Backup and Security
- I use Stronghold.
- I use a strong password (32 character length, Shannon Entropy ~ 4.0) for encrypting the stronghold.
- I rotate the stronghold password on a regular basis.
- I create a daily backup of the stronghold.snapshot file.
- I keep a secure history of passwords used for recovery.
- I use a secure password management service that integrates with the server.
- I use a linux based server (best memory security).
- I have isolated my server behind a DMZ.
- Don't use SQLite.
- Don't store passwords and backups on the same device.
How to Backup Your Account
You can use a copy of the
stronghold.snapshot file as a backup. You can implement a cronjob, rsync or scp with a date-time suffix to periodically back up your account.
How to Restore From a Backup
Place a snapshot file in the directory that wallet.rs expects.
How to Export a User's Stronghold
You can create a new Stronghold snapshot on the fly to allow a user to leave your service and retain their key.
How to Rekey a Stronghold/Password Rotation
To change a Stronghold password, you read a snapshot into a vault and then write it out with a new encryption password. You can view this code for the source.
Old snapshot backups will not be "rekeyed", so you have to track your old passwords.