homelab-optimized/docs/troubleshooting/offline-password-access.md
Sanitized mirror from private repository - 2026-04-05 11:58:57 UTC

# 🔐 Offline Password Access Guide
**🟡 Intermediate Guide**
This guide covers how to access your passwords and credentials when your Vaultwarden server is down, ensuring you can still recover your homelab during emergencies.
## 🎯 Why You Need Offline Access
### **Common Scenarios**
- 🔥 **Router failure** - Need router admin passwords to reconfigure
- 💾 **Storage failure** - Vaultwarden database is corrupted or inaccessible
- 🔌 **Power outage** - Services are down but you need to access them remotely
- 🌐 **Network issues** - Can't reach Vaultwarden server from current location
- 🖥️ **Host failure** - Atlantis (Vaultwarden host) is completely down
### **What You'll Need Access To**
- Router admin credentials
- Service admin passwords
- SSH keys and passphrases
- API keys and tokens
- Database passwords
- SSL certificate passphrases
---
## 🛡️ Multi-Layer Backup Strategy
### **Layer 1: Vaultwarden Client Offline Cache**
Most Vaultwarden clients cache passwords locally when you're logged in:
#### **Desktop Applications**
```bash
# Bitwarden Desktop (Windows)
%APPDATA%\Bitwarden\data.json
# Bitwarden Desktop (macOS)
~/Library/Application Support/Bitwarden/data.json
# Bitwarden Desktop (Linux)
~/.config/Bitwarden/data.json
```
**Access Cached Passwords:**
```bash
# 1. Open Bitwarden desktop app (must be previously logged in)
# 2. If offline, you can still view cached passwords
# 3. Search for the credentials you need
# 4. Copy passwords to temporary secure location
```
#### **Browser Extensions**
```bash
# Chrome/Edge
chrome://extensions/ → Bitwarden → Details → Extension options
# Firefox
about:addons → Bitwarden → Preferences
# Note: Browser extensions have limited offline access
# Desktop app is more reliable for offline use
```
#### **Mobile Apps**
```bash
# iOS/Android Bitwarden apps cache passwords
# 1. Open Bitwarden mobile app
# 2. Must have been logged in recently
# 3. Can view cached passwords even without internet
# 4. Use mobile hotspot to access homelab if needed
```
### **Layer 2: Encrypted Emergency Backup**
Create an encrypted backup of essential passwords:
#### **Create Emergency Password File**
```bash
# Create secure backup of critical passwords
umask 077 # new files and directories are accessible only by you
mkdir -p ~/homelab-recovery/passwords
cd ~/homelab-recovery/passwords
# Create emergency password list (plain text temporarily)
# The heredoc delimiter is quoted so that $, ` and \ in passwords are kept
# literally; the creation date is therefore written with printf instead.
{
printf '# EMERGENCY PASSWORD BACKUP\n# Created: %s\n' "$(date)"
cat << 'EOF'
#
# CRITICAL INFRASTRUCTURE
Router Admin: [router-admin-password]
Router WiFi: [wifi-password]
ISP Account: [isp-account-password]
# HOMELAB HOSTS
Atlantis SSH: [ssh-password-or-key-location]
Calypso SSH: [ssh-password-or-key-location]
Concord SSH: [ssh-password-or-key-location]
# ESSENTIAL SERVICES
Vaultwarden Master: [vaultwarden-master-password]
GitLab Root: [gitlab-root-password]
Grafana Admin: [grafana-admin-password]
Portainer Admin: [portainer-admin-password]
# EXTERNAL SERVICES
DDNS Account: [ddns-service-password]
Domain Registrar: [domain-registrar-password]
Cloud Backup: [backup-service-password]
# RECOVERY KEYS
Tailscale Auth Key: [tailscale-auth-key]
WireGuard Private Key: [wireguard-private-key]
SSH Private Key Passphrase: [ssh-key-passphrase]
EOF
} > emergency-passwords.txt
```
#### **Encrypt the Password File**
```bash
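# Method 1: GPG Encryption (Recommended)
# Install GPG if not available
sudo apt install gnupg # Ubuntu/Debian
brew install gnupg # macOS
# No GPG key pair is needed here: --symmetric encrypts with a passphrase only
# (run `gpg --gen-key` only if you also want public-key encryption)
# Encrypt the password file
# --s2k-count is the passphrase-stretching iteration count;
# 65011712 is the maximum GnuPG accepts
gpg --cipher-algo AES256 --compress-algo 1 --s2k-mode 3 \
  --s2k-digest-algo SHA512 --s2k-count 65011712 --symmetric \
  --output emergency-passwords.txt.gpg emergency-passwords.txt
# Test decryption BEFORE deleting the plain text file
# (--no-symkey-cache, GnuPG 2.2.7 or later, forces a passphrase prompt
# instead of reusing the passphrase cached by gpg-agent)
gpg --no-symkey-cache --decrypt emergency-passwords.txt.gpg > /dev/null
# Securely delete the plain text file (-u removes it after overwriting)
# Overwriting is not guaranteed on SSDs or copy-on-write filesystems
shred -vfz -n 3 -u emergency-passwords.txt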
```
```bash
# Method 2: OpenSSL Encryption (Alternative)
# Encrypt with AES-256
# (CBC mode is not authenticated: decryption will not reliably detect a tampered file)
openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 \
  -in emergency-passwords.txt \
  -out emergency-passwords.txt.enc
# Test decryption BEFORE deleting the original
openssl enc -aes-256-cbc -d -pbkdf2 -iter 100000 \
  -in emergency-passwords.txt.enc > /dev/null
# Securely delete original (-u removes it after overwriting)
shred -vfz -n 3 -u emergency-passwords.txt
```
#### **Store Encrypted Backup Safely**
```bash
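# Copy to multiple secure locations:
# 1. USB drive (keep in safe place)
cp emergency-passwords.txt.gpg /media/usb-drive/
# 2. Cloud storage (the file is encrypted; its safety rests on the passphrase strength)
cp emergency-passwords.txt.gpg ~/Dropbox/homelab-backup/
cp emergency-passwords.txt.gpg ~/Google\ Drive/homelab-backup/
# 3. Another computer/device
scp emergency-passwords.txt.gpg user@backup-computer:~/
# 4. Print QR code for ultimate backup (optional)
# The .gpg file is binary, so Base64-encode it first to get scannable text.
# A single QR code holds under 3 KB, so this only works for a small file.
# Restore with: base64 -d scanned.txt > emergency-passwords.txt.gpg
base64 emergency-passwords.txt.gpg | qrencode -t PNG -o emergency-passwords-qr.png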
```
### **Layer 3: Physical Security Backup**
#### **Secure Physical Storage**
```bash
# Create a physical backup for ultimate emergencies
# 1. Write critical passwords on paper
# 2. Store in fireproof safe or safety deposit box
# 3. Include:
# - Router admin credentials
# - Master password for password manager
# - SSH key locations and passphrases
# - Emergency contact information
```
#### **QR Code Backup**
```bash
# Create QR codes for quick mobile access
# Install qrencode
sudo apt install qrencode # Ubuntu/Debian
brew install qrencode # macOS
# Create QR codes for critical passwords
# These PNG files hold the passwords in plain text, and the commands below
# end up in your shell history: print the codes, then delete both
echo "Router: admin / [password]" | qrencode -t PNG -o router-qr.png
echo "Vaultwarden: [master-password]" | qrencode -t PNG -o vault-qr.png
# Print and store securely
# Can scan with phone camera when needed
```
---
## 📱 Mobile Emergency Access
### **Setup Mobile Hotspot Access**
```bash
# Prepare for scenarios where home internet is down
# 1. Ensure mobile device has Bitwarden app installed
# 2. Login and sync passwords while internet is working
# 3. Test offline access to cached passwords
# 4. Configure mobile hotspot on phone
# 5. Test accessing homelab services via mobile hotspot
```
### **Mobile Recovery Kit**
```bash
# Install essential apps on mobile device:
# Password Management
- Bitwarden (primary)
- Authy/Google Authenticator (2FA)
# Network Tools
- Network Analyzer (IP scanner)
- SSH client (Termius, JuiceSSH)
- VPN client (WireGuard, Tailscale)
# Utilities
- QR Code Scanner
- Text Editor
- File Manager with cloud access
```
---
## 🔧 Emergency Access Procedures
### **Scenario 1: Vaultwarden Server Down**
#### **Step 1: Try Cached Access**
```bash
# 1. Open Bitwarden desktop app
# 2. If logged in, cached passwords should be available
# 3. Search for needed credentials
# 4. Copy to secure temporary location
```
#### **Step 2: Use Encrypted Backup**
```bash
# If cached access fails, decrypt emergency backup
# GPG method:
gpg --decrypt ~/homelab-recovery/passwords/emergency-passwords.txt.gpg
# OpenSSL method:
openssl enc -aes-256-cbc -d -pbkdf2 -iter 100000 \
-in ~/homelab-recovery/passwords/emergency-passwords.txt.enc
```
#### **Step 3: Physical Backup**
```bash
# If digital methods fail:
# 1. Retrieve physical backup from safe
# 2. Use QR code scanner on phone
# 3. Manually type passwords from written backup
```
### **Scenario 2: Complete Network Failure**
#### **Mobile Hotspot Recovery**
```bash
# 1. Enable mobile hotspot on phone
# 2. Connect laptop to mobile hotspot
# 3. Access router admin via: http://192.168.1.1
# 4. Use emergency password backup to login
# 5. Reconfigure network settings
# 6. Test connectivity to homelab services
```
#### **Direct Connection Recovery**
```bash
# If WiFi is down, connect directly to router
# 1. Connect laptop to router via Ethernet
# 2. Access router admin interface
# 3. Use emergency passwords to login
# 4. Diagnose and fix network issues
```
### **Scenario 3: SSH Key Access**
#### **SSH Key Recovery**
```bash
# If you need SSH access but keys are on failed system
# 1. Check for backup SSH keys
ls -la ~/.ssh/
ls -la ~/homelab-recovery/ssh-keys/
# 2. Use password authentication if enabled
ssh -o PreferredAuthentications=password user@host
# 3. Use emergency SSH key from backup
ssh -i ~/homelab-recovery/ssh-keys/emergency_key user@host
# 4. Generate new SSH key if needed
ssh-keygen -t ed25519 -C "emergency-recovery-$(date +%Y%m%d)"
```
---
## 🔄 Vaultwarden Recovery Procedures
### **Restore from Backup**
#### **Database Backup Restoration**
```bash
# If Vaultwarden database is corrupted
# 1. Stop Vaultwarden container
docker stop vaultwarden
# 2. Backup current (corrupted) database
cp /volume1/docker/vaultwarden/data/db.sqlite3 \
  /volume1/docker/vaultwarden/data/db.sqlite3.corrupted
# Move leftover SQLite WAL files aside, if present, so they are not
# replayed onto the restored database
for f in /volume1/docker/vaultwarden/data/db.sqlite3-wal \
  /volume1/docker/vaultwarden/data/db.sqlite3-shm; do
  if [ -e "$f" ]; then mv "$f" "$f.corrupted"; fi
done
# 3. Restore from backup
cp /volume1/docker/vaultwarden/backups/db.sqlite3.backup \
  /volume1/docker/vaultwarden/data/db.sqlite3
# 4. Fix permissions
chown -R 1000:1000 /volume1/docker/vaultwarden/data/
# 5. Start Vaultwarden
docker start vaultwarden
# 6. Test access
curl -I https://atlantis.vish.local:8222
```
#### **Complete Vaultwarden Reinstall**
```bash
# If complete reinstall is needed
# 1. Export data from backup or emergency file
# 2. Deploy fresh Vaultwarden container
docker-compose -f ~/homelab/Atlantis/vaultwarden.yaml up -d
# 3. Create new admin account
# 4. Import passwords from backup
# 5. Update all client devices with new server URL
```
### **Alternative Password Managers**
#### **Temporary KeePass Setup**
```bash
# If Vaultwarden is down for extended period
# 1. Install KeePass
sudo apt install keepass2 # Ubuntu/Debian
brew install --cask keepassxc # macOS (KeePassXC, a KeePass-compatible client)
# 2. Create temporary database
# 3. Import critical passwords from emergency backup
# 4. Use until Vaultwarden is restored
```
#### **Browser Built-in Manager**
```bash
# As last resort, use browser password manager
# 1. Import passwords into Chrome/Firefox
# 2. Enable sync to access from multiple devices
# 3. Use temporarily until proper solution restored
```
---
## 🔐 Security Considerations
### **Emergency Backup Security**
```bash
# Ensure emergency backups are secure:
# ✅ Encrypted with strong passphrase
# ✅ Stored in multiple secure locations
# ✅ Access limited to authorized personnel
# ✅ Regular testing of decryption process
# ✅ Updated when passwords change
# ✅ Secure deletion of temporary files
```
### **Access Logging**
```bash
# Track emergency access for security:
# 1. Log when emergency procedures are used
echo "$(date): Emergency password access used - Router failure" >> \
~/homelab-recovery/access-log.txt
# 2. Change passwords after emergency if compromised
# 3. Review and update emergency procedures
# 4. Update backups with any new passwords
```
### **Cleanup After Emergency**
```bash
# After emergency is resolved:
# 1. Change any passwords that may have been compromised
# 2. Update emergency backup with new passwords
# 3. Test all access methods
# 4. Document lessons learned
# 5. Improve procedures based on experience
```
---
## 🧪 Testing Your Emergency Access
### **Monthly Testing Routine**
```bash
#!/bin/bash
# ~/homelab-recovery/test-emergency-access.sh
echo "🔐 Testing emergency password access..."
# Test 1: Decrypt emergency backup
echo "📁 Testing encrypted backup decryption..."
if gpg --decrypt "$HOME/homelab-recovery/passwords/emergency-passwords.txt.gpg" >/dev/null 2>&1; then
  echo "✅ Emergency backup decryption successful"
else
  echo "❌ Emergency backup decryption failed"
fi
# Test 2: Check Bitwarden offline cache
echo "💾 Testing Bitwarden offline cache..."
# Manual test: Open Bitwarden app offline
# Test 3: Verify backup locations
echo "📍 Checking backup locations..."
# Use $HOME here: a "~" inside quotes is not expanded by the shell
locations=(
  "$HOME/homelab-recovery/passwords/emergency-passwords.txt.gpg"
  "/media/usb-drive/emergency-passwords.txt.gpg"
  "$HOME/Dropbox/homelab-backup/emergency-passwords.txt.gpg"
)
for location in "${locations[@]}"; do
  if [ -f "$location" ]; then
    echo "✅ Backup found: $location"
  else
    echo "❌ Backup missing: $location"
  fi
done
echo "🎯 Emergency access test complete"
```
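The location check in the script above only confirms that a file exists, so it does not notice a copy that is out of date or has been altered. The following added example (not part of the original guide) compares the SHA-256 digest of every copy against the primary backup; the function names `backup_digest` and `check_backup_copies` are hypothetical, and it assumes `sha256sum` or `shasum` is installed.

```bash
#!/bin/bash
# Added example, not part of the original guide.
# Function names are hypothetical; assumes sha256sum (Linux) or shasum (macOS).

# Print the SHA-256 digest of a file; fail if it is missing or unreadable.
backup_digest() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# check_backup_copies PRIMARY COPY...
# Prints one status line per copy and returns the number of bad copies
# (255 if the primary itself cannot be read).
check_backup_copies() (
    primary=$1
    shift
    bad=0
    want=$(backup_digest "$primary") || { echo "UNREADABLE $primary"; return 255; }
    for copy in "$@"; do
        if ! got=$(backup_digest "$copy"); then
            echo "MISSING  $copy"
            bad=$((bad + 1))
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $copy"   # stale or altered copy
            bad=$((bad + 1))
        else
            echo "OK       $copy"
        fi
    done
    return "$bad"
)

# Check the locations used in this guide, if the primary backup exists here.
primary="$HOME/homelab-recovery/passwords/emergency-passwords.txt.gpg"
if [ -f "$primary" ]; then
    check_backup_copies "$primary" \
        "/media/usb-drive/emergency-passwords.txt.gpg" \
        "$HOME/Dropbox/homelab-backup/emergency-passwords.txt.gpg" \
        || echo "Refresh the copies listed as MISSING or MISMATCH"
fi
```

A `MISMATCH` after a password update usually means that copy was not refreshed; a `MISMATCH` without any update means the copy should be replaced from the primary and the storage location reviewed.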
### **Quarterly Full Test**
```bash
# Every 3 months, perform complete test:
# 1. Disconnect from internet
# 2. Try accessing passwords via Bitwarden offline
# 3. Decrypt emergency backup file
# 4. Test mobile hotspot access to homelab
# 5. Verify all critical passwords work
# 6. Update any changed passwords
# 7. Document any issues found
```
---
## 📋 Emergency Access Checklist
### **🔐 Password Recovery Checklist**
```bash
☐ Try Bitwarden desktop app offline cache
☐ Check mobile app cached passwords
☐ Decrypt emergency password backup file
☐ Check physical backup location
☐ Scan QR codes if available
☐ Use mobile hotspot for network access
☐ Test critical passwords work
☐ Document which method was used
☐ Plan password updates after recovery
☐ Update emergency procedures if needed
```
### **🛠️ Vaultwarden Recovery Checklist**
```bash
☐ Check if container is running
☐ Verify database file integrity
☐ Restore from most recent backup
☐ Test web interface access
☐ Verify user accounts exist
☐ Test password sync to clients
☐ Update client configurations if needed
☐ Create new backup after recovery
☐ Document cause of failure
☐ Implement prevention measures
```
---
## 🚨 Emergency Contacts
### **When All Else Fails**
```bash
# If you can't access any passwords:
# 1. Router manufacturer support (for reset procedures)
# 2. ISP technical support (for connection issues)
# 3. Hardware vendor support (for device recovery)
# 4. Trusted friend/family with backup access
# 5. Professional IT recovery services (last resort)
```
### **Recovery Services**
```bash
# Professional services for extreme cases:
# Data Recovery Services
- For corrupted storage devices
- Database recovery specialists
- Hardware repair services
# Security Services
- Password recovery specialists
- Forensic data recovery
- Security audit services
```
---
## 📚 Related Documentation
- [Disaster Recovery Guide](disaster-recovery.md) - Complete disaster recovery procedures
- [Vaultwarden Service Guide](../services/individual/vaultwarden.md) - Detailed Vaultwarden configuration
- [Security Model](../infrastructure/security.md) - Overall security architecture
- [Backup Strategies](../admin/backup-strategies.md) - Comprehensive backup planning
---
**💡 Pro Tip**: The best time to set up emergency password access is before you need it! Create and test these procedures while everything is working normally. Practice the recovery process quarterly to ensure you're familiar with it when an emergency strikes.