Hi all,
Working through some things like a will (I am fine, just normal life planning), and debating methods for digital management when I do die.
I run a lot of self-hosted services for family and friends, all on secured servers with ZFS and on/off site backups. Key ingredient is Vaultwarden for password management.
I’d like to put something in place so that encryption keys, some docs, and key passwords are released to a tech savvy friend. Anyone know of existing solutions for this?
Requirements of:
- Not providing keys to a third-party beforehand
- Not forgeable to open
- If possible, no “weekly press a button”
I’m thinking some kind of key pair where my friend has the private key and the public key is provided to a family member, and when activated a timer starts where I could cancel the release.
If you already have a will, the most secure, idiot-proof way I'd do it is to add that key + instructions to the will. Get some lawyers on board for that and it will work.
If you still have concerns about having the full key in a single place, add a TOTP or second form of identification and distribute it between your heirs.
Sometimes, the old-fashioned way is the best one by far.
I think this combined with the solution provided in this comment will be the most robust approach and solve all your problems.
That’s what I would do
Vaultwarden lets you designate someone to take over your account if they request it and you don't respond within a week.
Had not realized this, thanks!
This was gonna be my suggestion too.
Add secure notes to your vault detailing your setup and what to do with it when you're gone. Then create an account for whoever you want to pass things on to, designate it as a trusted emergency contact and teach them how to access it.
Well, I always dreamt about encrypting my master keys to all my digital heritage with some threshold scheme encryption like Shamir’s secret sharing. I believe there is some Linux tool available: http://point-at-infinity.org/ssss/
That way N out of M of my friends would have to gather after my passing, combine the puzzle pieces and be granted access to my stuff.
There are easier ways, though. You can just write down a password and include it with your last will, seal it and have a notary take care of it. I'd create a separate administrator account/password for that.
You could set up two-factor authentication and give them one factor now, and have the other factor stored with your things so they can collect it after your passing. Doesn't need to be complicated: create a password with 30 characters, split it in the middle and you have two factors.
There are online services for these kinds of things. Or you can run some dead man's switch yourself. I'm not sure what kinds of projects someone would use for that. Taking care of a dead man's switch would be annoying for me.
Great idea. My poor man's version idea was an encrypted data set inside another encrypted data set to require two people, but Shamir's seems like a much better option.
I'm still a bit split on this, and whether the complexity and reliability are good enough for the use case. I mean, if you don't need N-out-of-M but it's just two people: cut a password or key in half. Same if it's N-out-of-N people; you just need to make some puzzle pieces and hand them out. We don't really need encryption and fancy maths for that. But I guess encrypting something would work, too. Just use a program or algorithm that's likely still around when it's going to be used. And you can always add a sheet of paper or PDF with instructions. Maybe save the executable file to decrypt it somewhere if the solution requires software.
Possibly dead, but a cool project nonetheless.
Nice. Thanks. Seems I've missed some Harry Potter themed stuff. That gave me an idea… Take (or write) an Arduino library (or SSS implemented in plain C, instead of Go), flash it on a microcontroller like an ESP32 and you have some actual, physical horcruxes. I'd have to think about the form factor, and whether they need displays, or act as a USB thumb drive… But they could light up once you get like 3 of them in Bluetooth proximity and reveal the secret. Other than that, I think it would need to be part of some well-maintained password vault app. Or be a web service, so people don't need to worry about getting some old computer code running.
Edit: Seems the Bitcoin people have had a thought at something like this: https://github.com/satoshilabs/slips/blob/master/slip-0039.md
Last release was over 5 years ago and, judging by the issues not receiving responses, it's best to assume it's deprecated.
Cool project it seemed.
Yeah, I was looking at the most recent commit being two years ago. Hadn’t checked out the issues.
@ohshit604 @AbidanYre Nah, they are still doing releases, but they’re hidden. You have to combine the past few releases to unlock the url for the latest release.
[I’m joking, of course.]
I've thought about this myself during a phase of less than perfect health. I think a somewhat practical solution is to have all passwords and documentation on how to use them/access the services that require them in an (online) password manager (so it stays current). Then have a USB stick with encrypted login credentials and OTP backup deposited at a notary and hand out the decryption key to a few trustworthy friends and family members.
This way nobody can access your stuff and the notary can make sure to hand out the USB stick only to the one person you specified in your will. The other friends/family members are there as backup in case your "special" friend has lost the decryption key in the meantime. The alternative to an online password manager would be a local one that you synchronize to your friends and only the notary has the key to unlock the database, which they only hand out according to your will.
I’d love to hear about other solutions though. Maybe there’s a better option.
P.S.: There are tools to have more redundancy on USB sticks and so on, so that bit flips/degradation can be accommodated. Multiple redundant data carriers are an option as well.
Yeah, this is a similar idea to what I'm considering. Thanks!
Vaultwarden’s readme says that it supports the Bitwarden Emergency Access feature. Why not use that?
Will have to look into this, thanks!