by spacebuffer 115 days ago
What to do if my house catches on fire, including my computer where the passwords are stored?
5 comments

I recently orchestrated this, although in my case I've chosen to use 1password's cloud based store as my primary secret store, so I'm accepting some exposure right off the bat that you might not be comfortable with.

I've documented the recovery process here: https://docs.eblu.me/how-to/operations/restore-1password-bac...

Basically, I have a borg backup job which runs every day, in a 3-2-1 replication strategy with the backups being sent both to a locally encrypted NAS (backups themselves have an additional layer of encryption via borg) as well as off-site with BorgBase. Those backups scoop up an export of 1password that I have a reminder to kick off manually about once a month via this script: https://github.com/eblume/blumeops/blob/main/mise-tasks/op-b...

The password that decrypts the key (along with the password that decrypts the backup) is stored on a piece of paper in a fireproof safe in my house. I've got a reminder to practice the entire DR process every six months, although I've only done it once so far as this is all pretty new.

It was fun to build!
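As an added illustration of the 3-2-1 layout described above (not code from the comment author's blumeops repository, nor from borg or 1Password), the following script checks a manifest of vault copies for the properties that matter in a house-fire scenario: at least three copies, on at least two media, at least one off-site, all encrypted at rest, and the off-site copy not lagging the newest copy by more than a chosen threshold. The `VaultCopy` records, labels, timestamps and vault bytes are constructed for the example; in practice you would populate them from your backup tooling's metadata.

```python
"""Check a set of password-vault backup copies against a 3-2-1 layout.

Example code added for illustration; all records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib


@dataclass(frozen=True)
class VaultCopy:
    label: str          # where the copy lives, e.g. "laptop", "nas", "borgbase"
    medium: str         # storage medium: "ssd", "nas", "cloud", ...
    offsite: bool       # physically outside the house?
    encrypted: bool     # encrypted at rest (vault itself or a wrapping layer)
    modified: datetime  # when this copy was last written
    content: bytes      # constructed stand-in for the vault file bytes


def digest(data: bytes) -> str:
    """Content hash used to tell whether two copies hold the same vault."""
    return hashlib.sha256(data).hexdigest()


def check_3_2_1(copies, max_offsite_lag: timedelta):
    """Return a list of findings; an empty list means the layout passes."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 needs at least 3")
    if len({c.medium for c in copies}) < 2:
        findings.append("all copies share a single medium")
    offsite = [c for c in copies if c.offsite]
    if not offsite:
        findings.append("no off-site copy")
    findings += [f"{c.label}: not encrypted at rest" for c in copies if not c.encrypted]

    # The newest copy is the reference; an off-site copy is stale only if its
    # bytes differ AND it lags the newest copy by more than the threshold.
    newest = max(copies, key=lambda c: c.modified)
    newest_hash = digest(newest.content)
    for c in offsite:
        lag = newest.modified - c.modified
        if digest(c.content) != newest_hash and lag > max_offsite_lag:
            findings.append(f"{c.label}: off-site copy lags newest by {lag.days} days")
    return findings


def sample_copies(offsite_lag_days: int, offsite_content: bytes = b"vault-v1"):
    """Constructed manifest: laptop + NAS at home, one cloud copy off-site."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    return [
        VaultCopy("laptop", "ssd", False, True, now, b"vault-v2"),
        VaultCopy("nas", "nas", False, True, now - timedelta(days=1), b"vault-v2"),
        VaultCopy("borgbase", "cloud", True, True,
                  now - timedelta(days=offsite_lag_days), offsite_content),
    ]


if __name__ == "__main__":
    for days in (10, 40):
        print(f"off-site lag {days} days:", check_3_2_1(sample_copies(days), timedelta(days=30)))
```

Running it prints no findings for a 10-day lag and one finding for a 40-day lag; an off-site copy that is byte-identical to the newest copy is never reported as stale, whatever its timestamp, because nothing would be lost restoring from it.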

Just a heads up, fireproof safes are not failure proof, you should have that key securely stored somewhere else as well.
Thanks, it's also available via my 1password cloud account, so it'd have to be a joint fire at my home and the 1password data center (and my phone, for that matter). Pretty bad day I feel.

Unrelated note: this was the first time I've linked to my static generated docs for this project and it was really fun watching the grafana dash of my fly.io nginx proxy pick up all the scraping traffic. Thanks for warming my cache :) I work with this tech all the time at my day job but this is the first time I've hosted something from my home, it's genuinely made my afternoon to see it light up.

I sync the database to my phone, and a couple of other devices too with syncthing. I need it on my phone anyway to log into accounts while I'm out and about.
What clients are you using? Trying syncthing with synctrayzor with my windows boxes and Synctrain on my iPhone and it's mostly alright but still a little spotty.
I'm also using Synctrayzor on my Windows 10 machine. I'm on Android using the official Syncthing app there as well as on Linux. It sometimes takes a while for them to discover each other, and it of course works better when all the devices are on my home network. The only real problem I've encountered is when filenames have special characters another OS doesn't like.
Hey thanks for the quick reply! Yeah, I've noticed the discoverability is a lot more consistent when I just foreground the app on both devices and let it sit for 10-15 seconds. So used to instant gratification in this age :\
It’s just an encrypted file on disk. You’d depend on whatever backup solution you already have in place.
Well, the same issue exists for your BitWarden recovery keys or 2fa method. You need to have proper and redundant off site backups for anything valuable.
Not exactly. I need to have those offsite, but they are not modified at the same frequency as passwords.
How often do you change your passwords? Assuming they are decently long and all that, why would you change them at all other than when a site gets breached?

The only reason my Keepass database changes is because I make new accounts on sites every now and then, and that's a fairly rare thing these days. And if I get so ungodly unlucky that my house burns down before my off-site database is updated to have that new account listed, I'll still have access to the email that account is associated with, so I can still recover the account either way.

Every time I add an account, for one. And there's still plenty of (dumb) sites which force me to change my password and sometimes username periodically.

Keeping an offsite database in sync is tedious, especially if it's delivered via sneakernet.

I add an account to that database maybe twice a year, probably less. Do you make a lot more accounts than that?

The off-site solution I have updates a lot more often than that, although that's only because only the really important stuff is backed up in that way; the stuff I truly need to survive my house burning down.

I take it that you don't have children?

I'm almost done with that aspect of my life now, but every school year it feels like there's a new slate of apps, parent communication portals, etc. I need to manage these as well.

It's way more often than twice a year for me. And it's accelerating.

Fair enough, but it’s genuinely super easy to have a regular copy of your password manager saved in the cloud. You can also have a less frequently updated version stored somewhere physical that isn’t your house. My house burning down has never been a concern for me, as I’ve taken the proper precautions for my data.
Off-site backup.