I’ve had in mind a particular setup for my digital life for a little over a year now, and I’m getting close to realizing it. It’s a stop-gap, a halfway house between where I was and where I hope to be, but it’s a solid one. A place to rest for a while, maybe.
First off, I’ve acquired a TRNG I believe I can trust. In the past I’ve used dice for generating private keys, but it’s a somewhat painstaking way of doing things. Not something I’d want to use for generating, say, multiple PGP keys. Using this TRNG and an offline-only machine, I’ve created a couple PGP keys which I’m treating hierarchically. I keep the root key offline at all times.
For passwords, I’ve found the Mooltipass Mini to be almost exactly what I want. It lets me keep my password file encrypted and offline. My biggest complaint is only that it cannot generate passwords itself. It uses a Chrome app for that. This shouldn’t pose too much of a problem if it’s run on a secure, offline machine, though a smaller, simpler application would likely be better.
Two-factor authentication is still a pain point for me, however. I’ve been using a $20 smartphone with Google Authenticator in airplane mode, which is at least better than keeping it on an explicitly Internet-connected device, but it’s still less optimal than a dedicated offline device. Unfortunately there don’t seem to be any solutions to this problem out there, so I’ll likely be crafting a device myself.
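What a dedicated offline 2FA device has to compute, as an added example (not the author's code): Google Authenticator's time-based codes are TOTP (RFC 6238), which needs only the shared secret and a clock, so no network is involved. The function names and the sample secret (the RFC 6238 test key) are chosen here for illustration; the drift window matters because an offline device's clock is never resynchronised.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the ASCII test key from RFC 6238 Appendix B.
# A real device would hold the per-account secret from enrollment instead.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP keyed on the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify(secret, code, server_time, window=1, step=30):
    """Server-side check tolerating +/- `window` steps of clock drift.

    Returns the matching step offset (0 means clocks agree), or None.
    """
    base = server_time // step
    for off in sorted(range(-window, window + 1), key=abs):
        if base + off < 0:
            continue  # counter cannot be negative
        if hmac.compare_digest(hotp(secret, base + off, len(code)), code):
            return off
    return None


if __name__ == "__main__":
    now = 1111111109  # constructed timestamp (an RFC 6238 test time)
    print("device shows:", totp(SAMPLE_SECRET, now))
    # Device clock 40 s slow: accepted with window=1, rejected with window=0.
    slow = totp(SAMPLE_SECRET, now - 40)
    print("drift offset:", verify(SAMPLE_SECRET, slow, now))
    print("strict check:", verify(SAMPLE_SECRET, slow, now, window=0))
```

A widening drift offset over successive logins is the signal that the device's clock needs resetting before codes start being rejected.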
I’ve been using NixOS on my primary laptop for almost two years now. I’ve finally begun learning how to write “derivations” (like “packages” in other distros), which means I can start to convert the Ubuntu VMs I’ve spun up in that time into NixOS VMs. I keep my daily-use PGP keys in the host machine and run as little as possible in that context, with all my development and browsing activities kept sandboxed in various VMs. It’s kind of like an ad-hoc QubesOS with deterministic builds.
I use i3wm without a desktop manager on my host machine and my VMs. I’m considering replacing it with something whose code I can read and comprehend in an afternoon (probably dwm), but for now it serves me well.
Since my host machine runs NixOS, its configuration is derivable from a Nix expression and a nixpkgs repository. I’ve set things up so that my configuration.nix, hardware-configuration.nix, wpa_supplicant.conf, and custom nixpkgs repository all reside in my home directory. I use git and git-remote-gcrypt to keep fine-grained, versioned, commented, PGP-encrypted backups on an offshore server somewhere. Using only an SSH key, my PGP key, the server’s IP address, and a NixOS installation USB, I can reconstitute my laptop’s setup anywhere.
Since my VMs and my host machine use roughly the same scheme, switching between contexts is easy. My i3 keybindings are all the same, except all my host bindings start with the “meta” key and my VM bindings start with the “Alt” key. Also because of this setup, I don’t need to keep image snapshots of my VMs, as I can reconstitute them from their git repositories as well. This means my backups are very light in spite of VMs figuring heavily in my daily workflow.
I’m still a good distance from my ideal setup, but now I’m at least a bit closer to something sane.
Addendum: My colleague at DappHub, Mikhail Brockman, published a blog post about how our company uses Nix about a day after I published this. His knowledge of the subject runs a lot deeper than mine and I think his post is well worth a read.