I'd like to get some ideas of proper procedures for handling sensitive information of your company. Something like: how do you store your SSH keys, who can access those and how, how are they backed up, where are they stored?

Basically I'd like to prepare a detailed procedure (checklist?) that would lower the possibility of losing this kind of important data.
I'm working on a two-man project.

1. All sensitive information is encrypted.

2. SSH keys are password protected.

3. I store passwords in LastPass, with a unique master password.

4. SSH keys are stored on my own computer and backed up with Dropbox.

Point #4 is obviously the weakest link, so I am looking to change that. However, so far, Dropbox's ubiquity justifies it. When my laptop died, I was able to download and set up a new development machine in minutes.
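Item 2 in the list above ("SSH keys are password protected") is only true if every private key file on disk actually carries a passphrase, and the header of the file tells you without unlocking it. The following is an added example, not code from anyone in this thread: a stdlib-only check that classifies a key file as encrypted or plaintext from its framing alone, covering the openssh-key-v1 container, PKCS#8 and legacy PEM. The `constructed_openssh_container` helper and `LEGACY_ENCRYPTED_SAMPLE` are constructed sample inputs with dummy payloads, not real keys.

```python
import base64
import binascii
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(buf: bytes, offset: int):
    """Read one SSH wire-format string: uint32 big-endian length, then that many bytes."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    return buf[offset + 4:offset + 4 + length], offset + 4 + length


def key_is_encrypted(pem_text: str) -> bool:
    """True if an SSH private key file is passphrase-protected, False if it is plaintext.

    Inspects only the PEM framing and header fields, so it never needs the passphrase
    and never decodes key material. Raises ValueError for anything it does not recognise.
    """
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-framed private key")
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        try:
            body = base64.b64decode("".join(lines[1:-1]), validate=True)
        except binascii.Error as exc:
            raise ValueError("corrupt base64 body") from exc
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # The container names its cipher before any key material; "none" means no passphrase.
        ciphername, _ = _ssh_string(body, len(OPENSSH_MAGIC))
        return ciphername != b"none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True   # PKCS#8, encrypted
    if header == "-----BEGIN PRIVATE KEY-----":
        return False  # PKCS#8, plaintext
    if header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC) flags encryption with a Proc-Type header after the BEGIN line.
        return lines[1].startswith("Proc-Type: 4,ENCRYPTED")
    raise ValueError(f"unrecognised key header: {header}")


def constructed_openssh_container(ciphername: bytes) -> str:
    """Constructed sample: an openssh-key-v1 header with the given cipher and no real key material."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if ciphername == b"none" else b"bcrypt"
    body = OPENSSH_MAGIC + s(ciphername) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy-PEM sample carrying the encryption marker; the payload is dummy bytes.
LEGACY_ENCRYPTED_SAMPLE = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\nQUJDRA==\n-----END RSA PRIVATE KEY-----\n"
)
```

Run `key_is_encrypted` over each non-`.pub` file in a real `~/.ssh` (catching `ValueError` for `config` and `known_hosts`) to list any key that is synced or backed up in the clear.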
For passwords and other sensitive, text-type info: KeePass in Dropbox for syncing, http://keepass.info/

For SSH keys, tax returns, other sensitive documents: TrueCrypt volume, http://www.truecrypt.org/
http://www.cyber-ark.com/digital-vault-products/enterprise-password/index.asp is something I've worked with, though I've never seen what I would consider a well integrated deployment.