Use banks/notaries to store passwords and keys separately.



1.- We encrypt the certificates with something like AES (GnuPG allows to encrypt files with symmetric algorithms), or to an OpenPGP key created for escrow purposes. We store the encrypted certificates (and the private key, if we use OpenPGP) into an USB flashdrive. But we _don't_ put the passphrase (either the passphrase for symmetric encryption or the passphrase that unlocks the secret OpenPGP private key). And we put this flashdrive inside a sealed envelope labeled "Envelope 1A" (plus dates and other details to identify it).

2.- We store the passphase, in plain text, inside another USB flashdrive, and we put it inside another sealed envelope labeled "Envelope 1B" (plus dates and other details to identify it).

All of this is done in the presence of 2 or more people of CAcert. For obvious reasons, the person that enters the passphrase must not keep the first envelope.

3.- Now lets imagine banks offer a service for storing the envelope inside a safe box, which require 2 signatures from authenticated current members of the board. We put envelope 1A in a bank, and envelope 1B in another bank.


  1. Files and passphrase are not together. Even if a bank employee tries to access the certificates, the employee can't do anything because he lacks the other envelope.
  2. There is no need to a proper handover, people leaving the board lose the capability to do anything to the envelopes.


  1. First we need to find 2 banks or notaries that provide that storage service.
  2. Cost. I don't have any idea about how much would a bank charge for that service.
  3. Time. How much time do we need to authenticate board members to the bank (specially after a handover)?
  4. Can we check the backups from time to time, without having more costs?
  5. Single point of failure. Even bank vaults can be accessed (some years ago, a group of thieves stole the content of a vault, accessing it using an underground tunnel), or where may be disasters (some years ago, I saw a new about a man losing his money, because the vault was invaded by termites, which literally ate the money). This can be mitigated by creating envelopes 2A and 2B (not interchangeable).




Key Storage

Key Escrow

Assessment against Requirements

Author Assessment

Community Member Assessment

Community Member Assessment by Daniel Black

Roots/EscrowAndRecovery/EnvelopeBankNotaryEscrow (last edited 2011-02-20 17:17:22 by UlrichSchroeter)