by TomK32 2515 days ago
From the article it sounds like most of those cases are banks drilling open the boxes and putting the contents into storage. A better and stricter inventory system with strict and punitive regulation is what is needed, not some technical gadget.

Furthermore, electronics fail. If there are some records, including 2FA codes, that you want to store in a safety deposit box, fire box, etc., I absolutely want at least paper backups whether or not I also have a Yubikey, SD card, etc. E.g., if I have a home inventory I absolutely want prints even if it’s also in the cloud someplace.
I went through this recently. It's such a PITA. I ended up with physical copies in 3 different places because all of a sudden redundancy is a reality.
You think you’re reasonably well backed up until the sh*t hits the fan and you realize everything is hanging by a much thinner thread than you thought. Recent events I experienced have added really working through record backups to my todo list.
I keep paper copies of the backup 2FA codes for Google and LastPass in my wallet and have been pretty happy with that strategy.

A couple of years ago, I had my wallet fall out of my pocket while I was on a boat.

My phone was back at the dock safe and dry so I had my primary authenticator. And I probably had printed copies somewhere at home.

I've been much more diligent since then about making sure there are copies and that they're accessible.

I think the parent post was asking where someone would securely store a hardware device like a YubiKey that, for example, contains the only copy of a root key—as opposed to using such a hardware device as part of a security system.
In a safe? Buy a half-decent one.

You should align your storage choice to your contingency plan. For a lost root your contingency plan should involve distrusting and replacing the hierarchy underneath the root. To the extent that you wish to avoid executing the plan, buy a better safe so you are less likely to need the plan.

It is OK for your contingency plan to include "Go bankrupt and cease to exist" if you are any sort of corporate entity.

I'm a bit confused by why you responded to me with this.

"Installing safes onsite and self monitoring" was literally the example given by the person asking for other suggestions.

Sorry, probably the tangle of threads caused me to disconnect that from your response, as you say my response is useless in light of this.
I would say nowhere. Even in a reliable safety deposit box that may not exist or be convenient, the hardware can fail. And actually the odds of that are almost certainly greater than your safety deposit box being breached.
I see your point that hardware keys can fail, but that is a completely separate issue—print it out and shove that paper in there as well, redundant copies in multiple locations, etc. It is just a standard backup problem. The hardware key is about ease and safety when you are using it, not as some perfect storage.

In any case, the issue of securing something that you only want to use in extremely rare cases is still an issue—"nowhere" isn't a solution to that problem, although I can see the argument that hardware keys aren't the best choice of storage medium (although as an efficiency measure it could be useful to have one in there as well so you can go quickly if it works).