
Offline, multi-machine, 2-factor authentication information vault?

Çağlar Arlı      -    8 Views


I think this should be the right SE, apologies otherwise

I have been researching ways to be more careful with how I handle important documents and credentials, but everything I found sounded incredibly inconvenient to use so I would like to get a confirmation of the simplest way to meet my use case - which I think is rather common.

Use case:

  1. I may not be a network or even IT engineer, but as a robotics engineer I am comfortable with pretty much any solution I have seen - it's just a matter of daily convenience
  2. I need to be able to store my personal administrative documents (including important ones) and various account credentials somewhere safe where I can be confident they will not be accessed nor damaged (within reason)
  3. I need to read/write my credentials from my personal computer (Windows), my mobile phone (Android), and my work laptop (usually Windows, sometimes Linux). It's okay if I can't access my documents on my mobile phone.
  4. I don't want a solution based on a cloud service, I'm really not comfortable depending on anyone for something as critical as this. I'm not a fan of a self-hosted server solution either but if that's what it takes I'm ok with it.

Edit: taking your advice into consideration, here is what I came up with. What do you think?

[image: proposed archi]

All terminals have the VeraCrypt container (for documents) and the KeePass database (for credentials) 2-way synced using Syncthing (peer to peer). I can access the credentials and the documents using 2-factor auth: the master password (something I know) and the YubiKey (something I have). Both encrypted containers are 1-way synced with file versioning ("staggered", i.e. with timestamp) to 2 NAS, each set up as RAID1 and in different locations. Incidentally, both NAS will receive non-critical backups. And since I'm not arrogant enough to consider myself more reliable than Google, each NAS will 1-way sync to my Google Drive in its own subfolder (I'm not sure it's safe to target the same folder). Once it's set up, I will plug my YubiKey into the machine I want, open either encrypted container with the master password, and for credentials use the browser's KeePass plugin to auto-fill login & password for me. When I need to add an account, I generate a random one from KeePass.

The reason I didn't use Google Drive instead of SyncThing is that I don't rely on my devices being auto-connected to Google Drive to access my credentials, and if my devices get stolen I don't rely on a third party to provide me with a backup.

Oh, and I've covered added malware protection because that's obviously a prerequisite to KeePass and VeraCrypt. I'm still not too sure whether magikeyboard isn't a vulnerability here.
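As an added example (not part of the original question or of any answer), here is a small Python check a practitioner could run after a Syncthing round to confirm that the replicated KeePass database copies on the PC and on both NAS are intact and agree. It flags Syncthing conflict copies (Syncthing's default naming is `<stem>.sync-conflict-<date>-<time>-<device>.<ext>`), verifies that each replica starts with the KDBX 2.x signature and a plausible major version, and compares SHA-256 digests across replicas. The directory layout, the `vault.kdbx` file name and the file contents are all constructed inline for the demo; the fake database only carries a real header, not encrypted data.

```python
# Added example, not from the original post: verify replicated KeePass (.kdbx)
# copies after a sync run. Paths and file contents are constructed for the demo.
import hashlib
import os
import struct
import tempfile
from dataclasses import dataclass, field
from typing import List, Tuple

# KDBX 2.x file signature: 0x9AA2D903 then 0xB54BFB67, both little-endian.
KDBX_SIGNATURE = struct.pack("<II", 0x9AA2D903, 0xB54BFB67)


@dataclass
class ReplicaReport:
    path: str
    valid_kdbx: bool
    sha256: str
    conflicts: List[str] = field(default_factory=list)


def make_fake_kdbx(major: int = 4, minor: int = 0, payload: bytes = b"\x00" * 32) -> bytes:
    """Constructed stand-in for a KDBX file: real signature + version, dummy body."""
    return KDBX_SIGNATURE + struct.pack("<HH", minor, major) + payload


def is_valid_kdbx(data: bytes) -> bool:
    """True if data carries the KDBX signature and a KDBX 3 or 4 major version."""
    if len(data) < 12 or data[:8] != KDBX_SIGNATURE:
        return False
    _minor, major = struct.unpack("<HH", data[8:12])
    return major in (3, 4)


def find_conflicts(directory: str, stem: str) -> List[str]:
    """Syncthing leaves unmergeable edits as '<stem>.sync-conflict-*' beside the file."""
    marker = f"{stem}.sync-conflict-"
    return sorted(n for n in os.listdir(directory) if n.startswith(marker))


def inspect_replica(db_path: str) -> ReplicaReport:
    with open(db_path, "rb") as fh:
        data = fh.read()
    stem = os.path.splitext(os.path.basename(db_path))[0]
    return ReplicaReport(
        path=db_path,
        valid_kdbx=is_valid_kdbx(data),
        sha256=hashlib.sha256(data).hexdigest(),
        conflicts=find_conflicts(os.path.dirname(db_path), stem),
    )


def check_replicas(paths: List[str]) -> Tuple[List[ReplicaReport], bool]:
    """Consistent means: every copy valid, no conflict files, identical digests."""
    reports = [inspect_replica(p) for p in paths]
    hashes = {r.sha256 for r in reports}
    ok = bool(reports) and len(hashes) == 1 and all(r.valid_kdbx and not r.conflicts for r in reports)
    return reports, ok


def demo() -> Tuple[List[ReplicaReport], bool]:
    """Build three constructed replicas (pc, nas1, nas2); nas2 holds a conflict copy."""
    db = make_fake_kdbx()
    with tempfile.TemporaryDirectory() as root:
        paths = []
        for name in ("pc", "nas1", "nas2"):
            d = os.path.join(root, name)
            os.makedirs(d)
            p = os.path.join(d, "vault.kdbx")
            with open(p, "wb") as fh:
                fh.write(db)
            paths.append(p)
        # Simulated conflicting edit that Syncthing could not merge on nas2.
        conflict = os.path.join(root, "nas2", "vault.sync-conflict-20240101-120000-ABCDEFG.kdbx")
        with open(conflict, "wb") as fh:
            fh.write(make_fake_kdbx(payload=b"\x01" * 32))
        return check_replicas(paths)


if __name__ == "__main__":
    reports, ok = demo()
    for r in reports:
        print(f"{r.path}: valid={r.valid_kdbx} sha256={r.sha256[:12]}... conflicts={r.conflicts}")
    print("replicas consistent:", ok)
```

Two-way syncing a KDBX file that is open on two machines at the same time yields a conflict copy rather than merged entries, which is why a conflict file counts as a failed check here. The digest comparison only proves the replicas agree with each other, not that they hold the newest edit, so run it after the sync has settled and before relying on the NAS copies as backups.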