Digital Asset Executor
I wrote back in February 2009 about the idea of a personal digital legacy. It’s something I’ve spent some time thinking about and in some ways planning for. So much of our lives are in bytes now and preserving them in a lasting way is going to be a challenge. This post is about an aspect that is of more immediate concern. In my family I and the techie. I build my own computers, fix them for others and I keep the important electronic records and pay the bills electronically. This means I’m the one with all the online account passwords. I am the one with all of our financial records on my hard drive and just as important I am the one with the digital photo and video archives of our lives for the last 15+ years.
Being the techie I am, I use Linux, do plenty of backing up, practice safe password policies and in some of the above examples I use strong encryption to safeguard our personal and sensitive information. If something were to happen to me suddenly, be it amnesia, death or worse; there is the potential for some significant loss of digital assets. The data will survive me but will be inaccessible without the passwords and decryption keys that only I can use. So, this is something that has occupied my thoughts from time to time and I will share with you my current solution. I think it’s a pretty good start and welcome any ideas or criticism.
I’ve not yet settled on a name or term but the idea is something of a Digital Godfater or Digital Asset Executor. You get the idea. Someone who has been chosen to take on the responsibility of unlocking and releasing your digital assets to your heirs, or in any case the people that need them after you are out of the picture.
In my case, at this point in time no member of my immediate family has the tech know-how to handle this task. They may in the future but not now, so I have chosen someone else for the job. I’ll refer the them as “DAE” (Digital Asset Executor). I have known my DAE for long enough to know that they have the tech chops for the job and long enough to trust them. In this role, trust is important but there can be measures put in place to make sure that if DAE were to become untrustworthy they can still perform their duties reliably and securely. Regarding the DAE, it is essential that they have agreed to participate and are willing to perform this service. They have some responsibility of their own to maintain in order for this to work.
After the DAE is chosen the next step is to collect and organize all your digital assets. For myself, I have kept for years now a text file that I maintain with all current online accounts and their corresponding passwords. That file is in a folder along with many other digital assets including copies of Social Security cards, drivers licenses, credit cards, passports, tax returns, firearms paperwork and bank account numbers. Each one if those files is encrypted with GnuPG strong encryption. You may wonder why I have some of those things in digital form. Essentially it’s for disaster preparedness reasons. In the case of a disaster weather we have to leave home in a hurry or the house is destroyed, I have access to some important personal and financial data. Because I have backups in multiple geographic locations, even if I loose my laptop I can likely still get at it.
Next is preparing these assets for recovery in my absence. Here is what I have done it in a step by step process (this is after you have a willing and capable participant agreeable to act as your DAE) :
- Create a working folder, i.e. “DigitalAssetRecovery”
- Assemble copies of all digital assets (files) into one folder i.e. “assets”. Make sure all files are encrypted (GnuPG in my case) and compress that folder into a .tar or .zip file.
- Assemble copies of your encryption keys both public and private into a folder i.e “keys” and compress that folder.
- Write a short text document outlining your intent and instructions for your DAE.
- Write another text document that contains only and exactly, your pass-phrase for use of your encryption keys.
- Now, place the two compressed folders (keys and assets) along with the two text files into the working folder and compress the working folder.
- Encrypt the compressed working folder with the public key of your DAE (it is critical to the process that you use the DAEs’ public key and not your own).
- Delete the uncompressed/unencrypted copy of the working folder.
- Copy the encrypted working folder onto two types of media (CD-RW and USB key in my case). Attach instructions written on paper for how to contact the DAE and the importance of the data contained on the media and place them in a secure location such as a safe or safety deposit box that your survivors have access to. Delete the encrypted copy from your computer.
- Share your procedure with those that need to know.
Now what you have is a way for only your DAE (not even yourself) to access those assets that lie in the secure location. You will be relying on them to maintain their own encryption keys so that in the future when you need their services they will be able to perform the task. If you are concerned about their reliability, you can always have more than one DAE and just duplicate the process for each one. The only person in the world besides yourself that can get to your information now is your DAE. In that regard your data are not as secure as before because if your DAE (and only the DAE) had physical access to the CD or USB stick you created, they could expose that data. This is why they don’t get access to the data until it is initiated by your heirs. In my case I have left written instructions on how to have the recovery session supervised and for no copies to be retained by the DAE after they have performed their duties. Trust but verify.
This is a bit of a tedious process and will require you to make an updated version from time to time and perhaps even change your DAE. It is however the most secure and reasonable procedure I have developed so far. This reminds me, I have an update to do.