Redgold Documentation

Recovery Procedures

TLDR: Use a DEK (data encryption key) to encrypt a recovery document. Keep this secret in your standard E2EE cold/vault. From this, create N-of-M KEKs (key encryption keys) to distribute to your trusted recovery group members. Use an authenticated service (behind a tailnet or equivalent, for your existing trusted group members to interact with) where they can supply their current KEKs and retrieve the DEK. (This can also be done manually.)

In the future, there will be an integrated service / recovery page for this. The goal here is to prevent the DEK from being recovered before you want it to be, and to be able to rotate the N-of-M shares without having to re-encrypt your original recovery document. This allows you to safely store the data encrypted with the DEK in something like a safety deposit box, log attempted premature KEK usage / attacks, and also actively rotate KEK membership keys.
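The rotation property described above, as an added example that is not Redgold's own code. It assumes the N-of-M KEK material is a set of Shamir shares of the DEK, which the page does not specify; `split`, `recover` and `rotate` are hypothetical names and the DEK is a constructed sample.

```python
import secrets

P = 2**521 - 1  # Mersenne prime; the field must be larger than a 256-bit DEK

def split(dek: bytes, n: int, m: int) -> list:
    """Split dek into m shares (x, y); any n of them recover it."""
    if not 1 <= n <= m:
        raise ValueError("need 1 <= n <= m")
    # Random degree n-1 polynomial whose constant term is the DEK.
    coeffs = [int.from_bytes(dek, "big")] + [secrets.randbelow(P) for _ in range(n - 1)]
    shares = []
    for x in range(1, m + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def recover(shares, dek_len: int = 32):
    """Lagrange-interpolate at x = 0; None if the result cannot be a DEK."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    if secret >> (8 * dek_len):
        return None  # too few or mismatched shares (heuristic size check)
    return secret.to_bytes(dek_len, "big")

def rotate(quorum, n: int, m: int) -> list:
    """Issue a fresh share set for the same DEK, so the document is not re-encrypted."""
    dek = recover(quorum)
    if dek is None:
        raise ValueError("quorum did not yield a DEK")
    return split(dek, n, m)

if __name__ == "__main__":
    dek = secrets.token_bytes(32)      # constructed sample DEK
    old = split(dek, 3, 5)             # 3-of-5 recovery group
    new = rotate(old[:3], 2, 4)        # membership change to 2-of-4
    print(recover(new[:2]) == dek, recover([old[0], new[1]]) == dek)
```

A full quorum of old shares still reconstructs the DEK among themselves, so in this sketch rotation only takes effect once the previous set is destroyed or the service stops accepting it.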

This is important as a 'last step' in transitioning security secrets, as it may be difficult to use multi-sig services for everything directly (and doing so then requires updating all of those as well).