tutorial for setting a drive up using your Yubikey.

Every time you unlock your drive with Bitlocker, you must launch Veracrypt and select your Veracrypt encrypted file on your USB thumb drive. Mounting this volume can be protected in several ways, including requiring a Yubikey, a passphrase, and even a custom PIM. The tutorial listed above explains this in detail.

STEP 4

Within your encrypted Veracrypt drive file, you will store your documents in a .rar archive. What you store there depends on what you feel needs to be secured; a few ideas are:

  • KeePassXC password manager database

  • .pfx / key files for generated certificates

  • Any master passwords you have written down that you absolutely cannot lose

  • Backups you've generated using Duplicati

You can decide what is important and what to store.

Once you've put all of your important files into a single folder, you will right-click on the files / folder, and select WinRAR -> Add to archive...

If you do not see this option on your right-click context menu, ensure you have WinRAR installed. You can also use WinZip or 7-Zip.

Enter an archive name and select the format you want to use; RAR and ZIP are the most common.

Select at the bottom.

Enter a password to protect the archive. Do NOT use a password that you've used for other things.

Select Encrypt File Names and select

Select once more and wait for your archive to be created.

You should see a new file in the folder where your files are:

Every time you extract this archive, you'll be required to enter the password that you specified during the archive creation process.

STEP 5

This step requires you to take the .rar archive you created earlier, and now encrypt it using Gpg4win.

Before getting started, you must have a GPG key created. You can follow our GPG Generation Guide.

Right click on the .rar file that you created earlier, and select More GpgEX options -> Encrypt.

You will see a dialog box appear:

You can sign the file if you wish by selecting your GPG key in the Sign As box.

Select Encrypt for me and select your GPG key for this option. This means that only your GPG key will allow you to decrypt your rar archive whenever you need it. You must ensure that you put your GPG key somewhere safe and always have a backup. This key can also be stored on your Yubikey.

Finally, select Encrypt with password.

This will mean that your archive has a dual system for decrypting:

  • You must have the correct GPG key in order to decrypt the rar file.

    • You will also be required to enter the passphrase you specified when you first created your GPG key. So if you choose the option below, you'll actually be prompted for two different passwords in order to decrypt.

  • You must have the correct password to decrypt.

If you lose either one of those, you cannot decrypt.

Remember that if you encrypt it using your GPG key so that only your GPG key can be used to open the archive AND put a passphrase on the file itself, you'll need two different passwords to decrypt your archive.

You'll be presented with the following dialog each time you decrypt:

Once your file is encrypted, you will see:

Go back to the folder you've been working with, and you should see an additional file now:

The secureFiles.rar file can now be deleted.

The secureFiles.rar.gpg file is where your certificates, keys, and rar file are all stored. This is the file you must keep.

You can then take the file and transfer it over to your Veracrypt drive.

DECRYPTION

When it comes time to decrypt your .gpg and .rar files, you will open the secureFiles.rar.gpg file.

You will first be prompted to enter the passphrase you set when encrypting the gpg file:

And then you will be prompted to enter your GPG key's passphrase:

The program should then give you the following success message:

Next, you should have the .rar file sitting in the same folder, which you need to open.

You will now be prompted for the RAR password you set when you made the rar archive:

Once you enter the correct password, your files will be extracted and you can now view them.
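Step 5 and the Decryption section above walk through the Gpg4win dialogs. The script below is an added example, not part of the original guide, showing the same "Encrypt for me" plus "Encrypt with password" combination with the gpg command line that Gpg4win also installs, followed by a check that both layers actually ended up in the .gpg file and a decryption round trip. It assumes gpg 2.1 or newer; the throwaway key, its user id, the stand-in archive contents and both passphrases are constructed for the demo, and `--passphrase` is used only so the script runs unattended (real use lets the pinentry dialog ask, as the screenshots above show).

```shell
#!/bin/sh
# Added example, not from the original guide. Reproduces the Step 5 dialog
# ("Encrypt for me" + "Encrypt with password") with the gpg command line,
# verifies both layers are present, and decrypts. Assumes gpg >= 2.1.
# The key, archive contents and passphrases are constructed for the demo.

# Creates a throwaway keyring in a fresh GNUPGHOME with one key protected by
# $KEY_PASS. Argument: user id.
make_demo_key() {
  GNUPGHOME=$(mktemp -d); export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  gpg --batch --quiet --pinentry-mode loopback --passphrase "$KEY_PASS" \
      --quick-generate-key "$1" default default never 2>/dev/null
}

# Encrypts $2 into $3 for recipient $1 ("Encrypt for me") and, in the same
# file, with the symmetric passphrase in $SYM_PASS ("Encrypt with password").
encrypt_key_and_password() {
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase "$SYM_PASS" \
      --trust-model always --recipient "$1" --encrypt --symmetric \
      --output "$3" "$2" 2>/dev/null
}

# Returns 0 only if the file carries both a public-key session-key packet and
# a symmetric (passphrase) session-key packet, i.e. both layers are present.
has_both_layers() {
  pk=$(gpg --batch --pinentry-mode loopback --passphrase "$KEY_PASS" \
           --list-packets "$1" 2>/dev/null)
  printf '%s\n' "$pk" | grep -q ':pubkey enc packet:' &&
  printf '%s\n' "$pk" | grep -q ':symkey enc packet:'
}

# Decrypts $1 into $2 using the GPG key, unlocked with $KEY_PASS.
decrypt_with_key() {
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase "$KEY_PASS" \
      --output "$2" --decrypt "$1" 2>/dev/null
}

# Full round trip; returns 0 when the decrypted archive matches the original.
run_demo() {
  KEY_PASS='demo-key-passphrase'; SYM_PASS='demo-file-password'  # constructed
  export KEY_PASS SYM_PASS
  make_demo_key 'Demo Owner <demo@example.invalid>' || return 1
  work=$(mktemp -d)
  # Stand-in for the secureFiles.rar archive from Step 4 (constructed content).
  printf 'constructed stand-in for secureFiles.rar\n' > "$work/secureFiles.rar"
  encrypt_key_and_password 'demo@example.invalid' \
      "$work/secureFiles.rar" "$work/secureFiles.rar.gpg" || return 1
  has_both_layers "$work/secureFiles.rar.gpg" || return 1
  decrypt_with_key "$work/secureFiles.rar.gpg" "$work/restored.rar" || return 1
  cmp -s "$work/secureFiles.rar" "$work/restored.rar"
  status=$?
  gpgconf --kill gpg-agent 2>/dev/null
  rm -rf "$work" "$GNUPGHOME"
  return $status
}

# Stand-alone demo, skipped when gpg is not installed.
if command -v gpg >/dev/null 2>&1; then
  run_demo && echo "both layers present; decrypted with the key passphrase"
fi
```

`has_both_layers` is the check to keep: it confirms the file contains one session-key packet per method, which is what the two options in the dialog produce. Because OpenPGP stores those packets side by side, gpg opens the file with whichever one it can unlock, which is why the decrypt step here needs only the key passphrase; the symmetric password is the fallback that still works if the key is unavailable.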

SUMMARY

This process is what I would consider "over protection"; however, I've seen quite a few people utilize this process, especially if you're working in a field where you must protect your data.

You must ensure that the RAR and GPG passwords you create are NOT the same as the passphrase of the GPG key you are going to use. They should not be related to any other passwords you've used. The only true way to secure them is to memorize them.

People are shifting towards using passphrases instead of passwords. An example is given below:

Type       | Pass                               | Bruteforce Estimate | Entropy
-----------|------------------------------------|---------------------|--------
Password   | $9av^G@4!Ja9$                      |                     |
Passphrase | 150 Truck Repair Broke Engine Boom |                     |

So what's the difference?

If you come up with a passphrase that is somewhat meaningful, you are far more likely to remember that instead of a bunch of randomly generated letters, numbers, and special characters.

There are, however, some websites that do not allow spaces in a password, especially websites that are not up to date with current security practices. You can simply replace the spaces with underscores or dashes, or just run the words together without spaces.

Yes, those still exist. I've come across websites that allow a 10 character max password which doesn't allow for special characters AT ALL. Personally, that's about the dumbest thing I've ever seen a company do.

For passphrases, though, you should avoid anything particular that is associated with you, such as names, birthdays, etc. While it may be harder to bruteforce, if somebody knows you well, they could get lucky guessing, depending on how strong your password is.
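The table above compares a random password with a passphrase but leaves the reader to work out the "Bruteforce Estimate" and "Entropy" columns. The script below is an added example, not part of the original guide, that computes both for the two examples in the table. The model is ours, not the guide's: a random password is assumed to draw every character from the classes it visibly uses (26 lowercase, 26 uppercase, 10 digits, 33 printable symbols), a passphrase is assumed to draw every word from a 7776-word list (the Diceware size), and the cracking rate of ten billion guesses per second is an assumed figure for an offline attack against a fast hash. It needs only sh and awk.

```shell
#!/bin/sh
# Added example, not from the original guide. Estimates entropy and brute-force
# time for the password and passphrase in the table above, under assumptions
# that are ours: character classes used -> charset size; 7776-word list for
# passphrases; an assumed 1e10 guesses/second offline cracking rate.

# Entropy in whole bits for a random password: length * log2(charset size),
# where the charset is the union of the character classes the password uses.
password_entropy_bits() {
  pw=$1; size=0
  case $pw in *[a-z]*) size=$((size + 26));; esac
  case $pw in *[A-Z]*) size=$((size + 26));; esac
  case $pw in *[0-9]*) size=$((size + 10));; esac
  case $pw in *[!a-zA-Z0-9]*) size=$((size + 33));; esac   # printable symbols
  awk -v n="${#pw}" -v c="$size" 'BEGIN { printf "%d", n * log(c) / log(2) }'
}

# Number of whitespace-separated words in a passphrase.
word_count() {
  set -- $1
  echo $#
}

# Entropy in whole bits for a passphrase of N words drawn from a D-word list.
passphrase_entropy_bits() {
  awk -v n="$1" -v d="$2" 'BEGIN { printf "%d", n * log(d) / log(2) }'
}

# Expected years to search half the keyspace at R guesses per second
# (a slow KDF such as the ones RAR and GPG use lowers R considerably).
# Arguments: entropy bits, guesses per second. Prints a rounded integer.
years_to_bruteforce() {
  awk -v b="$1" -v r="$2" 'BEGIN { printf "%.0f", (2 ^ b / 2) / r / 31557600 }'
}

# Stand-alone demo over the two entries from the table above.
RATE=10000000000                                   # assumed 1e10 guesses/s
pw_bits=$(password_entropy_bits '$9av^G@4!Ja9$')
pp_bits=$(passphrase_entropy_bits "$(word_count '150 Truck Repair Broke Engine Boom')" 7776)
printf 'password   : %s bits, ~%s years at %s guesses/s\n' \
  "$pw_bits" "$(years_to_bruteforce "$pw_bits" "$RATE")" "$RATE"
printf 'passphrase : %s bits, ~%s years at %s guesses/s\n' \
  "$pp_bits" "$(years_to_bruteforce "$pp_bits" "$RATE")" "$RATE"
```

The point the numbers make is the one the text makes in words: six words from a list and thirteen random characters land in the same region of entropy, but only one of them is memorable. Adding a seventh word buys another dozen bits; adding a birthday or a street number buys almost none, because an attacker who knows you tries those first rather than searching the whole list.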
