Security
Lock your computer
Always lock your computer when you leave your desk. This is not about whether or not you have secrets on it; it is simply good practice that prevents unwanted access to your computer while you are away. Do not rely on others to watch it for you. The computer you work on is your own responsibility to keep safe and secure.
Every operating system can be configured with hotkeys or other handy shortcuts to lock your computer. For example on Windows you can use the Windows key + L to instantly lock your machine.
Taking data home
If you want to take data home with you, that’s totally fine but make sure it is secure. Apply the following measures.
Firewall
Set up a system firewall. Here’s a practical tutorial.
Full disk encryption
It is mandatory to apply disk encryption.
Here’s a practical tutorial.
Putting code on flash drives etc. is frowned upon. There are probably no valid reasons to take the risk of using flash drives.
Automatic updates
Stay up to date with the latest security updates. Here’s a practical tutorial.
2FA
Most systems within d-centralize enforce 2FA (two-factor authentication). It is an extra layer of security on top of your first security layer: the password.
There are multiple ways of using 2FA. If you have no preference yet, the easiest way to get started is by installing the Google Authenticator app. This app generates a code that you enter after your password. The code is different every time, so a stolen password alone is no longer enough to log in to your account: an attacker would also need access to your smartphone.
Passwords
On sharing secrets
A secret can be a password, a private key, or a set of security Q&A’s for example.
Whenever you create a secret for a project you’re working on that may be relevant for a co-worker, make sure to enter it in Bitwarden.
Bitwarden
We manage all company secrets through Bitwarden, which allows fine-grained access control. Every employee should have received their own invite to the Vaultwarden service.
Browser plugin
It’s recommended to install a browser plugin to help you fill in passwords on web forms.
Once installed, it’s recommended to configure the following:
Navigate to Settings -> Options -> Default URI Match detection: host.
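The match detection setting decides on which page URLs the plugin offers a saved login. The following is an added Python example (not part of this page and not Bitwarden's code) that models, in simplified form, the "host" option recommended above next to Bitwarden's default "base domain" option: "host" only matches the same hostname (and port), while "base domain" also matches every sibling subdomain. The short public-suffix table and the sample URLs are assumptions for illustration; real clients consult the full public-suffix list.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the public-suffix list, enough to show
# that "base domain" has to know about multi-label suffixes such as co.uk.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}


def host_of(url: str) -> str:
    """Hostname plus explicit port, lower-cased: what the 'host' option compares."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return f"{host}:{parts.port}" if parts.port else host


def base_domain_of(url: str) -> str:
    """Registrable domain (e.g. example.com for vault.example.com):
    what the default 'base domain' option compares."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def matches(entry_uri: str, page_url: str, mode: str) -> bool:
    """Would a vault entry saved for entry_uri be offered on page_url?"""
    if mode == "host":
        return host_of(entry_uri) == host_of(page_url)
    if mode == "base domain":
        return base_domain_of(entry_uri) == base_domain_of(page_url)
    if mode == "exact":
        return entry_uri == page_url
    raise ValueError(f"unknown match mode: {mode}")


def offered_on(entry_uri: str, page_urls: list[str], mode: str) -> list[str]:
    """All of page_urls on which the entry would be offered under `mode`."""
    return [u for u in page_urls if matches(entry_uri, u, mode)]


if __name__ == "__main__":
    # Constructed sample: a login saved for one internal host, visited pages.
    entry = "https://vault.example.com/login"
    pages = [
        "https://vault.example.com/",
        "https://vault.example.com:8443/",
        "https://files.example.com/share",
        "https://example.com/",
    ]
    for mode in ("host", "base domain"):
        print(mode, "->", offered_on(entry, pages, mode))
```

With "host", the login saved for vault.example.com is offered only on that exact host; with "base domain" it would also be offered on files.example.com and on the bare example.com, which is why the narrower setting is the one to configure.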
Desktop app
You can also install an app for that:
sudo snap install bitwarden
CLI
Some scripts use the bw CLI tool to obtain credentials.
sudo snap install bw
A one-time configuration is needed:
bw config server https://vaultwarden.d-centralize.nl
bw login
# Sync is needed every time you need recent credentials
bw sync
Now enter your personal Vaultwarden credentials.
To only have to enter your password once per shell session, you can persist BW_SESSION by adding the following snippet to your .bashrc.
function bwu() {
    # Ask the CLI for its current state: unauthenticated, locked or unlocked
    BW_STATUS=$(bw status | jq -r .status)
    case "$BW_STATUS" in
        "unauthenticated")
            echo "Logging into BitWarden"
            export BW_SESSION=$(bw login --raw)
            ;;
        "locked")
            echo "Unlocking Vault"
            export BW_SESSION=$(bw unlock --raw)
            ;;
        "unlocked")
            echo "Vault is unlocked"
            ;;
        *)
            echo "Unknown Login Status: $BW_STATUS"
            return 1
            ;;
    esac
    # Always sync so scripts see the latest credentials
    bw sync
}