Trying to Secure My Digital Life

Adam Hawkins
3 min read, Jan 14, 2017


I am trying to improve the security of my digital life. I keep a lot of my life somewhere in digital form. There are passwords, bank account details, digital copies of important documents, and other sensitive information. My life is digital first, physical second. I do my best to secure these assets by delegating responsibility to hosted solutions and taking on the rest myself. My goal is to reclaim my data and make security a first-class citizen in my digital decision-making process. There are areas for me to improve; I just don’t know how to do that.

The Current Situation

  • My daily driver computer (which includes copies of sensitive information) has a short, easy-to-type (because I unlock it hundreds of times a day) password. Full disk encryption is activated. I’m not sure how OSX full disk encryption works with a single user. Surely my single password cannot protect the entire machine. I expected a password prompt before even hitting the login screen.
  • I use LastPass as my password manager and general secret store. It also stores bank accounts and sensitive documents (such as passport scans, scans of ID cards, etc.).
  • Individual login tokens (such as API keys) are kept in LastPass and added to the OSX Keychain. My comp repo provisions my working environment and pulls things from the keychain instead of directly persisting them as environment variable settings in my fish config.
  • SSH keys do not have passwords. This is because I cannot be bothered to remember unique passwords for all the keys. Keys are a mix of personal (e.g. for Git{Hub,Lab}, my own servers) and work (AWS infrastructure, etc.).
  • MFA via OTP is enabled for as many things as possible. I use Google Authenticator or Authy. I’m unhappy with this because I tend to switch phones frequently and need to reconfigure MFA. I thought I could get around this problem by purchasing a YubiKey.
  • My YubiKey protects my LastPass account, but not individual secrets in LastPass. I could, for example, configure LastPass to require a second factor (e.g. my configured YubiKey) when my bank password is requested. I’ve not done this, really out of laziness. I’d like to replace OTP generation from these apps with my YubiKey but don’t know if that’s possible.

Desired Future State

  1. Move non-passwords out of LastPass and into a self-managed encrypted store.
  2. Use my YubiKey for all kinds of two-factor authentication. However, I don’t want to go as far as globally protecting my computer with two-factor authentication.
  3. Increase the security of my SSH keys without needing to remember different passwords.

The question is how to achieve the future state. I need help to get there. The first point is achievable via public key cryptography. I have some idea how to make it happen. I have little to no idea how to achieve #2 and #3.

My plan for #1 is to create a version-controlled directory for all my documents. Files are a mix of secret and non-secret (e.g. a todo list) information. Sensitive files will be encrypted with GPG using my public GPG key and committed. I can use my private key to decrypt the files at access time. This blocks all access without the private key.
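The weak point of mixing secret and non-secret files in one repository is the moment a sensitive file is committed before it has been encrypted. Below is an added example (not from the original post) of a pre-commit style guard written as POSIX shell functions; it assumes the sensitive files live under a directory named secrets/ and are committed only as the ASCII-armored output of gpg --armor --encrypt, so anything under secrets/ that lacks the PGP armor header is refused.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumption: files under
# "secrets/" are only ever committed as ASCII-armored GPG output; everything
# else under that directory is treated as plaintext that must not be committed.
# This guards against accidents (forgetting to encrypt), not against a
# deliberate fake header.

SECRETS_DIR="secrets"

# is_armored_pgp FILE -> 0 if FILE begins with the ASCII-armor message header.
is_armored_pgp() {
  head -n 1 "$1" 2>/dev/null | grep -q '^-----BEGIN PGP MESSAGE-----$'
}

# check_staged_secrets FILE... -> 0 if every FILE under secrets/ is an armored
# .gpg or .asc file, 1 otherwise. Files outside secrets/ are ignored.
check_staged_secrets() {
  status=0
  for f in "$@"; do
    case "$f" in
      "$SECRETS_DIR"/*) ;;        # only files under secrets/ are inspected
      *) continue ;;
    esac
    case "$f" in
      *.gpg|*.asc) ;;
      *) echo "refusing: $f is not a .gpg/.asc file" >&2; status=1; continue ;;
    esac
    if ! is_armored_pgp "$f"; then
      echo "refusing: $f does not start with a PGP armor header" >&2
      status=1
    fi
  done
  return $status
}

# Hook usage (hypothetical .git/hooks/pre-commit; paths with spaces need a
# NUL-separated loop instead of word splitting):
#   check_staged_secrets $(git diff --cached --name-only --diff-filter=AM) || exit 1
```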

Points #2 and #3 probably overlap with PGP in some way. However, I don’t know that for a fact. It seems that a solution will get me more involved with PGP. Here are my open questions:

  • How can I create secure SSH keys using the tools at hand?
  • How can I securely store & back up my PGP private key?
  • How does the YubiKey relate to these points?
  • How does the gpg agent relate to the ssh agent? This is a vague area for me that I don’t clearly understand.
  • Can I generate secure password-less SSH keys protected by MFA?
  • Can I generate a secure PGP key protected by MFA?
  • How can I replace Google Authenticator (and similar apps) with my YubiKey? Surely there is some standard protocol used here.

I ask you (& the internet itself) because you may have been in my position before. Hopefully you can help me answer these questions. I plan to write another post once these questions are answered and I have a concrete strategy.
