Ask HN

6 points by kornhole ↗ HN
How would you setup an emergency data locker for a (mostly) trusted partner to access if you were indisposed in some kind of emergency?

If I got hit in the head and couldn't remember my main passwords or was unconscious, I would want my partner to be able to access all my accounts and such if needed. I do trust her but do not want to just give her a URL and credentials she could access at any time. I think maybe a timed access with notification to me if she accessed it would give me time to intercept if needed.

18 comments

[ 4.5 ms ] story [ 51.4 ms ] thread
Print it out and put it in a bank safe deposit box. Or, consult an attorney.
Relatedly, are there good ways to do this considering 2FA? (or maybe that is tangential to the author's ask)
Include 2FA seeds or backup codes, or put a backup yubikey somewhere recoverable offsite.
An Online Deadman switch can release a piece of info (a pin or password in this case).

This requires you logging in or responding to the service daily/monthly/yearly.

You could periodically create encrypted backups of the necessary data on a USB stick (stored in a known place in your home), so that the data locker only needs to disclose a relatively short password to her (and it could even broadcast it in a tweet, since she would be the only person for whom that password would be useful).

Then, as you say, if she wants to access the plaintext, she would have to click a button on a secret web page somewhere which would trigger a server to send an email to you (and a couple of friends) saying that she had done this and that a 24 hour timer had started.

The email would also include a link to a page that could reset the timer, up to N times, while you tried to buy a new phone or regain consciousness or post bail or whatever the attack scenario is that you want to defend against.

In practice, the most likely failure mode is that you don't need to use this system for years and then something silently breaks, like you forget to renew a domain, or you forget that you changed your email address. As such you should include a quarterly test process for all of the steps, including making sure your partner remembers the process for performing the decryption, and making sure your friends haven't marked the automated email as junk, and so on.

I have my password as part of my will. The contact details for them are in my wallet and in my room.
This is protected from subpoenas right?
Doesn't appear to be. Inheritance here goes under sharia law, I believe, which is a separate thing to civil law. The will is there to override the default sharia inheritance laws, and also cater for assets outside it, like crypto and foreign earnings like Google Play, PayPal. And other weird assets like Steam account.
Can you put the lawyer into the contract instead and have him disclose the password directly? The lawyer is protected by confidentiality.
I won't answer the question fully accurately in public lol, the OP question smells a bit like spearphishing.

But I have no contact with the lawyers themselves. Lawyers are, say, private access to the entity that handles the will. There's an entrance. I basically have ownership over the will. This is done by proving my identity, biologically or legally. Thus I have read, write, delete access. I'm making the assumption that with a delete request, that they would return the password. Or otherwise I might have to add something that triggers the will if I am mentally incapacitated. But for now, the risk of that is quite low.

I'm in the process of setting this up with multiple SD cards as locker[1]. I got SD card storage with credit card like form-factor so that it fits in my wallet. The tricky thing is to figure out how to keep the instructions unencrypted. I'm thinking about making a half-yearly ritual like a fire-drill which also allows me to rotate keys and improve the process. Not sure how to make it feel less morbid than it is :)

[1]: https://john2x.com/blog/managing-pgp-keys.html

> Not sure how to make it feel less morbid than it is

That requires some extra "UX design", but I think it's possible. It's like that classic piece of advice "you're not designing a computer system, you're designing a system in which a computer and a human interact".

So, I would recommend making this half-yearly "fire-drill" part of a day you set aside and fill with other more positive things, like having a fancy meal with your family, relaxed in the knowledge that you've done your half-yearly duty, and focused on making the most of every day you have.

I guess it might still feel a bit weird at the start, but after the first 20 times you do it, you won't even be thinking about the technical details (and why you are doing them), you'll be looking forward to enjoying the rest of the day as the reward for that quick little chore.

Thank you. Will take your advice and plan for a nice elaborate ritual in 6 months :)
I was lowkey thinking about approaches to a similar arrangement, and my conclusion is that the key to this is a lawyer/attorney, unless you want to make the trusted person a part of a convoluted cryptography scheme. Give the person an encrypted file with instructions, or a password database, and have the attorney deliver a piece of paper with the password to that file if you're incapacitated. Perhaps make the paper look innocuous to the lawyer if you want. IDK though if lawyers actually do things like this in various jurisdictions—outside of the rather final scenario of a will.
> have the attorney deliver a piece of paper with the password to that file if you're incapacitated.

I think this is the difficult step. How does an attorney know whether you are incapacitated? Do they video-call you every day, and check that you aren't under duress or being deepfaked? Do they check government records of deaths every year?

It would seem that any system with a reasonable cost and reasonable latency will have to involve software at some stage, so saying "get an attorney" really means "don't trust software you've written yourself, get an attorney to write it instead".

(Okay, the attorney would pay someone else to write the software they use, but in any case, suggesting reliance on an attorney leaves unanswered the technically interesting part of the question, and doesn't really allow us to speculate about what role would actually be left to the attorney).

> How does an attorney know whether you are incapacitated?

You realize that the system to deal with this already exists? It's called the legal system, and it hooks into various specialized professions, including medical ones. As in, the partner brings the lawyer some papers from doctors that say you're out of commission, and the lawyer executes whatever procedure you prescribed for such a case. The same way as when you're dead, just without the death part (hopefully).

(Cue HNers saying that the papers can be forged, etc.—if that's the worry, one has more immediate problems in their relationship than the arrangement of a ‘dead man switch’.)

Sometimes I have to wonder if a bunch of hackers from ~2000s decided to live entirely in computer systems, and forgot that the ‘hacker ethos’ pertains also to researching and using existing systems.

Fortunately I've never had to try procuring legally-verifiable paperwork from a doctor to prove that a loved one is too sick to tell me their password, but I have to admit that such a process probably does exist, and someone could navigate their way through it during an emotional difficult time. Thank you for bringing it to my attention.
Interestingly some banks provide this facility. I was once talking to my "financial assets manager"(I didn't know I had one until I went to the nearest branch for some other work!).

Anyway, during my discussion with him he asked me whether I would like to avail the "will creating and custody service". And he mentioned that in addition to financial assets they also have an option for safe custody of digital assets with them. Here digital assets are anything like usernames, emails, passwords, URLs, digital photos, backups etc that you would like to pass it on to the nominees.