Honestly thinking about doing that, I use Google Chrome and Microsoft Edge and I can't keep the passwords in both browsers synced.
How do you keep the text file up to date on your devices?
I keep my main FIDO2 security key on my keychain and leave it plugged into top workstation so when I go out I take it with me and have that.
Backup FIDO2 security key is my Trezor Model T which can also be restored via 2-of-3 seed phrase backups + set FIDO2 counter to Unix time.
I have a backup system for my most critical files (GrapheneOS signing keys, documents including passwords, etc.) which get automatically backed up as an age-encrypted file with diceware passphrase. Have that backed up to my main phone, backup phone, 2nd workstation and elsewhere.
My laptop and phone have sftp-only access to a directory with shared data and it's used as a crude pull-based sync system instead of pushing changes to them immediately. If I really needed something sooner I'd just trigger it earlier or send it to myself via an E2EE Matrix chat.
I don't consider service passwords particularly sensitive and it's just a plain text file encrypted via disk encryption on each device. I have a single strong diceware passphrase remembered and used to encrypt SSH keys, GrapheneOS signing keys and the minimal backup tarball.
Main workstation syncs a bunch of data to older workstation which it controls with SSH. I wouldn't lose anything if either died. If both died, I can fairly easily set up a fresh workstation from minimal backup tarball combined with non-sensitive data from GitHub repositories.
I know that because I set up my new workstation that way and then a couple months later wiped and set up my old workstation from scratch the same way to make sure that I had everything covered. Gave up on making 2TB+ full backups instead of just automated backup of ~50M of data.
Having the new workstation sync to the legacy workstation is just a convenience thing. If it dies, it won't completely disrupt everything. If the entire building burns down and everything is lost then I'll make a new workstation via minimal backup tarball + GitHub repositories.
Can see how we do automated encrypted backups for attestation.app, discuss.grapheneos.org and matrix.grapheneos.org:
github.com/GrapheneOS/Att
github.com/GrapheneOS/dis
github.com/GrapheneOS/mat
Currently those only back up to 1 location but it'd be trivial to add more.
So, imagine the same thing but my workstation makes a similar backup-$timestamp.tar.zst.age locally, pushes to cloud archive and puts them in an sftp-accessible directory for laptop/phone. passwords.txt master copy is also in there directly. Laptop/phone pull that on schedule.
Main difference is that for the GrapheneOS servers, the backup encryption uses a public key and I have the private key on my workstations. For workstation backups, it's using a passphrase which I enter daily since it's the same one used for SSH keys and GrapheneOS signing keys.
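A sketch of the workflow described in the thread (a passphrase-encrypted `backup-$timestamp.tar.zst.age`, a pull side that picks the newest archive, and a restore used to test the backup), added here as an example and not taken from the author's or GrapheneOS's scripts. The function names are hypothetical, and it assumes `tar`, `zstd` and `age` are installed; the sftp transfer itself is left out.

```sh
#!/bin/sh
# Added example: hypothetical helper names; requires tar, zstd and age on PATH.

# Fixed-width UTC timestamp, so names sort chronologically as plain strings.
backup_name() {
    printf 'backup-%s.tar.zst.age\n' "$(date -u +%Y%m%dT%H%M%SZ)"
}

# make_backup SRC_DIR OUT_DIR: tar -> zstd -> age in passphrase mode.
# age -p prompts for the passphrase on the terminal.
make_backup() (
    # Fail if any pipeline stage fails, where the shell supports it.
    (set -o pipefail) 2>/dev/null && set -o pipefail
    umask 077
    out="$2/$(backup_name)"
    # Write under a .tmp name and rename at the end, so a device pulling
    # from OUT_DIR never picks up a half-written archive.
    tar -C "$1" -cf - . | zstd -q -c | age -p -o "$out.tmp" || {
        rm -f "$out.tmp"; exit 1
    }
    mv "$out.tmp" "$out" && printf '%s\n' "$out"
)

# latest_backup DIR: print the file name of the newest complete backup.
# Returns non-zero when DIR holds no finished archive.
latest_backup() (
    newest=
    for f in "$1"/backup-*.tar.zst.age; do
        [ -f "$f" ] && newest=$f
    done
    [ -n "$newest" ] && printf '%s\n' "${newest##*/}"
)

# restore_backup FILE DEST_DIR: decrypt and unpack, for restore drills.
restore_backup() (
    (set -o pipefail) 2>/dev/null && set -o pipefail
    umask 077
    mkdir -p "$2" && age -d "$1" | zstd -d -q -c | tar -C "$2" -xf -
)
```

Running `restore_backup` into a scratch directory on a second machine is the cheap version of the wipe-and-rebuild test mentioned earlier in the thread.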

