Running a fire drill

A backup you’ve never restored is a hope, not a backup. The fire drill is a guided annual test that walks you (or better, one of your circle members) through a complete recovery using throwaway test secrets, so you can watch the whole mechanism work without touching your real vault.

What the drill does

  1. Generates a test secret and test shares. A disposable vault key is created and split exactly the way your real one was, using your real circle structure. Your actual cards and vault are never involved.
  2. Walks through offline reconstruction. You (or your chosen tester) open the offline recovery tool, ideally from a saved copy on a machine with Wi-Fi turned off, because that’s the honest condition. Then you enter the test shares. The tool shows quorum progress filling in, then decrypts a small test bundle.
  3. Verifies the tool itself. The drill has you check the tool’s SHA-256 hash against the value printed on your cards, the same check your family would do. (Full verification guide.)
  4. Logs the result. Success lands in your audit trail and on your coverage map, with a date. Next year, the app reminds you.

Why do this annually

  • You learn the feel of it. The first recovery anyone in your family ever performs should not be the real one.
  • It catches rot. A browser that won’t open the tool, a saved copy that went missing, a holder who quietly moved and left their card behind — the drill surfaces these while they’re trivia.
  • It builds justified confidence. After one drill you stop wondering whether the system works, because you’ve watched it work.

The better version: have a holder run it

The most valuable drill is one where a circle member does the reconstruction while you watch (or don’t). It answers the question that actually matters: can this person, with their computer, follow the sheet? Choose whoever would most likely lead a real recovery (typically your spouse or eldest child) and let them drive. Resist narrating. The instruction sheet should be enough; where it isn’t, that’s a finding.

What a drill is not

The drill uses test shares, so it does not prove your physical cards are intact and readable; the quarterly health checks cover that. And it does not touch the real ceremony machinery (notifications, veto window), so nobody in your circle gets an alarming email. It proves the path: tool, shares, bundle, packet. Health checks prove the artifacts. Together they cover the whole chain.

When to also run one

Beyond annually: after any re-share, after changing your circle structure, and after a major device change (new family computer, new browser). Five minutes each time.