Security Foundations: How to Secure Your Wallet Recovery Phrase for Cryptocurrency Wallets

good evening everyone this is charles hoskinson from warm sunny colorado today we're going to do something a little different from normal programming this is a lecture on security on information security and the purpose of this lecture is going to be to teach a cryptocurrency user doesn't really matter the particular one you could be a bitcoin user an ethereum user eos user or a tezos user or a cardano user how to secure your wallet recovery phrase so let's talk a little bit about it it's going to be quite a long lecture and we're going to start from a first principles approach and the goal here is to build layer after layer after layer of skills to get you up to a point where you can not only secure your wallet recovery phrase with a great degree of certainty but you can do so with a great degree of ease and secure your digital life as a whole no solution is bulletproof and there are certainly ways to defeat the things that i'm going to show you but overall for the average user with the average skill set i think what we're going to go through is going to dramatically enhance your personal security and give you a great degree of certainty that your cryptocurrency is safe and that your digital life is just a little bit safer and i hope this is the first step in a long series of steps to help you build a better digital life and have a little bit more control over your personal privacy as well as your personal security okay so let's go to the whiteboard and let's try out my new wacom tablet so our goal is to secure the wallet recovery phrase so the wallet recovery phrase is something that comes from the bip 39 standard so it's been around since about 2013 and basically you can have 12 to 24 keywords and these keywords and i'll show you what they look like right here with the bip 39 standard this is the original standard on the bitcoin github it was proposed and created 2013 and ian coleman did a great application actually generate these words so these right here are kind of the back door into a cryptocurrency wallet with these particular keys you're able to restore pretty much any cryptocurrency wallet that runs in the hd format so a lot of bitcoin wallets use this cardano uses this and many other cryptocurrency systems use this so in essence these are the single most important assets for you to secure because regardless of how secure your passwords happen to be or your physical wallet happens to be this is your backup if you ever lose your wallet this is the only way to restore it and if you happen to have this compromised then that's bad news for you somebody can steal all your money so our goal in this lecture is to figure out how the heck are we going to secure that the problem is that we can't just start with this we actually have to walk our way through a lot of foundational approaches in particular we have to start with level one and that is developing a security mindset so a security mindset is something a lot of infosec authors like bruce schneier and others write about but basically it starts with this concept of an adversary an adversary is someone who's trying to do something wrong to you okay they can go after your files they can steal your money blackmail you extort you whatever it is and an adversary always lives within a system okay it could be a physical system a political system a digital system a voting system whatever it happens to be there's an adversary and they're connected to a system and there's always this concept of value at risk and there's this concept of capabilities or skill sets so the whole field of information security one of the pillars of it is the ability to quantify and qualify what adversaries are and what are realistic defense mechanisms against them and they do this by living in this kind of this framework called cia triad the ci triad stands for confidentiality integrity and availability and the basic idea is that there's no perfect security solution so everything i'm about to show you and talk about it's a pretty good system and it's pretty well balanced but i had to while designing it create trade-offs so there were certain things i did that lowered the security of the system to make it more usable and easier for you on the other hand there are certain things i've done that increase the security of the system that are going to require you to build certain skill sets so the cia triad is always about a balancing act against a particular form of adversary and adversaries are always connected to some economic gain some value at risk and so you have a spectrum of adversaries you have novices and you can think of this you're at a cafeteria and you've accidentally left your cell phone with the tray you go to the bathroom or you go back to work and then you say oh i forgot my cell phone you go back to the cafeteria and then your cell phone's gone this did not require exotic sophisticated skills it was an opportunistic crime for somebody to walk by and notice that there's an unattended item a wallet or a cell phone or keys and steal them and then you can go up the spectrum all the way to organized crime where you actually have a very sophisticated group of people who have a lot more capabilities and they target larger actors for ransom and blackmail and targeted hacking attacks and so forth and you can go even further to the highest level adversary state actors so this can be the nsa this can be the fsb this can be mi6 but basically these are large agencies with tens of thousands of people in multi-billion dollar budgets and they have unbelievably sophisticated capabilities for example i read an article years ago that talked about using a very sophisticated microphone to be able to listen to a computer processor 10 20 feet away and as it was encrypting and decrypting just by changes in the frequency you would be able to actually steal the keys to be able to decrypt and encrypt just by listening to a laptop 10 feet away 20 feet away with a microphone and an outdoor setting so it's really remarkable the capabilities so we never think of an adversary in terms of a static mindset rather they're adaptive and they're always growing and learning and they're obsessed with the value at risk so when we build a security mindset what we're doing is saying who are we concerned about what system do we live within so that's a geography a political system that can be a particular lifestyle like constantly traveling these types of things and how much money are we talking about what's our value at risk the type of criminal you tend to attract when you're talking about a hundred dollars of value is much different than the type of criminal you attract when you're talking about a million dollars of value okay when you talk about a million then you start living on organized crime there's even state-level actors that hack in the cryptocurrency space like there's good evidence that north korea for example has been behind several major bitcoin heists so it's a level of sophistication increases when your value increases so before we do anything at all you have to develop a security mindset and i thought a lot about well how do i help you shepherd that process along and one of the best ways of doing that is through mentorship and mentors are basically people that you can learn from who are domain experts in the topic and one of my favorite experts is bruce schneier he writes these phenomenal books and actually the very first crypto book that was in the open domain and bruce has a lovely blog if you go to schneier.com and he has tons of essays that he's written throughout the years hundreds and hundreds and hundreds and he's got lots of really interesting books we have root click here to kill everybody data and goliath talks about data privacy liars and outliers schneider on security beyond fear secrets and lies it's just an incredible library he's just a brilliant guy and he actually has a great presentation that he did recently called hacking society it's an rsa presentation and he talks a lot about how to apply the security mindset to broader social problems and this will give you a wonderful sense of how infosec people think there's another person that i really like to follow too and his name is steve gibson and steve runs a podcast that comes out on a weekly basis and he's been doing information security for probably three decades now and his podcast is free to listen to it's called security now and there's a lot of great information and every time there's a major hack the recent twitter hack or other things steve likes to cover it as well so you can do some armchair security mindset just by looking at your own personal life and asking questions like how much money am i willing to risk what type of system do i live in so what's my lifestyle like am i at home do i travel do i live in an apartment do i live in a trailer do i live in a house do i have roommates these types of things and then we're going to propose a solution that i think will fit into most people's lifestyle and balance out the cii cia triad and here's a nice little picture of the cia triad from f5 labs confidentiality integrity availability and gives a nice little description about it but this is a common topic in the information security space and it's all about balancing this topic okay so that's the first thing to do and then the next thing to do is kind of develop a mentor set and bruce is a really wonderful entry point and he gives you lots of stuff to think about he has great terms like security theater and so forth and steve is just great to listen to on a regular basis now once we've established a security mindset we've kind of gotten ourselves so tuned and aligned to thinking very carefully about stuff then the next phase is to actually start by building a secure operating environment you see you don't just start you don't just start from day one and say okay i'm gonna go use crypto or i'm gonna go use a bunch of passwords or something like that because the problem is that your cell phone your computer may be already compromised you may have apts on it you may have viruses malware key loggers all kinds of things exist okay and a secure operating environment actually has two planks to it one is the system and we're going to show you today how to secure your system in a way that really gives you a great degree of confidence that you're not being hacked and the other is the person so there's an old adage in the infosec world which is novices hack the computer experts hacked the people for example the recent twitter hack was not a failure of information security it was a social engineering failure where clever hackers were able to impersonate other twitter employees and then convince twitter employees to turn over lawful credentials to them so that they could then get access to the system so when you talk about a secure operating environment within the context of a particular adversary you have to think about that within the context of yourself your personal skill sets and the skill sets you want to protect against how much money you're trying to secure and you have to develop a security mindset to harden yourself to get away from giveaway scams and spoofing attacks and man-in-the-middle attacks and too good to be true and so forth the more that you read and listen to bruce and steve it'll really help you secure yourself and your own mind and not fall for scams or obvious problems what i can do in this video is show you how to construct a secure system and there are many ways to do this in fact i have a little hierarchy here that i brought together and the hierarchy is right here so this is from the yubikey documentation but it talks about preparation of environment and this is your general computer right here so your mac user a linux user a windows user this is your daily use computer so it's what you go and play around on the internet with and use facebook with and all your normal everyday stuff or your cell phone and there's a level of escalation step by step by step by step by step which allows you to get more secure so you can run a virtual machine in your operating system and that's a bit more secure than your daily system you can dual boot and have a separate operating system for a different hard drive that's a little bit more secure you can use a live image and actually memory only boot into a fresh system that's a little bit more secure then you can go to something like core boot a security hardened system or then you can even do use specialty computers a specialty system for that now which one should we choose again this determines on the adversary so when we talk about state level actors like if you go to the department of defense or the nsa or these people they use air gap systems with no networking capabilities and they also layer those systems with secure hardware and other devices and very sophisticated access control because they're trying to protect against other state-level actors odds are you're not so i thought a lot about which one of these would be the easiest for you to maintain and it turns out that number four is actually the one that seems to be the winner and here's why so you can go to amazon and buy a flash drive for about 40 bucks this is the one i'd highly recommend because samsung just makes great memory modules and their slc and mlc and other things just wonderful and the storage that they use is very fast and reliable and it's usb 3.1 it's very fast large storage and this literally just fits it's very tiny into one of your usb ports and what we can do is turn this into a device you permanently leave in your computer and at any time you can boot into that layer for security you can boot into a live distribution that's memory only and what this will do is it's kind of a sandbox an isolated sandbox where you can do a lot of secure stuff and you have a high degree of certainty that that sandbox doesn't have viruses and malware and other problems on it okay it won't protect you from social engineering people are still going to try to impersonate your friends and your mother and other people and steal your information but it certainly will protect you from digital intrusion and it's very easy actually to create this sandbox so how you do it and actually this screencast i'm going to show you a virtual machine to demonstrate the experience you'll have as we kind of work our way through the security hierarchy so how you do it is you download an application like rufus and then you download a distribution of linux for example ubuntu is the one that we're going to be using and i'll show you how to use ubuntu to do all the key generation and the other things that we're going to do is we start building out your security life and i have some helpful guides here on what to do so basically what you're going to do is create a bootable linux usb drive rufus is the device to do that so i'll go ahead and type rufus i've already downloaded it this is what rufus looks it's going to find a drive in your computer so that little drive you buy you plug it in and then you'll go to the website like ubuntu download an iso and then what you can do is just find the iso and then you just click start and in a few minutes it'll go ahead and burn and create a bootable drive and then all you have to do to use it is restart your computer open up your bios change your boot order and then you can boot right into it you see but charles how do i do that well i found a cool video here if you take a look at how to change your boot order and computer files this will give you the general idea for most bios a bios something been around since the 1970s the mid 1970s and basically it's a mini operating system that is the very first thing the hardware in your computer runs before your computer fully turns on so before you boot into mac os before you boot into windows before you boot into linux there's the bios and the bios really gets all the hardware started so there's boot order for example do i boot from a hard drive or do i do from a cd or do i boot from a usb okay that's determined by the bios and so when you create this little drive this guy right here and we burn it then what we do is we just say boot from this before the hard drive and this little video right here from mdtech videos how to change the boot order in a computer bios is a great little guide on how to do it i'd normally show you but it's really difficult to do a screencast from that screen without a hardware device and so i decided that i just referenced the video and i'll put this in this the other videos in the show notes as well okay so we want to create a sandbox to protect our system easiest way of doing that is to buy a usb flash drive and use rufus to turn that into a live cd and then we just boot into it okay and so once we do that this is what it looks so this is actually a copy of ubuntu i'm running in a virtual machine so when you boot into it you'll see a screen very similar to the screen if you're using the same version of ubuntu and what's so cool about this is this is kind of a destructible sandbox basically this is a workspace everything you save everything you do here the minute you restart your computer you're done there's absolutely nothing that's preserved it's all run in memory so it restarts from ground zero when you turn it on so the base configuration the fresh installation is what you have so there's no malware no viruses none of that weird stuff you can do lots of things like generate cryptographic keys store your wallet recovery phrase as a workspace and we're going to actually do all of that in this video and then once you're done with all of it you leave the enclave and everything disappears except for the things that you've decided to take with you on a secure drive and you say but wait a minute how do i get things out well you buy one of these this right here is an apricorn hardware encrypted flash drive and i'll show you a picture of it and i'll include this in the show notes as well but this is basically a special piece of hardware and they sell for about 50 and it has a keyboard on it you can use a seven to i think a fifteen or so digit pin code if you enter the pin code wrong ten times it destroys all the contents on it and what this drive basically allows you to do is everything that goes on it is securely encrypted anybody tries to tamper or break the hard drive or open into it it'll actually destroy the contents on it and that's what that fips 140-2 compliance is all about so military uses this they use this to store classified information it's a super convenient device super easy to use when you buy it they ship you an instruction pack and it's pretty straightforward you just push a few buttons set a pin code and then there you go when you want to unlock it you enter the pin code push the green button and then you plug in it and you're done so basically what we're going to do is create a secure operating environment with this device we're going to boot into it we're going to do a bunch of stuff and after we've done that bunch of stuff we're going to save the things that we want to save on this drive and then we're going to exit the secure operating environment and we're going to then transport the things that we need to transport back to windows or mac or your regular operating system okay and then we're going to leave some things here and basically we'll be able to keep building from there so let's keep going so all right we're going to build a secure operating system you're hardening yourself through a security mindset you'll notice there's a lot of cumulativeness and layering and transitivity and how you build a security system and as for your system itself we're going to build a sandbox you're going to use a usb flash drive to boot into it and then once you've booted into it we're going to exit we're going to do stuff and then we're going to exit through a secure drive okay all right now the third level is building a secure skeleton key and you always will have at least two because the way the internet works you say wait a minute charles what does this have to do with my wallet recovery phrase well we could technically get away with not doing this but if we do it your life is going to be a lot easier your security is going to be a lot easier and i'm going to show you some things you've probably never seen before and the end result is you're not only going to be able to secure your crypto but your entire digital life so all your passwords all your files everything you care to secure that's near and dear to you in a way that is incredibly difficult to penetrate and you're only going to have to remember three things two proper nouns one pin code and another pin code and you can pick your length eight digits at least and at least eight digits here so three items of information and i'll even show you something really cool so this is something called the mnemonics number shape pegging method so when you're actually trying to remember your code you can actually associate it with pictures and it turns out you can remember people have used this technique to remember pi to 30 000 digits so the number shape system is a common thing in memory challenges and mnemonics and in the show notes i'll include links to these things so that's it you're going to be able to secure your entire digital life at a level that you would expect an operator to secure you're gonna have your own personal sandbox where you can do lots of security stuff with oopsie okay there we go and you're gonna build a nice secure skeleton key and the only thing you're going to have to remember for it are these things and this pin code here is for your usb so this device right here and then the other one is going to be for your password manager so what is a skeleton key all right in the early days of the internet most of the older users actually most internet users they just simply used one password for everything okay maybe mclovin 44 whatever your favorite movie and so the minute that one website got compromised all websites got compromised because they could just reuse the password again again why because remembering 55 passwords or 100 passwords for all the different websites is super difficult so people decided to create something called password managers and they say all right well password manager let's have one password to access the password manager and then the password manager will generate lots and lots and lots of keys passwords for each website so maybe you have one for facebook and you have one for google and all these other guys etc etc and the advantage is that because a human being doesn't have to remember these passwords that the password manager generates they can be super secure so they could be very large and lots of digits and so forth and so the science of password managers actually has grown tremendously and they all embrace something called multi-factor authentication this comes from the military world and the intelligence world where they have classified information and they generally follow the three somethings okay something you have or something excuse me it's usually the first one something you have and then something you are so something something you have something you are okay so generally something is a password some secret that only something you have is usually a device and then something you are that's usually biometric so that can be a fingerprint an iris scan there's even devices that scan the vasculature in your hand and because the vasculature in your hand is a unique fingerprint lg actually created a phone that does that and this is called multi-factor authentication so in the military for example the devices they use are called cac cards they stand for common access cards and they're very common when you're in a classified setting and then of course you can have strong password standards and then there's lots of biometric devices that have entered the consumer market fingerprint readers face scanners like windows hello and apple's face scanner and so forth and this has allowed us to start using multi-factor authentication in consumer products instead of military products at a very low cost and because these three things are very difficult for an adversary to replicate as a consequence your life gets more secure so passwords and humans don't get along so well this is one of the fundamental problems with security the things that make it easy for you to remember they tend to cause a lot of problems for secure passwords and people use techniques like rainbow tables and other things and they can defeat most common passwords so the conundrum we have our first major security challenge as we're building a secure skeleton key so we're going to use a password manager for it and i mentioned there's always two your email is also a skeleton key unfortunately because most websites bind your recovery if you lose your password to your email address so we're going to secure both and we're going to do that with a password manager than your email the problem is if you left your own devices to create your own password probably is going to be very easy to break so i thought long and hard in this lecture of how do i kind of make your life a little easy and turns out there's actually a brilliant way to do this and we're going to go through it right now so the first security device that you're going to be using on a day-to-day basis is something like this this is called a yubikey and this is the swiss army knife of security these are just amazing devices they're very durable they don't require a battery they're easy to carry around you can see they're made to be on key chains for example and this is something that you just carry with you a companion and i have one right here okay now what's so cool about yubi keys is that they can be programmed to do all kinds of really cool things one-time pad authentication they can have static passwords on them and they can even carry cryptographic keys they're called pgp keys and we're actually going to do everything we're going to do all of the above and this one right here is designed to plug into a normal usb port but they also sell them to plug into different devices so this is a usbc and this is a thunder a lightning connector so you actually can plug it into your phone and basically the only interface it has is that it has a little electrostatic pad on it so this is that pad right there and then it also has these two contacts if you buy this model so you hold it from both sides when you touch it there's two forms of touch a tap and a long touch a tap is just that you tap it and when you do it it generates a one-time use password but you can program it when it does the long touch to generate a static password called assault phrase and so we're going to use that plus something else to generate the most secure password you've ever seen in your life and also the most memorable password you've ever seen okay so this is our first cool hack so we're going to take a yubikey so secure passwords move over here all right so we're going to take a ubi key and we're going to have what's called a salt password and here's how we do that so we actually finally get to use the secure enclave so i'll show you on windows first and then i'm going to show you how to do this command when we get to the part where we start generating cryptographic materials with with linux okay so i'm going to plug in my ub key into a flash drive okay let me restart the program sometimes it does that run it in okay there we go all right so this is the yubikey they're super reliable easy to use sometimes it gets a little flaky when it's trying to decide which operating system to use let's say if you're virtualizing linux on windows you'll run into this problem average user you won't and basically click on applications in otp and it has this two options remember i said you just tap it and it generates a one-time use code and then when you do the long touch it'll actually generate secure passwords so actually i'll show you the one-time use code so we'll create a nice little scratch pad to work with i'm just going to tap it there you go i'm going to tap it again again so this part is specific to the ub key itself and these parts are randomly generated so every time i tap it it generates that and this is used for authentication okay but here's what we can do we can configure the long touch to have a static password and we can generate something big and nasty okay that looks good finish okay and now that we have it i can just long touch so i just put my finger on it for a little while like three seconds and it generates something i can do it again and it generates something it's the same thing so this is called a salt password so you don't actually use this password as your final password but rather what you do is you take a simpler password and you add it to your salt and these two things together are going to allow you to create a very secure phrase so remember i said up here our requirements are that you're just going to have to remember two proper nouns and an eight digit pin code okay everybody can remember two proper nouns you can always remember something like denver that's a city and then pin code i don't know one one one eight two two three five and then another proper noun maybe it's a name james okay so that's it so when you use this for your password what you do is you basically just tap your ub key it'll generate the salt and then you append it to the end of it okay denver one one one 8 2 2 3 5 james all right very easy to remember denver very easy to remember james and very easy to remember the pin code especially if you use the techniques here with the number shape system it's super easy to remember once you do that you'll probably never forget it your entire life this by itself is a decent password it's not super secure but it's not super bad but combined with the salt this whole thing is you're now your master password you don't know this part and you don't type this part that's preserved by a piece of hardware so even if you wanted to replicate the master password you can't do it but because you have the device to remember that for you it's always there when you need it and then you have this phrase right here that you remember so if you ever lose the device you actually haven't lost your master password you've just lost the salt and what we're going to do is back up this whole thing in a bit so we'll get to the lecture where we talk about how to securely back it up in case you lose the device so you can rotate and get things where they need to go okay so that's how you create a super secure master password you have a salt part and then you have something super easy to remember and my recommendations two proper nouns one proper noun one proper noun so a city a name and then your pin code at least eight digits easy peasy right and that's your user part of the password your salt part and then together this is your master password as one unit okay that's the first level of access into your skeleton key but then there's the question of well what type of skeleton key should i pick what service should i use and i looked at all the different services and i think the easiest one to use is lastpass and let's take a look at it right now lastpass is awesome because it has you can use it for free and there's a premium subscription you can you for the purposes of this video free is fine and premium is three dollars a month so it's not really that expensive and lastpass works with your cell phone so it works with linux devices like android cell phones it works with ios devices and it works with laptops and pcs and it works right in the browser so let's take a look at lastpass so i have lastpass right here and here's the lastpass website let's go there okay so here's the lastpass as i said it's three dollars a month otherwise you just get it for free and when you create an account you can install a chrome extension or a firefox extension and you get this little thing that lives with you and basically it can generate those nice secure master passwords of any length up to 99 characters if you want it's pretty freaking crazy it's amazing to see that plus that's a great and here is the vault so when you create a lastpass account it creates a vault and then this vault can store your passwords notes addresses bank account information credit card information and auto enter all these things as you're using the internet and you secure this with that master password but then lastpass will also allow you to have multi-factor authentication and you have all these different options my recommendation is to use the microsoft authenticator if your windows user otherwise the google authenticator alongside the yubikey password and your user password those two things together are super secure you need a cell phone to access you need the yubikey to access that's two devices to get into your vault but you generally will have all of them with you at any period of time and then what's nice about lastpass is it also gives you the ability to have backup codes so the grid is a printable spreadsheet as a multi-factor authentication and you can even have trusted devices so your cell phone actually turns out to have a unique hardware fingerprint and you can white label that and say even if somebody has a different phone if they get my master password and my other credentials and try to log in they can't from a mobile device okay so there's a lot of great security features and lastpass has a lot of wonderful things on their their website on their youtube page explaining how to use their proper product there are 11 videos on the lastpass 101 it'll take you 30 minutes to an hour to get through super easy to get through they have some videos on multi-factor syndication and it's very easy to set all these things up so this is your secure skeleton key as i mentioned you always have to your email account because of the way the internet works is also going to be a skeleton key so you create your last pass first redo all your accounts get everything set up with a nice secure long password and then you secure your email get that really hardened down and use multi-factor authentication use an authenticator app for for your two-factor authentication and then use the salt password plus the the human memorable phrase and so far what's your burden you can plug this into your phone tap a button and then put a pin code in to enable lastpass and that's actually on phone they also allow biometric so you can use your fingerprint whenever you want to log into something you don't actually need to type anything so it's very user friendly and this browser extension will automatically fill in passwords for you so not a lot of copy pasting you have to do so from an availability and accessibility viewpoint your daily workflow hasn't changed much but all of a sudden you now have two-factor authentication through all of the websites that support it your linkedin your cell phone your facebook page your twitter feed all these things and long passwords like randomly generate like 40 digits long so that's a super secure setup and your whole digital life has now been completely rebuilt okay and we started this where in the secure operating system so the when you boot into this operating system this is where you're going to set up your lastpass account this is where you're going to rotate all your passwords and do all those things it'll probably take you an hour or two to get through all of it and get everything loaded into there but remember no one's eavesdropping no one's here there's no malware no queue loggers no viruses so you can be very secure in the way that you rotate everything and now you're starting to get into a great setup okay so that's the next step is choose a password management service lastpass i think is just an awesome nice thing and they have tons of wonderful videos and french and dutch deutsche i mean it says german and even have a dutch one and spanish so you pick your languages easy to use very nice to have okay once you have a secure skeleton key then and you've learned how to do this salted password and we're actually going to set this up on the command line and you have the user password all set up and these things the next step is to setup secure storage and we actually need a skill set for this we have to learn about encryption okay and we're actually gonna do that right now we're gonna learn how to create some keys and then we're gonna learn a little bit about secure storage and there's two parts to secure storage there's offline and then there's online i also call it cloud and i'm going to show you for the purposes of your wall recovery phrase and critical infrastructure two options on online lastpass itself has a secure vault so we're going to use it and then we're also going to use and all you security experts out there going to get terrified when i mention this your email but then after i show you how we're going to do it you'll calm down a little bit so we're going to use both of those as your and these are high availability high access yeah high availability very easy to access and if we use encryption properly then you will not have any issues with confidentiality and as for offline well we got this device right here and this is going to be your best friend for storing a whole bunch of assets so let's learn a little bit about encryption okay so if you boot into your secure operating environment this is the screen you're going to see and ubuntu is really awesome because it comes pre-loaded with something called gpg and gpg is an application and it has all these amazing capabilities built into it that allow you to construct what's called public keys public key cryptography and so it's based on something called the pgp standard and this is called public key cryptography or asymmetric cryptography is another name for it and this is the basis for how security works on the internet and it was created originally by five people previous shamir and adaman and diffie and hellman so diffie and hellman came up with a solution and rsa is the standard that the internet uses for the certificate architecture so how your e-commerce is secure how all the internet pages are secure when you look in your little browser and you see that nice little lock right there that's all because of public key infrastructure okay and we're gonna learn about that so you have two parts to a key you have a public part and then you have a private part okay the public part everybody in the entire world can see so the concept to keep in your mind is it's kind of an envelope an open envelope that's got a little bit of a lock on it okay and so you open up the envelope somebody's going to take something put it into the envelope lock it click ok it's the world's strongest envelope and the only person in the world who can unlock that envelope is the person who has the corresponding private key so everybody can see the public key but the only person in the world that can see the private key is you the only person who has access to that key is you and pgp is a standard that's so well thought out i'll show you the standard in a second that it also has this concept of shielding so as an added layer of security pgp keys are never stored with the private key unencrypted it's actually shielded meaning you need a password to be able to use them notice how everything's layered we have a secure operating environment so we can do everything safely but then we need to create a skeleton key so we have a basis to make everything easy and usable and we're using special devices to make that skeleton key secure but then because those things exist then we get to the next level and we have to do some complex crypto we can do that complex crypto easily because the same thing that can allow me to generate a random password for my google i can generate a random password with lastpass right and i don't have to remember it i don't have to use it we're going to do all that while we generate it so here's the pgp standard so pgp came out 1991 and this is the latest standard i believe in november of 2007 and you'll see john kallus and the pgp corporation and phil zimmerman and the other guys but there's actually a bitcoin connection to pgp hal finney the very first person to receive bitcoin outside of satoshi was actually one of the authors of the pg's p spec and he was a brilliant guy and he did some phenomenal work back in the day before he died of als it was a super sweet very nice guy but it's so cool that some of the pioneers in the bitcoin space were actually pioneers in cyber security and email encryption so pgp was originally meant as an email encryption service but also it's in a file encryption and decryption service a message authentication service and an identity service for something called web of trust so it is also a swiss army knife the ub key is the hardware swiss army knife and pgp is the software swiss army knife okay pgp comes in many forms but the management software that we're going to use is called clio catra and to get your pgp software on windows you're going to and mac you can download it from the pgp websites so gpg4win.org is here and then there's a version for mac and linux as well but basically it's all the same software it just it has to be packaged differently to run on those platforms so cleopatra comes with this and we have it right here and to get it with linux in your cold environment that you boot into because cleopatric doesn't come pre-installed all you have to do is type in this command sudo app get clio trap okay install oops there we go i've already installed it so it won't do anything when you do this when you boot into this for the first time you'll click y for yes enter comes install once it's installed then you just type cleopatra to open it and here we are and this is an interface that we can use to generate keys interact with our ub key and do all kinds of cool things so we're going to do everything from this and we're gonna back up a bunch of stuff so let's get started to create a key all you have to do is click file new key pair we're gonna create an open pgp key pair first step is you have to put your name in so i'm gonna call this charles and you put anything you want so i'm gonna say hot and we're gonna actually use two keys in our security scheme we're gonna have two key pairs so we're gonna have pgp hot and pgp cold generally when you talk cold that means it lives only on hardware and we talk hot it lives accessible from a hard drive so this cold key is going to live on our ub key and i'm going to show you guys how to generate that in an easy way and use it an easy way and it's super cool as for the hotkey this is actually going to live in the web browser and we're going to use a easy application called melvelope to manage it and what's so cool about mailvelope is that mailvelope actually will allow you to easily encrypt and decrypt your emails and encrypt and decrypt files and so forth and it works cross-platform linux windows mac i know the people who created mailvelope they've been around for over 10 years it's great software it's gotten government subsidies in germany it's been security audited and actually i'll show you right now my envelope so you have an encrypt option a decrypt option so there's all kinds of cool things here and when you look at these keychains and we say actually go back we'll say export actually show you what a public private key looks like actually let's go to the main key ring okay and hang on export show me the keys oh they must have updated it not to show keys all right well i can show you in cleopatra what a key looks like when we generate it okay so let's go here all right so let's generate a key so you put in a name hot and then we go email charles gmail as an example it's not a real one so you're going to click advanced settings and you see all those crazy crypto stuff ec dsa ed dsa edt 55 blah blah blah blah word salad here's what you do 4k is the most secure rsa key you can generate click authentication and the valid until is an expiration date so pgp keys because their communication infrastructure are meant to be rotated so they tend to expire but if you're using for encryption decryption you don't really need to care about that so we're not going to have it expire rsa 4k all these options here you click ok you click next and show details it shows you all the things it's going to do you click create now the minute you do that it says hey we need a passphrase well we have a password manager right so because we have a password manager what can we do generate a secure password i don't know let's do 60 characters how about that copy it and you're going to do all of this in your secure enclave look at that password that's pretty crazy right okay and it'll create the key pair for us there it is and we're going to start using it in just a second but first if you generate a secure password you need to write it down and here's how you write it down go into your lastpass vault you click on notes move a little camera here click add item and say pgp hot there we go digit password save this is not the pgp key this is just the shielding for the key this guy right here remember i said that pgp never stores its passwords unencrypted so this is just the shielding so you need this to be able to use the key the password and so we're going to save it to lastpass so you always have it you never need to remember it because you're not going to be encrypting and decrypting things on a daily basis and if you are even in lastpass because it's right there in your browser you can recall it very quickly but it's a very secure skeleton key it's where all your passwords live and we've already built a lot of great access control security for that right okay so pgp is is shielding is done let's actually look at our key all right so when we click this click export this is what your public key looks it's a lot of garbage right just really nasty stuff all right and so actually let's encrypt and decrypt something with it let's actually do something all right so click here and libreoffice is just like microsoft office but what's cool is you can create pdfs with it i think you can with microsoft office as well so this is a test okay now we'll click file and export as a pdf y and we'll say test why pdf because that's a very well understood format and it's easy to work with all right so let's see here it would be in documents there we go and we'll move this to the desktop so we can work with it easily okay select all right so with cleopatra open it now has this key it has the public key and the private key living in the application the private key is shielded we're going to go ahead and sign in a crypt so we're gonna pick a file and we put test on the desktop that little pdf right there and we're gonna remove the sign and we're just going to encrypt it for ourselves so we click right here and say encrypt for others charles this key right here okay encrypt and you'll see something happen it says successful and you can look at the audit log but we don't need to do that we see right here on the desktop test.pdf.

gpg so this is now an encrypted file no one in the world can decrypt this unless they have the corresponding private key this key right here and we have both in our keychain right now so we can decrypt it now here's the interesting thing everyone in the world can encrypt this because your public key will be public you can post it on what's called a key server i can pull it you can pull it this is how email encryption works so you can go to a key server like for example the mit key server and you can look at people's keys in fact let's do that right now mit key server and there's hundreds of these key servers and like here we can enter my name charles hoskinson let's see if the mit key server is going to find anything i believe i've uploaded a few keys to that mit key server it's a little slow these days they need to upgrade their infrastructure but hopefully it'll find something but anyway public keys anybody can look at them and encrypt with them the only person that can decrypt with a public key is the person who has the corresponding private key we have the private key right here so what can we do we click decrypt click the file and actually i'm going to get rid of the original file just to prove a point so we'll put decrypt click on the file and click open and i'll say hey you need a passphrase to do this huh well remember we had the passphrase so let's let's go grab it we saved it here okay decrypted this is a test look at that okay so this is the basis of file encryption you can encrypt and decrypt and you have these two keys all right well that's the hotkey but let's also now create a cold key okay and we're going to do this with the ub key so yubikey as i said is a swiss army knife and so i'm going to move over my ub key to work in this here we go uvico controller connect it i'm gonna move over my ub key to work inside here and what happens is when you plug your ub key in you have to first prepare it and so we're gonna have to do some command line but don't get scared it's not too much so if you open up your terminal you can type in gpg dash dash card dash edit click enter and i have reset my ub key so this is the base state of the uv key now before we do anything in cleopatra we're going to have to prime the card to do some stuff and so how you do that is you type admin it says admin commands are allowed okay cool and so then we'll like type in help and in linux help is a common command that you use over and over again and you can see all the different things we can do but the first thing we have to do is set a pin code now a yubikey is considered to be what's called a smart card and so a smart card basically has a pin code and the standard for smart cards is if you enter the pin code wrong three times it'll lock the card then you have another pin code you can use to unlock the card and if you enter that wrong enough time it'll lock the card and then you have to do a lot of stuff to unlock it okay so it's considered to be a very secure standard because of that and you can use pin codes of long links like greater than 10 digits and so forth and so yubikeys come pre-selected to have an administrator pin of one two three four five six seven eight that's the standard admin so you're gonna change your admin code and so forth so my recommendation is just use the same code for everything technically you should segregate it and have different codes in these things but this is again an availability thing and it's a memory problem and you'll always forget and actually you can reuse that pin code that you use in your master password for example because there's a very low probability that that's probably going to be compromised and when you're entering in the pin code for this it's client-side and it's not transmitted over the internet okay it's your personal preference and it's all about how much you think you can remember and how secure you want to be but i don't see any serious issue with reusing an eight digit pin code and what we're going to do is we're going to change the unblock pin and i'm just going to use the one through eight because there's no sense in setting a real legitimate pin code and we're going to change the reset code i would change all the pins so all four options to some eight digit code okay then after we've done all of that we'll type in help and the next thing we're going to do is type the unblock command and then it's going to ask for a pin code so enter in the pin code that you used and then re-enter that same pin code this is a little quirk that we have to do to prime the key to work with cleopatra i had to spend some time with it but we got it all done okay then when we type list again you'll now notice that something has changed very subtle if you have your keen eyes you'll have seen it up here you'll see that we had three zero three and now we're set to three three three it's all ready to go we're all prime we don't have to do any more command line for this so we're now going to go back to cleopatra now cleopatra has a built-in tool to work with smart cards and generate keys for smart cards so click on tools click on manage smart cards and we're going to say generate new keys okay so i'm going to go ahead and generate a small one primarily because it takes a long time about 5 to 10 minutes to generate a 4k key on your ub key you should generate a 4k key but for the purposes video i'm just going to generate a small one a 1k key and i'll type in my name charlescold charles gmail.com okay hang on a second it might require me to have a minimum key size of 2084. so let's take a look here charles hold at gmail.