
I am toying with the idea of adding keyfiles to various things that I encrypt. However what's been keeping me from adopting them is guaranteeing that I don't lose the keyfile while still keeping security.

My issue is that with passwords, if you think long enough and can try enough, you will eventually remember it. Keyfiles, on the other hand, are gone forever if you lose them, with a <1% chance of ever recreating them.

Sure, I can put the keyfile on 6 flash drives and back the file up to multiple sites (I can't put it with my normal backups, as they are encrypted), but then you run into plausible deniability issues ("Hmm, why do you have 6 flash drives that have the same single file?") and security issues (the more exposed something is, by definition the less secure it is).

What are some recommended ways to keep a keyfile backed up and always available without compromising security and plausible deniability?

Adi
TheLQ

4 Answers

I think your requirements conflict - plausible deniability is not something which you will get from keyfile backups.

But for the backup/availability, follow standard backup and availability practices - mirror to a secure location, secure the backup, test backups regularly...

Rory Alsop

Rent a safety deposit box at your bank. Deposit one or two copies of the keyfile on different media such as optical and USB (redundancy in case of media-specific bit rot). Alternatively (or in addition), take the keyfile data, base64 encode it with a simple check per line (sum mod 7 or similar check digit) and print it out on a piece of paper.

It doesn't help with plausible deniability, mind you. But at least it's only in one place. I've never rented a safety deposit box, but I suspect that your name is attached to it.

logicalscope
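A worked version of the paper-copy scheme in this answer, added here as an example (it is not code from the answer's author). Instead of a plain sum mod 7 it uses a position-weighted checksum mod 97 (the IBAN trick), so that any single mistyped character and any swap of two neighbouring characters on a line is caught, and it adds a SHA-256 prefix over the whole file so a reassembled copy is checked end to end. The 64-byte `bytes(range(64))` key is a constructed stand-in for a real keyfile; the line width and the two-digit check format are choices made for this example.

```python
import base64
import hashlib

# Printable copy of a binary keyfile: base64 lines, each carrying a check
# value, so a typo made while re-typing the paper copy is caught on the
# exact line rather than surfacing as "wrong key" at decryption time.
B64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
LINE_WIDTH = 48   # base64 characters per printed line (example choice)
MODULUS = 97      # prime > 65: every single-character change is detected


def b64_value(ch: str) -> int:
    """Map a base64 character to 0..63; '=' padding maps to 64."""
    if ch == "=":
        return 64
    idx = B64_CHARS.find(ch)
    if idx < 0:
        raise ValueError(f"not a base64 character: {ch!r}")
    return idx


def line_check(row: str) -> str:
    """Position-weighted checksum of one base64 row, mod 97, as two digits.
    Weights cycle 1..96, so a substituted character changes the sum by
    weight*delta (both nonzero mod 97) and swapping two adjacent characters
    changes it by (a-b)*(w1-w2), also nonzero."""
    total = 0
    for pos, ch in enumerate(row):
        weight = (pos % (MODULUS - 1)) + 1
        total += weight * b64_value(ch)
    return f"{total % MODULUS:02d}"


def encode_for_paper(key: bytes) -> str:
    """Render a keyfile as lines '<n> <base64> <check>' under a header
    holding the first 16 hex digits of SHA-256(key)."""
    b64 = base64.b64encode(key).decode("ascii")
    rows = [b64[i:i + LINE_WIDTH] for i in range(0, len(b64), LINE_WIDTH)]
    out = [f"SHA256 {hashlib.sha256(key).hexdigest()[:16]}"]
    for n, row in enumerate(rows, 1):
        out.append(f"{n:02d} {row} {line_check(row)}")
    return "\n".join(out)


def decode_from_paper(text: str) -> bytes:
    """Turn a re-typed (or OCR'd) sheet back into the keyfile. Each line's
    check is verified first, and a mismatch names the offending line; then
    the hash of the whole reassembled file is compared with the header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("SHA256 "):
        raise ValueError("missing SHA256 header line")
    expected_prefix = lines[0].split()[1]
    rows = []
    for ln in lines[1:]:
        fields = ln.split()
        if len(fields) != 3:
            raise ValueError(f"malformed line: {ln!r}")
        num, row, check = fields
        if line_check(row) != check:
            raise ValueError(f"check mismatch on line {int(num)}")
        rows.append(row)
    key = base64.b64decode("".join(rows), validate=True)
    if hashlib.sha256(key).hexdigest()[:16] != expected_prefix:
        raise ValueError("whole-file hash mismatch")
    return key


if __name__ == "__main__":
    demo_key = bytes(range(64))  # constructed stand-in for a real keyfile
    sheet = encode_for_paper(demo_key)
    print(sheet)
    assert decode_from_paper(sheet) == demo_key
```

Print the output of `encode_for_paper`, type it back in with `decode_from_paper` when you need it, and the script tells you which line to re-read. The per-line check is a transcription aid, not a secret: anyone holding the sheet holds the key, which is the plausible-deniability problem this answer already concedes.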

Steganographically encode the keyfile into pictures you take. This explains why you have multiple copies, as you can say that you don't want to lose them. Make sure no copies exist without the keyfile encoded, as the difference between the pictures can be used to crack the steganography.

Orihara
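A minimal illustration of both halves of this answer, added here as an example (not code from the answer's author): sequential least-significant-bit embedding of a keyfile into a picture, and the differential analysis that becomes possible when an unmodified copy of the same picture survives. To stay free of image libraries the "picture" is a flat bytearray of 8-bit grayscale pixels generated from SHA-256 outputs; a real photo's raw pixel plane behaves the same way. The 4-byte length prefix, the cover size and the 32-byte `bytes(range(32))` keyfile are all constructed for the example.

```python
import hashlib

# LSB steganography: each payload bit replaces the lowest bit of one pixel.
# Payload layout in the LSBs: 4-byte big-endian length, then the data.


def _bit_stream(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, payload: bytes) -> bytearray:
    """Store the length-prefixed payload in the LSBs of consecutive pixels,
    one pixel per bit. Refuses covers that are too small."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("cover too small: need one pixel per payload bit")
    stego = bytearray(cover)
    for i, bit in enumerate(_bit_stream(framed)):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def _read_lsb_bytes(pixels: bytes, first_pixel: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs of pixels starting at first_pixel."""
    out = bytearray()
    for b in range(count):
        val = 0
        for k in range(8):
            val = (val << 1) | (pixels[first_pixel + 8 * b + k] & 1)
        out.append(val)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the payload: read the length prefix, then that many bytes."""
    length = int.from_bytes(_read_lsb_bytes(stego, 0, 4), "big")
    if 32 + 8 * length > len(stego):
        raise ValueError("length prefix exceeds image size: not a carrier")
    return _read_lsb_bytes(stego, 32, length)


def locate_embedding(cover: bytes, stego: bytes) -> dict:
    """The attack this answer warns about. With the original in hand, no key
    or knowledge of the tool is needed: every changed pixel differs by exactly
    1 (an LSB flip), the changes stop at a fixed offset, and about half the
    pixels before that offset changed. That is the fingerprint of sequential
    LSB embedding; the offset bounds the payload size and the stego copy's
    LSBs over that range are the payload itself."""
    deltas = [(i, abs(a - b))
              for i, (a, b) in enumerate(zip(cover, stego)) if a != b]
    if not deltas:
        return {"changed": 0}
    last = deltas[-1][0]
    return {
        "changed": len(deltas),
        "max_delta": max(d for _, d in deltas),
        "first": deltas[0][0],
        "last": last,
        "est_hidden_bytes": (last + 1) // 8,  # includes the 4-byte prefix
    }


def demo():
    """Constructed cover of 8192 pseudo-random pixels (no real photo) and a
    32-byte stand-in keyfile; returns cover, stego copy and the diff report."""
    cover = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    keyfile = bytes(range(32))
    stego = embed(cover, keyfile)
    return cover, stego, locate_embedding(cover, stego)


if __name__ == "__main__":
    cover, stego, report = demo()
    print(report)
    print(extract(stego) == bytes(range(32)))
```

The report from `locate_embedding` is what an analyst gets from a single original that slipped through: the embedding region, the number of hidden bytes and, via `extract`, the key. Keeping every copy of the picture encoded, as the answer says, removes that original; it does not hide the fact that LSB statistics of a lossless image can still be examined on their own.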

Most banks provide safety deposit boxes, and my bank gave me one for free. Their smallest box isn't quite big enough for a normal 5.25" hard drive, but it's large enough to fit a few hundred GB in USB sticks or maybe a laptop drive. I make a copy of all of my key files as well as other important information and store it in this box in an encrypted archive. If I were to die then the passphrase would be lost, so it's not a perfect solution.

Deniable Encryption systems are very interesting and relatively new. Whisper Systems uses a system like this for text messaging, and this code was recently made open source after Whisper Systems was purchased by Twitter.

rook