Whether it's your personal life or your business life, you'll die; that's inevitable. This is a tutorial on how not to be a burden on others in the event of your death, but instead to leave behind a secure and confidential process.
You might think, "I'd rather die with all my passwords than share them insecurely." That was me too (especially since I work in infosec). Times have changed, and more is at stake for significant loss: digital assets, bitcoins, etc.
You need to prepare for your death to lessen the burden on loved ones and business partners. It's like "eat your broccoli": you know you should, you just don't do it.
I wanted a way to share my backups, passwords, and other digital assets upon my death.
The solution needs to meet the following requirements:
Use a hardware device commonly used for bitcoin cold storage (offline-only storage that's not connected to the computer in any way) together with a secret sharing algorithm to distribute the keys to multiple trusted individuals.
This method does not provide any single trusted individual with all the keys,
so no one person can be compromised, act maliciously, or lose their key and affect the possibility of decryption.
The approach we'll use works similarly to dual authorization in banks (or nuclear launch codes): multiple people must agree and each provide something in order to carry out an action.
We'll use a secret sharing approach that allows us to share with a larger group of individuals. We'll also have fun with some algorithms that are used in the blockchain.
First we have to choose how we'll physically provide the secrets.
The best option is to use something that can withstand a disaster such as a house fire, flood, etc. Here is what I chose: the Cryptosteel Capsule.
I bought four, one for myself and three to be given to trusted family and friends.
Cryptosteels can be pricey, but they should last a lifetime. ;-)
From the vendor's description: "The Cryptosteel Capsule is the premier backup tool for autonomous offline storage of valuable data without any third-party involvement. The solid metal device, designed to survive extreme conditions, works under nearly all circumstances."
Other options can be:
Shamir's Secret Sharing (SSS) algorithm splits a secret (in this case a password) into multiple parts (called shares). You set a threshold: the number of shares that are needed to reconstruct the original secret.
This allows me to hand out a unique password share to each person I trust, but require only a smaller number (the threshold) of those individuals to reconstruct my original secret. One of your trusted individuals can lose their password share without compromising the ability to reconstruct the original secret. Or, if you are like me, your closest friends are hackers and would take the opportunity to pull a personal prank on me... but they can't unless they have the cooperation of multiple individuals.
These instructions were carried out on a Linux system, but could be adapted for Windows.
1. Create a file named mylife.txt containing the passphrase to your password vault. You can also include anything you'd want to share upon your death in this file. "I buried $3m behind a bench in the park", for example.
2. Encrypt the mylife.txt file with GPG, providing a passphrase. This passphrase will be the secret that gets converted into shares. It should be different than what's stored in the mylife.txt file:
gpg -c --no-symkey-cache mylife.txt
Note: The above command outputs a separate encrypted file named mylife.txt.gpg. Don't forget to shred and delete the original plaintext file.
3. Split the GPG passphrase into shares using the ssss command:
ssss-split -t 3 -n 4
I chose to split my password into 4 shares and only require 3 of the 4 shares to recover the original secret. You can change these values based on your needs. Take each share and put it into its capsule.
4. The ssss-combine command uses your secret shares to reconstruct your original passphrase (the threshold must match the one used for splitting):
ssss-combine -t 3
5. Verify that the ssss-combine output can successfully decrypt the GPG file, mylife.txt.gpg.
See also sprocketsecurity / password-recovery-upon-death: "A secure password recovery process used upon your death and engaged by multiple approvers. Use Shamir Secret Sharing and Cryptosteel capsules."
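To make the threshold behaviour of Shamir's Secret Sharing and the ssss-split / ssss-combine steps above concrete, here is an added example in Python (my own code, not the ssss tool and not from the post or its repository). It splits a constructed sample passphrase into 4 shares with a threshold of 3 over a prime field and shows that any 3 shares reconstruct it while 2 do not; the field prime, the passphrase length limit and the sample passphrase are assumptions of this toy.

```python
import secrets

# GF(p) with the Mersenne prime 2**127 - 1: holds a passphrase of up to 15
# bytes as one integer (a toy-size assumption; ssss handles up to 128 bytes).
PRIME = 2**127 - 1

def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result

def split_secret(secret, threshold, shares):
    """Like ssss-split -t threshold -n shares: pick a random polynomial of
    degree threshold-1 whose constant term is the secret, and hand out one
    point (x, f(x)) per share. Each point alone reveals nothing."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret does not fit in the field")
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]

def combine_shares(shares):
    """Like ssss-combine: Lagrange-interpolate the points at x = 0. Any
    `threshold` distinct shares yield the secret; fewer give an unrelated value."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def passphrase_to_int(passphrase):
    return int.from_bytes(passphrase.encode("utf-8"), "big")

def int_to_passphrase(value):
    return value.to_bytes((value.bit_length() + 7) // 8, "big").decode("utf-8")

def demo(passphrase="gpg-pass-2021!"):
    """3-of-4 split of a constructed GPG passphrase, as in the post."""
    shares = split_secret(passphrase_to_int(passphrase), 3, 4)
    three_ok = int_to_passphrase(combine_shares(shares[1:4])) == passphrase
    two_fail = combine_shares(shares[:2]) != passphrase_to_int(passphrase)
    return three_ok and two_fail
```

Because the random coefficients are fresh on every split, the shares printed by two runs differ even for the same passphrase, exactly as with ssss-split.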
The biggest benefit of this method is the ability to rotate your master passphrase, or even switch password vaults altogether, without having to redo the original work.
Keep your original Shamir secret (the one that decrypts the GPG file) within your password safe. Simply decrypt the mylife.txt.gpg
file, change your passphrase or instructions, and encrypt it again using the same original Shamir secret. Passphrase rotations made easy!
You can use this process for your personal life, part of your business succession plan, disaster recovery, or simply for multiple authorizations. The whole process takes less than an hour and you'll have a great feeling at the end knowing that your backup plan is safe.