Last updated: March 16, 2026

You can transfer access to VPNs, password managers, 2FA systems, and self-hosted security tools by documenting credentials, enabling emergency access features, provisioning SSH keys, and creating management runbooks for family members. This guide covers technical steps for preparing WireGuard configurations, Bitwarden/1Password/KeePassXC vaults, TOTP seeds, YubiKey backup registration, and self-hosted infrastructure access, ensuring continuity and security when family members need to take over.

4.

Prerequisites

Before you begin, make sure you have the following ready:

Step 1 - Documenting VPN Access

When preparing VPN credentials for transfer, you need to consider whether you’re using a commercial VPN service or a self-hosted solution like WireGuard, OpenVPN, or Outline.

Commercial VPN Services

For commercial VPNs like Mullvad, Proton VPN, or IVPN, the account credentials are typically tied to an email address and payment method. Document the following:

Most modern privacy-focused VPNs support account recovery through email. Make sure your family member knows which email address receives the VPN invoices and account communications.

Self-Hosted WireGuard Configurations

If you run your own WireGuard VPN on a VPS, the configuration is more complex. Each WireGuard client needs a private key and corresponding public key registered on the server. Here’s how to export and document a client configuration:

On the WireGuard server, list active peers
sudo wg show wg0 peers

Export a specific client's configuration
sudo wg show wg0 peer <public-key>

Create a configuration file for your family member:

family-member-vpn.conf
[Interface]
PrivateKey = <your-family-members-private-key>
Address = 10.0.0.5/24
DNS = 1.1.1.1

[Peer]
PublicKey = <servers-public-key>
Endpoint = your-vpn-server.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Store this configuration securely, preferably in a password manager or encrypted storage that your family member can access.

Step 2 - Password Manager Emergency Access

Most password managers have built-in emergency access or vault inheritance features. This is the single most important security tool to prepare for transfer.

Bitwarden Emergency Access

Bitwarden offers a native emergency access feature. Your designated family member can request access to your vault, and you’ll have a waiting period (you configure 1-7 days) to deny the request before automatic release:

Bitwarden CLI command to set up emergency access (requires web vault for initial setup)
In the web vault:
1. Go to Settings > Emergency Access
2. Enter your family member's Bitwarden email
3. Set the waiting period (recommended: 3-7 days)
4. Confirm the invitation

The family member must also have a Bitwarden account and enable emergency access from their own account settings.

KeePassXC Database Transfer

For KeePassXC users, the database file itself needs to be transferred along with the master password. Unlike cloud-based managers, KeePassXC offers no automatic inheritance mechanism. You’ll need to:

  1. Store the KeePassXC database file in a secure, accessible location (encrypted USB drive, safe deposit box, or encrypted cloud storage)
  2. Document the master password separately, ideally in a sealed envelope or with an attorney
  3. Consider splitting the password using Shamir’s Secret Sharing if you want multiple family members to collaborate on access

1Password Families

1Password offers a built-in families plan where you can add family members directly. They inherit access to shared vaults automatically. If you’re on an individual plan, convert to a families plan and add your family member as an adult member:

1Password Families structure:
- Family Organizer (you): Full access, can manage other members
- Adult Member (family member): Access to shared vaults
- Optional: Children can have restricted access

Step 3 - Two-Factor Authentication Backup Transfer

2FA is critical for security, but it creates a single point of failure if not properly documented. When transferring 2FA access, you have several options depending on the authenticator app used.

TOTP Seed Transfer

Time-based one-time passwords (TOTP) are generated from a shared secret seed. If your family member needs to receive codes from the same accounts, you must transfer the TOTP seeds, not just the screenshots of QR codes.

Extract TOTP seeds from various authenticator apps

For andotp (Android):
Export encrypted backup, decrypt with your password
Seeds are stored in JSON format

For 2FAS (iOS/Android):
Export to JSON, look for "secret" fields

Document each TOTP seed in a structured format:

{
  "service": "GitHub",
  "account": "your-email@example.com",
  "totp_seed": "JBSWY3DPEHPK3PXP",
  "issuer": "GitHub",
  "algorithm": "SHA1",
  "digits": 6,
  "period": 30
}

Store this file encrypted, separate from where you store the decryption key.

YubiKey Configuration

If you use hardware security keys like YubiKeys for 2FA, you need to register a second key with your accounts. Not all services support multiple security keys, but many do:

Register a backup YubiKey to your important accounts and document its location separately from your primary key.

Step 4 - Self-Hosted Security Tools

If you run security tools on your own infrastructure, Pi-hole for DNS filtering, a self-hosted VPN, or a firewall configuration, document the administrative access thoroughly.

SSH Key Administration

For servers accessed via SSH, ensure your family member has their own SSH key provisioned:

Generate a new SSH key for your family member
ssh-keygen -t ed25519 -C "family-member@email.com"

Add their public key to the server
ssh-copy-id -i ~/.ssh/family_member_key.pub user@your-server.com

On the server, restrict their key to specific commands if needed
In ~/.ssh/authorized_keys:
command="/usr/bin/sudo /usr/bin/systemctl status vpn-service",no-agent-forwarding,no-port-forwarding ssh-ed25519 AAAA...

Firewall and VPN Server Documentation

Create a runbook for your family member that includes:

#!/bin/bash
family-vpn-management.sh
Common commands for managing the family VPN

Check VPN service status
sudo systemctl status wg-quick@wg0

View active connections
sudo wg show

Restart the VPN service
sudo systemctl restart wg-quick@wg0

Check firewall rules
sudo iptables -L -n -v

View recent connection logs
sudo journalctl -u wg-quick@wg0 -n 50 --no-pager

Store this runbook alongside your other documentation, and walk your family member through the basics before they need to use it.

Step 5 - Structured Credential Handoff

Rather than scattering credentials across password managers, text files, and USB drives, create a structured handoff document. Use age-encryption or GPG to encrypt the document, then store it in a location your family member can access:

Encrypt credentials using age (modern GPG alternative)
age -p -o credentials.age <<EOF
VPN Configuration:
- Server: vpn.yourdomain.com
- Username: admin
- WireGuard Config: See attached file

Password Manager:
- Service: Bitwarden
- Emergency Contact - family-member@email.com

2FA Backup:
- TOTP Seeds: See encrypted seeds.json
- Backup YubiKey: Safe deposit box, Box #3

Server Access:
- SSH Key Location: USB drive in filing cabinet
- Management Script - See family-vpn-management.sh
EOF

Step 6 - Test the Handoff

Before you need the transfer to work, test it. Have your family member attempt to:

  1. Log into the password manager using emergency access
  2. Connect to the VPN using the documented configuration
  3. Access one server via SSH using their provisioned key
  4. Generate a TOTP code from the transferred seed

Document any friction points and refine your documentation accordingly. The goal is a smooth transition when it becomes necessary.

Troubleshooting

Configuration changes not taking effect

Restart the relevant service or application after making changes. Some settings require a full system reboot. Verify the configuration file path is correct and the syntax is valid.

Permission denied errors

Run the command with sudo for system-level operations, or check that your user account has the necessary permissions. On macOS, you may need to grant terminal access in System Settings > Privacy & Security.

Connection or network-related failures

Check your internet connection and firewall settings. If using a VPN, try disconnecting temporarily to isolate the issue. Verify that the target server or service is accessible from your network.

Frequently Asked Questions

How long does it take to prepare vpn and security tool credentials for family?

For a straightforward setup, expect 30 minutes to 2 hours depending on your familiarity with the tools involved. Complex configurations with custom requirements may take longer. Having your credentials and environment ready before starting saves significant time.

What are the most common mistakes to avoid?

The most frequent issues are skipping prerequisite steps, using outdated package versions, and not reading error messages carefully. Follow the steps in order, verify each one works before moving on, and check the official documentation if something behaves unexpectedly.

Do I need prior experience to follow this guide?

Basic familiarity with the relevant tools and command line is helpful but not strictly required. Each step is explained with context. If you get stuck, the official documentation for each tool covers fundamentals that may fill in knowledge gaps.

Is this approach secure enough for production?

The patterns shown here follow standard practices, but production deployments need additional hardening. Add rate limiting, input validation, proper secret management, and monitoring before going live. Consider a security review if your application handles sensitive user data.

Where can I get help if I run into issues?

Start with the official documentation for each tool mentioned. Stack Overflow and GitHub Issues are good next steps for specific error messages. Community forums and Discord servers for the relevant tools often have active members who can help with setup problems.

Related Articles

Built by theluckystrike. More at zovo.one