Wow, good thing I still use RSA keys and have a short expiration on all of them plus a plan for quick revocation if any are compromised :)
I cannot stress this enough: if you lose physical possession of your hardware then you MUST assume it is compromised and act accordingly.
@jakehamilton out of interest, how do you deal with revocation? thinking mostly of ssh access to servers
@puppy all of my ssh stuff is hooked up via gpg. I have revocation files ready to go on a usb drive which I can push up to key servers which would prevent any new usage of my keys. Existing users would need to fetch the update, but I would be shouting it from the rooftops. As well, my subkeys expire after a year so I can renew them every 12 months and confirm I am still in possession of the private key.
@puppy use of my keys would also require my passphrases which would at the very least take time to crack. All my devices would get their ssh configs updated which is as simple as a single line change and then running deploy from my config repo.
@jakehamilton yeah... sigh. you may have noticed us rotating our keys a few months ago when several of our hardware tokens disappeared to the cat toy dimension for a while.
@jakehamilton I have a magical power that makes things disappear forever into another dimension as soon as I let them out of my sight, so as long as no one can jump dimensions it should be fine
@jakehamilton they eventually came back, and showed signs of damage consistent with having been cat toys and not consistent with having been decapped and subsequently reassembled by a high resource attacker. we're still glad we rotated.
@ireneista better safe than sorry!!
@jakehamilton the way we think of it is that for our security practices to be real, they need to just be the boring thing we always do when we're in the situation that prompts it. we can't let ourselves overthink it every time or else we won't do it when we need to.