Improved encrypted paper backup guide

Added secret confirmation, BIP39 test and word split features

how-to-create-encrypted-paper-backup/README.md

@@ -122,12 +122,16 @@ sudo systemctl reboot
 
 ### Create encrypted paper backup
 
+> Heads-up: use `--bip39` to test secret against BIP39 [dictionary](https://raw.githubusercontent.com/bitcoin/bips/master/bip-0039/english.txt).
+
 ```shell
 qr-backup.sh
 ```
 
 ### Restore encrypted paper backup
 
+> Heads-up: use `--split-words` to split secret into word list.
+
 ```shell
 qr-restore.sh
 ```

how-to-create-encrypted-paper-backup/qr-backup.sh

@@ -2,23 +2,54 @@
 
 set -e
 
+positional=()
+while [[ $# -gt 0 ]]; do
+  argument="$1"
+  case $argument in
+    --bip39)
+    bip39=true
+    shift
+    ;;
+    *)
+    positional+=("$1")
+    shift
+    ;;
+  esac
+done
+
+set -- "${positional[@]}"
+
 bold=$(tput bold)
 red=$(tput setaf 1)
 normal=$(tput sgr0)
 
+basedir=$(dirname "$0")
+
 dev="/dev/sda1"
 tmp="/home/pi/tmp"
 usb="/home/pi/usb"
 
-waitForUsb () {
+tput reset
+
+waitForUsbThumbDrive () {
   if [ ! -e $dev ]; then
     printf "Insert USB thumb drive and press enter"
     read -r confirmation
-    waitForUsb
+    waitForUsbThumbDrive
   fi
 }
 
-waitForUsb
+waitForUsbThumbDrive
+
+printf "%s\n" "Format USB thumb drive? (y or n)? "
+
+read -r answer
+if [ "$answer" = "y" ]; then
+  if mount | grep $usb > /dev/null; then
+    sudo umount $dev
+  fi
+  sudo mkfs -t vfat $dev
+fi
 
 sudo mkdir -p $tmp
 if ! mount | grep $tmp > /dev/null; then
@@ -31,8 +62,37 @@ if ! mount | grep $usb > /dev/null; then
 fi
 
 if [ -z $secret ]; then
+  tput sc
   printf "%s\n" "Type secret and press enter"
   read -r secret
+  tput rc
+  tput ed
+  printf "%s\n" "Type secret and press enter (again)"
+  read -r secret_confirmation
+  if [ ! "$secret" = "$secret_confirmation" ]; then
+    printf "$red%s$normal\n" "Secrets do not match"
+    exit 1
+  fi
+fi
+
+function exists {
+  bip39_words=($(cat "$basedir/bip39.txt"))
+  for bip39_word in ${bip39_words[@]}; do
+    if [ "$bip39_word" = "$1" ]; then
+      return 0
+    fi
+  done
+  return 1
+}
+
+if [ "$bip39" = true ]; then
+  words=($secret)
+  for word in ${words[@]}; do
+    if ! exists $word; then
+      printf "$red%s$normal\n" "Invalid word $bold$word$normal"
+      exit 1
+    fi
+  done
 fi
 
 encrypted_secret=$(echo -n "$secret" | gpg --s2k-mode 3 --s2k-count 65011712 --s2k-digest-algo sha512 --cipher-algo AES256 --symmetric --armor)

how-to-create-encrypted-paper-backup/qr-restore.sh

@@ -1,11 +1,28 @@
 #! /bin/bash
 
+set -e
+
+positional=()
+while [[ $# -gt 0 ]]; do
+  argument="$1"
+  case $argument in
+    --split-words)
+    split_words=true
+    shift
+    ;;
+    *)
+    positional+=("$1")
+    shift
+    ;;
+  esac
+done
+
+set -- "${positional[@]}"
+
 bold=$(tput bold)
 red=$(tput setaf 1)
 normal=$(tput sgr0)
 
-set -e
-
 printf "%s\n" "Scan QR code…"
 
 data=""
@@ -37,7 +54,17 @@ read -r answer
 if [ "$answer" = "y" ]; then
   secret=$(echo -e "$encrypted_secret" | gpg --decrypt)
   gpg-connect-agent reloadagent /bye > /dev/null 2>&1
-  printf "Secret: $bold%s$normal\n" "$secret"
+  if [ "$split_words" = true ]; then
+    printf "%s" "Secret: "
+    array=($secret)
+    for i in ${!array[@]}; do
+      position=$(($i + 1))
+      printf "%s" "$position.$bold${array[$i]}$normal "
+    done
+    printf "\n"
+  else
+    printf "Secret: $bold%s$normal\n" "$secret"
+  fi
 fi
 
 printf "%s\n" "Done"