TLDR: This post proposes the idea to use a recovery kit, a small encrypted file prepared and distributed to friends, to help restore your (digital) life after a total data loss, for example in case of a police raid. It aims to discuss what to include in the recovery kit and gives a detailed description on how to prepare it.

Request for Comments: So far I only discussed this idea with a very small number of people and this is the first time I’m writing it down in detail. If you think I’m missing something or didn’t consider something important, please let me know. If you want to provide feedback or input anonymously, you can use this cryptpad form. Also feel free to comment on fedi or use the contact details in my profile.

Motivation

When discussing digital security in political/activist circles, the most common answer to the question of how to prepare for a police raid is “Encrypt all of your devices and have encrypted backups stored in an off-site location”. As if the question how to best realize encrypted off-site backups wouldn’t be hard enough (this includes having to be usable enough to keep the backup up-to-date regularly!), it falls short of planning ahead for what steps to take immediately after a police raid has happened. How to do secure off-site backups is out of scope for this blog post.

Goals

During a raid the police might seize basically anything; in particular they will seize any electronic devices and storage media. What they take or leave depends on many factors and often seems quite random. So let’s assume a worst-case scenario here: you are left with nothing. Without any possibility to contact anyone, the best option seems to be to go to a place where you can rest and recover, e.g. the home of a friend who lives nearby. Ideally, a collection of contact data of further friends and other people you want to ask for help or inform would be waiting for you there. This Recovery Kit can help you to get support and restore your backups.

Threat Model

Assumptions

  • modern cryptography works, and so do the implementations you use
  • you can remember one (additional) secure passphrase

Attacker compromising a recovery kit recipient

Can

  • deduce that the person knows you and is storing some file for you

Can not

  • read/modify your recovery kit

Attacker compromising the recovery kit

Can not

  • read the data in your main backup (assumed main backup is encrypted)
  • modify your main backup (assumed main backup uses authenticated encryption)

Can

  • delete your main backup (if cloud storage credentials are included)
  • gain limited information about your social network (through contacts included)

Limitations

Psychological/Mental health aspects

A police raid is a very stressful, possibly traumatic, experience. While this text does try to include considerations on what to do to recover from this on a personal/mental level, I will not be able to cover this here appropriately. I’m not an expert on this. The first step is probably to get support from friends. But also consider looking for professional support. In some German cities there are out-of-action groups specializing in emotional support for activists who face repression. This article (in German) by one of these groups provides some basics on how to support someone, but also on what you can do for yourself.

I’m not a lawyer. For legal advice and how to behave during a police raid, I recommend the resources linked below (limited to the legal situation in Germany).

Talks:

No long-term archival solution

The Recovery Kit approach does not aim to serve as a long-term archive for your data. The data is expected to be restorable within a timeframe of a few years after it was created and distributed. I would recommend reviewing/updating the content and distributing a new recovery kit every 2-3 years. Otherwise people might lose or forget the file, or the contacts you stored in it might have changed their phone number in the meantime.

Does not cover hardware tokens

Of course a recovery kit can not help you to recover your FIDO2 hardware tokens (YubiKeys, …). Many platforms allow you to configure an alternative login method, e.g. OTP. If you don’t want this, you can of course place backup hardware tokens at secure locations. However, keeping those updated (i.e. regularly enrolling new accounts) seems very time consuming, especially if you have more than one.

Recovery Kit Creation

Data Selection

Which contacts to include?

People who can support you (provide you a safe space, support you emotionally, help getting new devices)

Warning: You should assume that the police will monitor closely who you contact after a raid. Making you reveal metadata they can gather through surveillance might even have been part of the motivation for the raid.

People with whom you are doing activism together or other things that might lead to repression might not be the best choice.

Consider that it might be enough to include one or two people from each social circle, since they can pass on information to each other or provide you with the contact details of others.

How to contact people?

As always, ways of communication that reduce metadata should be preferred. From this perspective calling people by phone is not optimal, but in practice it might be the more reliable and faster way to contact them. Some people might be easy to contact using email, Matrix or Signal. But remember that at this point you won’t have access to your accounts and would need to use the accounts of friends or create new ones. For some contacts like your parents, your bank or your employer you probably don’t need to care about metadata, because the police are able to find out about them easily anyway.

Technical Steps

Use a password manager like KeePassXC with a secure passphrase.

You can raise the database’s key derivation settings (the decryption-time setting in KeePassXC’s database security options) to make brute-force attacks on the passphrase more expensive. You won’t need to unlock the database regularly, so it’s ok if it takes a few more seconds to open.

The state of the art for file encryption seems to be age. If you feel comfortable using command line tools, this is probably the way to go. An age encrypted archive also gives you the flexibility to include additional files in the recovery kit. Both can also be combined easily by encrypting the KeePassXC database with age.
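The steps above (KeePassXC database plus extra files, wrapped in an age passphrase-encrypted archive) as an added example script; it is not the post’s own tooling. It assumes `age` is installed, and the contacts file and the `.kdbx` it creates are constructed placeholders to be replaced with your real data; the manifest it adds lets you check on a borrowed machine that the kit survived years of storage intact.

```shell
#!/bin/sh
# Assemble, encrypt and restore a recovery kit (added example, assumed layout).
# Assumes: age (age-encryption.org) and GNU coreutils (sha256sum) are installed.
set -eu

# Populate $1 with the kit's contents. The contacts and the .kdbx are CONSTRUCTED
# placeholders; replace them with your KeePassXC database, contacts and configs.
make_kit_dir() {
    dir=$1
    mkdir -p "$dir"
    # creation date, so the recipient (and you) can tell an outdated kit apart
    printf 'created: %s\nredistribute a fresh kit in 2-3 years\n' \
        "$(date -u +%Y-%m-%d)" > "$dir/README.txt"
    cat > "$dir/contacts.txt" <<'EOF'
# name   role                      how to reach (constructed sample)
Alex     safe space, lives nearby  +49 000 CONSTRUCTED
Bank     order new card            hotline printed on statements
EOF
    # placeholder for the KeePassXC database holding the credentials; create the
    # real one with a high decryption-time target, e.g. via keepassxc-cli db-create
    # (flag names from memory; confirm with keepassxc-cli db-create --help)
    : > "$dir/recovery.kdbx"
    # integrity manifest: detects truncation or corruption after a restore
    (cd "$dir" && sha256sum README.txt contacts.txt recovery.kdbx > SHA256SUMS)
}

# Return 0 only if every file in the manifest still matches.
verify_kit_dir() {
    (cd "$1" && sha256sum -c --quiet SHA256SUMS)
}

# Pack and encrypt: age -p prompts for the one passphrase you have memorised.
encrypt_kit() {
    verify_kit_dir "$1"
    tar -C "$1" -czf - . | age -p -o "$2"
}

# Restore on a borrowed machine: decrypt, unpack, re-check the manifest.
restore_kit() {
    mkdir -p "$2"
    age -d "$1" | tar -xzf - -C "$2"
    verify_kit_dir "$2"
}
```

Run `make_kit_dir ~/kit && encrypt_kit ~/kit recovery-kit.age` to produce the file to distribute, and `restore_kit recovery-kit.age ./restored` later.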

Recovery Kit Content List

Contacts

  • bank (order new bank card)
  • family/close friends
  • lawyer
  • therapist
  • your employer/boss
  • people who are your off-site backup store (if offline)
  • people who could help you acquire new devices

Credentials

  • online banking
  • online payment provider (PayPal, …)
  • mobile phone SIM provider (order new SIM card)
  • credentials for your (online) off-site backup store (not the encryption passphrase!)

Other

  • config files to set up a system you’re comfortable with (e.g. your NixOS config)
  • scans of important documents (?)

Recovery Kit Distribution

Send the file to people you know using a messenger (Signal, Matrix,…). Ask them to keep it in the chat history (remember to disable disappearing messages) and/or to put it where they keep their own documents.

Recovery kit receiver selection

Criteria

  • easily reachable for you by non-digital means (e.g. living nearby)
  • reliable regarding storing your file somewhere and finding it again when you ask for it multiple years later

Non-criteria

  • is an IT security expert who will safeguard your recovery kit in a safe location
  • high personal trust

Example message

Hi, I’m currently working on improving my data backup strategy. Therefore I would like to ask you to store this small encrypted file for me. In case I lose all my devices (house fire, police raid) it will help me to regain access to my digital life. Please just put it where you normally put important documents you don’t want to lose and/or just keep it stored here in our chat history. Don’t worry, if you lose the file it will not cause trouble for you or me. I placed copies in multiple locations.

Alternative approaches

I don’t think Recovery Kits are a one-size-fits-all solution. Here are some alternative approaches for recovering after a police raid.

Optimize for fast restore of full backup

If you have your off-site backup at a friend’s home nearby, you can just walk over, open your full backup at their computer and have everything you need. This approach assumes significant trust in other people’s computers. Even if they are a friend you trust, you may not (want to) trust them to keep their devices safe from compromise. You might instead prefer to trust their devices with only a tiny bit of information, just enough to get a new laptop and set up a secure system configuration on it. This is, in parts, what the recovery kit is about.

Re-collect all your contacts through friends

If your friends are basically one large group where everyone knows everyone, it might work well to just contact/go to one friend and ask them for the contact info you need to contact the rest of them.

This has the limitation that not all people you might need to contact are friends. For example, you might also need to contact your therapist, your parents or your employer. Also, it does not allow for storing credentials.

Know everything by heart

Nice if it works for you to keep all the information proposed for the recovery kit in your head. E.g. some people can remember large amounts of phone numbers easily. For me this does not work.