rsorssae

You're system sounds well thought out and more than secure enough for most people's needs, so if that is what works for you I would go for it. I also like the fun idea for the duress passphrase, I just hope a friend doesn't get tempted to try and unlock your phone and accidentally wipe everything! Overall, the only comments I would make are:

• be wary of using biometrics for ring 0, in countries like the US the cops can force you to use your biometrics, by law. GrapheneOS does have ways to quickly disable biometric unlock in emergencies, or automatically disable it after a set period of time
• you are using both a security key and a passphrase for securing the ring 0 database. Perhaps commit to one of them, to reduce complexity. The more complicated the system, the more places there can be vulnerabilities
• getting access into the ring 0 device is effectively compromising the database, even if you have a password on the database. There are numerous things that an attacker can do once in control of the device, like enabling internet, flash a custom rom and copy all the files over to make it look identical, installing a keylogger, changing the UI to hide any modifications, etc. This is also why I try to use my ring 0 device as little as possible, every time I enter the password is another chance for the password to be stolen
• putting your Aegis TOTP app on ring 0 means you have to constantly use your ring 0 device. I prefer to use my ring 0 device as little as possible, both for security and convenience. My TOTP app is on a ring 1 device instead, and is only used to secure online accounts (which I consider ring 2). If you want to use 2FA for ring 1 then I suppose you are forced to put your TOTP app on ring 0, though I find the inconvenience not worth it.

I'm more than happy to share more about my setup and thought process, so ask away. I'm glad I can finally share and discuss these ideas somewhere. I'll try to separate my responses into sections:

Convenience and Backups

Remembering the passphrase for the ring 0 device is risky at best, especially with an added duress passphrase and second factor PIN (if applicable)

I talk about duress and 2fa codes below, but as for remembering the master passphrase, it's risky but unavoidable. Your entire digital life is made up of information. Devices can be discarded, exchanged, but the information is what matters. There must be a "root" piece of information that unlocks all the rest. If that root key is stored in your brain, nobody else can access it. If the key is anywhere else (like in a physical safe), then anybody with access to that safe can unlock everything else. Maybe you hide the safe somewhere in the ground. Where it is hidden is now your "root key", stored in your brain. Maybe you write the safe's coordinates on a piece of paper. That is now your root key. There is always a root, either you store it in your brain and risk forgetting, or you store it outside and risk it stolen. I don't mind the burden of remembering one piece of information for the rest of my life, if it means the security of everything else.

Keeping the database automatically backed up seemed impossible

In my system automatic backups are not needed. This is the advantage of having a small ring 1. The ring 0 database only stores the passwords for ring 1, and ring 1 rarely changes. For my personal setup, I only need to update the ring 0 database when I buy a new ring 1 device, which is like once a year at most. Then I just update my backup usb manually.

The added expense and inconvenience of buying and carrying a separate phone was an issue

I don't see a way around this, aside from the Qubes solution mentioned in my post.

Handling 2FA

Where are 2FA recovery codes and other backup methods stored?

If the root key is air-gapped device or virtual machine (like the Qubes password vault), then it is already 2FA. To access the contents requires both posession of the device and knowledge of the password. I don't use 2FA for my ring 1 devices either, I don't see much benefit and just added risk. You do have to be wary for a thief that tries to see you typing in your password before stealing your device, but if a thief is that persistent, they could also see you use your 2FA key and steal that as well. I generally use 2FA for important online accounts, where the password can be easily stolen via phishing, database breaches, etc. These 2FA keys are considered ring 1 or ring 2, so their recovery codes can be stored in ring 0 or ring 1. Same with keyfiles, if you use those. Remember, the root is simply the master password, everything else can be derived from that.

Storing other information such as the duress passphrase or the unlock method for the database had no clear solution

As mentioned in my post, the database has the same password as the phone. I don't see a need for a different one. The phone password is already used for encrypting the entire phone, so you could technically avoid putting a password on the keepass database, but keeping the keepass database encrypted makes backups easier since you can just copy the file to the usb drive. The duress passphrase can be stored in the ring 0 device as well, as long as you periodically revisit it to refresh your memory.

Trust Rings

The system you came up with is good. Whether or not you want to isolate KeePass databases and accounts is up to you, though if you want that level of isolation I would just use Qubes and VMs, much easier than juggling devices.

Though I noticed your system only has two rings. One important thing I should mention is that the ring system is not just for passwords. It is for trust, access, and control in general. Higher rings are more trusted, and can access and control lower rings. For example, my ring 1 PC has ssh access into my ring 2 devices. It would not make sense the other way around. This is why I have multiple rings. Information in lower rings is less trusted. I would not pass an executable from a lower ring to a higher ring unless I have a way to re-validate it, using checksums or PGP keys. Hierarchies of trust are common in security and I find them easy to reason about and very powerful.

Great write-up, I remember going through this chain of thought myself a few years back and the conclusion I ended at was: you need at minimum one password that you never forget. If you try to create a recovery mechanism, like using a physical safe like OP suggested, then now all your security efforts just shift towards securing that safe instead. Not to mention in some countries the cops can break open your safe but they can't force you to give up your password (aside from using rubber-hose cryptoanalysis).

The good news is, you only need to remember one master password. At least with the system I've been using (feedback welcome). I organize everything into a hierarchy of trust rings. At the root, ring 0, is a single device secured with the master password, and it stores the passwords needed for things in ring 1. Then the devices in ring 1 store passwords and credentials for ring 2, etc. If I ever forget a password I can always go up a ring to find it. Here's a rough idea of my rings:

Ring 0

I use a Pixel phone with GrapheneOS, and a very strong master password. It is permanently in airplane mode so that it is effectively air-gapped. GrapheneOS also supposed a "duress" password, a fake password which can be used to surreptitiously wipe the device if somebody tries to force you to unlock the device. Thus, it is the most secure device I have. It's also a phone so that it's portable enough to carry while traveling. The only thing on it is a KeePass database (which uses the same password as the device itself, for simplicity). This KeePass database contains the disk encryption passwords, login passwords, and BIOS/UEFI passwords for my ring 1 devices

Ring 1

Ring 1 devices are still relatively secure but they are connected to the internet so not as secure as ring 0. I only have 4 things in ring 1: my everyday password manager, my main PC, my phone (also GrapheneOS), and my backup NAS. My everyday password manager contains passwords for things in ring 2.

Ring 2

Ring 2 is for things that I consider untrusted and insecure. This includes online accounts, which are ultimately out of my control. Or devices that run untrusted operating systems, like from Microsoft or Apple.

Ring 3?

Sometimes on my ring 2 devices I make throwaway accounts and store the passwords on the device itself, so I guess you could call these throwaway accounts ring 3. But generally everything I own is in ring 0, ring 1, and ring 2.

So there you have it, everything secured with a single password, and I consider it secure enough for most threat models. No need to for physical safes or hiding 2fa keys. It's a little expensive since you have a pixel phone just for storing passwords, but I think it's worth it. It's also a little inconvenient to have to read passwords off the screen and then manually type them in, but I found that I usually remember the passwords for my ring 1 devices so I rarely need to use my ring 0 device.

Some tips:

• for ring 0, you don't need a separate device if you use Qubes OS. Just use the built-in password vault in Qubes, which I consider as secure as an air-gapped device
• to prevent an attacker from disabling airplane mode on my ring 0 Pixel phone, I couldn't find a way to disable the Android quick settings from the lockscreen, so instead I just removed all airplane/wifi/cellular/bluetooth related toggles from the quick settings
• for the master password, I recommend using a passphrase. The GrapheneOS community recommends 6 random diceware words (KeePass can generate these for you completely offline), but at least for my master passphrase I prefer to create my own phrase, to make it more memorable. However since humans are unreliable sources of randomness, I make my passphrase 8 words or longer to compensate
• make sure to have a backup of your ring 0 device contents. I store a backup of my pixel phone's KeePass database on a usb drive. No need for any extra security there, the KeePass database is already encrypted with the master password
• if you find yourself rarely needing your ring 0 device, you might want to schedule a monthly routine to unlock it just so you don't forget your master password
• if you use a Pixel phone as your ring 0 device like I do, you will want to replace it every few years. Cops have Celebrite machines that can crack any phone except newer Pixel phones.