TL;DR
Don’t store your backup encryption key with your backups! Keep it separate and secure. A password manager, hardware security module (HSM), or carefully split physical storage are good options.
1. Why Separate Storage is Crucial
If someone gains access to your backups, they’ll also need the encryption key to read them. Storing the key with the backup defeats the purpose of encryption. Imagine locking a valuable item in a safe… and then leaving the safe key taped to the outside! A compromised backup *and* a readily available key is worse than an unencrypted backup, because it gives you a false sense of security while offering the attacker no real obstacle.
2. Options for Secure Key Storage
- Password Manager: A reputable password manager (like Bitwarden, LastPass, or 1Password) can securely store your encryption key as a ‘secure note’. Choose one with strong security features like two-factor authentication.
  - Pros: Convenient, easy to use, often cross-platform.
  - Cons: Relies on the password manager’s security; potential single point of failure if your master password is compromised.
- Hardware Security Module (HSM): A dedicated hardware device designed to protect cryptographic keys. These are more expensive but offer a very high level of security.
  - Pros: Highest security, tamper-resistant.
  - Cons: Costly, requires technical expertise to set up and manage.
- Split Physical Storage (Shamir’s Secret Sharing): Divide the key into multiple parts and store each part in a different physical location.
  - Pros: Very secure if implemented correctly, no single point of failure.
  - Cons: Requires careful planning and management; losing more parts than the scheme tolerates renders the key unrecoverable.
3. Password Manager Setup (Example using Bitwarden)
This is a common approach for home users.
- Create a strong master password for your Bitwarden account. Use a long, complex phrase – not something easily guessable.
- Enable two-factor authentication (2FA) using an authenticator app (like Google Authenticator or Authy). This adds another layer of security.
- Create a new ‘Secure Note’ in Bitwarden.
- Copy and paste your encryption key into the secure note. Give it a descriptive name like “Backup Encryption Key – [Date]”.
- Important: Do *not* store this note on any device that is also used to store your backups!
4. Shamir’s Secret Sharing (Simplified Example)
This involves splitting the key into parts, requiring a minimum number of parts to reconstruct it.
- Use a tool like KeySplit or similar software to split your encryption key.
- For example, you could create 3 parts with a threshold of 2 (meaning any two parts can reconstruct the key).
- Store each part in a separate physical location – different buildings, safety deposit boxes, trusted friends/family members.
- Important: Ensure each storage location is secure and that you have documented who has access to which parts.
5. Key Rotation
Periodically change your encryption key (e.g., every year). This limits the damage if a key is compromised.
6. Testing Your Recovery Process
Regularly test that you can successfully recover your backups using your stored encryption key. Don’t wait for an emergency to find out it doesn’t work!