# 26.03.04 Secure Keychain

## Goal

Move critical secrets from the manglasabang repo to MLSBKC (USB) so that a repo compromise doesn't mean full identity theft.

## Decision Log

| # | Variable | Source File | Severity | Decision |
|---|----------|------------|----------|----------|
| 1 | SSN | personal-info.md | Tier 1 | MOVE |
| 2 | Bank routing + account | personal-info.md | Tier 1 | MOVE |
| 3 | Bitwarden master pw | bitwarden.md | Tier 1 | MOVE |
| 4 | Green card number | personal-info.md + greencardnumber.txt | Tier 1 | MOVE |
| 5 | DOB | personal-info.md | Tier 1 | KEEP |
| 6 | Purelymail admin pw | purelymail.txt | Tier 2 | KEEP |
| 7 | EIN | junwon-company.md | Tier 2 | KEEP |
| 8 | Driver's license # | personal-info.md | Tier 2 | KEEP (own file) |
| 9 | VIN | personal-info.md | Tier 2 | KEEP |
| 10 | Tax returns (PDFs) | personal-federal-tax/documents-ignore/ | Tier 2 | MOVE |
| 11 | Green card scans | medical-and-calfresh/documents-ignore/ | Tier 2 | MOVE |
| 12 | DL scans | medical-and-calfresh/documents-ignore/ | Tier 2 | MOVE |
| 13 | Bank statements (18mo) | review-finance/documents-ignore/ | Tier 2 | MOVE |
| 14 | Fund positions/trades | palacefund/secrets/ | Tier 2 | MOVE |
| 15 | Housing portal passwords | housing-accounts.md | Tier 3 | MOVE |
| 16 | Operating agreement | palacefund/legal-ignore/ | Tier 3 | MOVE |
| 17 | Deploy unlock keys | palaceapp deploy-unlock-keys.json | Tier 3 | MOVE |
| 18 | Form 1120s (7 years) | company-federal-tax/documents-ignore/ | Tier 3 | MOVE |
| 19 | Lease agreement PDF | medical-and-calfresh/documents-ignore/ | Tier 3 | MOVE |
| 20 | Delaware file number | junwon-company.md | Tier 3 | KEEP |

## MLSBKC Contents

```
keychain/
  ssn.txt
  bank-accounts.txt
  credit-cards.txt (reserved)
  bitwarden.txt
  usa-green-card.txt
documents/
  tax-returns-personal/ (3 PDFs)
  tax-returns-corporate/ (Form 1120s, expenses, 96 receipts)
  id-scans/ (DL + green card images)
  bank-statements/ (18mo across 6 accounts)
  fund-secrets/ (positions, trades, securities CSVs)
  housing/ (portal passwords, lease PDF)
  legal/ (operating agreement, legal docs)
  deploy-keys/ (production deploy keys)
```

## Steps

- [x] Create task
- [x] Go through each variable and decide MOVE or KEEP
- [x] Copy decided items to /Volumes/MLSBKC
- [x] Delete moved files from repo
- [x] Encrypted MLSBKC with VeraCrypt (FUSE-T, AES, SHA-512, exFAT)
- [x] Tested on both Mac and Windows
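
A post-migration check for the steps above, as an added example that is not part of the original log: it looks for moved files still in the working tree, SSN-shaped strings left in kept files such as personal-info.md, and moved files still reachable in git history (deleting a tracked file does not remove it from earlier commits). The `MOVED` basenames are taken from the Source File column, and treating them as fully removed files is an assumption; `leftovers` and `in_history` are hypothetical helper names.

```python
import os
import re
import subprocess

# Assumption: basenames taken from the "Source File" column of MOVE rows, treated
# as files that should be gone entirely. Adjust to the real repo layout.
MOVED = ["bitwarden.md", "greencardnumber.txt", "housing-accounts.md",
         "deploy-unlock-keys.json"]
# SSN-shaped strings (NNN-NN-NNNN) in files that stay, e.g. personal-info.md.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def leftovers(repo):
    """Return (moved files still on disk, kept files holding SSN-shaped text)."""
    present, ssn_hits = [], []
    for root, dirs, files in os.walk(repo):
        dirs[:] = [d for d in dirs if d != ".git"]  # skip git internals
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, repo)
            if name in MOVED:
                present.append(rel)
                continue
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    if SSN_RE.search(fh.read()):
                        ssn_hits.append(rel)
            except OSError:
                continue  # unreadable file: skip it
    return sorted(present), sorted(ssn_hits)


def in_history(repo, name):
    """True if any commit on any ref touched a file with this basename."""
    cmd = ["git", "-C", repo, "log", "--all", "--format=%h", "--",
           f":(glob)**/{name}"]
    out = subprocess.run(cmd, capture_output=True, text=True)
    return out.returncode == 0 and bool(out.stdout.strip())


if __name__ == "__main__":
    repo = "."  # run from the repo root
    present, ssn_hits = leftovers(repo)
    for rel in present:
        print("still in working tree:", rel)
    for rel in ssn_hits:
        print("SSN-shaped string in:", rel)
    for name in MOVED:
        if in_history(repo, name):
            print("still reachable in git history:", name)
```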