Passwords, Keys, Vault, etc. - Passing them on

There are regularly discussions of Security that include Passwords, Keys, Vault, etc. and of course Qubes shines. :slight_smile:

But rarely, if ever, is the question addressed of “passing it on” - to associates, heirs, temporarily in case one becomes incapacitated, etc. This needs to be done before it’s needed, so that one’s affairs can be continued or wrapped up in a timely fashion. For example, in the case of one’s death, without having to wait for the courts to grant access to accounts, etc.

Do you give critical passwords and keys in a (wax :slight_smile: ) sealed, lead-lined ( :slight_smile: ) envelope? Together with an archive copy of your Vault and other data? And somehow keep it up to date? And regularly verify that the envelope’s still unopened? And regularly test it all to verify it still works? To more than 1 other person?

Would appreciate the thoughts of those who’ve already considered this, and possibly implemented something(s).



I think it depends on what you want to pass on. For example, you may use Qubes to securely manage your bank account. However, it doesn’t follow that you must pass along any passphrases or keys to your loved ones in order to ensure that they receive the money in your bank account after you die. Rather, that’s typically handled by beneficiary designations that your bank keeps on record and the transfer-on-death laws of your jurisdiction.

If, on the other hand, you have locally-encrypted data to which you hold the only key, e.g., a private journal in a text file or cryptocurrency in a cold storage wallet, then that’s a different story. I don’t know of a good solution here. All the solutions I’m aware of entail significant security sacrifices or a potentially unreliable dead man’s switch.

Thanks @adw. Yes, it’s complicated and there is no perfect solution. I’m of course aware of beneficiaries, wills, probate, etc., but that’s a separate issue from both being sure one can get to what is to be passed on (e.g., your crypto example) and taking proper care of the assets, investments, information, whatever until the passing on can happen.

I was hoping for examples of what people have done; or even better examples of what they’ve been the recipient of that worked!

As I’m getting older, I’m thinking about this more frequently… but have not implemented it yet.

But my plan is to

  • use a physical security token - like YubiKey - to encrypt my password database
  • ‘duplicate’ the security token, and store it in a physical safe (preferably not inside the house)
  • create regular backups into our internal private NAS share.

I have experience with the first point (with KeePassXC and YubiKey) only - but this solution should work in practice :slight_smile:

All would depend on the reliability of the physical safe (or 3rd party service?) as they should allow access to that box as you defined before.