Develop Disaster Recovery Strategy
- to ensure that I can actually always recover from my backups I should develop and document a disaster recovery strategy
- have backup keys in password manager
- regularly back up password manager to obsidian
- separately from borg backups obviously
- on otherwise unencrypted device!
- how to do the pw manager backups?
- can I automate that?
- I'd probably want something that works without a working vaultwarden installation
- default encrypted exports only work in the same account, not feasible if homeserver is down
- can't automate exports with normal passphrase because I'd have to store that passphrase in clear text somewhere, I don't want that
- so export manually, encrypt with age for easy decryption, then save?
- or, honestly, is this totally dumb? maybe just encrypt the relevant backup keys with my passphrase with age to have that as single thing to remember and put that on obsidian?
- regularly check that I remember password manager master password
- also backup config repo there regularly
- document in backups.nix
- then in case my entire house explodes and I lose everything except obsidian I could:
- get a loaner notebook
- travel to my parents
- hook up backup drive
- decrypt password manager
- deploy config from there to my laptop
- gotcha: agenix secrets
- if I lose all devices I lose access to some secrets
- add a special key that's only in my password manager to all secrets that I could use to recover?
- alternatively just add my normal SSH private keys to my password manager
- might make sense anyway for access to stuff like git
- restore backup onto that device
- now I have access to all backup data and a running device again
- could get new homeserver / desktop / ... now and deploy config there and restore backups on there
- now I should be back up fully
- does backing up anything there to extra optical media make sense?
- a somewhat regular extra backup of the password manager in encrypted form couldn't hurt
- for stuff I might want an extra layer for if I lost everything else
- if encrypted, encrypted with a password in my pw manager that's right on there as well
- some other of my most important data maybe as well
- git repos that are important to me? thesis, pictures, nixos config for "recovery", blah...?
- but backup passphrases suffice in password manager update on obsidian – if obsidian's gone, the passphrases are gone, but so is the backup
- really, I got to remember my pw manager passphrase
- regular reminder?
- include device LUKS passphrases?
(this all assumes I'm alive, death "recovery" process should be worked out as well, but that's not this issue)
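
A sketch of the "export manually, encrypt with age, then save" option above, added here as an example and not part of the original notes. It refuses to copy anything that is not passphrase-encrypted age ciphertext onto the otherwise unencrypted device; the function names, file names and destination layout are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: passphrase-encrypt a manual password manager export with age.
# Function names, file names and the destination layout are hypothetical.

# Return 0 only if FILE is a (binary, non-armored) age file whose recipient
# stanza is scrypt, i.e. it was produced with a passphrase (age -p).
is_age_passphrase_file() {
    local file=$1 line1 line2
    [ -f "$file" ] || return 1
    { IFS= read -r line1 && IFS= read -r line2; } < "$file" || return 1
    [ "$line1" = "age-encryption.org/v1" ] || return 1
    case $line2 in
        "-> scrypt "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Encrypt EXPORT with an interactively entered passphrase, prove that the
# result decrypts to the same bytes, then copy only the ciphertext to DEST_DIR.
# The plaintext export is not touched; delete it once the copy is in place.
backup_export() {
    local export=$1 dest_dir=$2 tmp
    tmp=$(mktemp -d) || return 1
    # age -p prompts on the terminal, so the passphrase is never stored.
    age -p -o "$tmp/export.age" "$export" || { rm -rf "$tmp"; return 1; }
    # Round trip: age -d prompts again, which also checks the passphrase
    # was typed as intended and is still remembered.
    if ! age -d "$tmp/export.age" | cmp -s - "$export"; then
        echo "round-trip check failed, nothing copied" >&2
        rm -rf "$tmp"; return 1
    fi
    # Last guard before anything reaches the unencrypted device.
    if ! is_age_passphrase_file "$tmp/export.age"; then
        echo "output is not passphrase-encrypted age data" >&2
        rm -rf "$tmp"; return 1
    fi
    cp "$tmp/export.age" "$dest_dir/pw-export-$(date +%F).age"
    rm -rf "$tmp"
}

# Usage: ./pw-export-backup.sh EXPORT_FILE DEST_DIR
if [ "$#" -eq 2 ]; then backup_export "$1" "$2"; fi
```

Decrypting on a loaner machine then needs only the `age` binary and the passphrase (`age -d FILE`), with no running vaultwarden.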