[joerickard]

Nice! I was already satisfied using Bitwarden, and now I will no longer have to manually manage my ICE backup.

In the past I've kept an offline copy of my 'vault' on a few USB keys in a safe deposit, for my family in case of death or similar. I'm curious how others have solved this problem.

[neartheplain]

I periodically send my loved ones encrypted copies of my password vault. A copy of the decryption key is stored in my safe-deposit box, which they can access only after I am gone. This lets me update the contents of my password vault without having to visit the bank.

And actually, the safe-deposit box only holds one half of the decryption key. My loved ones have the other half in their respective safe-storage locations. This means a rogue bank employee can’t drill my box and do anything useful with the contents.

The password vault itself is a plaintext file that I decrypt and edit/grep as needed. I use the OpenSSL command-line tool for encryption and decryption. My loved ones either have this installed by default on MacOS, or have a Cygwin installation on Windows with which I have tested the commands. The safe-deposit box contains short and detailed instructions for use for my non-technical loved ones.

I also use the Google Chrome password manager with client-side encryption enabled. Whenever I change any important passwords, I’ll export its contents to my text file password vault.

[NikolaeVarius]

I have a similar and opposite problem. I would be fine with all my secrets dying with me, but what i want to protect against is me going into a coma/for some reason I forget how to access my accounts.

How to securely manage it so that only I can open it if my biological self is there? I don't trust bank safe deposit boxes and I can't put a safe worth using inside my Apt.

https://www.nytimes.com/2019/07/19/business/safe-deposit-box...

[ahnick]

I think you are going to have to rely on another human being (or perhaps a group of trusted individuals) even in that case. Depending upon what caused your incapacitation, you may or may not be able to actually retain and manage your secrets going forward. Put another way, if your wetware is damaged you may need a backup (aka trusted human) to handle your secrets on your behalf.

[vorpalhex]

Shamir's secret sharing is the algorithm for splitting a key and requiring only a subset of pieces (so you can disperse it to 20 friends but only need 11 to agree to reform the key).

This would give you protection both against the amnesia route (where you fall unconscious, lose your memory but are totally fine afterwards) and the route where you're unable to manage your secrets at all (eg stroke resulting in longterm failure to maintain memories or make decisions).

You'd still, for the total lose route, need a replacement actor (someone acting on your behalf) to assemble and receive the key, and be the keyholder moving forward - and you would likely need to leave instructions with the flock of people having pieces of the key on how to select or confirm your future keyholder.

[neartheplain]

I think you are going to have to rely on another human being (or perhaps a group of trusted individuals) even in that case.

Not necessarily. Bank safe-deposit boxes are a secure place to keep secrets. To guard against rogue bank employees, encrypt the stored secrets and keep the key at home on a sticky note. If you ever hit your head and forget all your secrets, just present your ID to the bank teller, pull the secrets out of the vault, and decrypt them with the key on the sticky note.

[brigandish]

In that situation I can see myself forgeting where I'd put the sticky note, or what it meant.

[neartheplain]

That’s why you write the whole plan down on yet another sticky note!

[brigandish]

Haha, believe me, I can make this plan fail if I haven't had my morning tea or coffee, let alone serious head injury!

[ibejoeb]

Perhaps just an old ipnone or android with a fingerprint sensor and another installation of bitwarden. You can keep the phone's passcode written down because its only use is to start the device. Then configure biometric log-in for bitwarden as an alternative to a distinct passphrase. In the event of a total blank, you should still have access as long as you retain a finger.

[jbverschoor]

Requires a passcode before allowing biometrics

[ibejoeb]

That's why I said write down the passcode and keep it with the device. The device itself isn't important because you're not keeping anything on it. Bitwarden encrypts everything itself. To my knowledge, once you enable biometrics in bitwarden, you will not need to use the master passphrase.

[chris37879]

Not the person you responded too, but I imagine you could likely get a custom firmware to allow biometrics whenever, if you can replace the kernel, you can generally make the device behave however you'd like.