this post was submitted on 13 Jun 2025

Self-Hosted Alternatives to Popular Services

This is an automated archive made by the Lemmit Bot.

The original was posted on /r/selfhosted by /u/cyrbevos on 2025-06-13 09:17:20+00:00.


How do you handle long-term storage of your most critical infrastructure secrets?

The cold storage problem I needed to solve:

As someone running a homelab with increasingly critical infrastructure, I realized I had secrets that were too important for regular password managers but needed long-term secure storage.

What qualifies as "cold storage secrets":

  • Backup encryption master keys: Your borg/restic/duplicity passphrases that protect TBs of data
  • Root CA private keys: For your internal PKI infrastructure
  • Cryptocurrency cold wallets: Seeds for long-term holdings you rarely touch
  • Emergency recovery credentials: Break-glass admin accounts for when everything goes wrong
  • Encrypted drive masters: LUKS/BitLocker keys for archived storage
  • Legal/financial documents: Scanned copies of critical papers you hope to never need

Why regular password managers aren't enough: These aren't daily-use passwords. They're "nuclear option" secrets you might not touch for years, but when you need them, you REALLY need them. They require different security assumptions.

Mathematical cold storage approach: Split each critical secret into N pieces using Shamir's Secret Sharing, store across different secure locations. Need K pieces to recover, but fewer than K gives zero information.

My personal cold storage setup:

  • Backup master key: 5 pieces, need 3
    • 2 pieces in different fire safes at home
    • 1 piece with parents (different state)
    • 1 piece in bank safety deposit box
    • 1 piece with trusted friend

Why this beats traditional approaches:

  • No single point of failure: Unlike hardware tokens or single encrypted files
  • Survives disasters: Fire, theft, family issues, forgotten passwords
  • No vendor dependency: Works forever, no subscription or cloud service
  • Mathematically proven: Not just "hard to break" - literally impossible below threshold

Implementation for self-hosters:

  • Complete offline operation (Docker --network=none)
  • Self-contained shares that work independently
  • No network dependencies ever
  • Cross-platform/OS for different recovery scenarios

Perfect for the self-hosted mindset:

  • You control everything - no external dependencies
  • Mathematical guarantees instead of trusting vendors
  • Works on all OSs, portable bundle you can store on USB key

Here is the GitHub repo: https://github.com/katvio/fractum

Security architecture docs: https://fractum.katvio.com/security-architecture/
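The threshold scheme the post describes, as an added example for readers of this archive (it is not fractum's code and does not follow its share format). It splits a secret into n self-describing shares over a prime field, recovers it from any k of them, and makes the "fewer than k gives zero information" claim concrete: given k-1 genuine shares and any candidate secret, a matching k-th share can always be constructed, so k-1 shares are consistent with every possible secret. The passphrase bytes, the 3-of-5 parameters and the function names are assumptions chosen for the example.

```python
"""Shamir's Secret Sharing (k-of-n) over a prime field, with self-contained shares.

Example implementation written for this archive page, not fractum's own code.
"""
import secrets
from typing import List, NamedTuple, Sequence, Tuple

# Arithmetic is done modulo the Mersenne prime 2^521 - 1, so any secret of up to
# 64 bytes (512 bits) is strictly below the modulus and round-trips exactly.
PRIME = 2**521 - 1
MAX_SECRET_BYTES = 64


class Share(NamedTuple):
    """One share. It carries the threshold and the secret length, so a share is
    self-describing and recovery needs no metadata stored elsewhere."""
    x: int        # evaluation point, 1..n (never 0: f(0) is the secret itself)
    y: int        # f(x) mod PRIME
    k: int        # threshold needed for recovery
    length: int   # byte length of the secret, restores leading zero bytes


def _interpolate(points: Sequence[Tuple[int, int]], at_x: int) -> int:
    """Lagrange interpolation: evaluate the unique polynomial of degree
    < len(points) passing through `points`, at x = at_x, modulo PRIME."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (at_x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_secret(secret: bytes, k: int, n: int) -> List[Share]:
    """Split `secret` into n shares of which any k recover it."""
    if not 2 <= k <= n:
        raise ValueError("need 2 <= k <= n")
    if not 0 < len(secret) <= MAX_SECRET_BYTES:
        raise ValueError(f"secret must be 1..{MAX_SECRET_BYTES} bytes")
    # f(x) = s + a1*x + ... + a_(k-1)*x^(k-1), coefficients from a CSPRNG.
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(k - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):      # Horner's rule
            acc = (acc * x + c) % PRIME
        return acc

    return [Share(x, f(x), k, len(secret)) for x in range(1, n + 1)]


def recover_secret(shares: List[Share]) -> bytes:
    """Recover the secret from at least k shares of the same split."""
    if not shares:
        raise ValueError("no shares given")
    k, length = shares[0].k, shares[0].length
    if any(s.k != k or s.length != length for s in shares):
        raise ValueError("shares come from different splits")
    xs = {s.x for s in shares}
    if len(xs) != len(shares) or 0 in xs:
        raise ValueError("share x-coordinates must be distinct and non-zero")
    if len(shares) < k:
        raise ValueError(f"need {k} shares, got {len(shares)}")
    value = _interpolate([(s.x, s.y) for s in shares[:k]], 0)
    if value >= 1 << (8 * length):
        raise ValueError("inconsistent shares (tampered or mixed)")
    return value.to_bytes(length, "big")


def forge_share(partial: List[Share], candidate: bytes, missing_x: int) -> Share:
    """Given k-1 genuine shares and ANY candidate secret, build a share at
    missing_x that makes the candidate the recovered value. This always succeeds,
    which is exactly why k-1 shares reveal nothing about the real secret."""
    k, length = partial[0].k, partial[0].length
    if len(partial) != k - 1:
        raise ValueError("need exactly k-1 shares")
    if len(candidate) != length:
        raise ValueError("candidate must match the secret length")
    if missing_x == 0 or missing_x in {s.x for s in partial}:
        raise ValueError("missing_x must be a fresh non-zero point")
    points = [(0, int.from_bytes(candidate, "big"))] + [(s.x, s.y) for s in partial]
    return Share(missing_x, _interpolate(points, missing_x), k, length)


if __name__ == "__main__":
    # Constructed sample secret: a 32-byte backup passphrase, 3-of-5 as in the post.
    secret = b"EXAMPLE-borg-master-key".ljust(32, b"_")
    shares = split_secret(secret, k=3, n=5)
    assert recover_secret([shares[0], shares[2], shares[4]]) == secret
    alt = b"EXAMPLE-other-secret".ljust(32, b"_")
    forged = forge_share(shares[:2], alt, missing_x=5)
    assert recover_secret([shares[0], shares[1], forged]) == alt
    print("3-of-5 split OK; any 2 shares are consistent with every secret")
```

Each Share embeds k and the secret length, which is what lets a share sit in a safe for years and still be interpreted without a central index; the recovery routine refuses mixed splits, duplicate points and tampered values that fall outside the secret's byte range. Whatever tool is used, the two-share forgery above is the property to verify before trusting a scheme.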
