Simple, Secure, Repeatable
Most of us live a connected life by default. I have six computers and three mobile devices that hold bits and pieces of my work and personal lives. As a software engineer that may be on the high end, but surely it’s not uncommon to have a computer or two, a shell account or VPS, a phone, and perhaps a tablet too.
On each device, I need different parts of my digital life:
- accounts and passwords
- configuration files and settings
- documents, source code, and so on.
Upgrading or replacing devices and restoring my usual environment has always been painful, so I resolved to automate a large part of this process once and for all. In devising a system to manage this data, I came up with the following goals:
- Changes to a file or configuration should be reflected on all my devices.
- All my information should be reasonably secure. Any cloud storage used should involve encryption that I control. Two-factor authentication should be used everywhere it possibly and sensibly can.
- Setting up a new computer or virtual machine with my comfortable development environment should take less than a minute or two, and involve minimal manual effort.
- There should be a thought out and tested disaster recovery plan, one in which I could bootstrap my environment from an encrypted cloud-based backup after losing all devices.
- Not every device needs or should have information; setup needs to be selective.
Over the years I have evolved a workflow and set of tools to achieve all of these goals. Here’s how I do it.
Accounts and Passwords
As of the time of writing this post I have 295 online accounts. This number is both ridiculous and common. The most popular approach to handling this many accounts in a sane way is either to use a password manager or reuse passwords. Reusing passwords is a terrible, horrible idea. Are you sure that every web application you use is correctly using bcrypt, scrypt or PBKDF2 to store one-way encrypted passwords? If one of the sites using your shared password is compromised, how many other passwords would you need to change? Do you even know if a site is compromised? Does the site owner know?
If you can’t re-use passwords, and it is not feasible to try to remember 295 passwords, the only sane option is to use a password manager. I happen to use 1Password, though LastPass and others are good too. Since I don’t memorize passwords, in every case I create long and complex passwords and store them in my database. Here’s one that I just asked 1Password to create:
These passwords, as well as other account information like user name, URL, notes, etc., are all stored in my passwords database file, which is encrypted locally and then shared to all of my devices using both Dropbox and BitTorrent Sync. I have access to every account from every device with only a very slight loss of convenience and huge boost in security.
My password database is the key to my entire digital life – it contains my GPG private keys, BitTorrent Sync keys, scans of my driver’s license, passport, credit card numbers, and other important documents and notes. Besides copying it to Dropbox and every device, I back up an encrypted archive weekly to an offsite, 3rd-party email account. In the event that I lose all devices, I can recover everything by remembering only two passwords.
Use a password manager – you will come to wonder how you managed in the past.
Configuration Files and Settings
I do non-trivial amounts of software development on at least three systems – my laptop, home desktop, and a VPS shell account. Often I am working on Flipboard software, but sometimes I play with my own projects or help out friends with their projects and websites. Where possible, I want to keep these various lives separate; files like SSH keys need to be handled thoughtfully, and debug and configuration settings for one system should not interfere with another. Only the needed components should be installed into the accounts that need them.
Installing these bits of configuration should be easy too (I’m lucky in that I upgrade computers fairly often) but VPSs also are designed to be easily blown away and re-provisioned, and I don’t want a carefully-but-manually setup configuration to prevent me from doing that.
To enable consistent, partitioned, quick and easy config file management, I built a little tool called wsup to take care of all the grunt work. I could have used Puppet or Ansible or similar tools, but I wanted something very simple that I wouldn’t forget how to use over time. In addition, my configurations are typically managed in Git repositories. I make changes to local clones of these repositories in various machines, and I don’t want to have to remember to manually copy those changes back to a master Puppet repository.
is built around the concept of named layers – each of which is backed by a Git
, I can go from a bare-OS to a full work development environment
1 2 $ bash <(curl -fsSL https://raw.github.com/dcreemer/wsup/master/bin/wsup) $ wsup add dotfiles dotemacs <url-to-private-work-config-repository>
This first command bootstraps
directory (and installs any
requirements like Git if needed). The second command downloads my
personal configuration files, my
Emacs configuration, and my private work configs and
installs them into my home directory with symbolic links.
makes it easy to add and
remove layers. For example, I can add my (hypothetical) Vim config and unlink my dotemacs
configs like this:
1 2 $ wsup add vim $ wsup unlink dotemacs
or switch back just as easily:
1 2 $ wsup unlink vim $ wsup link dotemacs
For more on
, see wsup’s GitHub repository.
In additional to configuration files, I need applications to be pre-installed on each
environment. Operating systems provide package management for this task (more or less; Mac
OS X is somewhat deficient here).
contains simple front-ends to the package
systems so that I can add:
1 install_package aspell
configuration scripts and
will be installed by the OS package
manager. My personal
configuration script installs Emacs, Markdown, Leiningen, and
many other tools. By installing the homebrew cask
external command, I can even add:
1 install_package cask google-chrome
and have my Mac OS X applications automatically installed.
For configurations where I want a substantial number of files and documents, I use
to install various private ‘documents’ layers. Each layer configuration checks to ensure that
required tools like BitTorrent Sync are installed, and then installs the data using those
My personal files, photos, and music are shared in the same way between all computers with
layers. A home server participates in all my personal sync torrents and then
backs up all files to encrypted offsite storage using
With a password manager, a configuration manager, and a workflow encoded in some support scripts, it’s possible to have a secure, backed up, simple-to-deploy, and relatively easy to manage work environment.