Use cases

Use cases are not just “what k/n should I pick?”. They are about people, logistics, and what you can actually pull off when recovery matters.

Tip

If you need a starting point: k=2, n=3 for personal recovery, k=3, n=5 for teams.

Caution

Safeparts does not stop someone who holds k shares from reconstructing. The security boundary is where shares live and who can access them.

Scenarios

Use this page to pick a plan you can execute under pressure: who holds which share, what happens if someone is unavailable, and how you’ll practice recovery.

Password manager recovery

Recommended: k=2, n=3. Two locations you control, plus one off-site fallback.

Family / executor planning

Recommended: k=2, n=4. Recovery without any single person holding full access.

Small team infra secret

Recommended: k=3, n=5. Split across roles, plus one offline vault.

Break-glass procedure

Recommended: k=2, n=4. Keep one share offline; require two parties during incidents.

Two-factor backup codes

Recommended: k=2, n=3. Store shares so a single device compromise doesn’t disable 2FA.

Agency / client handoff

Recommended: k=2, n=3. Split between agency vault, client vault, and a sealed offline copy.

Pattern: personal recovery (k=2, n=3)

Good for password manager recovery keys, 2FA backup codes, and other personal secrets.

Suggested distribution:

• Share A: a place you can reach quickly (password manager note, separate device/account)
• Share B: sealed offline copy (paper/metal)
• Share C: off-site fallback (trusted person, safe deposit box)

1. Split with k=2, n=3.
2. Put the shares in the three locations.
3. Do a recovery drill using any 2 shares.
4. Write down where the third share lives and how to access it.

Pattern: team secret (k=3, n=5)

Good when you want separation of duties: no one person can act alone, but the team can still recover during an incident.

Suggested distribution (by role):

• Share 1: operations
• Share 2: security
• Share 3: engineering lead
• Share 4: executive sponsor
• Share 5: offline vault

1. Document who holds each share (role + backup contact).
2. Write an incident runbook: who initiates, how approval happens, where shares are gathered.
3. Practice once before using the plan for production secrets.

Pattern: break-glass (k=2, n=4)

Good when recovery should be rare and auditable.

Suggested distribution:

• Share 1: on-call lead (rotates)
• Share 2: security lead
• Share 3: offline vault
• Share 4: backup executive or compliance

Caution

After any break-glass event, rotate the underlying secret and re-split. Treat gathered shares as compromised.

How to choose holders

Prefer independent failures

Different people, devices, and locations. Avoid “same safe, two envelopes”.

Design for the worst day

Recovery happens when you’re stressed: outages, travel, illness, or loss.

Write down the runbook

Document who has each share and what to do if a holder is unavailable.

When to add a passphrase

If the risk of share theft is high (travel, shared environments, hostile endpoints), add a passphrase. That changes the attack from “steal k shares” to “steal k shares and the passphrase”.

See Security.