Backup strategy
What to back up, what NOT to back up, and how often.
What to back up
| Item | Frequency | Why |
|---|---|---|
| `<vault>.lbx` | Whenever contents change | The actual encrypted data |
| `<vault>.lbx.hdr` (if detached) | Once per keyslot change | Required to unlock |
| `<vault>.lbx.hybrid` (if hybrid-PQ) | Once per keyslot change | Sidecar with ML-KEM data |
| `<vault>.lbx.anchor` | Whenever vault is modified | Rollback-detection metadata |
| `.kyber` seed file (if hybrid-PQ) | At creation, then never modified | Required to derive PQ shared secret |
What NOT to back up to the same place
The fundamental rule: don't co-locate everything an attacker would need to brute-force the vault.
| Don't put together with the `.lbx` | Why |
|---|---|
| Your passphrase written down | Defeats the entire vault |
| The `.kyber` seed file | Defeats the PQ layer (becomes a passphrase-only vault to an attacker) |
| Your FIDO2 device | A device + a vault file gets the attacker past the second factor |
| The detached header | Defeats the "vault file is opaque" property of `--header` |
The point of `--header`, `.kyber`, and FIDO2 is that compromise of ONE storage location doesn't compromise the vault. Backing up everything to one S3 bucket undoes that.
Recommended setups
Personal vault (one user, one machine)
- `vault.lbx` lives wherever you use it
- `vault.lbx.anchor` next to it (regenerated by every operation)
- Backup of `vault.lbx` to a different drive / cloud (encrypted at rest by you, not by the cloud provider)
- Passphrase memorised + written on paper in a safe place (separate from the vault file itself)
- FIDO2 device on your keychain; backup FIDO2 device in a safe deposit box
High-value vault (financial, legal, archival)
- Detached header (`--header`)
- Vault file: any storage (the file is opaque without the header)
- Header file: USB stick + cloud-encrypted backup
- Hybrid-PQ keyslot `.kyber` seed: a SECOND USB stick, kept somewhere different
- Two FIDO2 devices enrolled (primary + safe-deposit backup)
- Backup passphrase, written on paper, in a third safe location
Team vault (multiple people, shared)
- Each team member enrolls their own FIDO2 keyslot
- One emergency-passphrase slot, custodian-held + sealed envelope
- Detached header on a TPM-protected file share
- Anchor + sidecars in the same place as the `.lbx`
- Document the recovery procedure where the team can find it (NOT in the vault!)
Restoring from backup
```bash
# Copy all the pieces back into place
cp /backups/vault.lbx ~/secure/
cp /usb-key/vault.lbx.hdr ~/secure/      # if detached
cp /backups/vault.lbx.anchor ~/secure/   # rollback metadata
cp /usb-key/vault.lbx.hybrid ~/secure/   # if hybrid-PQ
# .kyber stays on its separate trusted storage; reference it at unlock

# Verify it opens
luksbox open ~/secure/vault.lbx --header ~/secure/vault.lbx.hdr \
    --pq-hybrid /usb-key-2/vault.kyber
```
Things to test BEFORE you need them
Twice a year, do a recovery dry run:

- Restore from your backup to a scratch directory
- Unlock using your backup passphrase (NOT your daily one)
- Read a known file via `luksbox get`
- Compare bytes against the original
If this fails, the time to find out is during a calm Sunday afternoon, not at 2 AM during an actual incident.
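The co-location rule and the final dry-run step, as an added shell example that is not part of luksbox itself: `check_backup_set` flags a backup directory that is missing a required piece or that holds something which must live elsewhere, and `verify_restored` does the byte comparison against the original. The file names (`vault.lbx` and its sidecars, `vault.kyber` for the PQ seed, `passphrase.txt`) are assumptions for the example.

```bash
#!/bin/sh
# Added example, not part of luksbox. File names are assumptions:
# vault.lbx with its sidecars, vault.kyber for the PQ seed.

# check_backup_set DIR
# Confirms the pieces that belong together are present, and that nothing
# which must live elsewhere (PQ seed, detached header, written passphrase)
# has been copied next to the vault file. Returns 0 if OK, 1 otherwise.
check_backup_set() {
    dir=$1
    status=0
    # Pieces that always travel together with the encrypted data
    for required in vault.lbx vault.lbx.anchor; do
        [ -f "$dir/$required" ] || { echo "MISSING     $required" >&2; status=1; }
    done
    # Each of these defeats one layer of the vault if stored with the .lbx
    for forbidden in vault.kyber vault.lbx.hdr passphrase.txt; do
        [ -e "$dir/$forbidden" ] && { echo "CO-LOCATED  $forbidden" >&2; status=1; }
    done
    return $status
}

# verify_restored FILE_FROM_VAULT ORIGINAL
# Final step of the dry run: byte-for-byte comparison of a known file read
# back from the restored vault against the copy kept outside it.
verify_restored() {
    if cmp -s "$1" "$2"; then
        echo "OK          $1 matches original"
        return 0
    fi
    echo "MISMATCH    $1 differs from original" >&2
    return 1
}
```

Run `check_backup_set` against every backup location before you trust it, and `verify_restored` on the file produced by `luksbox get` during the dry run.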