I have an Ubuntu droplet set up with DigitalOcean and have it pretty much running as expected and am ready to take it live. However, in following the extensive DigitalOcean setup instructions, one thing I did skip was the non-root user setup. I don't remember why I did that, but I did. Right now I'm accessing the droplet via SSH but I don't even have a root password (yikes, maybe?). I also have a firewall set up with NGINX, etc. and all of the standard recommendations based on DigitalOcean's setup articles.
I'm reading through this list of VPS security precautions and the first item is to remove root access.
I'm still very much new to Ubuntu and I'm wondering how I should go about transitioning from the root setup to a non-root one. I've made a decent number of changes to the default configuration and don't want to have to start from scratch.
Part of the reason I'm asking this question is that I may eventually want to store some fairly sensitive private keys on a droplet. I've read that a VPS might be inherently insecure, so I'm also trying to figure out if it's possible for me to get a sufficient level of security on a droplet or if I should give up on that altogether. I like DigitalOcean but I guess I would need to look elsewhere for a non-VPS solution.