Safely Sharing Passkeys

Best practices for securely transmitting your Cryptovox passkeys to recipients.

The Importance of Passkey Security

Your passkey is the only key to unlock an encrypted Cryptovox message.

  • If Lost: The message becomes permanently unrecoverable. Cryptovox cannot help you retrieve lost passkeys.
  • If Compromised: Anyone with the passkey and the corresponding .cryptovox.json file can decrypt and listen to your message.

Treat your passkeys with the utmost care, similar to how you would treat physical keys to a safe.

Best Practices for Sharing Passkeys

1. Use a Secure Channel

The method you use to share the passkey should be as secure, or ideally more secure, than the information the passkey protects.

  • End-to-End Encrypted (E2EE) Messaging Apps: Signal, WhatsApp, Telegram (Secret Chats), Threema are good options. Ensure E2EE is active for the conversation.
  • Password Managers with Secure Sharing: Some password managers (e.g., Bitwarden Send, 1Password Secure Sharing) offer features to securely share sensitive text like passkeys, often with options for expiry and view limits.
  • In-Person Communication: Verbally telling the recipient or writing it down on a piece of paper that is then securely destroyed is highly secure for physical proximity.
  • PGP/GPG Encrypted Email: If both parties use PGP/GPG, this is a secure method for email.

2. Separate Passkey from File

Crucially, NEVER send the passkey in the same message, email, or package as the encrypted .cryptovox.json file.

Send them via different communication channels or at significantly different times. For example, email the file and share the passkey via an E2EE messaging app.

3. Consider One-Time or Limited-Use Passkeys

For highly sensitive messages, consider agreeing on a passkey that will be used for only that specific message or a small batch of messages. Afterward, switch to a new passkey. This minimizes the impact if an old passkey is ever compromised.

4. Create Strong, Unique Passkeys

While Cryptovox uses robust key derivation, a stronger base passkey is always better. Aim for length and a mix of character types. Avoid common words or easily guessable phrases. Using a password manager to generate these can be helpful.

5. Confirm Secure Receipt

Ensure the intended recipient has received the passkey and understands how to store it securely on their end.

What to Avoid When Sharing Passkeys
  • Unencrypted Email or SMS: These are generally not secure for sensitive information like passkeys.
  • Public Chat Platforms (without E2EE): Avoid platforms where messages might be stored unencrypted or be visible to others.
  • Writing Passkeys Down Insecurely: Don't leave passkeys on sticky notes, in unsecured documents, or anywhere they could be easily found.
  • Sharing via Public Wi-Fi (without a VPN): If sharing electronically, ensure your connection is secure.
  • Reusing Passkeys: Avoid reusing the same passkey for multiple highly sensitive Cryptovox messages if the threat model warrants it, and especially don't reuse passkeys from other online accounts.
  • Sending Passkey and File Together: (Reiterated for emphasis) This defeats the purpose of two-factor (knowledge of passkey + possession of file) security.
Communication is Key

Before sharing, discuss with your recipient the method you'll use to share the passkey and the file. Ensure they understand the importance of keeping the passkey secure on their end.