
Security Guidelines

Disk encryption

We ask all employees to use full disk encryption to protect their personal as well as company data. This is straightforward to set up on macOS and Linux.

Password Storage

Passwords must never be easy to guess and must be different for each service and site. We recommend that all passwords match [a-zA-Z0-9]{24}, i.e. 24 or more alphanumeric characters. To store passwords, we strongly encourage the use of a password manager such as 1Password, LastPass or Bitwarden.

To limit the damage if a password is exposed anyway, we strongly encourage all employees to use two-factor authentication, and we enforce its use for relevant workplace services.

SSH keys

SSH keys used for work purposes must be at least 4096 bits long and protected with a passphrase. Each key must carry a comment containing the name of the person it belongs to, so that we can identify keys more easily after access has been granted.

Private keys must be stored securely and must never be exposed to anyone else in any fashion. Never send private keys to anyone, including yourself, over the internet.

Server access is only ever granted based on SSH key authentication, never password authentication.

Work Place

When leaving your workspace, you are required to lock your machine so that nobody else can access it. This also applies when you just step out of the developer office or take a short break: if the computer is out of your sight, it must be locked. This goes for all machines that contain company data or have access to it.

Working on a server

Passwords, API keys and other credentials must never end up in the shell history, especially on servers. Read passwords from stdin or from a file instead of passing them on the command line.

Production data

All production data, such as MySQL and MongoDB dumps or Elasticsearch snapshots, that does not reside on the respective servers must be encrypted. If you want to share a (sub)set of production data with someone for testing purposes, encrypt it using AES-256 and tell the recipient the password directly, not alongside the encrypted data.

Don't store production data on your local machine longer than you need it.
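As an added example for the two points above (keeping passwords out of the shell history and encrypting shared dumps with AES-256), and not part of the original guidelines: a small POSIX shell script wrapping the openssl CLI (assumed installed, version 1.1.1 or newer for -pbkdf2) that reads the passphrase from stdin instead of the command line. The file names, sample dump and passphrase are constructed.

```shell
#!/bin/sh
# Added example for these guidelines (not part of the original document).
# Encrypts a dump with AES-256 via the openssl CLI, reading the passphrase from
# stdin (-pass stdin) so it never appears as a command-line argument, in the
# shell history or in the process list. Assumes openssl >= 1.1.1 (for -pbkdf2).

# Encrypt $1 into $2; the passphrase is the first line read from stdin.
encrypt_dump() {
  openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt -in "$1" -out "$2" -pass stdin
}

# Decrypt $1 into $2; the passphrase again comes from stdin (same PBKDF2 params).
decrypt_dump() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -in "$1" -out "$2" -pass stdin
}

# Round-trip check on a constructed sample "dump" (not real production data).
# Returns 0 on success, 1 on any failure.
demo() {
  tmp=$(mktemp -d) || return 1
  printf 'INSERT INTO users VALUES (1, "alice@example.com");\n' > "$tmp/users.sql"
  # In practice the passphrase is typed at the prompt or piped from a file with
  # restrictive permissions; here it is a constructed demo value.
  printf '%s\n' 'constructed-demo-passphrase' \
    | encrypt_dump "$tmp/users.sql" "$tmp/users.sql.enc" || return 1
  # Output must carry openssl's salted header and must not contain the plaintext.
  [ "$(head -c 8 "$tmp/users.sql.enc")" = "Salted__" ] || return 1
  grep -q 'alice' "$tmp/users.sql.enc" && return 1
  printf '%s\n' 'constructed-demo-passphrase' \
    | decrypt_dump "$tmp/users.sql.enc" "$tmp/users.dec" || return 1
  cmp -s "$tmp/users.sql" "$tmp/users.dec" || return 1
  rm -rf "$tmp"
  return 0
}

demo && echo "AES-256 round trip OK; passphrase never touched the command line"
```

When sharing with a colleague, send only the .enc file and pass the passphrase on directly, as the guideline above requires.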