All posts

Where the world's root keys live

7 min read
securitycold-storagethreshold-cryptography

The DNS Security Extensions root key, which signs the cryptographic chain of trust for the entire global Domain Name System, is protected by an arrangement that looks, from a distance, like an elaborate piece of theatre. A small group of cryptographic officers gathers four times a year at one of two secure facilities, in Los Angeles and in Culpeper, Virginia. They open a cage inside a ceremony room. Inside the cage is a safe. Inside the safe are smart cards in tamper-evident bags. Each smart card holds an encrypted backup of a piece of the root key. The ceremony is filmed. The doors are double-locked. Two physical keys are needed to open each safe-deposit box: one held by IANA, one held by the Crypto Officer for that box.

Behind the procedure is a real cryptographic property. The encrypted backup of the key signing key is reconstructed from a 5-of-7 threshold scheme. Seven Recovery Key Share Holders worldwide each hold a smart card, and any five of them are sufficient to restore the key under disaster recovery. Fewer than five reveal nothing.

The procedural detail is the easy thing to notice. The architectural choice underneath it is more important: there is no cloud storage in this picture. There is no password manager, no customer-support recovery flow, no vendor account, no network-connected machine. The most important key in the global DNS hierarchy is protected by physical objects, in physical locations, requiring physical presence to recover. The same pattern repeats wherever institutions take key custody seriously. Certificate authority root keys, HSM master keys, code signing keys, central bank reserve key material, machine-readable travel document root keys. They live on physical media, kept offline, distributed across facilities, with multi-person physical controls.

Why physical media earns the bottom of the stack

Every digital storage technology trades durability for convenience. The convenience layer breaks down on the time horizons that matter for foundational secrets. Pick almost any digital substrate and walk it forward thirty years.

  • Hard drives and SSDs. Consumer SSDs lose charge if left unpowered for more than a few years. Spinning disks have mechanical failure rates that compound with time. Either kind requires periodic refresh and migration to current hardware, which is a process that needs an active human in the loop, indefinitely, on a horizon that may exceed any individual's attention span.
  • Cloud accounts. Every account is a relationship with a vendor. Vendors change pricing, change ownership, change terms, suspend accounts on automated signals, shut down product lines. None of this is unusual; all of it is incompatible with a backup that needed to outlive any of these events.
  • Encrypted file containers. A VeraCrypt or LUKS container made today probably opens in 2055. Probably is not a strong enough guarantee for a recovery substrate. Format obsolescence, decryption tool availability, and operating-system compatibility all need to be tracked, and almost no individual tracks them.
  • Encrypted email and messaging. Anything that depends on reaching a specific server, a specific protocol version, or a specific identity provider is a backup whose recovery path can be cut at the network layer.

Paper, by comparison, is uninteresting. Acid-free archival paper, kept dry and dark, is rated in centuries. Laser toner is fused to the page; it does not fade in the way inkjet ink does. The encoding format is similarly uninteresting in the right way: a QR code is a published open standard (ISO/IEC 18004), and anyone can implement a decoder from the specification regardless of what tooling is available at the time. The format also carries Reed-Solomon error correction, so a code printed at the highest correction level remains readable with around 30% of its area damaged or obscured. As a convenient side effect, every smartphone made in the last decade can scan a QR code natively, without an app, without a network, and without any further infrastructure.

The institutional practice is consistent with all of this. ICANN, certificate authorities, HSM vendors, central banks, and passport-issuing authorities all converge on the same architectural pattern for keys that genuinely matter. Encode the key into a physical token, distribute the tokens, keep them offline, require multi-person physical access for recovery. The choice of token varies across smart cards, paper, and microSD cards in tamper-evident bags. The choice of substrate is always physical, always offline, always distributed.

What this means for an individual

Few individuals will ever organise a quarterly ceremony with seven officers across two secure facilities. The architectural pattern still works at smaller scale. Three properties of paper carry over directly from the institutional practice.

  1. It does not depend on a vendor. A printed QR code does not have an account. It cannot be suspended. It cannot have its terms changed. It is yours regardless of what happens to any company.
  2. It does not depend on a network. Recovery requires no identity provider, no working email, and no functioning second device.
  3. It is durable in the dumb-but-reliable sense. Stored in a fireproof safe or a safe-deposit box, archival paper is rated for a century. Stored in an envelope at the back of a drawer, it is rated for as long as the drawer survives. Either is longer than any consumer digital storage of the same vintage.

For daily use, paper is far less convenient than a password manager. It is not the layer you reach for to log into Netflix. It is the layer underneath, whose job is to make sure the layers above it can fail without the chain unrecoverably breaking.

Compared to what?

The honest question is whether an individual has a better option than paper for the same job. Run through the candidates.

USB drives and SSDs lose charge within a few years if left unpowered. They require periodic refresh, and the connector standard in use today is unlikely to be the standard in thirty years.

Encrypted file containers (VeraCrypt, LUKS, age-encrypted files) depend on the decryption tool, the file format, and operating-system compatibility all surviving the time horizon. Most digital file formats do not last that long without active maintenance.

Archival optical media like M-DISC outperform magnetic storage but cost meaningfully more per copy, and the optical drives required to read them are already disappearing from consumer hardware.

Smart cards and HSMs are robust but designed for institutional use. They require proprietary readers, vendor relationships, and operational infrastructure that an individual is unlikely to maintain.

Engraved metal plates are durable but expensive per copy, and their data capacity is too small to hold a meaningfully sized encrypted vault. They are commonly used for seed phrases and not much else.

Memorisation is not a backup. It is a single point of failure.

Against this landscape, paper holds up well on the axes that matter at the scale of an individual:

  • Cost of copies. A QR code costs pennies to print, and arbitrarily many copies can be made without any loss of fidelity. The economics of redundancy scale far better than for any digital substrate, and orders of magnitude better than for smart cards, HSMs, optical discs, or metal plates.
  • Format readability. A QR code is a published open standard. A decoder can be implemented from the specification regardless of what tooling exists at the time, which is not a property any proprietary digital format can match.
  • Failure-mode parity. Fire, water, and theft destroy paper. They also destroy USB drives, HSMs, and the contents of safe-deposit boxes. The defence against those failures is not a more durable substrate. It is distribution across uncorrelated locations, plus a threshold scheme that absorbs the loss of any single share. The substrate question and the resilience question are independent.

The world's most consequential keys live on physical objects in safes because nothing else has been found that does the job better. At the scale of an individual, the same answer, in simpler form, is encrypted paper secured by threshold cryptography. There is no better option.