Larauna · Managed automation & care
Advanced · optional safety net

Break-Glass Recovery
Your backup key's last-resort safety net

You already keep two everyday copies of your backup key. Break-glass is the emergency layer behind them: a copy locked with a passphrase only you know — so even if both everyday copies are ever lost, you can still recover. Here's how to set it up and use it.

Prepared for    Set up by    Date   

What break-glass is

It's a small file — your escrow file — that holds your backup key locked behind a passphrase you memorise. On its own the file is useless; with your passphrase it hands the key back. That means the file is safe to keep anywhere, and the only thing you truly have to protect is a phrase in your head.

Passphrase (in your head) + Escrow file (store anywhere) = Your key, back again

When would you reach for it? Only on a bad day: you've lost the password-manager copy and the offline copy from your setup guide. Break-glass is the pane you break when the everyday copies are gone.

1 Create your escrow file · Administrator sets up · You pick the passphrase

Your Larauna administrator runs one command on the machine that holds your key. It asks for a passphrase twice; you type it (the administrator doesn't need to see it). Choose a long, memorable phrase.

$ node key-escrow.js wrap --out larauna-key-escrow.json
Passphrase: ••••••••••••••••••••
Confirm : ••••••••••••••••••••
✓ escrow written: larauna-key-escrow.json

That produces one small file, larauna-key-escrow.json. Nothing secret is shown on screen; the passphrase is never stored.

2 Keep the escrow file · Your copy

Because the file is locked by your passphrase, it's safe to keep almost anywhere — pick a place you won't lose:

  • Your cloud storage (Google Drive, iCloud, Dropbox) — even a shared drive is fine.
  • Email it to yourself, or keep it in your notes.
  • Print it and file it. (It's just text — it can be re-typed.)
The escrow file alone can't unlock anything, so you don't have to hide it — you just have to be able to find it.

3 Memorise your passphrase · The one thing to protect

This is the whole point — and the one thing you must not lose. A good passphrase is long but memorable: a short sentence you'll always recall, e.g. "my first car was a blue corolla 1998". Longer beats complicated.

Do

  • Use a long phrase only you would know.
  • Keep it in your head — or, at most, in your password manager as a separate entry.
  • Optionally, share it with one deeply trusted person as a fallback.

Don't

  • Write the passphrase on or next to the escrow file — that defeats it entirely.
  • Use something guessable (a birthday, "password123").
  • Assume you'll remember a random one — make it memorable.

4 Test it once, now

Prove your passphrase works while it's fresh. This checks the passphrase without revealing the key:

$ node key-escrow.js verify --in larauna-key-escrow.json
Passphrase: ••••••••••••••••••••
✓ passphrase is correct and the escrow is valid

If you ever need it — recovering

On the bad day — both everyday copies gone — this brings your key back. Find your escrow file, then:

$ node key-escrow.js recover --in larauna-key-escrow.json
Passphrase: ••••••••••••••••••••
✓ recovered backup key: a3f8…7c1e

That's your key back. From there, a restore is the normal process — your Larauna administrator can take it from here.

The honest limit: there's still no back door. If you forget the passphrase and you've lost both everyday copies, nothing can recover the key — not even us. That's exactly why the passphrase must be one you'll never forget.
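
How a passphrase-locked escrow file of this kind can work, as an added example: this is not Larauna's key-escrow.js, and the scrypt and AES-256-GCM choices, the JSON field names and the function bodies are assumptions. It mirrors the wrap, verify and recover commands above, including the failure on a wrong passphrase or an altered file.

```javascript
// Added example: NOT Larauna's key-escrow.js. The KDF, cipher and JSON field
// names below are assumptions chosen for illustration.
const crypto = require('node:crypto');

const KDF = { N: 2 ** 15, r: 8, p: 1 };   // scrypt cost, about 32 MiB per guess
const MAXMEM = 256 * 1024 * 1024;         // Node's 32 MiB default is too low for N = 2^15
const b64 = (s) => Buffer.from(s, 'base64');

function deriveKek(passphrase, salt, { N, r, p }) {
  // NFKC so the same phrase typed on another keyboard or OS derives the same key.
  return crypto.scryptSync(passphrase.normalize('NFKC'), salt, 32, { N, r, p, maxmem: MAXMEM });
}

// wrap: encrypt the backup key under a key derived from the passphrase.
// Only salt, IV, ciphertext and tag are written; the passphrase is not stored.
function wrap(backupKey, passphrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKek(passphrase, salt, KDF), iv);
  const ct = Buffer.concat([cipher.update(backupKey), cipher.final()]);
  return JSON.stringify({
    v: 1, kdf: 'scrypt', ...KDF,
    salt: salt.toString('base64'), iv: iv.toString('base64'),
    ct: ct.toString('base64'), tag: cipher.getAuthTag().toString('base64'),
  });
}

// recover: return the key, or throw if the passphrase is wrong or the file was altered.
function recover(escrowJson, passphrase) {
  const e = JSON.parse(escrowJson);
  if (e.v !== 1 || e.kdf !== 'scrypt') throw new Error('unsupported escrow format');
  // The file is untrusted input: bound the cost parameters before running the KDF.
  if (!(e.N <= 2 ** 17 && e.r === 8 && e.p === 1)) {
    throw new Error('KDF parameters out of range');
  }
  const kek = deriveKek(passphrase, b64(e.salt), e);
  const decipher = crypto.createDecipheriv('aes-256-gcm', kek, b64(e.iv));
  decipher.setAuthTag(b64(e.tag));
  // final() throws when the GCM tag does not match, so there is no partial success.
  return Buffer.concat([decipher.update(b64(e.ct)), decipher.final()]);
}

// verify: same check as recover, but the key is wiped and never returned.
function verify(escrowJson, passphrase) {
  try { recover(escrowJson, passphrase).fill(0); return true; } catch { return false; }
}
```

Because the escrow file may sit on shared storage, anyone holding it can test passphrase guesses offline at the cost of one scrypt run each, so the length of the phrase is what protects the key.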