How to Use DiceKeys as a Root of Trust

A few years ago there was a crowd funding campaign on CrowdSupply¹ for an interesting project called DiceKeys. The concept was that with 25 specially labeled/numbered die you could create an offline secret value with 192-bits of entropy.

Using this entropy and a special app you could scan a dice roll into your phone or computer and use it to generate other secrets and passwords based on a very random value.

I thought, even if I didn’t specifically need it, it was worth funding because this would be the kind of thing that makes encryption and strong passwords much more secure for a regular person.

Their main flaw is:

1. If you lose your dice key, and didn’t back it up to the provided sticker sheet, you lose your root encryption key and then lose access to all your accounts.
2. If someone were to find your dice key and take a photo then with some work they could use it to generate all your passwords and gain access to your accounts.

That said:

• It is still way better than writing the actual passwords down on paper
• You can store a copy of the DiceKey set on the app in your phone or computer
• Regenerating the password without the name you used + which sequence still provides some minor security
• It requires no power and no trust in complex Pseudo-random generators. It’s just random dice.

Building on Dice Keys Link to heading

I have secrets, recovery codes, and etc all over the place. Even the things which would make it easy to protect them² all suffer from “What do you use to recover them? You need some secure password behind them” question.

So I have been figuring out the best way for me to use DiceKeys to simplify my life and act as a “root of trust” for these other things.

Assumed Risks Link to heading

When trying to figure out the best way to use my DiceKeys I’ve taken on some risks which I pessimistically assume will be true at some point while I am using the DiceKeys:

1. Despite trying, I’ll fail to make sure I am the only person with the ability to see my DiceKeys and possibly take a photo for later
2. Quantum Computing becomes a practical reality in 5 years
3. My YubiKey, DiceKey, and phone will be
   • Destroyed (wear+tear or accident); unrecoverable
   • Lost (assumed stolen)
   • Stolen by a capable actor
4. I will be searched and have copies taken of secrets I have on my person
5. My personal spaces will be searched

The Life of “Max” Link to heading

Trying to figure out all the ways I could be compromised I’ve made up a hypothetical young kid in school with a horrible life to simulate a practical worst-case scenario for this system to stand up against.

Max is a kid who is in middle school and goes to a special school that teaches kids about cyber security. He lives with his parents who do not trust him and try to invade his privacy at every chance they get. As security professionals they’re very capable of this (and also lack a lot of ethics…). They have given him a phone, but require him to tell them his pass code as well as let them be able to recover his phone.

The neighborhood he lives in has a lot of crime and walking/biking to or from school could get him mugged as well as whenever he’s going to places to hangout with friends like the Mall or to get some Pizza together.

His school teachers and administrators are also extremely out to get Max. They have the ability and authority to search his possessions at any time and force him to unlock his phone.

In short, Max has zero privacy and daily advanced + persistent threats.

Shopping List Link to heading

Here is a shopping list of we need. I’ve kept it purposefully spartan to minimize the cost for “Max”, but honestly I’d recommend a 2nd DiceKey and YubiKey 5C NFC ($60) if you can afford it.

• (1) DiceKey [$25] + an Extra Sticker Sheet [$6] -> $31
• (1) USB Stick >=8GB -> $10

The Plan Link to heading

Here is a summary of the plan:

1. Roll the dice. This is our “Main Key”.
2. Open the DiceKeys App on your phone and scan it in. Follow the steps to back it up to a sticker sheet.
3. Dump the dice and roll the dice again. This is our “Root Key”
4. Scan this dice roll into your phone. Follow the steps to back it up to the extra sticker sheet.
5. Completely shave off the clips from the top of the DiceKeys Case (entirely; don’t even leave a bump. Use a sharp knife and shave it down completely flat).
6. Lock the DiceKeys case
7. Create a KeePassXC vault and use the “Main Key” to generate a password for it on your phone.
8. Take a photo of the 2nd DiceKey roll; Be sure to not sync this to any photo sync service
9. Add the photo to the Root KeePassXC Vault.
   • Verify using the app that you put the Dice in correctly before closing in-case you didn’t shave the clips down enough.
10. Generate passwords using the 2nd DiceKey on your phone and write them down in the root vault
    • Apple iCloud
    • Google
    • etc.

We’re using one roll of the DiceKeys only for securing a root KeePass vault where we’re going to store backups of all our most important secrets and recovery information. This won’t be a vault we access very often and should be kept as offline as possible (e.g. an Encrypted USB Stick).

The 2nd DiceKeys roll we’re using to securely generate a root secret value for creating the passwords of our accounts, but not keeping it around so we don’t have to worry about someone getting access to our accounts by simply seeing our DiceKey.

Benefits of this plan:

1. We get real random entropy of the DiceKeys to generate secret values
2. As long as the DiceKeys rolls themselves are still secure; we can keep generating new values and rotating the keys
3. We have a physical DiceKey that doesn’t rely on electricity or our memory to let us recover our Root KeePass vault
   • If we’re incapacitated our instructions to our family members could help them gain proper access to all our things
   • If we’re being asked how to get access to things we can say we do not know the secret values
   • The secret will not degrade with time because we haven’t plugged it in
4. Our KeePass vault can be easily and properly backed up and the secret protecting it could be Shamir-Secret-Sharded to ensure we could recover access if our DiceKey was lost or destroyed.
5. Our 2nd DiceKeys roll acts as a completely separate source of entropy so we can limit the amount that would be at risk if either DiceKeys were compromised.

Securing our Life with DiceKeys Link to heading

Now that we’ve reviewed the plan time to set things up

Gather all the things we’ll need:

• An iPhone or Android device with the DiceKeys app
  • Put it in Air Plane mode and make sure Wifi/Bluetooth are disabled
  • We don’t want any automatic syncing or cross device traffic while we do this.
• A laptop
  • KeePassXC installed
  • VeraCrypt installed
• A USB Stick
• Your DiceKeys + Sticker Sheets

Setting up our Root Vault Link to heading

1. Download and install KeePassXC
2. Download and install the DiceKey App on your iPhone or Android
3. Turn on Air Plane mode and disable Wifi/Bluetooth if they’re still enabled. Then turn off your phone entirely.
4. Shave the clips off the top part of the DiceKeys case. Make sure to shave it down completely flat otherwise it’ll be extremely difficult to open again without damaging the case.
5. Toss the dice in the carrying bag and roll the dice into the DiceKey; This is our Main Key.
   • This is what we’re going to use to generate passwords for our most important accounts
6. Turn your phone back on (You did turn it off, right?)
7. Scan the key into the DiceKeys app and follow the steps to back it up to one of the two Sticker Sheets.
8. Label the sheet as “Main Key”
9. Dump the dice back into the bag
10. Roll dice into the DiceKey; This is our Root Key
    • Do not use this to generate normal passwords. Only for the Root KeePass vault and VeraCrypt container for storing secret/recovery files or USB Sticks
    • If it was ever compromised the ability to change the password of the root vault without needing to redo all your accounts at once is important. It gives you time to rotate those passwords instead of being instantly pwned.
11. Scan the dice with your phone and follow the steps to back it up to a sticker sheet.
12. Label the sheet as “Root Key”
13. Lock-in the DiceKeys case
14. Using the “Root Key”, generate a custom password on the DiceKeys app with the purpose as "root keepassxc vault"
15. Create a new KeePassXC vault using that new password

Securing our Important Accounts Link to heading

Now we’ll go through and secure all our most important accounts starting with whatever main account we use for our phone and whatever service we use as a password manager.

In my case that is Apple and 1Password. But for you it could be Google and BitWarden.

Security Checklist Link to heading

Now that we’ve completed these steps here is a checklist of things you need to do or check.

• I have saved my KeePass Root Vault in a safe/encrypted place
• I have not shown the layout of any of my DiceKeys to someone else
• I made sure I can unlock my KeePass Root Vault using my root Dice Key
• I wiped all the DiceKeys rolls from my phone or computer
• I took a photo of my Main Key and stored it in KeePassXC
• I have a physically secure place to store the DiceKeys
  • My DiceKey is physically secured in this place.
• I have stored the Sticker Sheet backups in a secure place
• I have saved account recovery information for my phone’s main account
• I have saved account recovery information for my password manager
• I have saved the recovery key for my main computer’s encrypted hard drive

Next Steps Link to heading

Now that we have a well secured Root Vault to store recovery information in we can start using things like YubiKeys with HMAC Secrets to do Challenge Response authentication, generate and store PGP Private Keys, and generating SSH keys to use with age³.

We can also generate passwords for other KeePass vaults that can unlock and mount VeraCrypt volumes and more. One place you can use these is for storing a CA key for your personal infrastructure.

The DiceKeys project also has special FIDO Security Keys which can be seeded by a DiceKey allowing you to recover a lost FIDO security key by simply buying a new one.

I’m also going to be using this for things like properly securing the Root password of my Precursor that enables flashing new firmware and the configuration options to unlock my most important PDDB layers.