Wash your crypto keys

When I first learned how to use public key cryptography to secure access to my system, I was incredibly protective of the private key and dreaded a scenario where it could be accessed by an attacker who could use it to pose as me. I secured access to almost everything with that single key.

Paranoia that results in better protection of your most important assets is always good, but it took me some time to get over the mental hurdle and accept that it wasn’t the only private key I could ever have.

Recently I’ve come to effectively “wash” my private keys whenever I care to, often quite frequently. It’s trivial to generate new ones, to use a passphrase scheme you can remember so that the passphrase changes each time too, and to deploy the new keys to your systems. Revoking the access granted to the old keys is just as easy.
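The rotation described above, as an added example that is not part of the original post. It assumes OpenSSH (keys under ~/.ssh, access granted by lines in each host's ~/.ssh/authorized_keys); the key strings used in any test are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSH: keys live in
# ~/.ssh and access is granted by lines in ~/.ssh/authorized_keys on each host.

# Fresh ed25519 key pair (ssh-keygen prompts for the new passphrase), named by
# date so old and new keys are easy to tell apart when you later revoke the old.
new_keypair() {
    day=$(date +%Y%m%d)
    ssh-keygen -t ed25519 -a 100 -C "$(hostname)-$day" -f "$HOME/.ssh/id_ed25519_$day"
}

# key_id LINE: print "<type> <base64>" from an authorized_keys or .pub line,
# skipping any leading options (command="...",no-pty,...) and the trailing
# comment. Revocation must match key material, not the comment, because the
# comment is free text and may have been edited when the key was installed.
key_id() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/ && $(i+1) ~ /^[A-Za-z0-9+\/=]+$/) {
                print $i " " $(i+1); exit
            }
    }'
}

# rotate_key FILE OLD_PUB NEW_PUB: drop every line carrying OLD_PUB's key
# material, then add NEW_PUB exactly once. Writes a temp file and renames it
# so an interrupted run never leaves a half-written file that locks you out.
rotate_key() {
    file=$1 old=$2 new=$3
    old_id=$(key_id "$old"); new_id=$(key_id "$new")
    [ -n "$old_id" ] && [ -n "$new_id" ] || return 2   # unparseable key line
    [ "$old_id" = "$new_id" ] && return 3               # refuse a no-op rotation
    tmp="$file.tmp.$$"
    : > "$tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        id=$(key_id "$line")
        # keep everything that is neither the old key nor a stale copy of the new
        [ "$id" = "$old_id" ] || [ "$id" = "$new_id" ] || printf '%s\n' "$line" >> "$tmp"
    done < "$file"
    printf '%s\n' "$new" >> "$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$file"
}

# Typical use on a remote host, after ssh-copy-id'ing the new key:
#   rotate_key ~/.ssh/authorized_keys "$(cat old.pub)" "$(cat new.pub)"
# Confirm the NEW key logs in from a second terminal before closing this one.
```

Matching on key material rather than the comment field is what makes the revocation reliable when the old key was installed under a different comment or with restrictive options.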

That way you automatically limit the time any one private key is useful and shrink what an attacker can reach should it be compromised. Rotating keys should be part of your key management practice, just as you change and protect other access credentials.