We recommend regularly reviewing the digital security practices around your cryptomat's operation. The below are some key recommendations, though you should consider others related to your situation.
See also our article on physical security practices.
Reviewing and revoking admin access
When generating a new admin link, either for yourself or colleagues, you are granting the browser that loads the link ongoing access to your admin and its settings.
For security reasons, you should periodically review the links you've granted access to and revoke those that are disused. This is made easier if giving a relevant name to each link you create.
Use the commands in the article 'Authorising and revoking admin access' to manage admin permissions.
If you open a new admin link within a browser's 'Private' window, access will not persist past that session.
As a greater precaution, you may even turn off the admin fully when not in use, and switch it on again when needed. Details in the article linked above.
Halting service at your machines
You may wish to temporarily prevent usage of your machines, for reasons such as overnight security, so that transactions may not be placed.
To do so, follow the article 'Halting service at your machine' to stop and start service. This keeps your machines paired while denying their ability to authorise wallet withdrawals.
Backing up your wallets
We recommend you periodically backup your wallets to avoid any loss of funds.
Some wallets, like the mnemonic keys for ETH, you'll need to back up only once. This can also be the case for BTC, LTC, and BCH wallets if they were created with certain wallet versions and higher (as they'll be HD wallets from which all future addresses can be derived).
Others, such as ZEC, will require periodic backups to keep up with the keys to newly generated addresses.
You may make timely backups of all wallets using the 'Wallet backups' article.
If you use BitGo for a wallet service, make secure copies of your backup keycard PDF which was provided by them upon signup.
Keep only as much cryptocurrency in your machine’s wallet as is needed for a couple of days of transactions. This will limit your exposure as well as minimise the float needed for operation.
You may use the article 'Sending funds from your admin's wallets' to withdraw coins.
DigitalOcean, BitGo, Twilio, Kraken, Bitstamp, and other third-party services support two-factor authentication for greater security.
Ensure that you have two-factor authentication enabled on each service, especially on DigitalOcean.
Always use SSH keys
Our setup documentation walks you through the processes of creating and using SSH keys to access your server.
Not choosing an SSH key during server droplet creation results in DigitalOcean emailing a root password to you.
Password-based authentication is extremely insecure. Ensure your server permits only access through SSH keys by creating a DigitalOcean droplet specifying your SSH key at the time of creation.
Further, if you've granted other users SSH access, review the list of authorized keys on your server, carefully removing any which you no longer approve of.
Beware of social engineering and insecure communication
Consider possible ways you could be socially engineered to expose information or access to systems.
For example, if your associate or technician requests a new link to your admin or a new SSH key added to the server, consider how you can be sure it's truly them. Their account could have been hacked or their phone number SIM swapped.
Another example of social engineering would be if a supposed customer reaches out to you to ensure you have a large amount of crypto in your wallet or cash in your machine in advance of them travelling a long distance to make a large purchase. This could be because they have intentions of compromising your systems.
How secure is your computer?
There are many considerations when it comes to your personal computer's security that go beyond our scope here, and which you should consider as a result of holding cryptocurrency regardless:
Do others share the same computer you access your server from? Do you allow remote desktop software permissions over your computer for login elsewhere or tech support? Do you have a cloud backup service running that would make copies of your private SSH keys or wallet backups? Do you store your wallet backups on an unencrypted USB drive that others might obtain? Etc.
Updates and alerts
Our latest software releases include fixes for known issues. Ensure you're up to-to-date and schedule an update by visiting our Updates knowledgebase section.
For alerts on the latest software patches, please follow @LamassuSupport on Twitter and enable notifications. We have an operator-only Telegram announcement channel as well. Please email our support team for an invite.