# 35 Witnessed ceremonies + tamper-evident custody

> v0.0.2 · role: Assure · [policy: #16 · #13](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

Recovery credentials — break-glass backup codes, hardware keys, key material — are stored in tamper-evident packaging and handled only in witnessed ceremonies that are logged: which seal serial, opened by whom, before which witnesses, on what date. The safe-and-seal inventory is the auditable record, and it is the evidence layer that every offline-custody control in this catalog leans on.

Documentation: [Security best practices for administrator accounts](https://knowledge.workspace.google.com/admin/users/security-best-practices-for-administrator-accounts) · [Recover an account protected by 2-Step Verification](https://knowledge.workspace.google.com/admin/security/recover-an-account-protected-by-2-step-verification)

## Caveats

- There is no console surface and therefore no console evidence — the artefact is a signed ceremony log, so if nobody keeps the log, nothing shows the control ever ran.
- Packaging alone proves nothing — it is the seal serial numbers, the named custodians and the dated openings that make tampering detectable.

_Process control — carried out offline; no Admin Console walkthrough._

## Ongoing maintenance

- **[requires a human]** Per schedule: run the witnessed ceremony and update the custody register.

## How to verify

1. Inspect the most recent ceremony record: witnesses signed, tamper-evident bag serials match the register, and the record is within its scheduled interval.
