public
/
disaster-recovery-website
6
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

many updates

This commit is contained in:
Anton Livaja 2024-09-05 12:59:32 -04:00
parent ee1da77356
commit 8d80909c0d
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
6 changed files with 323 additions and 92 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
_config.yml
View File

@ -29,6 +29,9 @@ header_pages:
- index.md
- about.md
- pricing.md
- recovery_policy.md
- data_storage.md
- q&a.md
- contact.md
style: dark # dark (default), light or hacker

227
_layouts/landing.html
View File

@ -3,106 +3,165 @@
{%- include head.html -%}
<body>
<div class="container">
<div class="container">
{%- include header.html -%}
{%- include header.html -%}
<main>
<section class="flex-container">
<div class="flex-container-inner">
<h1>Distrust Key Escrow</h1>
<p>The only fully open source, technology agnostic key escrow service.</p>
<a href="/contact.html" class="action-button">Documentation</a>
<a href="/contact.html" class="action-button">Join Waitlist</a>
<br />
</div>
</section>
<main>
<section class="flex-container">
<div class="flex-container-inner">
<h1>Distrust Disaster Recovery</h1>
<p>
The only fully open source, technology agnostic disaster
recovery and key escrow service.
</p>
<a href="https://docs.distrust.co/qkm" class="action-button">Documentation</a>
<a href="/contact.html" class="action-button">Join Waitlist</a>
<br />
</div>
</section>
<br />
<section class="flex-container">
<div class="flex-container-inner">
<style>
.cta-well {
background: white;
border-radius: 20px;
}
.cta-well > p {
color: blue;
}
</style>
<div class="cta-well">
<!--TODO: put this in a white well with blue text to draw attention to it, border radius 15px-->
<h1>Quick Start</h1>
<p>If you are ready to protect your data, you can use the <a href="dke.distrust.co/wizard">wizard</a> which will walk you through the process.</p>
</div>
</div>
</section>
<br />
<br />
<section class="flex-container">
<div class="flex-container-inner">
<h1>Quick Start</h1>
<div class="cta-well">
<p>
If you are ready to protect your data, you can use
the Wizard which will walk you through the process.
</p>
<a href="/contact.html" class="action-button">Quick Start</a>
</div>
</div>
</section>
<section class="flex-container">
<div class="flex-container-inner">
<h1 style="text-align: center">How it Works</h1>
<br />
<h2>Backup</h2>
<h3>1. Generate a recovery key</h3>
<p>Any kind of key may be used, but recommendations for the type of key to use and how to manage its lifecycle can be found <a href="todo">here</a></p>
<section class="flex-container">
<div class="flex-container-inner">
<h1 style="text-align: center">How it Works</h1>
<p>
Distrust used the <a href="https://docs.distrust.co/qkm/">
Quorum Key Management</a> specification to generate
entropy offline and used it to derive a
<a href="/public_key">PGP key</a> which anyone can
encrypt to.
</p>
<h3>2. Define recovery rules.</h3>
<p>The standardized Distrust Key Escrow policy can be used to set rules for conditions under which the key can reclaimed.</p>
<p>
The only way to reconstruct the private key which is
used to decrypt is by bringing together multiple shard
holders who are in separate geographical locations.
</p>
<h3>3. Encrypt data and back it up.</h3>
<p>The client is responsible for redundantly backing up data. This is to ensure that Distrust Key Escrow has no way to access the data.</p>
</div>
</section>
<p>
Distrust Disaster Recovery will always verify the
<a href="/recovery-rules">recovery rules</a> before
decrypting any client data.
</p>
<section class="flex-container">
<div class="flex-container-inner">
<h1>Recovery</h1>
<p>
Clients may choose to generate their own encryption key,
encrypt data, then encrypt that key to the
<a href="/public-key">Distrust Disaster Recovery Public
Key</a>. In this way the data is never exposed to
anyone, but can be protected using a form of
"crypto-shredding".
</p>
</div>
</section>
<h3>1. Lose access to your data (oops...)</h3>
<p>Data loss, even with great controls sometimes isn't fully prevented.</p>
<section class="flex-container">
<div class="flex-container-inner">
<h1 style="text-align: center">Security</h1>
<p>
Distrust Disaster recovery focuses on removing single points
of failure on all levels.
</p>
<h3>2. Submit verifiable recovery request.</h3>
<p>Submit a request to recover the data, which will be checked against the recovery rules.</p>
<h3>3. Your recovery key is returned.</h3>
<p>The key which is held in escrow by Distrust Key Escrow is re-encrypted to a key provided by the client and released from escrow. This is to ensure that we never have access to your data in plaintext, only the key that you used to encrypt it.</p>
</div>
</section>
<h3>Reproducible Builds</h3>
<p>
Being able to ensure that all of the software that's
used is deterministic is essential. Learn more about
why <a href="https://en.wikipedia.org/wiki/Reproducible_builds">here</a>
<!-- TODO: write our own doc about this -->
</p>
<section class="flex-container">
<div class="flex-container-inner">
<h1 style="text-align: center">Security</h1>
<h3>Reproducible Builds</h3>
<p>Being able to ensure that all of the software that's used for the QKM system is essential. Learn more about why <a href="todo">here</a></p>
<h3>Full Source Bootstrapped</h3>
<p>
Being able to verify the compiler by
<a href="https://en.wikipedia.org/wiki/Bootstrapping_(compilers)">
bootstrapping</a> it in order to ensure it is not
capable of injection malicious code at runtime is an
essential part of supply chain security - and often
ignored.
<!-- TODO: write our own doc about this -->
</p>
<h3>Full Source Bootstrapped</h3>
<p>Being able to verify the compiler by <a href="">bootstrapping</a> it in order to ensure it is not capable of injection malicious code at runtime is an essential part of supply chain security.</p>
<h3>Side Channel Attack Resistance</h3>
<p>
Attacks that are able to exfiltrate data via
non-standard channels is an important consideration
when handling sensitive cryptographic material.
Because of this, HSMs are leveraged.
</p>
<h3>Side Channel Attack Resistance</h3>
<p>Attacks that are able to exfiltrate data via non standard channels is an important consideration when handling sensitive cryptographic material.</p>
<h3>Cold Key Management</h3>
<p>
Ensuring that the lifecycle of cryptographic material is
handled in a fully air-gapped environment helps
drastically reduce surface area for attacks.
</p>
<h3>Cold Key Management</h3>
<p>Ensuring that the lifecycle of cryptographic material is handled in a fully air-gapped environment helps drastically reduce surface area for attacks.</p>
<h3>Multi Party Access Control</h3>
<p>
Because eliminating single points of failure is an
effective way to reduce the likelihood of compromise
use of quorums where multiple individuals are required
to carry out actions is a core control mechanism for
Distrust Disaster Recovery.
</p>
</div>
</section>
<h3>Multi Party Access Control</h3>
<p>Because eliminating single points of failure is an effective way to reduce the likelihood of compromise is a core control mechanism for DKM.</p>
</div>
</section>
<section class="flex-container">
<div class="flex-container-inner">
<h1 style="text-align: center">The Approach</h1>
<p>
Distrust Key Escrow has been designed with the utmost
care to eliminate single points of failure to ensure
that your backups are inaccessible by any single
individual, under any circumstances.
</p>
<p>
This may seem like a big claim, but all our processes
and software are fully open source - so yo can verify
for yourself. If you still don't trust us, that's okay,
you can use our blueprint to set up the system yourself
- and we invite you to do so. You can find the
documentation on how QKM works
<a href="https://docs.distrust.co/qkm">here</a></p>
<section class="flex-container">
<div class="flex-container-inner">
<h1 style="text-align: center">The Approach</h1>
<p>Distrust Key Escrow has been designed with the utmost care to eliminate single points of failure to ensure that your backups are inaccessible by any single individual, under any circumstances.</p>
<p>This may seem like a big claim, but all our processes and software are fully open source - so you can verify for yourself. If you still don't trust us, that's okay, you can use our blueprint to set up the QKM system youself - and we invite you to do so. You can find the documentation on how QKM works <a href="https://docs.distrust.co/qkm">here</a></p>
<p>Most, if not all current commercial backup/disaster recovery systems have many single points of failure and sell a service which is simply not suited for many contexts - especially for backing up digital asset wallets. The lack of transparency on how their systems work means that you as the end user can't verify whether their approach to security matches your desired threat model, and you are left with blind trust, rather with transparency.</p>
</div>
</section>
</main>
{%- include footer.html -%}
</div>
<p>
Most, if not all current commercial backup/disaster
recovery systems have many single points of failure and
sell a service which is simply not suited for many
contexts - especially for backing up digital asset
wallets. The lack of transparency on how their systems
work means that the end user can't verify whether their
approach to security matches your desired threat model,
and security properties, and what remains is blind trust,
rather with transparency.
</p>
<p>
We invite you to question any part of our system.
</p>
</div>
</section>
</main>
{%- include footer.html -%}
</div>
</body>
</html>
</html>

19
_layouts/pricing.html
View File

@ -13,14 +13,17 @@
<section class="flex-container">
<div class="flex-container-inner">
<h1>Pricing</h1>
<p>USD $10,000/yr base subscription</p>
<p>USD $25,000 for a recovery ceremony within 72h</p>
<p>USD $50,000 for a recovery ceremony within 48h</p>
<p>USD $100,000 for a recovery ceremony within 24h</p>
<p>Ceremony recoveries are only performed in person, in a secure location, with the client present.</p>
<p>Storage of the encrypted data is always the responsibility of the client. Refer to <a href="todo">this</a> document to learn more.</p>
<p>The encrypted data is not available to Distrust except for during the ceremony.</p>
<p>
We use simple pricing. There is no setup fee. Our flat
fee is USD $10,000/yr which includes up to 10mb of
storage. All paying customers additionally get
discounted expedited recoveries.
</p>
<p>
Expedited recoveries start at $30,000, and depend on the
complexity of the Recovery Rules the client uses. You
may contact `sales at distrust.co` for more details.
</p>
</div>
</section>

44
data_storage.md Normal file
View File

@ -0,0 +1,44 @@
---
title: Data Storage
layout: default
permalink: /data-storage.html
---
# Data Storage
As a disaster recovery service, Distrust offers several different options for
different threat models. An inconvenient truth that the current solutions in the
market don't share with you is that they have the ability to access your data in
plaintext. Additionally, they do not use geographical separation for their
decryption key, exposing your data to single points of failure. Our system is
fully transparent and we have nothing to hide about any aspect of how it works
as it's cryptographically sound.
## Trust Based
In this setup, Distrust is responsible for backing up your encrypted data, and
being able to recover it on your behalf upon request. This does mean that
Distrust has the ability to access your data without your approval. In order to
do this, Distrust would have to gather key material from several different
geographical locations and re-assemble it before being able to decrypt your
data, adding a highly resilient protection mechanism. Additionally, Distrust is
not motivated to break client trust as our entire careers are built on
protecting people's freedom, security and privacy.
## Distrust Based
In this setup, the encrypted data is never shared with Distrust, and it remains
redundantly backed up to several online data storage services as well as offline
storage. Because Distrust does not hold your encrypted data, there is no way for
the data to be decrypted without your interaction. This offers a more risk
averse approach.
## Custom
If you would like, you can work with a third party of your choosing or one of
our partners, to have your encrypted data backed up with them, while we protect
the encryption key for it. This way you achieve a threat model where instead of
trusting Distrust only, you select a third party which removes single points of
failure.
If there is a different threat model you are interested in, feel free to reach
out at sales@distrust.co

60
q&a.md Normal file
View File

@ -0,0 +1,60 @@
---
title: Q&A
layout: default
permalink: /q&a.html
---
# Q&A
#### How does the Distrust Disaster Recovery system work?
The Distrust Disaster Recovery system is based on
[Quorum Key Management (QKM)](https://docs.distrust.co/qkm), a highly
opinionated framework for managing cryptographic material securely in offline,
hardened environments. One of the core tenants of QKM is that the cryptographic
material is sharded (split up), and distributed in different geographical
locations, so that it takes the cooperation of multiple individuals from
different regions in order to reconstruct the key which allows for decryption.
#### Where is the data stored?
You may choose to have Distrust Disaster Recovery redundantly store your
encrypted data, but this means that Distrust Disaster Recovery staff would be
able to decrypt your data, although it would require a quorum of
[Shard Bearers](#what-are-shard-bearers) to assemble physically as all
cryptographic material is stored fully offline. This is very much unlike the
current market offerings which store both your encrypted data, and the keys used
to decrypt it in online environments, with questionable security, and certainly
no transparency into how they actually manage your data. With Distrust, the key
for decryption and any decryption is always performed in fully air-gapped
environments, and is the reason that recovery is slower - but far more secure.
Alternatively, you may opt to generate an encryption key, encrypt your data
using this key, then encrypt that key using the Distrust Disaster Recovery
public key. You could then destroy the key you used for encrypting your data,
effectively creating a setup where the only way to decrypt the data is to
recover the encryption key via DDR. In this setup DDR has no way to decrypt your
data in plaintext, but you are responsible for encrypted data backups.
You can learn more about data storage [here](/data-storage.html)
#### What are "Shard Bearers"?
Shard Bearers are Distrust Disaster Recovery employees who are responsible for
managing a shard which is used to reconstruct the private key which can
decrypt client data. At least 2 shard bearers are required in order to perform
this task, and the shards are stored offline, and never exposed to any
environments other than specifically tailored air-gapped environments according
to [Quroum Key Management](https://docs.distrust.co/qkm) specification.
#### What quorum threshold does DDR use?
2 of 3 threshold is used, with [Shard Bearers](#what-are-shard-bearers) located
in 2 states in the USA, and in Canada.
#### Can Distrust Disaster Recovery be used instead of Coincover or Keyternal?
Yes, it can, although the speed of recovery is slower, the security guarantees
far surpass those currently available in the market. Additionally, Distrust
Disaster Recovery is the first offering of its kind that allows encryption of
*any* data as opposed to only blockchain wallet data.

62
recovery_policy.md Normal file
View File

@ -0,0 +1,62 @@
---
title: Recovery
layout: default
permalink: /recovery.html
---
# Recovery
Distrust performs recovery ceremonies 4 times a year, and paying customers can
be part of these recovery ceremonies for free.
During the quarterly ceremony, Distrust will publish a signature of the latest
bitcoin block to prove control of the decryption keys.
If a client requires an expedited recovery, additional fees apply (available
on the pricing page (TODO)).
## Recovery Policy
The recovery policy is a document which is a set of rules or conditions under
which the recovery may be made. The different conditions can be sufficient on
their own, or a multitude of them has to be satisfied in order to constitute a
valid recovery request.
The main conditions of a Recovery Policy are:
* Time lock until year/month/day
* n of m cryptographic signatures (PGP)
* n of m KYC verifications
At least one of cryptographic signature or kyc verification is always required.
One may choose to require both.
If you are interested in different or custom rules, please reach out to use at
sales@distrust.co (TODO make sure we have this email set up / catchall).
## Time Lock
Time locks allow the user to set a date after which the recovery will be
possible. The data will not be recoverable until the day after the lock date.
## Cryptographic Signature Verification
This method supports PGP, BTC, and ETH cryptographic signatures. One may
register as many as 32 public keys, and set how many of those keys are required
for a valid recovery request, for example, 3 of 7.
## KYC Verification
KYC Verification is based on verifying both the individuals identity and their
intent to recover data.
- The data is gathered at the beginning of the relationship. The [Distrust Disaster Recovery Wizard](todo) can be used. Distrust will verify your data once it's submitted.
- The identity of authorized individuals is verified in person by Distrust staff
or legal council representatives. They will verify the individual in person
using visual verification, ID documentation, and record a video of the
individual's intent to recover.
- The KYC verification is threshold based, so one may list any number of
individuals, and require any number of individuals to express intent to recover.
For example, the total number of individuals may be 7, and 3 of them are
required to initialize the recovery process.