Secrets Management Field Guide

draft

Updated 1 May 2026

Inbox

  • YubiKey
  • Secure element in macOS and phones
  • SSH key using OpenPGP with a secure element
  • When and where to use passkeys

Psw Thumb Drive

Password Thumb Drive: 3 copies, geo-distributed. One of them is marked as MASTER. Use the Tails cloning tool to create them. You need to plug these in at least once a year to ensure they are refreshed. You should also replace them every 2-3 years and properly destroy the old ones.

Keep the flash drives inconspicuous. No special markings or labels on them. BUT keep a registry of their serial numbers, date of purchase and date of last flash.
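The yearly refresh and the 2-3 year replacement only work if something actually checks the registry. The following is an added example, not part of this guide: a small audit over the registry of serial numbers, purchase dates and last-flash dates. The record layout, the use of the conservative two-year end of the replacement window, and the sample records (fictional serials, dates and locations) are all assumptions made for the example.

```python
# Added example, not part of this guide: audit the thumb-drive registry the guide
# asks you to keep. The record layout, the two-year replacement bound (the guide says
# 2-3 years; the conservative end is used here) and the sample records are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple

REFRESH_EVERY = timedelta(days=365)        # plug in and refresh at least yearly
REPLACE_AFTER = timedelta(days=2 * 365)    # retire (and destroy) after two years
AUDIT_DATE = date(2026, 5, 1)              # "today" for the sample run


@dataclass(frozen=True)
class DriveRecord:
    serial: str           # the drive's own serial number; nothing is written on the drive
    location: str         # where this copy is kept
    purchased: date
    last_flashed: date    # date of the last Tails clone / refresh
    master: bool = False  # exactly one copy is marked MASTER


def audit_registry(registry: List[DriveRecord], today: date) -> List[Tuple[str, str]]:
    """Return (serial-or-'registry', problem) pairs; an empty list means all is well."""
    issues: List[Tuple[str, str]] = []
    if len(registry) < 3:
        issues.append(("registry", f"only {len(registry)} copies; keep at least 3"))
    masters = sum(1 for d in registry if d.master)
    if masters != 1:
        issues.append(("registry", f"expected exactly one MASTER copy, found {masters}"))
    if len({d.location for d in registry}) < len(registry):
        issues.append(("registry", "two copies share a location; keep them geo-distributed"))
    for d in registry:
        if d.last_flashed < d.purchased:
            issues.append((d.serial, "last_flashed precedes purchase date; fix the record"))
        if today - d.last_flashed > REFRESH_EVERY:
            issues.append((d.serial, f"refresh overdue: last flashed {d.last_flashed.isoformat()}"))
        if today - d.purchased > REPLACE_AFTER:
            issues.append((d.serial, f"replace and destroy: purchased {d.purchased.isoformat()}"))
    return issues


# Constructed sample registry (fictional serials, dates and locations).
SAMPLE_REGISTRY = [
    DriveRecord("SN-A1-0001", "home safe", date(2025, 1, 10), date(2025, 12, 1), master=True),
    DriveRecord("SN-B2-0002", "parents' house", date(2023, 11, 15), date(2025, 3, 20)),
    DriveRecord("SN-C3-0003", "bank deposit box", date(2025, 6, 1), date(2025, 6, 1)),
]

if __name__ == "__main__":
    for who, problem in audit_registry(SAMPLE_REGISTRY, AUDIT_DATE):
        print(f"{who}: {problem}")
```

Run it once a year as part of the audit ritual; in the sample data the second copy is flagged twice (overdue refresh and past the replacement window), while the registry-level checks pass.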

The drive will have an encrypted volume for every individual using that drive (most likely some people in your smaller circle) and / or people that you want to be a custodian for. The encrypted volumes will be LUKS with a very high KDF cost. Each volume must be named after its person.

Inside each encrypted volume will be 2 things. (1) A folder with documents and markdown files that are deemed sensitive or explanatory. (2) A KeePassXC database containing passwords. The password used for the encrypted volume and for the KeePass database must be the same so as to avoid confusion. 2FA is NOT applicable here (deliberately so, since this is the root level). This is why it is essential that the USB is only plugged in to a trusted machine running TailsOS with no networking.

Notes on this design: KeePass is only good for storing passwords and notes. It is not good at storing documents. The volume gives you a way to store some documents alongside your vault.

Using the same password for the encrypted volume and database is a safety feature. Since you are offline, and given that you have a good master password, having separate passwords adds no real extra security, but it adds the risk and complexity of forgetting one.

Why then use KeePass at all? KeePass gives you extra protection even if the hardware you are using is slightly compromised. To be sure, you should trust the machine (see below). KeePass just adds additional margin for error.

What does a “trusted machine” look like? A rule of thumb is simply a machine that you know and that has not been anywhere, or been handled by anyone, you do not trust. It is not some stranger's laptop. It is not an internet cafe. Ideally you should buy a small cheap dedicated laptop for this use specifically. But practically, just use what you have. TailsOS provides the margin for error if that machine is infected with malware.

Places for passwords

  • Secure elements in devices (Mac, phone): passwordless, day-to-day, phishing resistant
  • Secure hardware keys like YubiKey
  • Online, active: day-to-day, lower risk
  • Online but inactive: not day-to-day, but readable in a pinch
  • Air-gapped
  • Memory
  • Physical (e.g. paper)

Air-gapped password

  • Tails OS on a computer that you trust. Tails must have no networking active. You boot Tails from the Tails Thumb Drive, which is a USB3 drive with only Tails installed. You keep this on you.
  • The Psw Thumb Drive. This contains your air-gapped secrets. You must have at least 3 copies of this drive, geo-distributed.

What to store in here

  • The master passwords for your online managers
  • Banking passwords and PINs (or other financially inclined applications)
  • 2FA recovery codes
  • A full list of wallet signature (NOT seed phrases)
  • Optional BIP39 passphrase.
  • GPG private key
  • Phone PINs
  • Computer unlock passwords
  • The list of your kith members
  • A list of people for whom you are a kith

Online, active

There are multiple online password managers such as Bitwarden, 1Password, Proton. These you will use for day-to-day password management. KeePass does have a browser extension that you can use. The key issue with KeePass is that syncing across your devices is an issue. Sure, you could do some Google Drive or Dropbox setup, but this extra friction will cause you to take shortcuts in a pinch, e.g. copying a specific password to your notes app or to your WhatsApp so you can “carry on”.

A key design is to have MULTIPLE accounts. For this reason I recommend Bitwarden since it has a generous free tier. You should not use the same online password manager for work as for personal. The rule of thumb is: have a different vault for every email that you have. We’ll make the distinction between your single “personal vault” and “other vaults”. The only difference is that you must remember the passphrase for the personal vault, but the others should be generated.

Concept of the “temporary paper note”. Accessing your offline vault is a deliberately slow process. The process of the temporary paper note is perfectly fine: e.g. if you generate a new online vault, or a new bank PIN, write it down on a piece of paper and then store it in the offline vault when you can. To make the process vivid, be sure to burn the paper after it has been stored.

Checklists

Memory

  • Offline vault passphrase
  • Online personal vault

Succession

A key thing to get right in a circle of trust is to ensure that the circle must act together in a succession scenario. This is NOT because you don’t want to trust any individual (we already assume that you trust the circle). The aim is to limit the liability. Firstly, a mistake by one individual acting alone must not compromise others. Secondly, and most importantly, one person cannot be held under duress. This limits the liability of everyone. An attacker would have to hold many people under duress.

A key element to doing this is Shamir Secret Sharing.
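To make the threshold idea concrete, here is an added example (not code from this guide) of Shamir Secret Sharing in Python: the secret is the constant term of a random polynomial over a prime field, each circle member gets one point on it, and any threshold-many points recover the secret by Lagrange interpolation while fewer reveal nothing. Assumptions made for the example: the field prime 2^521 - 1 (so secrets up to 64 bytes fit), a 0x01 tag byte prepended to the secret so that its length and any leading zero bytes survive the round trip, and the paper card layout produced by format_share_card, which prints the number of shares required on every card.

```python
# Added example: Shamir Secret Sharing over a prime field (not code from this guide).
# Assumptions (not from the guide): field prime 2^521 - 1, a 0x01 tag byte prepended to
# the secret so leading zero bytes and the length survive, and the card layout below.
import secrets
from typing import List, Tuple

PRIME = (1 << 521) - 1      # Mersenne prime; fits tagged secrets up to 64 bytes
Share = Tuple[int, int]     # (x, y) point on the sharing polynomial


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate the polynomial with the given coefficients at x, mod PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, shares: int) -> List[Share]:
    """Split secret into `shares` pieces, any `threshold` of which recover it."""
    if not 2 <= threshold <= shares:
        raise ValueError("need 2 <= threshold <= shares")
    if len(secret) > 64:
        raise ValueError("secret longer than 64 bytes; split it into chunks first")
    tagged = int.from_bytes(b"\x01" + secret, "big")  # tag keeps length/leading zeros
    # Degree threshold-1 polynomial: secret as constant term, CSPRNG coefficients.
    # Fewer than `threshold` points are consistent with every possible secret.
    coeffs = [tagged] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares: List[Share]) -> bytes:
    """Recover the secret by Lagrange interpolation at x = 0 from >= threshold shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    raw = total.to_bytes((total.bit_length() + 7) // 8, "big")
    if not raw or raw[0] != 0x01:
        # With too few or corrupted shares the interpolated value is effectively random
        # and the tag byte will not match; refuse rather than hand back garbage.
        raise ValueError("shares do not reconstruct a valid secret (too few or corrupted)")
    return raw[1:]


def format_share_card(share: Share, threshold: int, total: int) -> str:
    """Text for one paper share: index, the threshold (the guide wants the number
    required written on the paper) and the share value in hex."""
    x, y = share
    return (f"SHARE {x} OF {total} -- {threshold} SHARES REQUIRED TO RECOVER\n"
            f"x = {x}\n"
            f"y = {y:x}")


def parse_share_card(card: str) -> Share:
    """Inverse of format_share_card, for typing cards back in at recovery time."""
    fields = dict(line.split(" = ", 1) for line in card.splitlines() if " = " in line)
    return int(fields["x"]), int(fields["y"], 16)


if __name__ == "__main__":
    demo = b"correct horse battery staple"  # constructed sample passphrase
    cards = [format_share_card(s, 3, 5) for s in split_secret(demo, 3, 5)]
    print(cards[0])
    recovered = recover_secret([parse_share_card(c) for c in cards[1:4]])
    print("recovered:", recovered.decode())
```

The threshold is what enforces "the circle must act together": with 3-of-5, an attacker has to coerce three members, and a single member's lost or leaked card exposes nothing on its own. Choose the threshold so that the expected number of members still reachable after a few years is comfortably above it.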

Sim pin

You should set a PIN for your SIM card. This makes the SIM card impossible to copy. But it comes with a big risk. In an emergency, someone that does not know your SIM PIN cannot use your phone. Or worse, you forget your SIM PIN. You can unlock your SIM with the PUK number. The PUK number must be in the

Kith and Kin circles

The smaller circle are the people that you want to show and review your actual secrets, and the organisation thereof, with. I.e. in your yearly ritual, you want to sit and audit all the passwords and ask critical questions.

The large circle are those people you also trust, but only as part of succession recovery.

The two circles are not a case of levels of trust. You trust all people in the circle. It’s a case of logistics. You can't sit with everyone once a year. You need a good number of people in your circle for robustness and duress mitigation. But you expect everyone to work in smaller groups to audit each other.

The people in the kith ring should not know who the other people in the kith ring are. This is not for YOUR security, but rather for theirs. After your death, the kith members must identify each other. Anyone can initiate it. For example someone can stand up at your funeral and ask for any kith members to contact them. Or your estate lawyer can ask.

Figure out a protocol such that the people must be able to prove themselves a kith before they can find out who the other kith members are. A very patient attacker can wait until your death and exploit the succession protocol to make a play. One way to help this is that the kith members should be at least familiar with each other's faces. So they shouldn't know who the others are, but once someone identifies themselves then the majority of the group can say “ah, yes, I’ve met you before at the baby shower that time”. As part of the “coming together protocol” you must go around the room and ask everyone to say if they have not seen anyone before, or can't remember them. The group could then decide to vote someone out if most people don’t know that person. So there must be some social proof. But I would still like to figure out if there can be some mathematical proof. I.e., some key you have that, combined with others, can prove you are legit. So, maybe the guide only requires SOME kind of proof. It does not have to prescribe what that proof is.

I think the best way to do succession is the idea of a Collector: someone nominates themselves to collect pieces. Someone interested in the secrets (if no one is interested in the secrets then it does not matter anyway) would visit people asking for a piece. Those people have plausible deniability if they do not trust you. If you are still alive these people are your backup. You can also add a duress signal. This can be written on the paper. Also on the paper must be how many pieces are required.

The site must allow export as PDF so that you can attach it to a will. The site must also be published to IPFS.

Kinds of passwords

Master passwords

These open password managers

Generated passwords

PINs

  • Phone unlock PIN
  • Bank card PINs
  • SIM PIN