Sotring encryption keys offline securely

So, watching @LTS_Tom’s video on FreeNAS 11.2 Cloud Backup, Restore & Encryption With Backblaze & SFTP and it occurred to me that if I was to store encryption keys for multiple people (say, a client with 10 or so people in the office each with their own encryption key) what would be the best, most secure way to persist the keys offline.

Now, currently I’m taking this more as a thought experiment and not an actual solution. And I guess this is more of a discussion on policy and procedure than implementation.

Anyway, if each user were to print/write down the encryption key (or backup access key(s)) and seal it in a privacy envelope with their name on it and store that in a safe that is restricted access - like owner/manager only, or even off site and access restricted to the MSP managers, or similar. Would this be a safe and secure way to safeguard encrypted data from key loss? We take the time to make sure that there are backups of backups (redundant storage servers along with off site and/or cloud storage), but what about the encryption keys?

Maybe I’m just a fruit that just now started really thinking about this and I’m slow getting here, but I’ve never really heard anyone make anything more than a passing comment about the keys in the context of data storage and redundancy (if the keys are even mentioned at all!). Actually, if it’s not just me than that’s kind of scary!

Thoughts? Comments? Lashings?

I think you have the right ideas, in a safe maybe two sets in different locations and very restricted access. Plus the keepers do not need to know the contents of the packages if other than owner, senior manager.

1 Like