Secrets & Identity — L0

One vault. One master key. A few simple habits. Robust secrets at layer zero.


Secrets & Identity — What You’re Building

You are building:

  1. One Secret Box → a KeePass vault file (my-secrets.kdbx)
  2. One Master Key → a strong sentence you can say but others can’t guess
  3. Two Helper Tools (optional but recommended)
    • A TOTP app (like Aegis)
    • A file-encryption tool (age) and/or identity tool (GPG) [ADVANCED]

Everything else = copies and safety nets.


Decide Your Devices

Pick which devices you have:

Computer

  • Windows
  • macOS
  • Linux (preferred)

Phone

  • Android (degoogled preferred) → use KeePassDX + Aegis
  • iPhone → use KeePassium (no Aegis; keep TOTPs in KeePass for now)

You only need one computer and one phone to complete BASIC.


Prepare Physical Stuff

Get:

  • 📝 Paper (2–4 sheets)
  • ✍️ Pen
  • 💾 2 USB sticks (or external drives)
  • 📁 1 envelope (or small folder)

You’ll use these for:

  • Writing down your master password
  • Writing down a simple map of where things are
  • Copying your vault to multiple places

Create Your Master Password (The One Ring)

This password protects everything. Do this slowly.

3.1 Build the sentence

  1. Think of:
    • 1 private memory (that no one else knows in detail)
    • 1 random object
    • 1 random number
  2. Combine them into a weird sentence, e.g.:
    Yellow_tractor!fence 47 ghosts sing slowly
Rules:
  • At least 5 words
  • Mix of lowercase, UPPERCASE, numbers, symbols
  • Not a quote, song lyric, or famous phrase

3.2 Write it down

On paper, write exactly:

MASTER PASSWORD #1
Yellow_tractor!fence 47 ghosts sing slowly

Do this twice on two separate sheets.

  • Put each sheet into its own envelope:
    • MASTER PASSWORD COPY A
    • MASTER PASSWORD COPY B
  • You will store them in two different safe places later.
✅ When done:
You have one strong sentence written on two different papers.

Install KeePass on the Computer (Root Secret Box)

  1. On your computer: open your browser.
  2. Search for “KeePassXC download”.
  3. Download from the official site (or your distro’s package manager).
  4. Install and open KeePassXC.

4.1 Create the vault

  1. In KeePassXC: click Database → New Database…
  2. Name it: my-secrets.kdbx
  3. When asked for Master Password, type your sentence exactly.
  4. Save the file in a new folder, for example:
    Documents/Secrets/my-secrets.kdbx
✅ When done:
  • You have a file called my-secrets.kdbx.
  • It opens only with your master password.

Create Your First Entry (Test Entry)

  1. Inside KeePassXC, click “Add New Entry” (usually a + icon).
  2. Fill:
    • Title: TEST ACCOUNT
    • Username: test@example.com
    • Password: click generate (random, long, e.g. 20–30 chars).
  3. Click Save.

5.1 Test copy–paste

  1. Double-click the TEST ACCOUNT entry.
  2. Click the icon to copy the password.
  3. Paste it into a blank text editor just to see it works, then delete it.
✅ When done:
You know how to add and use an entry.

Make Your First Copies (Backups of Vault)

Now copy my-secrets.kdbx to two USB sticks.

  1. Plug in USB #1:
    • Make a folder: SecretsBackup
    • Copy my-secrets.kdbx into it
  2. Eject USB #1.
  3. Repeat on USB #2.

Now you have:

  • Original: on computer (e.g. Documents/Secrets/my-secrets.kdbx)
  • Backup 1: on USB #1
  • Backup 2: on USB #2

6.1 Store them in different places

  • USB #1 → hide at home (not obvious).
  • USB #2 → hide in a different place (trusted family, safe, office locker).
✅ When done:
  • 1 vault file in 3 places.
  • Master password written on 2 papers in 2 locations.
That’s already a robust BASIC-level L0.

Put KeePass on the Phone

7A. Android (KeePassDX + optional Aegis)

  1. On your Android phone: open Play Store or F-Droid.
  2. Install KeePassDX.
  3. Move your vault file (my-secrets.kdbx) to the phone:
    • Simplest for BASIC:
      • Plug phone into computer.
      • Copy my-secrets.kdbx to Downloads/ or a Secrets/ folder.
    • Or use a local network method.
  4. Open KeePassDX:
    • Tap Open or Import.
    • Find my-secrets.kdbx.
    • Enter your master password.

You should now see TEST ACCOUNT on the phone too.

7A.1 TOTP app (Aegis) – BASIC

  1. Install Aegis Authenticator on Android.
  2. For every account where a website offers “Authenticator app / TOTP”:
    • Turn it on.
    • Scan the QR code using Aegis.
  3. Aegis will now show a 6-digit code rotating every 30 seconds.

We’ll tie this to KeePass usage under Daily Use (Rule 3).

7B. iPhone (KeePassium)

  1. On your iPhone: open App Store.
  2. Install KeePassium (free or paid; both share an open-source core).
  3. Move my-secrets.kdbx to the phone:
    • Easiest: plug phone into computer and use Finder (macOS) or iTunes (Windows) “Files” section.
    • Copy into KeePassium’s app folder.
  4. Open KeePassium, pick my-secrets.kdbx, enter your master password.

You now see TEST ACCOUNT on iPhone.

Note
No Aegis on iPhone. For BASIC iPhone-only setups, either:
  • Keep TOTPs inside KeePass entries, or
    • Accept SMS codes where forced (with known downsides).

Daily Use: Simple Rules

Rule 1 – No more “remembering” passwords

When a website asks for a password:

  1. In KeePass:
    • Click “Add New Entry”.
    • Let KeePass generate a long random password (20+ chars).
  2. Save the entry with:
    • Title: site name (e.g. ProtonMail).
    • Username: your login or email.

You never manually invent passwords again.

Rule 2 – Login flow (everyday use)

  1. Open KeePass (computer or phone).
  2. Unlock with master password.
  3. Find the entry (e.g. ProtonMail).
  4. Copy username → paste into site.
  5. Copy password → paste into site.

Rule 3 – TOTPs (2FA codes)

If you have Android and Aegis (recommended):

  • Use Aegis for TOTPs.
  • Flow:
    1. Log in with username + password from KeePass.
    2. Open Aegis → copy the 6-digit code → paste.

If you’re on iPhone only (no Aegis):

  • Store the TOTP secret inside the KeePass entry (KeePassXC & KeePassium support TOTP):
    • When adding 2FA, choose “manual setup”, enter the secret key in KeePass’s TOTP field.
    • Then KeePass generates the 6-digit code when you open the entry.
Important:
Avoid SMS for 2FA codes when you can. SMS is a fallback only, not the main layer.
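
Added example (not from the original page): the QR code scanned into Aegis and the "manual setup" key typed into KeePass carry the same secret, and the 6-digit code is computed from that secret and the clock alone, so whoever holds the secret can produce the codes. The URI below is a constructed sample using the RFC 6238 test secret; `parse_otpauth` and `totp` are names chosen for this sketch.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the RFC 6238 test secret, not a real account.
SAMPLE_URI = ("otpauth://totp/ExampleSite:test%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleSite")

def parse_otpauth(uri):
    """Extract the fields a 2FA setup QR code encodes."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),   # default: 6 digits
        "period": int(q.get("period", ["30"])[0]),  # default: 30 seconds
    }

def totp(secret_b32, at=None, period=30, digits=6):
    """RFC 6238 code (HMAC-SHA1) for a base32 secret at Unix time `at`."""
    s = secret_b32.replace(" ", "").upper()          # accept hand-typed form
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore base32 padding
    counter = int((time.time() if at is None else at) // period)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    cfg = parse_otpauth(SAMPLE_URI)
    # The same secret as it might be typed by hand during manual setup.
    typed = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
    now = time.time()
    print("from QR code :", totp(cfg["secret"], now, cfg["period"], cfg["digits"]))
    print("typed by hand:", totp(typed, now, cfg["period"], cfg["digits"]))
    print("valid for    :", cfg["period"] - int(now) % cfg["period"], "s")
```

Both lines print the same code, which is why the secret deserves the same care as a password wherever you store it.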

Maintenance: Simple Checklists

9.1 Weekly

  • Open KeePass on computer.
  • Open KeePass on phone.
  • Confirm they both open with the same master password.
  • Add any new accounts created that week (if you forgot, add them now).

9.2 Monthly

  • Plug in USB #1, copy new my-secrets.kdbx (overwrite old one).
  • Plug in USB #2, same copy.
  • Check TEST ACCOUNT entry exists in all 3 copies (PC + 2 USBs).
  • Check paper master-password envelopes still exist.

“Oh No!” Scenarios (Foolproof Branches)

Scenario A – You forget the master password

  • If both paper copies are gone → vault is lost forever. That’s by design.
  • If at least one paper exists:
    • Go read it.
    • Use it to open the vault.
    • Optionally, change master password and update both papers.

Scenario B – Computer dies / stolen

  • Vault is safe if the master password is strong.
  • Use your phone or one USB backup on a new computer:
    1. Install KeePassXC again.
    2. Copy my-secrets.kdbx from USB or phone to new computer.
    3. Open with master password.

Scenario C – Phone dies / stolen

  • Install KeePass again on new phone.
  • Move my-secrets.kdbx from computer or USB to the new phone.
  • Use the master password.

Scenario D – One USB lost

  • The other USB still has a backup.
  • Make a new third copy from computer and store it somewhere new if needed.

Simple “Heir / Trusted Person” Instructions (One Page)

Write one more paper with the title:

HOW TO OPEN MY SECRET BOX
  1. “There is a file called my-secrets.kdbx”
    • It is on:
      • [ ] My computer (location: __________)
      • [ ] USB #1 (location: __________)
      • [ ] USB #2 (location: __________)
  2. “There is a Master Password for this file”
    • It is written on:
      • [ ] Envelope MASTER PASSWORD COPY A (location: __________)
      • [ ] Envelope MASTER PASSWORD COPY B (location: __________)
  3. “To open the file, you must:”
    • Install KeePassXC (computer) or KeePassDX/KeePassium (phone).
    • Open my-secrets.kdbx.
    • Type the master password from the envelope.

Put this paper somewhere obvious: with your will, in a safe, etc.


ADVANCED — age & GPG

When you're ready for stronger armor and can handle 1–2 extra steps, add this.

12.1 Install GPG (identity & signatures)

  1. On your main computer, install GPG:
    • Windows: Gpg4win
    • macOS: GPG Suite or gpg via Homebrew
    • Linux: gpg via package manager (often preinstalled)
  2. Create one primary key:
    • Real name or pseudonym, simple email.
    • Strong passphrase (can be different from vault master password).
  3. Write in KeePass:
    • Entry: GPG MASTER KEY
    • Store:
      • Key fingerprint.
      • Where key is stored (path).
      • Passphrase.
Minimal use case:
Sign a text file KEY-OWNERSHIP.txt saying “This key belongs to me” so you tie identity to a key in a verifiable way.

12.2 Install age (simple file encryption)

  1. On your main computer, install age (via package manager, Homebrew, or binary).
  2. Run once to create a key:
    age-keygen -o age.key
  3. Store the path to age.key and any passphrase inside KeePass in an entry AGE KEY.

12.2.1 Encrypt your vault backups

Instead of copying my-secrets.kdbx directly to USB, do:

  1. On computer:
    age -r YOUR_AGE_PUBLIC_KEY -o my-secrets.kdbx.age my-secrets.kdbx
  2. Copy my-secrets.kdbx.age to USBs instead of the raw file.

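Now, if someone steals the USB, they see only encrypted data. They would need:

  • The age key, and
  • The KeePass master password

A restore needs the same two things, so age.key must exist somewhere other than the computer you are backing up.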
Test decryption at least once:
  • Copy my-secrets.kdbx.age to a test folder.
  • Decrypt with age to my-secrets-restored.kdbx.
  • Open that file in KeePass with the master password.
If this works once, you’re good.
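
Added example (not from the original page): a quick pre-check for the monthly copy check in 9.2 and for the restore test above. It confirms that each USB copy, or my-secrets-restored.kdbx, starts with the KDBX file signature and is byte-identical to the vault on the computer. The function names are this sketch's own; the two signature values are the KDBX format constants.

```python
import hashlib
import struct
from pathlib import Path

KDBX_SIG1 = 0x9AA2D903  # KeePass base signature (first 4 bytes, little-endian)
KDBX_SIG2 = 0xB54BFB67  # KDBX (KeePass 2.x) format signature (next 4 bytes)

def kdbx_version(path):
    """Return (major, minor) if the file starts with a KDBX header, else None."""
    with open(path, "rb") as fh:
        head = fh.read(12)
    if len(head) < 12:
        return None
    sig1, sig2, minor, major = struct.unpack("<IIHH", head)
    if (sig1, sig2) != (KDBX_SIG1, KDBX_SIG2):
        return None
    return major, minor

def sha256_of(path):
    """Hash the file in chunks so large vaults do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_copies(original, copies):
    """Map each copy path to 'ok', 'missing', 'not-kdbx' or 'differs'."""
    if kdbx_version(original) is None:
        raise ValueError(f"{original} is not a KDBX file")
    want = sha256_of(original)
    report = {}
    for copy in copies:
        p = Path(copy)
        if not p.is_file():
            report[str(copy)] = "missing"    # USB not mounted or file deleted
        elif kdbx_version(p) is None:
            report[str(copy)] = "not-kdbx"   # e.g. the .age file, or truncated
        elif sha256_of(p) != want:
            report[str(copy)] = "differs"    # stale or corrupted copy
        else:
            report[str(copy)] = "ok"
    return report

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        sys.exit("usage: check_copies.py ORIGINAL COPY [COPY ...]")
    for path, status in check_copies(sys.argv[1], sys.argv[2:]).items():
        print(f"{status:9} {path}")
```

An "ok" here only shows the copy is intact; opening it in KeePass with the master password and finding TEST ACCOUNT is still the real test.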

Final Checklist

If someone only wants the shortest “DO THESE THINGS” list:

  1. Make one strong sentence (master password) and write it on two papers.
  2. Install KeePassXC on your computer; make my-secrets.kdbx.
  3. Install KeePassDX (Android) or KeePassium (iPhone); open my-secrets.kdbx on phone.
  4. For every website:
    • Let KeePass generate passwords.
    • Store username + password in KeePass.
  5. Install Aegis (Android) and use it for 2FA codes (or KeePass TOTPs if on iPhone).
  6. Copy my-secrets.kdbx onto 2 USBs and hide them in two different places.
  7. Once a month, update both USBs with the latest my-secrets.kdbx.
  8. Once a month, test a restore from a USB onto KeePass on your computer.
If all 8 are true:
Your L0 layer is up and foolproof for normal failures (device loss, theft, forgetfulness), and you can start building higher layers on top.