Securing Your Coding Setup

As a software engineer, I spend a great deal of time writing code. Protecting this code is important not only for myself, but also for the companies I work with. Over the years, I’ve developed a list of methods and apps that I think everyone can benefit from.

Protecting your hosted repositories

The majority of developers I work with push code to a shared repository, like GitHub, GitHub Enterprise, or Bitbucket. This helps with collaboration and data backup, but adds some complexity for creating a secure setup. To ensure this code doesn’t fall into the wrong hands, I recommend the following:

  • 1Password: Every developer should use a password manager, and 1Password is one I highly recommend. Password managers let you generate a strong, unique password for every site you use.
  • Two-factor authentication: Enabling two-factor authentication on your repository host ensures an attacker can’t log in to your account without entering a special code from your phone. I use Google Authenticator for the codes, but I’ve heard good things about Authy.
  • SSH Keys: Using SSH keys to access your repositories instead of HTTPS limits your exposure to an attacker, because a stolen SSH key, unlike HTTPS credentials, will not allow an attacker to access your GitHub account and settings. For those unfamiliar, here is a quick SSH setup guide.

Protecting your local setup

To ensure code doesn’t fall into the wrong hands in the event your computer is stolen, I recommend:

  • Hard-drive level encryption: If the attacker disconnects the hard drive (or SSD) from your computer, it won’t matter if you have a secure user password. Adding hard-drive level encryption with FileVault (Mac) or similar will ensure your data stays out of the wrong hands. No matter what you do, do not lose your recovery key!
  • One SSH Key Per Device: Using one SSH key per computer will let you deactivate specific keys in the event a device is stolen, without having to reset your credentials on all your devices. I recommend naming the key appropriately in your GitHub account (or similar) so you’ll know which one to disable if the device is stolen.
  • (Optional) Kryptonite for SSH key management: Kryptonite, an open source app for iOS/Android, lets you store your private SSH key on your phone. If you try to access a resource that requires that SSH key, your computer will make a request to your phone, which, when approved by you, will return a SSH signature for the request. This is probably overkill for most people, but being notified whenever an SSH key is being used is a nice feature.

Signing your work

There is no concept of “registered authors” to git: if you set your name and email to Bill Gates <bill@microsoft.com>, your commit will use Bill as the author. To help verify you’re actually who you say you are, I recommend:

  • GPG Signing: Git allows you to use a GPG key to sign your identity to your commits. When you’ve set this up, running git commit will use your private GPG key to sign the commit. Because you’ve given GitHub the public key that matches this private key, GitHub can verify the commit was signed by you, and not someone pretending to be you.

Conclusion

Taking these simple precautions will help ensure your code doesn’t fall into the wrong hands, and that nobody can impersonate you when adding work to version control. They take only a few minutes to setup, and can save you a major headache down the road.