Monday, 1 April 2013

Easier before you are dead

Dead men tell no tails, 
(of what their passphrase is, once they are gone.)

I think that most of us can agree that it is hard to get much done after you are dead. I overheard two people talking about death and how hard it can be to clean up after people. The example that one gave was, "how do you take down their social-network?". This is a good question.

I introduced myself and asked if they wanted to know the answer. They seemed to, and that is what I'm going to share with you now. Before I do that there are just two things that I need to check.

You have installed a proper backup solution and that you have something like keepass in which to store all of your private details. (I'll wait while you download and install them - I'm not going anywhere... unless I've died.)

So now let us imagine that you have a nice long, but memorable phrase that you use to lock keepass. You can use something called Shamir's Secret Sharing Scheme to do a little mathamagic.

SSSS lets you take a number, (lets pick 15) and create a number of shares, (lets say five). Each share is useless on its own, but, (and this is the clever bit) you can chose how many have to be combined to recover the original number! (If your mind hasn't been blown then read on.)


1-0a8b
2-971c
3-aca4
4-381d
5-03b7



The number of shares required is called the quorum, (in this case 3), and it does not matter which of the shares are used as long as they add up to the quorum, (you can only use one share once.)

You can test this at http://point-at-infinity.org/ssss/demo.html paste in any three of the above and press combine. (If that site goes offline because not enough people have contributed or because someone has died, then there are ssss programs like ssss-split that you can download and use.)

So how does this help? Well the words that you are reading right now are on a computer, (unless you printed this out) and words, for a computer are just numbers. So it is possible to put your passphrase through SSSS and create a share for each of the people that you trust. This means that, after you die, they can get together, (or just email it to each other) and recreate your passphrase. I gave one share to each of my five best friends, and four shares to my lawyer. The quorum that I set was 7, so my lawyer will need any three of my friends to recreate my keepass passphrase, (I hope that no more than two of them die in that car crash with me!).

I change my keepass passphrase on the 1st of every month, so how do I get update to my lawyer?
I don't!
I have passwords.txt inside of a truecrypt encrypted container and on the first of every month I update it with the latest dump from keepass... (and then I check it in because I have the inside of pw.tc under GIT version control.) - so my friends have to find pw.tc, which is in my Documents and has a link from my desktop on a special computer that is encrypted with a passphrase that is recorded in each of their keepass, (and if they forget I have it mentioned/explained in my will.) 

 The only problem with this is that you will not be able to do this once you are dead, and you do not know when you are going to die, (so DO IT NOW!.)

The reason that SpiderOak is so good, (other than the encryption done properly) is that once it is installed you can forget about it. That means that it makes life easier rather than harder. Moving over to keeping important data in keepass might seem hard for those of you still silly enough to use one password for everything, but those that have a piece of paper with notes on should at least think of keepass as a good backup for when that paper is lost, (though you might be tempted to keep that piece of paper after you have entered all of your existing passphrases and bank details into keepass, but DON'T! It will only lead to problems in the long-run and possibly problems for those that you leave behind.)

Things that would be helpful.

1. An easy and encrypted way to transfer keepass entries to someone else. I'm thinking some sort of PGP based module in keepass that would encrypt and send one, (or a group) of entries to a remote address, and an easy way to import them. I don't mind holding onto a SSSS share for a friend, but I'd like to be able to import it as easily as cut-n-paste.

2. A nice way for a lawyer to store all of their clients shares. I've printed out the shares for my lawyer and they are part of my will, but so far my lawyer has resisted installing SpiderOak, (he is still running on windows 98!) because he does not trust it, (or it might be that I failed to explain how impressive it is to him - I'll have another try.)

No comments:

Post a Comment

About this blog

Sort of a test blog... until it isn't