edub | 3 years ago
I am a paying customer of Bitwarden, so that's the easiest path for me, but I like complicated things.
My plan is to use Shamir's Secret Sharing. Specifically, I was thinking of using Klaus Post's Reed-Solomon (golang) library, which is a port of Backblaze's JavaReedSolomon. One could perform an All-or-Nothing Transformation first, depending on the security level needed.
The primary advantage of this compared to Emergency Access with Bitwarden is that it isn't reliant on a single person surviving me. I would give my wife the emergency access, but if we became incapacitated at the same time (almost happened in the flood), then other trusted people can come together to assemble the keys to unlock the data.
Additionally I can give different people different weights. Perhaps my wife and my mom have enough keys by themselves to unlock, or maybe just a couple or a few keys short. Whereas my trusted friends have enough keys that would require X amount of them to agree to unlock my vault, and people that have an incentive to kill me have the least amount of keys :)
I would likely just store my password to my Bitwarden account, my email account, and my note-taking application. That way I don't need to update it except when I need to change the password, which is also how I could revoke someone from holding a key: change my password, re-run RS and redistribute keys. Realistically, if you gain access to my Bitwarden then you have the keys to the other places, but not necessarily the ability to pass two-factor authentication, so I could include recovery codes for 2FA.
There is no reason I couldn't have multiple vaults for different things with different levels of keys needed to open, so for a non-profit I work with, it only takes a few key people to come together to unlock, but it only gets them access to stuff relevant for that organization.
If someone loses a key, or it gets corrupted, it just takes more people to agree to use their key to gain access.
In addition to death, something could happen to cause me to forget my master password, but otherwise I'm still capable of doing things. So it is also a backup for myself.