Best ways to backup passwords from a password manager

I’ve been browsing many different posts over the past few days and I’ve read many different things, such as using Cryptomator to securely back up passwords from a password manager, or using the default encrypted JSON file and then storing it on different media and in different places such as the cloud. I’m still unsure of a good way to do this. I also want to somewhat remove the possibility that I could forget the password if it’s encrypted, but I want to have a 3-2-1 backup. Does anyone have any ideas?

Not sure if this fits into this category as it’s more of a security question than a privacy question.

Check out this thread, where it sounds like what you are looking for (in effect).

I also had this puzzle and needed to find a solution. All paths require remembering at least one password. If you use Cryptomator, you have to remember that password, if you download encrypted JSON files, you have to remember that password, etc.

But the solution I found works well and maybe it’ll work well for you too.

I created a Cryptomator folder and put all sensitive files into it, i.e. the password manager download (unencrypted CSV) but also recovery files and codes for my 2FA app and other accounts. By having all of these in a single encrypted folder, I would only have to remember one password to access all my backup/recovery data.

As long as that folder is then somewhere that you are including in your 3-2-1 backup routine, it is then backed up along with everything else. I keep it in my normal main ‘Documents’ directory, which I back up along with the main Pictures and Videos directories.

I tried things like using KDE Plasma Vaults to store this same set of special files, but that doesn’t work well with backup programs. However, backup programs treat Cryptomator folders like anything else and copy them to the backup location.

Whenever you need to use that backup, you then only need to install Cryptomator on the new/rescued/replaced device and you can access everything again with the same password.

If you’re not sure what backup program to use, try Vorta. It can back up to both local and online locations. I’ve tested it quite a bit and was always able to retrieve and decrypt my backups.

This is the easiest way IMO. Just use your master password when creating an encrypted export (works on Bitwarden, not sure about others) and follow 3-2-1 backup rules, though if you’re using the cloud as an option you’d need to be sure you can access it without your password manager. (You can add that as a password you have to remember, or use passkey sign-in; just be sure you have passkeys across multiple devices.)

I’ve always thought that for these “root keys” (as in, keys you need access to without any dependency on anything else), it may be interesting to use BIP-85 PWD BASE64, which deterministically derives passwords from a “master key” using BIP-32.

That way, you can simply write down the index and password length in order to re-derive the password, and not have to write down the whole password itself.

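As an added worked example (mine, not the poster’s code, and not taken from any BIP reference implementation), here is what the BIP-85 PWD BASE64 derivation mentioned above computes, using only the Python standard library. Because every step of the BIP-85 path is hardened, no secp256k1 point multiplication is needed, only the group order for the modular addition in BIP-32. Assumptions: the mnemonic is the well-known all-“abandon” BIP-39 test mnemonic (constructed input, never use it for real keys), the passphrase is empty, and the implementation follows my reading of BIP-32 hardened CKDpriv and BIP-85 (purpose 83696968', application 707764'); check it against the test vectors in the BIP-85 spec before trusting it with a real root key.

```python
"""Re-deriving a 'root' password from a BIP-39 mnemonic with BIP-85 PWD BASE64.

Added example for this thread (not any poster's code). Standard library only;
all BIP-32 steps are hardened, so no secp256k1 point math is required.
"""
import base64
import hashlib
import hmac
import unicodedata

# secp256k1 group order: BIP-32 reduces child private keys modulo n.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000
BIP85_PURPOSE = 83696968      # m/83696968'/... per BIP-85
PWD_BASE64_APP = 707764       # BIP-85 application number for PWD BASE64

# Constructed input: the standard BIP-39 test mnemonic (all-zero entropy).
# Anyone can derive the same passwords from it, so never use it for real.
EXAMPLE_MNEMONIC = "abandon " * 11 + "about"


def seed_from_mnemonic(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def master_key_from_seed(seed: bytes) -> tuple[int, bytes]:
    """BIP-32 master node: HMAC-SHA512 keyed with the literal 'Bitcoin seed'."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(i[:32], "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("invalid master key for this seed")
    return k, i[32:]


def derive_hardened(k_par: int, c_par: bytes, index: int) -> tuple[int, bytes]:
    """One hardened CKDpriv step: HMAC-SHA512(c_par, 0x00 || ser256(k_par) || ser32(i'))."""
    i_hard = index + HARDENED
    data = b"\x00" + k_par.to_bytes(32, "big") + i_hard.to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    k_child = (il + k_par) % SECP256K1_N
    if il >= SECP256K1_N or k_child == 0:
        raise ValueError("invalid child key; BIP-32 says move on to the next index")
    return k_child, i[32:]


def bip85_entropy(seed: bytes, app_path: list[int]) -> bytes:
    """Walk m/83696968'/<app_path...>' and apply BIP-85's HMAC to the child key."""
    k, c = master_key_from_seed(seed)
    for idx in [BIP85_PURPOSE, *app_path]:
        k, c = derive_hardened(k, c, idx)
    return hmac.new(b"bip-entropy-from-k", k.to_bytes(32, "big"), hashlib.sha512).digest()


def bip85_password(seed: bytes, pwd_len: int, index: int) -> str:
    """PWD BASE64: path m/83696968'/707764'/{pwd_len}'/{index}'.

    Base64 of the 64 entropy bytes is 88 characters; the 86 limit keeps
    the '==' padding out of the password.
    """
    if not 20 <= pwd_len <= 86:
        raise ValueError("BIP-85 PWD BASE64 requires 20 <= pwd_len <= 86")
    entropy = bip85_entropy(seed, [PWD_BASE64_APP, pwd_len, index])
    return base64.b64encode(entropy).decode("ascii")[:pwd_len]


if __name__ == "__main__":
    # What goes on paper next to the mnemonic is the (length, index) pair,
    # not the password itself; the same pair always re-derives the same password.
    seed = seed_from_mnemonic(EXAMPLE_MNEMONIC)
    for pwd_len, index in [(21, 0), (32, 1)]:
        path = f"m/83696968'/707764'/{pwd_len}'/{index}'"
        print(path, "->", bip85_password(seed, pwd_len, index))
```

The point for the backup problem in this thread: the mnemonic is the single thing you must keep (and remember or store offline), while the vault or export passwords are reconstructed from it plus a length and index you can write down in the clear. Changing either the length or the index lands on a different hardened path and therefore a completely different password, so record both exactly.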

I know this is far-fetched, but what happens if Cryptomator or programs like that are either abandoned or don’t work anymore? Is there a way to get into a Cryptomator vault / folder without having Cryptomator installed?


Cryptomator just not working anymore is most likely to happen because of a buggy update. That would mean waiting for another update to fix the bug, or using an alternative app which is interoperable.

If someone doesn’t want to wait for the fix, and they don’t want to use an interoperable app, they can use an older version of the app, from before the buggy update.

For example, the current app on Linux is version 1.16 and the portable app is 1.15.2. So if they pushed out version 1.16.1 on Linux and it didn’t work for some reason, I’d use the portable app to open my vaults. This is much more convenient than keeping an older version of the Linux app downloaded somewhere and using it to reinstall an older version. I can just keep the portable app on a USB stick, which is something I do with a few portable apps anyway.

If Cryptomator were abandoned, it would still work for some time, so users would have time to choose an alternative.

Both Cyberduck and Mountain Duck claim to be interoperable, although I haven’t tested that. Now that I mention it, I must add that to my list of things to test.