@abhn
Last active June 23, 2018 14:13

Shard Storage

To ensure that the pieces of a secret ('shards') are neither misplaced nor stolen, and to avoid losing the secret altogether, some measures need to be taken so that each shard is stored safely and securely. Here are some suggested ways of storing them.

Storage is a two-step process. There is the storage of the actual secret on some medium, and then there is the storage of the medium itself. Let's call these technical and physical storage respectively. Listed below are some best practices for each.

The solution you choose depends upon your use case and level of paranoia.

Technical Storage

  1. Cold storage in an air-gapped Tails persistence volume
  • Install Tails onto a USB stick, enable the encrypted persistent volume and save the shard on that volume.
  • Use case: Locally available, but requires a computer and booting into the Tails OS to access.
  2. LUKS encrypted USB stick
  • Encrypt the block device using LUKS, the disk encryption format widely used with the Linux kernel. Use the cryptsetup utility to create a LUKS encrypted partition.
  • Use case: Locally available, frequently accessible, portable to any GNU/Linux system, no booting into a live OS required.
  3. GPG encrypted on an unencrypted USB stick
  • Encrypt the shard with GnuPG using a passphrase (symmetric key cryptography): run `gpg -c part-1.txt` and enter a passphrase. To decrypt, run `gpg part-1.txt.gpg` and enter the same passphrase.
  • Use case: Locally available, easy to copy to other devices, portable, no booting into a live OS required.
  4. GPG encrypted on an encrypted USB stick (LUKS or Tails)
  • Encrypt using GPG and then add the encrypted file (part-1.txt.gpg as in the previous example) to the Tails encrypted storage.
  • Use case: Defense in depth; even if either the GnuPG passphrase or the Tails persistence volume passphrase is compromised, the shard is still protected by the other.
  5. GPG encrypted on cloud storage
  • Encrypt the shard using GnuPG and upload it to a cloud hosting provider.
  • Use case: Accessible remotely from anywhere, otherwise the same as option 3; ideal for lower security needs.
  6. Filesystem level encryption
  • Encrypt the directory containing the shard using tools such as EncFS.
  • Use case: Locally available, frequently accessible, no booting into a live OS required.
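The GnuPG options (3 to 5) all rest on one operation: symmetric encryption of a shard file, followed by proof that the ciphertext really decrypts back to the same bytes before the plaintext is thrown away. The script below is an added example, not part of the gist, and shows that check plus a recorded SHA-256 fingerprint so the shard can be re-verified after it has sat in storage. It assumes gpg 2.1 or later and coreutils on PATH; the shard content, file names and passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the gist): symmetric GnuPG encryption of one shard,
# a round-trip check before the plaintext is removed, and a stored SHA-256
# fingerprint for later verification.
# Assumptions: gpg 2.1+ and coreutils on PATH. Shard content, file names and
# the passphrase are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway GnuPG home so the demo never touches the real keyring.
export GNUPGHOME="$WORK/gnupghome"
mkdir -m 700 "$GNUPGHOME"

# Constructed sample shard: in practice this is one share of the split secret.
SHARD_PLAIN="$WORK/part-1.txt"
printf 'part-1: 8b2c3f4e5d6a7b8c9d0e1f2a3b4c5d6e\n' > "$SHARD_PLAIN"
DEMO_PASS='correct horse battery staple'   # constructed; pick a real one

# gpg_sym ACTION PASSPHRASE INPUT OUTPUT
# Non-interactive gpg call; ACTION is --symmetric or --decrypt.
gpg_sym() {
    printf '%s' "$2" | gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --cipher-algo AES256 --output "$4" "$1" "$3"
}

# encrypt_shard PLAINTEXT PASSPHRASE -> writes PLAINTEXT.gpg
# Returns 0 only if the ciphertext decrypts to byte-identical plaintext.
encrypt_shard() {
    plain=$1; pass=$2
    gpg_sym --symmetric "$pass" "$plain" "$plain.gpg"
    gpg_sym --decrypt "$pass" "$plain.gpg" "$plain.roundtrip"
    if cmp -s "$plain" "$plain.roundtrip"; then rc=0; else rc=1; fi
    rm -f "$plain.roundtrip"
    return $rc
}

# decrypt_shard CIPHERTEXT PASSPHRASE OUTPUT
decrypt_shard() {
    gpg_sym --decrypt "$2" "$1" "$3"
}

# fingerprint FILE -> SHA-256 hex digest (sha256sum, or shasum on BSD/macOS)
fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_stored CIPHERTEXT PASSPHRASE EXPECTED_SHA256
# Recovery drill: decrypt to a scratch file and compare its fingerprint with
# the one recorded at storage time. Fails on a bad passphrase or a changed file.
verify_stored() {
    out="$WORK/verify.$$"
    decrypt_shard "$1" "$2" "$out" || return 1
    got=$(fingerprint "$out")
    rm -f "$out"
    [ "$got" = "$3" ]
}

# --- demo run ---
encrypt_shard "$SHARD_PLAIN" "$DEMO_PASS"
FP=$(fingerprint "$SHARD_PLAIN")
# Keep the fingerprint next to the .gpg file; it reveals nothing about the shard.
printf '%s  part-1.txt\n' "$FP" > "$WORK/part-1.sha256"
# Plaintext is no longer needed. On flash media assume remnants may survive a
# delete, which is one reason option 4 layers GPG inside an encrypted volume.
rm -f "$SHARD_PLAIN"
verify_stored "$SHARD_PLAIN.gpg" "$DEMO_PASS" "$FP"
echo "stored $SHARD_PLAIN.gpg, sha256(plaintext)=$FP, recovery check passed"
```

The round trip in `encrypt_shard` is the step people skip: a typo in the passphrase, or a `gpg` invocation that silently wrote nothing, is only discovered years later when the shard is needed. `verify_stored` is the same check repeated at any later date, and is what you would run on each shard after pulling it out of a safe or a cloud bucket.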

Physical Storage

  1. Safe room in the organization
  • Ideal if the shard is owned by the organization collectively; inherits the physical security of the organization.
  2. Safe at home / private bank locker
  • Ideal if multiple shards are distributed within the organization itself and responsibility for managing each individual shard rests with the person holding it.
  3. On a keyring carried on your person
  • Ideal if a home safe or bank locker isn't available (for example, while in a foreign country).
  4. Encrypted shard on the cloud
  • Ideal for lower security needs and/or when physical safety cannot be ensured.