Key Ownership Without Drama: A Practical Key Ceremony for Normal Teams
You do not need a clean room and hooded robes to generate a master key. You need a simple, repeatable process that removes the vendor from the loop.
The Origin of Trust
Who created the lock on your front door? You bought it. But who created the key?
In the digital world, if you sign up for a service and they say “We encrypted your data,” they created the key. They are the landlord. You are the tenant.
To become the owner, you must generate the Master Key. This is the root of all trust in your system. If the vendor generates it, they can copy it. If you generate it, they cannot.
We call this “The Key Ceremony.” It is not magic. It is a procedure.
The Risk: The Silent Copy.
When a key is generated on a server, it exists in the server’s memory for a split second. A malicious vendor, or a compromised vendor, can capture it in that second.
Furthermore, if a single employee knows the Master Key, that employee holds the life of the firm in their hands. They can be coerced. They can be bribed.
The Defense: The 20-Minute Ceremony.
We need a laptop that is offline, a pair of dice, and two envelopes.
Step 1: The Environment. Take a laptop. Disconnect the WiFi. Ideally, never connect it again. This is your “Air Gapped” machine.
Step 2: The Entropy. Do not ask a computer to pick a random number. Computers are deterministic. Ask the universe. Roll the dice. Flip a coin. Generate a string of characters that is truly chaotic. This is your “Seed.”
Step 3: The Split. We do not write the full key on one piece of paper. We use “Shamir’s Secret Sharing” or a simple split. Note that with a simple split each half reveals half of the seed, whereas with Shamir’s scheme a single share reveals nothing, so it is the stronger choice.
- Partner A writes down the first half of the phrase.
- Partner B writes down the second half.
Step 4: The Storage. Partner A puts their half in an envelope. They sign the seal. It goes into Safe A. Partner B does the same for Safe B.
Now, to restore the data or authorize a major change, both partners must be present. They must physically travel to the safes. They must agree to open the envelopes.
This creates a “Two-Person Rule.” It prevents the rogue insider. It prevents the remote hacker. It proves, mathematically, that the vendor cannot access your data, because the key literally does not exist in their universe. It exists on paper, in Bærum or Berlin, under your control.
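As an added worked example (not code from the original post), the following Python turns dice rolls into a seed and cuts it into Shamir shares; it generalizes the two-envelope split above to a 2-of-3 threshold, so any two envelopes rebuild the seed and one lost envelope is survivable. The field prime, the 2-of-3 parameters and the sample rolls are assumptions.

```python
import math

# 2^521 - 1 is a Mersenne prime; share arithmetic is done modulo it (assumed field).
PRIME = 2**521 - 1

def dice_to_int(rolls):
    """Encode six-sided dice rolls (1..6) as a base-6 integer.
    Returns (value, entropy_bits); each fair roll gives log2(6) ~ 2.58 bits."""
    value = 0
    for r in rolls:
        if r not in range(1, 7):
            raise ValueError(f"invalid die roll: {r}")
        value = value * 6 + (r - 1)
    return value, len(rolls) * math.log2(6)

def split_secret(secret, coefficients, share_count):
    """Shamir split: the secret is the constant term of a polynomial whose
    other coefficients the caller supplies (from dice, not the computer's RNG).
    Threshold k = len(coefficients) + 1; any k shares recover the secret."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret outside the field")
    shares = []
    for x in range(1, share_count + 1):
        y = secret
        for power, a in enumerate(coefficients, start=1):
            y = (y + a * pow(x, power, PRIME)) % PRIME
        shares.append((x, y))
    return shares

def recover_secret(shares):
    """Lagrange interpolation at x = 0 using exactly k shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def ceremony(seed_rolls, coeff_rolls, share_count=3):
    """Roll dice for the seed (about 100 rolls for 256 bits) and for one
    polynomial coefficient, then cut 2-of-share_count shares for the envelopes."""
    seed, bits = dice_to_int(seed_rolls)
    coeff, _ = dice_to_int(coeff_rolls)
    return seed, bits, split_secret(seed, [coeff % PRIME], share_count)

if __name__ == "__main__":  # constructed sample rolls, far too few for a real seed
    print(ceremony([1, 2, 3, 4, 5, 6], [2, 2]))
```

Write each share's `(x, y)` pair on its own envelope; the number of envelopes is `share_count`, and any two of them reconstruct the seed.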
Do this once. Sleep well forever.
FAQs
Can’t I just use a password manager?
For your daily login, yes. For the Root Key that encrypts the entire organization, no. That key must not touch the internet.
What happens if we lose the paper?
You lose the data. This terror is necessary. It forces you to treat the paper with the respect it deserves.
Why two people?
To prevent the “rogue actor” scenario. No single person should have the power to destroy or ransom the company.