2021-02-24 06:18:01 -05:00
<!--
Title: How to create encrypted paper backup
Description: Learn how to create encrypted paper backup.
Author: Sun Knudsen < https: / / github . com / sunknudsen >
2021-04-19 10:28:02 -04:00
Contributors: Sun Knudsen < https: / / github . com / sunknudsen > , Alex Anderson < https: / / github . com / Serpent27 > , Nico Kaiser < https: / / github . com / nicokaiser > , Daan Sprenkels < https: / / github . com / dsprenkels >
2021-02-24 06:18:01 -05:00
Reviewers:
2021-04-19 10:28:02 -04:00
Publication date: 2021-04-19T14:05:38.426Z
2021-04-21 09:45:19 -04:00
Listed: true
2021-02-24 06:18:01 -05:00
-->
# How to create encrypted paper backup
2021-07-10 13:53:01 -04:00
[](https://www.youtube.com/watch?v=2Em7jpxRrrk "The world’
2021-02-24 06:18:01 -05:00
## Requirements
2021-05-04 10:47:42 -04:00
- [Hardened Raspberry Pi ](../how-to-configure-hardened-raspberry-pi )
2021-02-24 06:18:01 -05:00
- [Adafruit PiTFT monitor ](https://www.adafruit.com/product/2423 ) (optional)
2021-04-21 09:45:19 -04:00
- [Compatible USB webcam ](https://elinux.org/RPi_USB_Webcams ) (720P or 1080P, powered directly by Raspberry Pi)
- USB keyboard ([Raspberry Pi keyboard and hub ](https://www.raspberrypi.org/products/raspberry-pi-keyboard-and-hub/ ) recommended)
- USB flash drive (faster is better)
2021-03-02 16:44:24 -05:00
- macOS computer
2021-02-24 06:18:01 -05:00
## Caveats
- When copy/pasting commands that start with `$` , strip out `$` as this character is not part of the command
## Setup guide
### Step 1: log in to Raspberry Pi
Replace `10.0.1.248` with IP of Raspberry Pi.
```shell
ssh pi@10 .0.1.248 -i ~/.ssh/pi
```
2021-05-21 14:01:15 -04:00
### Step 2: configure console font
```console
$ sudo sed -i 's/FONTFACE=""/FONTFACE="TerminusBold"/' /etc/default/console-setup
$ sudo sed -i 's/FONTSIZE=""/FONTSIZE="10x20"/' /etc/default/console-setup
```
### Step 3: configure keyboard layout
2021-05-11 09:32:13 -04:00
> Heads-up: following instructions are for [Raspberry Pi keyboard](https://www.raspberrypi.org/products/raspberry-pi-keyboard-and-hub/) (US model).
> Heads-up: when asked to reboot, select “No” and press enter.
```shell
sudo raspi-config
```
Select “Localisation Options”, then “Keyboard”, then “Generic 105-key PC (intl.)”, then “Other”, then “English (US)”, then “English (US)”, then “The default for the keyboard layout”, then “No compose key” and finally “Finish”.
2021-05-21 14:01:15 -04:00
### Step 4: install dependencies available on repositories
2021-05-11 09:32:13 -04:00
```console
$ sudo apt update
2021-05-20 06:04:59 -04:00
$ sudo apt install -y bc expect fim imagemagick python3-pip python3-rpi.gpio
2021-05-11 09:32:13 -04:00
2021-07-22 08:59:02 -04:00
$ pip3 install --user mnemonic pillow qrcode
2021-05-11 09:32:13 -04:00
$ echo -e "export GPG_TTY=\"\$(tty)\"\nexport PATH=\$PATH:/home/pi/.local/bin" >> ~/.bashrc
$ source ~/.bashrc
```
2021-05-21 14:01:15 -04:00
### Step 5 (optional): install [Adafruit PiTFT monitor](https://www.adafruit.com/product/2423) drivers and disable console auto login
2021-02-24 06:18:01 -05:00
2021-04-21 09:45:19 -04:00
#### Install Adafruit PiTFT monitor drivers
2021-02-24 06:18:01 -05:00
> Heads-up: don’
2021-03-02 16:44:24 -05:00
> Heads-up: when asked to reboot, type `n` and press enter.
```console
2021-02-24 06:18:01 -05:00
$ sudo apt update
2021-05-11 09:32:13 -04:00
$ sudo apt install -y git python3-pip
2021-02-24 06:18:01 -05:00
2021-03-04 09:23:37 -05:00
$ sudo pip3 install adafruit-python-shell click==7.0
2021-02-24 06:18:01 -05:00
$ git clone https://github.com/adafruit/Raspberry-Pi-Installer-Scripts.git
$ cd Raspberry-Pi-Installer-Scripts
$ sudo python3 adafruit-pitft.py --display=28c --rotation=90 --install-type=console
2021-03-03 15:10:07 -05:00
$ cd ~
$ rm -fr Raspberry-Pi-Installer-Scripts
2021-02-24 06:18:01 -05:00
```
#### Disable console auto login
2021-03-02 16:44:24 -05:00
> Heads-up: when asked to reboot, select “No” and press enter.
2021-02-24 06:18:01 -05:00
```shell
sudo raspi-config
```
Select “System Options”, then “Boot / Auto Login”, then “Console” and finally “Finish”.
2021-05-21 14:01:15 -04:00
### Step 6: install [zbar](https://github.com/mchehab/zbar) from source
2021-04-15 12:53:41 -04:00
#### Install zbar dependencies
```console
$ sudo apt update
2021-04-15 19:41:12 -04:00
$ sudo apt install -y autopoint build-essential git libjpeg-dev libmagickwand-dev libtool libv4l-dev
2021-04-15 12:53:41 -04:00
```
#### Clone zbar repository
2021-11-27 11:20:35 -05:00
Replace `0.23.90` with [latest release ](https://github.com/mchehab/zbar/releases/latest ) semver.
2021-04-19 10:28:02 -04:00
2021-04-15 12:53:41 -04:00
```console
$ cd ~
$ git clone https://github.com/mchehab/zbar
$ cd zbar
$ git checkout 0.23.90
```
#### Configure, compile and install zbar
```console
$ autoreconf -vfi
$ ./configure --without-python
$ make
$ sudo make install
$ sudo ldconfig
2021-04-19 10:28:02 -04:00
$ cd ~
$ rm -fr zbar
2021-04-15 12:53:41 -04:00
```
2021-05-21 14:01:15 -04:00
### Step 7: install [sss-cli](https://github.com/dsprenkels/sss-cli) from source
2021-04-15 12:53:41 -04:00
#### Install [Rust](https://www.rust-lang.org/)
2021-04-19 10:28:02 -04:00
> Heads-up: when asked for installation option, select “Proceed with installation (default)”.
2021-04-15 12:53:41 -04:00
2021-04-19 10:28:02 -04:00
```shell
$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
2021-04-15 12:53:41 -04:00
2021-04-19 10:28:02 -04:00
$ source ~/.bashrc
2021-04-15 12:53:41 -04:00
```
#### Install sss-cli
```console
$ cargo install --git https://github.com/dsprenkels/sss-cli --branch v0.1
$ cp ~/.cargo/bin/secret-share* ~/.local/bin/
```
2021-05-21 14:01:15 -04:00
### Step 8: install [Electrum](https://electrum.org/#home) (used to generate Electrum mnemonics)
2021-03-04 09:23:37 -05:00
2021-04-09 13:57:09 -04:00
#### Install Electrum dependencies
```shell
2021-04-19 10:28:02 -04:00
$ sudo apt update
$ sudo apt install -y libsecp256k1-0 python3-cryptography
2021-04-09 13:57:09 -04:00
```
2021-06-21 09:07:17 -04:00
#### Import ThomasV’
```console
$ curl https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc | gpg --import
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4739 100 4739 0 0 22459 0 --:--:-- --:--:-- --:--:-- 22459
gpg: /home/pi/.gnupg/trustdb.gpg: trustdb created
gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) < thomasv @electrum .org > " imported
gpg: Total number processed: 1
gpg: imported: 1
```
imported: 1
👍
2021-04-09 13:57:09 -04:00
#### Set Electrum release semver environment variable
2021-11-27 11:20:35 -05:00
Replace `4.1.2` with [latest release ](https://electrum.org/#download ) semver.
2021-04-09 13:57:09 -04:00
```shell
ELECTRUM_RELEASE_SEMVER=4.1.2
```
2021-07-21 19:48:34 -04:00
#### Download Electrum release and associated PGP signature
2021-04-09 13:57:09 -04:00
```shell
2021-04-19 10:28:02 -04:00
$ cd ~
2021-12-13 10:58:47 -05:00
$ curl --remote-name "https://download.electrum.org/$ELECTRUM_RELEASE_SEMVER/Electrum-$ELECTRUM_RELEASE_SEMVER.tar.gz"
2021-04-19 10:28:02 -04:00
2021-12-13 10:58:47 -05:00
$ curl --remote-name "https://download.electrum.org/$ELECTRUM_RELEASE_SEMVER/Electrum-$ELECTRUM_RELEASE_SEMVER.tar.gz.asc"
2021-04-09 13:57:09 -04:00
```
2021-05-09 10:25:43 -04:00
#### Verify Electrum release (learn how [here](../how-to-verify-pgp-digital-signatures-using-gnupg-on-macos))
2021-04-09 13:57:09 -04:00
```console
$ gpg --verify Electrum-$ELECTRUM_RELEASE_SEMVER.tar.gz.asc
gpg: assuming signed data in 'Electrum-$ELECTRUM_RELEASE_SEMVER.tar.gz'
gpg: Signature made Thu 08 Apr 2021 09:47:30 EDT
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) < thomasv @electrum .org > " [unknown]
gpg: aka "ThomasV < thomasv1 @gmx .de > " [unknown]
gpg: aka "Thomas Voegtlin < thomasv1 @gmx .de > " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
```
Good signature
👍
#### Install Electrum
```shell
2021-04-19 10:28:02 -04:00
$ pip3 install --user Electrum-$ELECTRUM_RELEASE_SEMVER.tar.gz
$ rm Electrum-$ELECTRUM_RELEASE_SEMVER.tar.gz*
2021-04-09 13:57:09 -04:00
```
2021-07-10 13:53:01 -04:00
### Step 9: install `tmux` and [trezorctl](https://wiki.trezor.io/Using_trezorctl_commands_with_Trezor) (used to verify integrity of and restore [Trezor](https://trezor.io/) devices)
2021-03-04 09:23:37 -05:00
```console
2021-04-19 10:28:02 -04:00
$ sudo apt update
2021-04-21 09:45:19 -04:00
$ sudo apt install -y tmux
2021-03-04 09:23:37 -05:00
2021-07-22 08:59:02 -04:00
$ pip3 install --user attrs trezor
2021-03-04 09:23:37 -05:00
2021-12-13 10:58:47 -05:00
$ sudo curl --fail --output /etc/udev/rules.d/51-trezor.rules https://data.trezor.io/udev/51-trezor.rules
2021-03-04 09:23:37 -05:00
```
2021-05-21 14:01:15 -04:00
### Step 10: import Sun’
2021-02-25 14:06:45 -05:00
2021-04-15 12:53:41 -04:00
```console
2021-12-13 10:58:47 -05:00
$ curl --fail --output /home/pi/sunknudsen.asc https://sunknudsen.com/sunknudsen.asc
2021-04-15 12:53:41 -04:00
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
2021-06-06 10:12:01 -04:00
100 6896 100 6896 0 0 7569 0 --:--:-- --:--:-- --:--:-- 7561
$ gpg --import /home/pi/sunknudsen.asc
2021-04-15 12:53:41 -04:00
gpg: key C1323A377DE14C8B: public key "Sun Knudsen < hello @sunknudsen .com > " imported
gpg: Total number processed: 1
gpg: imported: 1
2021-02-25 14:06:45 -05:00
```
2021-04-15 12:53:41 -04:00
imported: 1
2021-03-07 05:46:55 -05:00
2021-04-15 12:53:41 -04:00
👍
2021-05-21 14:01:15 -04:00
### Step 11: download and verify [create-bip39-mnemonic.py](./create-bip39-mnemonic.py)
2021-04-15 12:53:41 -04:00
```console
2021-12-13 10:58:47 -05:00
$ curl --fail --output /home/pi/.local/bin/create-bip39-mnemonic.py https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/create-bip39-mnemonic.py
2021-04-15 12:53:41 -04:00
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 149 100 149 0 0 138 0 0:00:01 0:00:01 --:--:-- 138
2021-12-13 15:28:46 -05:00
$ curl --fail --output /home/pi/.local/bin/create-bip39-mnemonic.py.asc https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/create-bip39-mnemonic.py.asc
2021-04-15 12:53:41 -04:00
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 833 100 833 0 0 681 0 0:00:01 0:00:01 --:--:-- 681
2021-12-13 15:28:46 -05:00
$ gpg --verify /home/pi/.local/bin/create-bip39-mnemonic.py.asc
2021-04-15 12:53:41 -04:00
gpg: assuming signed data in '/home/pi/.local/bin/create-bip39-mnemonic.py'
2021-04-19 10:28:02 -04:00
gpg: Signature made Thu 15 Apr 2021 12:54:22 EDT
2021-04-15 12:53:41 -04:00
gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305
gpg: Good signature from "Sun Knudsen < hello @sunknudsen .com > " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B
Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305
$ chmod 600 /home/pi/.local/bin/create-bip39-mnemonic.py
2021-03-07 05:46:55 -05:00
```
2021-04-15 12:53:41 -04:00
Primary key fingerprint matches [published ](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint ) fingerprints
2021-02-24 06:18:01 -05:00
2021-04-15 12:53:41 -04:00
👍
Good signature
👍
2021-05-21 14:01:15 -04:00
### Step 12: download and verify [validate-bip39-mnemonic.py](./validate-bip39-mnemonic.py)
2021-04-15 12:53:41 -04:00
```console
2021-12-13 10:58:47 -05:00
$ curl --fail --output /home/pi/.local/bin/validate-bip39-mnemonic.py https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/validate-bip39-mnemonic.py
2021-04-15 12:53:41 -04:00
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 6217 100 6217 0 0 8234 0 --:--:-- --:--:-- --:--:-- 8234
2021-12-13 15:28:46 -05:00
$ curl --fail --output /home/pi/.local/bin/validate-bip39-mnemonic.py.asc https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/validate-bip39-mnemonic.py.asc
2021-04-15 12:53:41 -04:00
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 6217 100 6217 0 0 10361 0 --:--:-- --:--:-- --:--:-- 10344
2021-12-13 15:28:46 -05:00
$ gpg --verify /home/pi/.local/bin/create-bip39-mnemonic.py.asc
2021-04-15 12:53:41 -04:00
gpg: assuming signed data in '/home/pi/.local/bin/create-bip39-mnemonic.py'
2021-04-19 10:28:02 -04:00
gpg: Signature made Thu 15 Apr 2021 12:54:22 EDT
2021-04-15 12:53:41 -04:00
gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305
gpg: Good signature from "Sun Knudsen < hello @sunknudsen .com > " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B
Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305
$ chmod 600 /home/pi/.local/bin/validate-bip39-mnemonic.py
2021-02-24 06:18:01 -05:00
```
2021-04-15 12:53:41 -04:00
Primary key fingerprint matches [published ](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint ) fingerprints
2021-02-24 06:18:01 -05:00
2021-04-15 12:53:41 -04:00
👍
Good signature
👍
2021-05-21 14:01:15 -04:00
### Step 13: download and verify [tmux-buttons.py](./tmux-buttons.py)
2021-04-21 09:45:19 -04:00
```console
2021-12-13 10:58:47 -05:00
$ curl --fail --output /home/pi/.local/bin/tmux-buttons.py https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/tmux-buttons.py
2021-04-21 09:45:19 -04:00
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 149 100 149 0 0 138 0 0:00:01 0:00:01 --:--:-- 138
2021-12-13 15:28:46 -05:00
$ curl --fail --output /home/pi/.local/bin/tmux-buttons.py.asc https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/tmux-buttons.py.asc
2021-04-21 09:45:19 -04:00
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 833 100 833 0 0 681 0 0:00:01 0:00:01 --:--:-- 681
2021-12-13 15:28:46 -05:00
$ gpg --verify /home/pi/.local/bin/tmux-buttons.py.asc
2021-04-21 09:45:19 -04:00
gpg: assuming signed data in '/home/pi/.local/bin/tmux-buttons.py'
2021-04-22 09:33:45 -04:00
gpg: Signature made Thu Apr 22 09:13:47 2021 EDT
2021-04-21 09:45:19 -04:00
gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305
gpg: Good signature from "Sun Knudsen < hello @sunknudsen .com > " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B
Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305
$ chmod 600 /home/pi/.local/bin/tmux-buttons.py
```
Primary key fingerprint matches [published ](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint ) fingerprints
👍
Good signature
👍
2021-05-21 14:01:15 -04:00
### Step 14: download and verify [qr-backup.sh](./qr-backup.sh)
2021-04-15 12:53:41 -04:00
```console
2021-12-13 10:58:47 -05:00
$ curl --fail --output /home/pi/.local/bin/qr-backup.sh https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/qr-backup.sh
2021-04-15 12:53:41 -04:00
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3956 100 3956 0 0 3971 0 --:--:-- --:--:-- --:--:-- 3967
2021-12-13 15:28:46 -05:00
$ curl --fail --output /home/pi/.local/bin/qr-backup.sh.asc https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/qr-backup.sh.asc
2021-04-15 12:53:41 -04:00
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 833 100 833 0 0 620 0 0:00:01 0:00:01 --:--:-- 620
2021-12-13 15:28:46 -05:00
$ gpg --verify /home/pi/.local/bin/qr-backup.sh.asc
2021-04-15 12:53:41 -04:00
gpg: assuming signed data in '/home/pi/.local/bin/qr-backup.sh'
2021-04-19 10:28:02 -04:00
gpg: Signature made Sun 18 Apr 2021 19:03:07 EDT
2021-04-15 12:53:41 -04:00
gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305
gpg: Good signature from "Sun Knudsen < hello @sunknudsen .com > " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B
Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305
$ chmod 700 /home/pi/.local/bin/qr-backup.sh
2021-02-24 06:18:01 -05:00
```
2021-04-15 12:53:41 -04:00
Primary key fingerprint matches [published ](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint ) fingerprints
2021-02-24 06:18:01 -05:00
2021-04-15 12:53:41 -04:00
👍
Good signature
👍
2021-05-21 14:01:15 -04:00
### Step 15: download and verify [qr-restore.sh](./qr-restore.sh)
2021-04-15 12:53:41 -04:00
```console
2021-12-13 10:58:47 -05:00
$ curl --fail --output /home/pi/.local/bin/qr-restore.sh https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/qr-restore.sh
2021-04-15 12:53:41 -04:00
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1904 100 1904 0 0 1715 0 0:00:01 0:00:01 --:--:-- 1715
2021-12-13 15:28:46 -05:00
$ curl --fail --output /home/pi/.local/bin/qr-restore.sh.asc https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/qr-restore.sh.asc
2021-04-15 12:53:41 -04:00
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 833 100 833 0 0 908 0 --:--:-- --:--:-- --:--:-- 908
2021-12-13 15:28:46 -05:00
$ gpg --verify /home/pi/.local/bin/qr-restore.sh.asc
2021-04-15 12:53:41 -04:00
gpg: assuming signed data in '/home/pi/.local/bin/qr-restore.sh'
2021-04-19 10:28:02 -04:00
gpg: Signature made Sun 18 Apr 2021 18:47:17 EDT
2021-04-15 12:53:41 -04:00
gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305
gpg: Good signature from "Sun Knudsen < hello @sunknudsen .com > " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B
Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305
$ chmod 700 /home/pi/.local/bin/qr-restore.sh
2021-02-24 06:18:01 -05:00
```
2021-04-15 12:53:41 -04:00
Primary key fingerprint matches [published ](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint ) fingerprints
2021-03-02 16:46:45 -05:00
2021-04-15 12:53:41 -04:00
👍
Good signature
👍
2021-05-21 14:01:15 -04:00
### Step 16: download and verify [qr-clone.sh](./qr-clone.sh)
2021-04-15 12:53:41 -04:00
```console
2021-12-13 10:58:47 -05:00
$ curl --fail --output /home/pi/.local/bin/qr-clone.sh https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/qr-clone.sh
2021-04-15 12:53:41 -04:00
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 481 100 481 0 0 440 0 0:00:01 0:00:01 --:--:-- 440
2021-12-13 15:28:46 -05:00
$ curl --fail --output /home/pi/.local/bin/qr-clone.sh.asc https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/qr-clone.sh.asc
2021-04-15 12:53:41 -04:00
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 833 100 833 0 0 783 0 0:00:01 0:00:01 --:--:-- 784
2021-12-13 15:28:46 -05:00
$ gpg --verify /home/pi/.local/bin/qr-clone.sh.asc
2021-04-15 12:53:41 -04:00
gpg: assuming signed data in '/home/pi/.local/bin/qr-clone.sh'
2021-04-19 10:28:02 -04:00
gpg: Signature made Sat 17 Apr 2021 15:37:07 EDT
2021-04-15 12:53:41 -04:00
gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305
gpg: Good signature from "Sun Knudsen < hello @sunknudsen .com > " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B
Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305
$ chmod 700 /home/pi/.local/bin/qr-clone.sh
```
Primary key fingerprint matches [published ](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint ) fingerprints
👍
Good signature
👍
2021-05-21 14:01:15 -04:00
### Step 17: download and verify [secure-erase.sh](./secure-erase.sh)
2021-04-15 12:53:41 -04:00
```console
2021-12-13 10:58:47 -05:00
$ curl --fail --output /home/pi/.local/bin/secure-erase.sh https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/secure-erase.sh
2021-04-15 12:53:41 -04:00
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
2021-06-06 10:12:01 -04:00
100 1350 100 1350 0 0 992 0 0:00:01 0:00:01 --:--:-- 992
2021-04-15 12:53:41 -04:00
2021-12-13 15:28:46 -05:00
$ curl --fail --output /home/pi/.local/bin/secure-erase.sh.asc https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/secure-erase.sh.asc
2021-04-15 12:53:41 -04:00
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
2021-06-06 10:12:01 -04:00
100 833 100 833 0 0 805 0 0:00:01 0:00:01 --:--:-- 805
2021-04-15 12:53:41 -04:00
2021-12-13 15:28:46 -05:00
$ gpg --verify /home/pi/.local/bin/secure-erase.sh.asc
2021-04-15 12:53:41 -04:00
gpg: assuming signed data in '/home/pi/.local/bin/secure-erase.sh'
2021-06-06 10:12:01 -04:00
gpg: Signature made Thu 03 Jun 2021 19:34:35 BST
2021-04-15 12:53:41 -04:00
gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305
gpg: Good signature from "Sun Knudsen < hello @sunknudsen .com > " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B
Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305
$ chmod 700 /home/pi/.local/bin/secure-erase.sh
2021-03-02 16:46:45 -05:00
```
2021-04-15 12:53:41 -04:00
Primary key fingerprint matches [published ](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint ) fingerprints
👍
Good signature
👍
2021-05-21 14:01:15 -04:00
### Step 18: download and verify [trezor-verify-integrity.sh](./trezor-verify-integrity.sh) (used to verify integrity of Trezor devices)
2021-04-21 09:45:19 -04:00
```console
2021-12-13 10:58:47 -05:00
$ curl --fail --output /home/pi/.local/bin/trezor-verify-integrity.sh https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/trezor-verify-integrity.sh
2021-04-21 09:45:19 -04:00
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1283 100 1283 0 0 1189 0 0:00:01 0:00:01 --:--:-- 1189
2021-12-13 15:28:46 -05:00
$ curl --fail --output /home/pi/.local/bin/trezor-verify-integrity.sh.asc https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/trezor-verify-integrity.sh.asc
2021-04-21 09:45:19 -04:00
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 833 100 833 0 0 944 0 --:--:-- --:--:-- --:--:-- 944
2021-12-13 15:28:46 -05:00
$ gpg --verify /home/pi/.local/bin/trezor-verify-integrity.sh.asc
2021-04-21 09:45:19 -04:00
gpg: assuming signed data in '/home/pi/.local/bin/trezor-verify-integrity.sh'
2021-04-22 09:33:45 -04:00
gpg: Signature made Thu Apr 22 09:13:56 2021 EDT
2021-04-21 09:45:19 -04:00
gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305
gpg: Good signature from "Sun Knudsen < hello @sunknudsen .com > " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B
Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305
$ chmod 700 /home/pi/.local/bin/trezor-verify-integrity.sh
```
Primary key fingerprint matches [published ](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint ) fingerprints
2021-04-22 09:33:45 -04:00
👍
Good signature
👍
2021-05-21 14:01:15 -04:00
### Step 19: download and verify [trezor-restore.sh](./trezor-restore.sh) (used to restore Trezor devices)
2021-04-22 09:33:45 -04:00
```console
2021-12-13 10:58:47 -05:00
$ curl --fail --output /home/pi/.local/bin/trezor-restore.sh https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/trezor-restore.sh
2021-04-22 09:33:45 -04:00
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1283 100 1283 0 0 1189 0 0:00:01 0:00:01 --:--:-- 1189
2021-12-13 15:28:46 -05:00
$ curl --fail --output /home/pi/.local/bin/trezor-restore.sh.asc https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/trezor-restore.sh.asc
2021-04-22 09:33:45 -04:00
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 833 100 833 0 0 944 0 --:--:-- --:--:-- --:--:-- 944
2021-12-13 15:28:46 -05:00
$ gpg --verify /home/pi/.local/bin/trezor-restore.sh.asc
2021-04-22 09:33:45 -04:00
gpg: assuming signed data in '/home/pi/.local/bin/trezor-restore.sh'
gpg: Signature made Thu Apr 22 09:14:04 2021 EDT
gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305
gpg: Good signature from "Sun Knudsen < hello @sunknudsen .com > " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B
Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305
$ chmod 700 /home/pi/.local/bin/trezor-restore.sh
```
Primary key fingerprint matches [published ](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint ) fingerprints
2021-04-21 09:45:19 -04:00
👍
Good signature
👍
2021-07-05 14:58:28 -04:00
### Step 20: download and verify [update.sh](./update.sh)
2021-06-06 10:12:01 -04:00
```console
2021-12-13 10:58:47 -05:00
$ curl --fail --output /home/pi/.local/bin/update.sh https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/update.sh
2021-06-06 10:12:01 -04:00
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1494 100 1494 0 0 1498 0 --:--:-- --:--:-- --:--:-- 149
2021-12-13 15:28:46 -05:00
$ curl --fail --output /home/pi/.local/bin/update.sh.asc https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/update.sh.asc
2021-06-06 10:12:01 -04:00
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 833 100 833 0 0 929 0 --:--:-- --:--:-- --:--:-- 928
2021-12-13 15:28:46 -05:00
$ gpg --verify /home/pi/.local/bin/update.sh.asc
2021-06-06 10:12:01 -04:00
gpg: assuming signed data in '/home/pi/.local/bin/update.sh'
gpg: Signature made Sat 05 Jun 2021 16:01:37 BST
gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305
gpg: Good signature from "Sun Knudsen < hello @sunknudsen .com > " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B
Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305
$ chmod 700 /home/pi/.local/bin/update.sh
```
Primary key fingerprint matches [published ](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint ) fingerprints
👍
Good signature
👍
### Step 21: make filesystem read-only
2021-03-03 15:10:07 -05:00
> Heads-up: shout-out to Nico Kaiser for his amazing [guide](https://gist.github.com/nicokaiser/08aa5b7b3958f171cf61549b70e8a34b) on how to configure a read-only Raspberry Pi.
#### Disable swap
2021-04-22 11:59:21 -04:00
```console
$ sudo dphys-swapfile swapoff
$ sudo dphys-swapfile uninstall
$ sudo systemctl disable dphys-swapfile.service
2021-03-03 15:10:07 -05:00
```
2021-05-21 14:02:00 -04:00
#### Remove `dphys-swapfile`, `fake-hwclock` and `logrotate`
2021-03-03 15:10:07 -05:00
```shell
sudo apt remove -y --purge dphys-swapfile fake-hwclock logrotate
```
#### Link `/etc/console-setup` to `/tmp/console-setup`
2021-04-22 11:59:21 -04:00
```console
2021-05-21 14:02:00 -04:00
$ sudo rm -fr /etc/console-setup
2021-04-22 11:59:21 -04:00
$ sudo ln -s /tmp/console-setup /etc/console-setup
2021-03-03 15:10:07 -05:00
```
2021-05-21 14:02:00 -04:00
#### Link `/home/pi/.electrum` to `/tmp/pi/.electrum`
2021-03-03 15:10:07 -05:00
2021-04-22 11:59:21 -04:00
```console
2021-05-21 14:02:00 -04:00
$ ln -s /tmp/pi/.electrum /home/pi/.electrum
2021-03-03 15:10:07 -05:00
```
#### Link `/home/pi/.gnupg` to `/tmp/pi/.gnupg`
2021-04-22 11:59:21 -04:00
```console
2021-05-21 14:02:00 -04:00
$ rm -fr /home/pi/.gnupg
2021-04-22 11:59:21 -04:00
$ ln -s /tmp/pi/.gnupg /home/pi/.gnupg
2021-03-03 15:10:07 -05:00
```
2021-03-04 11:09:01 -05:00
#### Enable `tmp.mount` service
2021-03-03 15:10:07 -05:00
2021-04-22 11:59:21 -04:00
```console
2021-05-21 14:02:00 -04:00
$ echo -e "D /tmp 1777 root root -\nD /tmp/console-setup 1700 root root -\nD /tmp/pi 1700 pi pi -\nD /tmp/pi/.electrum 1700 pi pi -\nD /tmp/pi/.gnupg 1700 pi pi -\nD /var/tmp 1777 root root -" | sudo tee /etc/tmpfiles.d/tmp.conf
2021-04-22 11:59:21 -04:00
$ sudo cp /usr/share/systemd/tmp.mount /etc/systemd/system/
$ sudo systemctl enable tmp.mount
2021-03-03 15:10:07 -05:00
```
#### Edit `/boot/cmdline.txt`
2021-03-02 17:19:42 -05:00
2021-04-22 11:59:21 -04:00
```console
$ sudo cp /boot/cmdline.txt /boot/cmdline.txt.backup
$ sudo sed -i 's/fsck.repair=yes/fsck.repair=skip/' /boot/cmdline.txt
$ sudo sed -i '$ s/$/ fastboot noswap ro systemd.volatile=state/' /boot/cmdline.txt
2021-03-03 15:10:07 -05:00
```
#### Edit `/etc/fstab`
2021-04-22 11:59:21 -04:00
```console
$ sudo cp /etc/fstab /etc/fstab.backup
$ sudo sed -i -e 's/vfat\s*defaults\s/vfat defaults,ro/' /etc/fstab
$ sudo sed -i -e 's/ext4\s*defaults,noatime\s/ext4 defaults,noatime,ro,noload/' /etc/fstab
2021-03-03 15:10:07 -05:00
```
2021-06-06 10:12:01 -04:00
### Step 22: disable Wi-Fi (if not using ethernet)
2021-03-03 15:10:07 -05:00
```shell
2021-03-04 11:09:01 -05:00
echo "dtoverlay=disable-wifi" | sudo tee -a /boot/config.txt
2021-03-03 15:10:07 -05:00
```
2021-06-06 10:12:01 -04:00
### Step 23: disable `dhcpcd`, `networking` and `wpa_supplicant` services and “fix” `rfkill` bug
2021-03-02 17:19:42 -05:00
2021-03-04 11:44:37 -05:00
```console
$ sudo systemctl disable dhcpcd networking wpa_supplicant
$ sudo rm /etc/profile.d/wifi-check.sh
2021-03-02 17:19:42 -05:00
```
2021-06-06 10:12:01 -04:00
### Step 24: delete macOS hidden files (if present)
2021-03-04 09:23:37 -05:00
```shell
2021-03-04 11:09:01 -05:00
sudo rm -fr /boot/.fseventsd /boot/.DS_Store /boot/.Spotlight-V100
2021-03-04 09:23:37 -05:00
```
2021-06-06 10:12:01 -04:00
### Step 25: reboot
2021-02-24 06:18:01 -05:00
```shell
2021-03-05 10:33:51 -05:00
sudo systemctl reboot
2021-02-24 06:18:01 -05:00
```
2021-05-11 21:25:58 +02:00
> WARNING: DO NOT CONNECT RASPBERRY PI TO NETWORK EVER AGAIN WITHOUT REINSTALLING RASPBERRY PI OS FIRST (DEVICE IS NOW “READ-ONLY” AND “COLD”).
2021-03-03 15:10:07 -05:00
2021-06-06 10:12:01 -04:00
### Step 26 (optional): disable auto-mount of `boot` volume (on macOS)
2021-04-21 09:45:19 -04:00
2021-06-10 07:13:10 -04:00
> Heads-up: done to prevent macOS from writing [hidden files](#step-24-delete-macos-hidden-files-if-present) to `boot` volume which would invalidate stored SHA512 hash of microSD card.
2021-04-21 09:45:19 -04:00
2021-06-10 07:13:10 -04:00
#### Enable read-only mode using switch on microSD to SD adapter
2021-03-03 15:10:07 -05:00
2021-04-21 09:45:19 -04:00
2021-03-03 18:36:34 -05:00
2021-06-10 07:13:10 -04:00
#### Insert microSD card into adapter and insert adapter into computer
2021-04-21 09:45:19 -04:00
2021-06-10 07:13:10 -04:00
#### Run following and eject microSD card
2021-03-03 18:36:34 -05:00
```shell
volume_path="/Volumes/boot"
2021-03-16 14:23:21 -04:00
volume_uuid=$(diskutil info "$volume_path" | awk '/Volume UUID:/ { print $3 }')
2021-04-19 14:55:32 -04:00
echo "UUID=$volume_uuid none msdos ro,noauto" | sudo tee -a /etc/fstab
2021-03-03 18:36:34 -05:00
```
2021-06-06 10:12:01 -04:00
### Step 27 (optional): compute SHA512 hash of SD card and store in password manager (on macOS)
2021-03-03 18:36:34 -05:00
2021-06-10 07:13:10 -04:00
Run `diskutil list` to find disk ID of microSD card with “Raspberry Pi OS Lite” installed (`disk2` in the following example).
2021-03-03 15:10:07 -05:00
2021-04-19 14:55:32 -04:00
Replace `diskn` and `rdiskn` with disk ID of SD card (`disk2` and `rdisk2` in the following example).
2021-03-03 15:10:07 -05:00
```console
$ diskutil list
/dev/disk0 (internal, physical):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *500.3 GB disk0
1: EFI EFI 209.7 MB disk0s1
2: Apple_APFS Container disk1 500.1 GB disk0s2
/dev/disk1 (synthesized):
#: TYPE NAME SIZE IDENTIFIER
0: APFS Container Scheme - +500.1 GB disk1
Physical Store disk0s2
1: APFS Volume Macintosh HD - Data 340.9 GB disk1s1
2: APFS Volume Preboot 85.9 MB disk1s2
3: APFS Volume Recovery 529.0 MB disk1s3
4: APFS Volume VM 3.2 GB disk1s4
5: APFS Volume Macintosh HD 11.3 GB disk1s5
/dev/disk2 (internal, physical):
#: TYPE NAME SIZE IDENTIFIER
0: FDisk_partition_scheme *15.9 GB disk2
1: Windows_FAT_32 boot 268.4 MB disk2s1
2: Linux 15.7 GB disk2s2
2021-03-04 11:44:37 -05:00
$ sudo diskutil unmountDisk /dev/diskn
2021-03-03 15:10:07 -05:00
Unmount of all volumes on disk2 was successful
2021-03-04 11:44:37 -05:00
$ sudo openssl dgst -sha512 /dev/rdiskn
2021-03-03 18:36:34 -05:00
SHA512(/dev/rdisk2)= 353af7e9bd78d7d98875f0e2a58da3d7cdfc494f2ab5474b2ab4a8fd212ac6a37c996d54f6c650838adb61e4b30801bcf1150081f6dbb51998cf33a74fa7f0fe
2021-03-03 15:10:07 -05:00
```
2021-02-24 06:18:01 -05:00
👍
---
## Usage guide
### Create encrypted paper backup
2021-03-02 16:44:24 -05:00
```console
$ qr-backup.sh --help
Usage: qr-backup.sh [options]
Options:
2021-04-09 13:57:09 -04:00
--create-bip39-mnemonic create BIP39 mnemonic
--create-electrum-mnemonic create Electrum mnemonic
--validate-bip39-mnemonic validate if secret is valid BIP39 mnemonic
2021-04-15 12:53:41 -04:00
--shamir-secret-sharing split secret using Shamir Secret Sharing
--number-of-shares number of shares (defaults to 5)
--share-threshold shares required to access secret (defaults to 3)
2021-04-15 19:41:12 -04:00
--no-qr disable show SHA512 hash as QR code prompt
2021-04-09 13:57:09 -04:00
--label < label > print label after short hash
-h, --help display help for command
2021-03-02 16:44:24 -05:00
$ qr-backup.sh
2021-04-21 09:45:19 -04:00
Format USB flash drive (y or n)?
2021-03-02 16:44:24 -05:00
y
mkfs.fat 4.1 (2017-01-24)
2021-04-21 09:45:19 -04:00
Please type secret and press enter, then ctrl+d (again)
2021-03-02 16:44:24 -05:00
this is a test yo
2021-04-21 09:45:19 -04:00
Please type passphrase and press enter
Please type passphrase and press enter (again)
Show passphrase (y or n)?
n
Encrypting secret…
2021-03-02 16:44:24 -05:00
-----BEGIN PGP MESSAGE-----
2021-04-21 09:45:19 -04:00
jA0ECQMKkp57QW3BWCD/0kUBFlMcOcvR1PPNf+SEXrHKsNgpmAadIHyf+1SGDSLl
AidLaa1d1+V5vFQowNv/6IyN+nDe/bS+qTFdPI5PptW+rVg+Rw0=
=dWxd
2021-03-02 16:44:24 -05:00
-----END PGP MESSAGE-----
2021-04-21 09:45:19 -04:00
SHA512 hash: 0ed162fe43bedf052f5af54e0dc3861ec87b579d1b8f28d85daa93c8316546cf997cd5656a69baa41fbf65b25f1a9fe7626504d480c4103903d32536b61d715a
SHA512 short hash: 0ed162fe
Show SHA512 hash as QR code (y or n)?
2021-03-02 16:44:24 -05:00
n
Done
2021-02-24 06:18:01 -05:00
```
2021-03-25 06:38:48 -04:00
Done
👍
2021-03-02 16:44:24 -05:00
The following image is now available on USB flash drive.
2021-04-21 09:45:19 -04:00
2021-03-02 16:44:24 -05:00
2021-02-24 06:18:01 -05:00
### Restore encrypted paper backup
2021-02-25 15:00:00 -05:00
> Heads-up: use `--word-list` to split secret into word list.
2021-02-25 14:03:38 -05:00
2021-03-02 16:44:24 -05:00
```console
2021-04-09 13:57:09 -04:00
$ qr-restore.sh --help
2021-03-02 16:44:24 -05:00
Usage: qr-restore.sh [options]
Options:
2021-04-15 19:41:12 -04:00
--shamir-secret-sharing combine secret using Shamir Secret Sharing
2021-04-15 12:53:41 -04:00
--share-threshold shares required to access secret (defaults to 3)
--word-list split secret into word list
-h, --help display help for command
2021-03-02 16:44:24 -05:00
$ qr-restore.sh
2021-04-21 09:45:19 -04:00
Scanning QR code…
2021-03-02 16:44:24 -05:00
-----BEGIN PGP MESSAGE-----
2021-04-21 09:45:19 -04:00
jA0ECQMKkp57QW3BWCD/0kUBFlMcOcvR1PPNf+SEXrHKsNgpmAadIHyf+1SGDSLl
AidLaa1d1+V5vFQowNv/6IyN+nDe/bS+qTFdPI5PptW+rVg+Rw0=
=dWxd
2021-03-02 16:44:24 -05:00
-----END PGP MESSAGE-----
2021-04-21 09:45:19 -04:00
SHA512 hash: 0ed162fe43bedf052f5af54e0dc3861ec87b579d1b8f28d85daa93c8316546cf997cd5656a69baa41fbf65b25f1a9fe7626504d480c4103903d32536b61d715a
SHA512 short hash: 0ed162fe
Please type passphrase and press enter
2021-03-02 16:44:24 -05:00
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
2021-04-21 09:45:19 -04:00
Show secret (y or n)?
y
Secret:
this is a test yo
2021-03-02 16:44:24 -05:00
Done
2021-02-24 06:18:01 -05:00
```
2021-03-25 06:38:48 -04:00
Done
👍
2021-02-24 06:18:01 -05:00
### Clone encrypted paper backup
2021-03-02 16:44:24 -05:00
```console
$ qr-clone.sh --help
Usage: qr-clone.sh [options]
Options:
2021-04-15 19:41:12 -04:00
--duplicate duplicate content
--qr-restore-options see `qr-restore.sh --help`
--qr-backup-options see `qr-backup.sh --help`
-h, --help display help for command
2021-03-02 16:44:24 -05:00
$ qr-clone.sh
2021-04-21 09:45:19 -04:00
Restoring…
Scanning QR code…
2021-03-02 16:44:24 -05:00
-----BEGIN PGP MESSAGE-----
2021-04-21 09:45:19 -04:00
jA0ECQMKkp57QW3BWCD/0kUBFlMcOcvR1PPNf+SEXrHKsNgpmAadIHyf+1SGDSLl
AidLaa1d1+V5vFQowNv/6IyN+nDe/bS+qTFdPI5PptW+rVg+Rw0=
=dWxd
2021-03-02 16:44:24 -05:00
-----END PGP MESSAGE-----
2021-04-21 09:45:19 -04:00
SHA512 hash: 0ed162fe43bedf052f5af54e0dc3861ec87b579d1b8f28d85daa93c8316546cf997cd5656a69baa41fbf65b25f1a9fe7626504d480c4103903d32536b61d715a
SHA512 short hash: 0ed162fe
Please type passphrase and press enter
2021-03-02 16:44:24 -05:00
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
2021-04-21 09:45:19 -04:00
Show secret (y or n)?
n
2021-03-02 16:44:24 -05:00
Done
Backing up…
2021-04-21 09:45:19 -04:00
Format USB flash drive (y or n)?
2021-03-02 16:44:24 -05:00
y
mkfs.fat 4.1 (2017-01-24)
2021-04-21 09:45:19 -04:00
Please type passphrase and press enter
Please type passphrase and press enter (again)
Show passphrase (y or n)?
n
Encrypting secret…
2021-03-02 16:44:24 -05:00
-----BEGIN PGP MESSAGE-----
2021-04-21 09:45:19 -04:00
jA0ECQMKx+JfTW34bTr/0kUBtxsz8phqCf3sSzUHqR/n2wGfZJka5hvt7vE/PQdm
rXRpJmlufEyx4t1XXIidQbQjGGm11BXHjBQwhsgMSKC++NAr/PE=
=DFgX
2021-03-02 16:44:24 -05:00
-----END PGP MESSAGE-----
2021-04-21 09:45:19 -04:00
SHA512 hash: 305ca16cbcd23f782050c2ae5b0f440f549340b9d95826df2f4259100e12d4da076468a4e167070307e26b714de1587ba4d9828dbcebfd9af2e6ee345c56bd60
SHA512 short hash: 305ca16c
Show SHA512 hash as QR code (y or n)?
2021-03-02 16:44:24 -05:00
n
Done
```
2021-03-25 06:38:48 -04:00
Done
👍
2021-03-02 16:44:24 -05:00
The following image is now available on USB flash drive.
2021-04-21 09:45:19 -04:00
2021-03-02 16:44:24 -05:00
### Secure erase flash drive
```console
$ secure-erase.sh --help
Usage: secure-erase.sh [options]
Options:
2021-03-06 15:07:57 -05:00
--rounds < rounds > overwrite n times (defauls to 3)
--zero overwrite with zeros obfuscating secure erase
-h, --help display help for command
2021-03-02 16:44:24 -05:00
$ secure-erase.sh
2021-04-21 09:45:19 -04:00
Secure erase USB flash drive (y or n)?
2021-03-02 16:44:24 -05:00
y
2021-04-21 09:45:19 -04:00
Overwriting with random data… (round 1 of 3)
2021-03-02 16:44:24 -05:00
dd: error writing '/dev/sda1': No space left on device
1868+0 records in
1867+0 records out
2021-04-21 09:45:19 -04:00
1957691392 bytes (2.0 GB, 1.8 GiB) copied, 180.327 s, 10.9 MB/s
Overwriting with random data… (round 2 of 3)
2021-03-02 16:44:24 -05:00
dd: error writing '/dev/sda1': No space left on device
1868+0 records in
1867+0 records out
2021-04-21 09:45:19 -04:00
1957691392 bytes (2.0 GB, 1.8 GiB) copied, 179.563 s, 10.9 MB/s
Overwriting with random data… (round 3 of 3)
2021-03-02 16:44:24 -05:00
dd: error writing '/dev/sda1': No space left on device
1868+0 records in
1867+0 records out
2021-04-21 09:45:19 -04:00
1957691392 bytes (2.0 GB, 1.8 GiB) copied, 179.09 s, 10.9 MB/s
2021-03-02 16:44:24 -05:00
Done
2021-02-24 06:18:01 -05:00
```
2021-03-25 06:38:48 -04:00
Done
2021-02-24 06:18:01 -05:00
👍
