1. 28

As someone not heavily vested in the FAANGs for personal data, I’ve been contemplating the best way to digitally prepare for the inevitable, should it happen unexpectedly. I’ve seen services like Dead Man’s Switch (DMS), but I see a pitfall and that’s the double-edged sword of crypto. You’re storing, presumably, some secret - hopefully encrypted - on a service that you hope will outlast you and also function reliably. Spam filters alone make me wonder about the reliability with so many free mail providers just quietly discarding messages they perceive as “too spammy.” Even if it works, you have to make sure the right recipients can actually decrypt it. So the idea I have then involves DMS mailing out a portion of the key with Shamir’s Secret Sharing. Again, you’re hoping people actually get the share they need and can unlock the secret you’ve stored elsewhere.

I think my current iteration would simply be to have a flash drive with a GPG encrypted message that can be opened once the right threshold of shares is met. One copy of the drive can be stored in my residence and the other in another secure location. The decrypted message can then simply relay any instructions and things to take care of to close up my digital self. Probably my biggest instruction there is to help transition family and friends off any hosting I was doing for them and then to provide them the necessary credentials to close any remaining online accounts.

So that’s my idea (for myself). What are you all doing?
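The threshold split described in the post above (a GPG passphrase divided into shares, any k of which recover it), as an added example that is not code from this thread or from Dead Man’s Switch: a minimal Shamir split/combine over GF(2^8) using only the Python standard library. The passphrase and the 3-of-5 parameters are constructed for the demo.

```python
import secrets

def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _gf_inv(a: int) -> int:
    """Inverse in GF(2^8) by search over the 255 non-zero elements; a must be non-zero."""
    return next(b for b in range(1, 256) if _gf_mul(a, b) == 1)

def split(secret: bytes, k: int, n: int) -> list[tuple[int, bytes]]:
    """Split `secret` into n shares (x, ys) such that any k of them reconstruct it."""
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    shares = [(x, bytearray()) for x in range(1, n + 1)]
    for byte in secret:
        # One random degree-(k-1) polynomial per byte; its constant term is the byte.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x, ys in shares:
            y, xpow = 0, 1
            for c in coeffs:
                y ^= _gf_mul(c, xpow)
                xpow = _gf_mul(xpow, x)
            ys.append(y)
    return [(x, bytes(ys)) for x, ys in shares]

def combine(shares: list[tuple[int, bytes]]) -> bytes:
    """Recover the secret by Lagrange interpolation at x = 0. Caveat: fewer than k
    shares still returns bytes, just the wrong ones, so check the result independently."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    # Basis l_j(0) = prod_{m != j} x_m / (x_m - x_j); subtraction is XOR in GF(2^8).
    basis = []
    for xj in xs:
        num, den = 1, 1
        for xm in xs:
            if xm != xj:
                num, den = _gf_mul(num, xm), _gf_mul(den, xm ^ xj)
        basis.append(_gf_mul(num, _gf_inv(den)))
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for (_, ys), lj in zip(shares, basis):
            acc ^= _gf_mul(ys[i], lj)
        out.append(acc)
    return bytes(out)

def demo() -> bool:
    """Constructed sample: a 3-of-5 split, recovered from shares 1, 3 and 5."""
    passphrase = b"correct horse battery staple"  # constructed, not a real secret
    shares = split(passphrase, k=3, n=5)  # e.g. one per sibling plus two friends
    return combine([shares[0], shares[2], shares[4]]) == passphrase
```

Each holder gets their (x, ys) pair, for instance hex-encoded on paper; since combine cannot tell whether it was handed enough shares, the real check is whether the recovered passphrase actually decrypts the drive.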

    1. 35

      I just have an unencrypted backup at a physically secure location. There are existing legal procedures for e.g. allowing your next of kin to come out and have a locksmith open a safe and it doesn’t make sense to over-complicate from that baseline expectation. If you don’t have a safe, or the physical security of your property isn’t sufficient, then I’d go with something like a safety deposit box.

      If you use GPG or Shamir secret sharing nobody is going to figure it out! Your secrets will die with you. The physical-world legal system is good, and has already solved this! Use it!

      1. 4

        My only concern with doing an unencrypted physical copy is theft or loss. You wouldn’t want all your secrets to walk out the door with the cleaning service (the building maintenance team for those in apartments), or just plain theft.

        1. 11

          Based on this response, it seems a physical safe would be a good option to address your threat model.

        2. 3

          There are enormous penalties for law firms that leak privileged client information. As a result, even small ones tend to have decent infrastructure. I’d recommend using that for recovery keys and instructions rather than for the data because it’s a bit painful to update these things.

          1. 1

            I have a notary acquaintance and let me tell you, their security is… not that good?

            To name just two glaring issues:

            • Remote management from multiple IT companies over VPN.
            • Landlord having full access to the premises.

            As for safety deposit boxes, they are basically uninsured. If you miss the payment, contents will disappear who knows where and in the US, they are mostly unregulated.

            1. 4

              Out of curiosity, are you referring to the notary’s or the law firm’s security? Or are they a notary who works for a law firm? In the USA my experience is that the regulation and licensing for notaries is pretty weaksauce, basically “you are confirmed to be a real person with up to date contact info, and you pinky-swear not to cheat”.

      2. 3

        To an extent, it depends on how tech savvy those you are sharing your secrets with are. Like, I have a friend who used Shamir secret sharing to lock themselves out of social media via some access Rube Goldberg machine with a way for a threshold of friends and family to either access it themselves if they thought it was necessary or let them back in, and it actually somehow worked for their purposes. But that person had a circle of friends/family who were mostly in IT already, so.

        Edited to add: maybe try portions of this out with some real but low stakes thing first to see whether the bits do work for you - eg using SSS as a way to do quorum based access to some thing.

      3. 2

        allowing your next of kin to come out and have a locksmith open a safe

        If you use GPG or Shamir secret sharing nobody is going to figure it out

        Seems in either case, you’re assuming the next of kin will hire an expert to figure it out?

        I worry that a physical safe will end up on one of those “Hey Reddit, I just bought a house and found a locked safe in it!” threads.

        Feels like whatever we do, it’s most important to have great instructions that are clear with references about who can help resolve them.

        1. 7

          Agree on instructions, but some instructions are easier than others. As long as your next of kin know that you have a safe, the rest is solved with a phone call by the executor of the estate.

          Compare to: which telephone number does a non-technical person call to hire someone to help them operate a Shamir secret sharing algorithm?

          Also: if this plan did “backfire”, and thousands of redditors started going through my personal files and talking about me decades after I die, I think that would be kinda neat?

          1. 3

            Hopefully any of the numbers that are on the instructions I included? I know dozens of people who can figure out GPG for example (or more complicated technical instructions if included), I’m sure they already outnumber locksmiths (or certainly will by the time I’m dead).

            But yes, if we’re in it for a Reddit treasure hunt, then we might need a whole other conversation path. :P

            Also one more note: Avoid safety deposit boxes, they’re unsafe and totally unregulated. There’s dozens of stories of people losing their contents.

        2. 2

          You can always organise a will with a lawyer that outlines the instructions for the safe or GPG or whatever you end up setting up so that upon your death it’s almost certain that your next of kin will find out about it.

          1. 2

            The lawyer solution could work, especially since he is bound by law (is he?) to follow through with the arrangement. However:

            • how much would that cost? I bet the sum is non-negligible, and would cost many more times than any other technical solution that doesn’t involve lawyers;
            • what if you don’t have access to such lawyers? if living outside the US and other “rich” countries, such a service would perhaps not even be accessible to the “average” person, and perhaps it’s not even covered by the law, thus you’ll have to really trust your lawyer;
            • how easy (and costly) is it to update your instructions?

            1. 3

              Most legal firms will hold your will for a fairly negligible amount and you can put passwords and so on in a sealed envelope with that for no additional cost.

              1. 1

                Do you know what type of firm you’d look for to do this? Most people don’t typically have a lawyer on retainer.

                1. 2

                  Anyone doing family law. There are many in any town in the UK, though this probably varies a bit between countries.

        3. 1

          Seems in either case, you’re assuming the next of kin will hire an expert to figure it out?

          My will has instructions for my next of kin to contact a list of my tech-savvy friends who I trust to be able to handle it.

      4. 1

        I looked into a safety deposit box some years ago, and it was absolutely ridiculously expensive, on the order of a significant percentage of my income. Then there’s horror stories about banks losing stuff, throwing it away, or letting random people access it. Not sure how common those are, but considering the abysmal security basically everywhere, I don’t see how this is an option.

    2. 4

      Hey guys! I made DMS (the site mentioned above), and all these concerns are valid. No matter how much encryption the server has, ultimately it needs to send your message in plaintext, so there will be a way to read it. That’s why I recommend using GPG or age to encrypt it, and only store that on the server.

      You’re right about spam too, DMS has a good spam reputation and uses reputable email providers, but there’s always a chance. If anyone has any ideas about how to improve that aspect, please let me know! I added Telegram integration a while ago (for checking in), but sending messages is obviously trickier.

      Any ideas or feedback in general are also welcome!

      1. 2

        Maybe SMS integration? Something I’d love to see would be the ability for your recipients to “poll” your switch. They go to the site, enter a code and possibly a second factor and get either told the switch hasn’t been triggered or they get the content they would have otherwise got via email.

        1. 1

          Hmm, that’s interesting, but whom would you want to be able to do this, as the user? If I want you to know I’m dead, you’ll get an email, why would I add you to a whitelist but not send you an email?

          1. 1

            Because think about those instances where Gmail or other $FREEMAIL_PROVIDER silently discards the mail from the switch. I’d still want some facility for my intended recipients to be able to get the content and determine whether the switch has been “flipped.” The way I think you’d accomplish this is with some sort of code with the option to add a second factor.

            1. 1

              Ah, yeah, that’s a concern. Hmm, I’ll try that. Maybe you could give them a URL that would only trigger (and show the message) after your switch had activated.

              1. 1

                Well, let’s draw it out a bit more. You make the option available and I redirect a “haveiexpired.com.” Let’s assume the domain is conveniently registered for the max years and parked as a redirect to that switch URL. If I elect not to have the second factor, the switch displays my message if it’s been tripped. Seems like a very low to no (maintenance) cost to implement a readable “switch” if Gmail and friends decide your mail is silent junk.

    3. 3

      I use Bitwarden’s “emergency access” feature for this. You can designate one or more other Bitwarden users as emergency contacts. They request access to your vault, and if you don’t reject the request within a configurable amount of time, they’re in.

      In addition, since my contacts are less tech-savvy than me, I wrote a Google doc that I shared with my emergency contacts. It has no sensitive information, but it tells them how to request access and where to look (in the vault) for more detailed instructions from me. It’s also where I keep my equivalent of OP’s “how to transition away from hosting I was taking care of” instructions, since those have no secrets to worry about.

      Would this setup withstand a sustained effort by a state-level adversary? Probably not, but that’s not my threat model.

      1. 2

        The solution seems sensible enough from a security point-of-view (provided you are not the target of a targeted attack). However what about the reliability (especially in the long term) of the whole scheme?

        • what if you don’t pay Bitwarden anymore, and they decide to close your vault? (emergency access is not provided for free from what I see;)
        • what if Google decides they no longer want to have you as a client, and just deletes your account and all your data? (it’s not very likely, but who knows how you manage to upset the company…)

        1. 2

          In both cases, I’d switch to something else. It’s not a requirement that the system be something I can set up once and then forget about for decades. I update both the vault and the Google doc regularly as my information changes; they aren’t static.

          The failure mode would be if my accounts were closed during the time window between something happening to me and one of my contacts attempting to take over my vault. Which is of course possible, but I don’t consider it a significant enough risk to spend a lot of effort mitigating.

          1. 3

            I agree about the time frame and the ease of switching. However:

            • I assume you’ve given the link to that document to your close family members; perhaps even printed and laminated a copy of that URL to make sure it’s not lost; how easy is it to just switch that link to another one? would your family members know which is the latest URL?
            • how long is that timeframe until your family tries to access your vault? I assume it won’t be less than a few months (mourning, other more important / immediate affairs to settle, postponing, etc.) what if your subscription lapses in that timeframe?

      2. 2

        Are you hosting Bitwarden yourself, or using the SaaS? I wouldn’t really trust something I ran to keep running after I died.

        1. 2

          That’d be my worry. Being able to access the instance in the first place…

    4. 3

      This isn’t what you’re looking for, but I keep everything in iCloud and Apple has a process for deceased family members that other people might want to know about.

      With all the Google support and Google account lock out horror stories, I feel that Apple is a better choice for this sort of thing.

      1. 9

        The UK occasionally does bits of bureaucracy really well and dying is a surprising example of this. There’s a ‘tell us once’ service run by the government that, once you have a death certificate, notifies any companies that have opted into the service that a person has died and who the executor is. This lets things like banks, utility companies, and so on handle the transfer with some sympathy and efficiency. It’s a bit surprising that it doesn’t look like Apple has opted into that system.

        1. 1

          That’s awesome. I’d actually off-hand considered doing something sort of like this here in the US. My initial thought was to start as a sort of concierge service that would handle passing all that info off to various third-parties for you, but then hopefully migrate to a centralized system where the common third-parties just pull from you a list of people that have been verified to have passed away.

          My dad passed away 2.5 years ago, and there’s still a small handful of accounts that I’m slowly churning through the notification process on.

      2. 1

        I just wonder if there’s a way to prioritize, say, an iCloud Note so that the legacy contact could actually sort that out relatively quickly.

        1. 1

          You can pin notes so they appear at the top of the notes app always.

          1. 1

            Just remember that Note passwords are not the same as the account password. Even if Apple can transfer the account to you, that Note would remain locked if you don’t also have a way to pass on the password.

            I’ve received two requests for help using my software to unlock Notes for similar situations in the past few months. It is a very unfortunate answer to tell someone you can’t help tell them what someone wanted to pass on because the password wasn’t provided.

    5. 2

      My team created a novel tool for timelock encryption: https://timevault.drand.love

      Right now it’s in testnet (mainnet in the next few weeks!), but you could timelock something for 1 year and if you’re still alive after 364 days, rotate your keys and timelock it for another year. There are also some CLI tools on github in the links there.

      We originally envisaged it for timelock encrypting vulnerability reports, but it could be used for plenty of other things!

    6. 1

      .

    7. 1

      Interesting question, one that I’ve asked myself quite a few times lately… Although I think it contains two / three conflated but crosscutting problems:

      • (A) how to store large amounts of data securely and reliably (i.e. encrypted backups of photos or other important documents), but also easily accessible (by non technical people) provided minimal instructions; –– unfortunately I don’t have an answer yet; my approach for the moment is restic backups on large drives (stored in multiple locations), with a (not yet implemented) plug-and-play feature (i.e. small Linux installation on a small partition) that would perhaps ask for the password and transform into a NAS; (an accompanying old laptop could serve as a tested platform for all this;) (this has to be operational day-to-day so new backups can be easily pushed;) about security and reliability concerns: theft is not an issue (restic encrypts the data), and provided you have enough (easily accessible) locations you can just keep swapping drives (thus reliability); (you could even have a thin client thrown in a basement somewhere so you can update / check the drive remotely through a USB enclosure;)

      • (B) how to store small amounts of data securely and reliably for very long periods (think years), perhaps with secret-sharing built-in; i.e. how to store the password for the previously mentioned restic backup or the instructions on how to operate them (and perhaps who could help); unfortunately this part is perhaps the hardest, because:

        • it has to be easily accessible by completely non-technical people (think my close family who barely understand what a URL is);
        • it has to be easily updatable by me (and only me); (what if my trusted tech-savvy friend that could help my family recover my data changes his phone number, or moves to another place, or I want to add another one, etc.)
      • (C) the dead-man-switch, which I think is a non-issue, because if you have any family (or anyone that actually cares about your data) they’ll soon enough find about your demise; :)

      Now, regarding (B), securely storing small amounts of data, easily accessible and updatable (only by the owner), the only solution I could come up with is a third-party trusted service that would provide such a solution.

      The easiest solution would be just throwing something in Google Drive, Dropbox, S3, GitHub Gist, etc. However you never know when any of these companies decides to terminate your account (because you are from the wrong country, see GitHub, you’ve made something to upset the company, see Google, or because they just got tired of offering the service, see most likely Google).

      So, last year I set out (but gave up) to implement such a service – and I would like to know what other people think about this – that provides the following features:

      • no blockchain shenanigans! :)
      • payment is up-front, enough to cover operational expenses for say 5-to-10 years (both hardware / software / backups / people); (given that storage is cheap, and this is non CPU/RAM intensive, the hosting cost could be quite small;)
      • the payment should also cover the expenses for a “closure” plan; when / if the company goes bust, there is a tech-savvy law firm that is paid up-front to make sure for a limited amount of time (say 1 year, to provide enough time for anyone to react) the service can still run in read-only-mode; (I thought of even more interesting provisions for this case;)
      • each small document has three URLs: one for reading, one for writing, one for deletion;
      • the data is encrypted at rest, based on the URLs, perhaps with an additional password; (secret sharing, for the reading access, could be easily implemented through multiple passphrases or URLs via Shamir scheme;)
      • the data is not tied to user accounts; (in fact, beyond invoicing, there shouldn’t even be user accounts;)

      How about this?

    8. 1

      Using Shamir’s secret sharing is actually a decent strategy, if you pick subjects who wouldn’t collaborate to prank you on your birthday.

      I would use something even simpler, like encrypting a master key with all possible 3-key combinations using ARC4 written in Python, passed to everyone on a sheet of A4 paper along with their key and all ciphertexts with names, phone numbers and emails of other key holders.

      I definitely wouldn’t rely on a lawyer or notary alone. Notary could be handy to prevent the birthday surprises, as they can’t really close their business and the piece of paper will probably survive, save for natural disasters and fires and so on.