From 1965eca7f6da7a06ac2db9fa19e6f0e60d6c25de Mon Sep 17 00:00:00 2001 From: Sun Knudsen Date: Mon, 10 Jan 2022 08:16:25 -0500 Subject: [PATCH] Refactored guide, implemented ckcc and passphraseme and deprecated Electrum --- .../README.md | 531 +++++++----------- .../cleanup.sh | 20 +- .../cleanup.sh.asc | 16 - .../create-bip39-mnemonic.py.asc | 17 +- .../pack.sh.asc | 17 +- .../qr-backup.sh | 36 +- .../qr-backup.sh.asc | 17 +- .../qr-clone.sh.asc | 17 +- .../qr-restore.sh.asc | 17 +- .../secure-erase.sh.asc | 17 +- how-to-create-encrypted-paper-backup/test.sh | 2 +- .../tests/bip39.exp | 14 +- .../tests/electrum.exp | 32 -- .../tests/passphrase.exp | 61 ++ .../tmux-buttons.py.asc | 17 +- .../trezor-restore.sh.asc | 17 +- .../trezor-verify-integrity.sh.asc | 17 +- .../update.sh.asc | 17 +- .../validate-bip39-mnemonic.py.asc | 17 +- 19 files changed, 351 insertions(+), 548 deletions(-) delete mode 100644 how-to-create-encrypted-paper-backup/cleanup.sh.asc delete mode 100644 how-to-create-encrypted-paper-backup/tests/electrum.exp create mode 100644 how-to-create-encrypted-paper-backup/tests/passphrase.exp diff --git a/how-to-create-encrypted-paper-backup/README.md b/how-to-create-encrypted-paper-backup/README.md index 83aa431..535ba21 100644 --- a/how-to-create-encrypted-paper-backup/README.md +++ b/how-to-create-encrypted-paper-backup/README.md @@ -29,10 +29,10 @@ Listed: true ### Step 1: log in to Raspberry Pi -Replace `10.0.1.248` with IP of Raspberry Pi. +Replace `10.0.1.181` with IP of Raspberry Pi. ```shell -ssh pi@10.0.1.248 -i ~/.ssh/pi +ssh pi@10.0.1.181 -i ~/.ssh/pi ``` ### Step 2: configure console font @@ -55,105 +55,45 @@ sudo raspi-config Select “Localisation Options”, then “Keyboard”, then “Generic 105-key PC (intl.)”, then “Other”, then “English (US)”, then “English (US)”, then “The default for the keyboard layout”, then “No compose key” and finally “Finish”. -### Step 4: install dependencies available on repositories +### Step 4: install dependencies ```console $ sudo apt update -$ sudo apt install -y bc expect fim imagemagick python3-pip python3-rpi.gpio - -$ pip3 install --user mnemonic pillow qrcode +$ sudo apt install -y bc expect fim git imagemagick python3-pip python3-rpi.gpio tmux zbar-tools $ echo -e "export GPG_TTY=\"\$(tty)\"\nexport PATH=\$PATH:/home/pi/.local/bin" >> ~/.bashrc $ source ~/.bashrc ``` -### Step 5 (optional): install [Adafruit PiTFT monitor](https://www.adafruit.com/product/2423) drivers and disable console auto login - -#### Install Adafruit PiTFT monitor drivers - -> Heads-up: don’t worry about `PITFT Failed to disable unit: Unit file fbcp.service does not exist.`. - -> Heads-up: when asked to reboot, type `n` and press enter. +### Step 5: install [ckcc](https://github.com/Coldcard/ckcc-protocol) (used to manage [COLDCARD](https://coldcard.com/) devices, see [docs](https://coldcardwallet.com/docs/cli)) ```console -$ sudo apt update +$ pip3 install --user ckcc-protocol[cli] -$ sudo apt install -y git python3-pip - -$ sudo pip3 install adafruit-python-shell click==7.0 - -$ git clone https://github.com/adafruit/Raspberry-Pi-Installer-Scripts.git - -$ cd Raspberry-Pi-Installer-Scripts - -$ sudo python3 adafruit-pitft.py --display=28c --rotation=90 --install-type=console - -$ cd ~ - -$ rm -fr Raspberry-Pi-Installer-Scripts +$ sudo curl --fail --output /etc/udev/rules.d/51-coinkite.rules https://raw.githubusercontent.com/Coldcard/ckcc-protocol/master/51-coinkite.rules ``` -#### Disable console auto login - -> Heads-up: when asked to reboot, select “No” and press enter. +### Step 6: install [mnemonic](https://github.com/trezor/python-mnemonic) (used to create and validate BIP39 mnemonics) ```shell -sudo raspi-config +pip3 install --user mnemonic ``` -Select “System Options”, then “Boot / Auto Login”, then “Console” and finally “Finish”. +### Step 7: install [passphraseme](https://github.com/micahflee/passphraseme) (used to create passphrases using [EFF](https://www.eff.org/dice) wordlists) -### Step 6: install [zbar](https://github.com/mchehab/zbar) from source - -#### Install zbar dependencies - -```console -$ sudo apt update - -$ sudo apt install -y autopoint build-essential git libjpeg-dev libmagickwand-dev libtool libv4l-dev +```shell +pip3 install --user passphraseme ``` -#### Clone zbar repository - -Replace `0.23.90` with [latest release](https://github.com/mchehab/zbar/releases/latest) semver. - -```console -$ cd ~ - -$ git clone https://github.com/mchehab/zbar - -$ cd zbar - -$ git checkout 0.23.90 -``` - -#### Configure, compile and install zbar - -```console -$ autoreconf -vfi - -$ ./configure --without-python - -$ make - -$ sudo make install - -$ sudo ldconfig - -$ cd ~ - -$ rm -fr zbar -``` - -### Step 7: install [sss-cli](https://github.com/dsprenkels/sss-cli) from source +### Step 8: install [sss-cli](https://github.com/dsprenkels/sss-cli) from source (used to split and join secrets using Shamir Secret Sharing) #### Install [Rust](https://www.rust-lang.org/) > Heads-up: when asked for installation option, select “Proceed with installation (default)”. -```shell +```console $ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh $ source ~/.bashrc @@ -167,135 +107,70 @@ $ cargo install --git https://github.com/dsprenkels/sss-cli --branch v0.1 $ cp ~/.cargo/bin/secret-share* ~/.local/bin/ ``` -### Step 8: install [Electrum](https://electrum.org/#home) (used to generate Electrum mnemonics) - -#### Install Electrum dependencies - -```shell -$ sudo apt update - -$ sudo apt install -y libsecp256k1-0 python3-cryptography -``` - -#### Import ThomasV’s PGP public key +### Step 9: install [trezorctl](https://wiki.trezor.io/Using_trezorctl_commands_with_Trezor) (used to manage [Trezor](https://trezor.io/) devices, see [docs](https://wiki.trezor.io/Using_trezorctl_commands_with_Trezor)) ```console -$ curl https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc | gpg --import - % Total % Received % Xferd Average Speed Time Time Time Current - Dload Upload Total Spent Left Speed -100 4739 100 4739 0 0 22459 0 --:--:-- --:--:-- --:--:-- 22459 -gpg: /home/pi/.gnupg/trustdb.gpg: trustdb created -gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) " imported -gpg: Total number processed: 1 -gpg: imported: 1 -``` - -imported: 1 - -👍 - -#### Set Electrum release semver environment variable - -Replace `4.1.2` with [latest release](https://electrum.org/#download) semver. - -```shell -ELECTRUM_RELEASE_SEMVER=4.1.2 -``` - -#### Download Electrum release and associated PGP signature - -```shell -$ cd ~ - -$ curl --remote-name "https://download.electrum.org/$ELECTRUM_RELEASE_SEMVER/Electrum-$ELECTRUM_RELEASE_SEMVER.tar.gz" - -$ curl --remote-name "https://download.electrum.org/$ELECTRUM_RELEASE_SEMVER/Electrum-$ELECTRUM_RELEASE_SEMVER.tar.gz.asc" -``` - -#### Verify Electrum release (learn how [here](../how-to-verify-pgp-digital-signatures-using-gnupg-on-macos)) - -```console -$ gpg --verify Electrum-$ELECTRUM_RELEASE_SEMVER.tar.gz.asc -gpg: assuming signed data in 'Electrum-$ELECTRUM_RELEASE_SEMVER.tar.gz' -gpg: Signature made Thu 08 Apr 2021 09:47:30 EDT -gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 -gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown] -gpg: aka "ThomasV " [unknown] -gpg: aka "Thomas Voegtlin " [unknown] -gpg: WARNING: This key is not certified with a trusted signature! -gpg: There is no indication that the signature belongs to the owner. -Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6 -``` - -Good signature - -👍 - -#### Install Electrum - -```shell -$ pip3 install --user Electrum-$ELECTRUM_RELEASE_SEMVER.tar.gz - -$ rm Electrum-$ELECTRUM_RELEASE_SEMVER.tar.gz* -``` - -### Step 9: install `tmux` and [trezorctl](https://wiki.trezor.io/Using_trezorctl_commands_with_Trezor) (used to verify integrity of and restore [Trezor](https://trezor.io/) devices) - -```console -$ sudo apt update - -$ sudo apt install -y tmux - $ pip3 install --user attrs trezor $ sudo curl --fail --output /etc/udev/rules.d/51-trezor.rules https://data.trezor.io/udev/51-trezor.rules ``` -### Step 10: import Sun’s PGP public key (used to verify downloads below) +### Step 10: install [qrcode](https://github.com/lincolnloop/python-qrcode) (used to create QR codes) + +```shell +pip3 install --user pillow qrcode +``` + +### Step 11: import Sun’s PGP public key (used to verify downloads below) ```console -$ curl --fail --output /home/pi/sunknudsen.asc https://raw.githubusercontent.com/sunknudsen/pgp-public-key/master/legacy/sunknudsen-legacy.asc +$ curl --fail --output /home/pi/sunknudsen.asc https://sunknudsen.com/sunknudsen.asc % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 6896 100 6896 0 0 7569 0 --:--:-- --:--:-- --:--:-- 7561 +100 2070 100 2070 0 0 1653 0 0:00:01 0:00:01 --:--:-- 1653 $ gpg --import /home/pi/sunknudsen.asc -gpg: key C1323A377DE14C8B: public key "Sun Knudsen " imported +gpg: directory '/home/pi/.gnupg' created +gpg: keybox '/home/pi/.gnupg/pubring.kbx' created +gpg: key 8C9CA674C47CA060: 1 signature not checked due to a missing key +gpg: /home/pi/.gnupg/trustdb.gpg: trustdb created +gpg: key 8C9CA674C47CA060: public key "Sun Knudsen " imported gpg: Total number processed: 1 gpg: imported: 1 +gpg: no ultimately trusted keys found ``` imported: 1 👍 -### Step 11: download and verify [create-bip39-mnemonic.py](./create-bip39-mnemonic.py) +### Step 12: download and verify [create-bip39-mnemonic.py](./create-bip39-mnemonic.py) ```console $ curl --fail --output /home/pi/.local/bin/create-bip39-mnemonic.py https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/create-bip39-mnemonic.py % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 149 100 149 0 0 138 0 0:00:01 0:00:01 --:--:-- 138 +100 149 100 149 0 0 144 0 0:00:01 0:00:01 --:--:-- 144 $ curl --fail --output /home/pi/.local/bin/create-bip39-mnemonic.py.asc https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/create-bip39-mnemonic.py.asc % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 833 100 833 0 0 681 0 0:00:01 0:00:01 --:--:-- 681 +100 228 100 228 0 0 200 0 0:00:01 0:00:01 --:--:-- 200 $ gpg --verify /home/pi/.local/bin/create-bip39-mnemonic.py.asc gpg: assuming signed data in '/home/pi/.local/bin/create-bip39-mnemonic.py' -gpg: Signature made Thu 15 Apr 2021 12:54:22 EDT -gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305 +gpg: Signature made Sat 08 Jan 2022 14:33:36 EST +gpg: using EDDSA key 9C7887E1B5FCBCE2DFED0E1C02C43AD072D57783 gpg: Good signature from "Sun Knudsen " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. -Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B - Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305 +Primary key fingerprint: E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060 + Subkey fingerprint: 9C78 87E1 B5FC BCE2 DFED 0E1C 02C4 3AD0 72D5 7783 $ chmod 600 /home/pi/.local/bin/create-bip39-mnemonic.py ``` -Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint) fingerprints +Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-fingerprint) fingerprints 👍 @@ -303,33 +178,33 @@ Good signature 👍 -### Step 12: download and verify [validate-bip39-mnemonic.py](./validate-bip39-mnemonic.py) +### Step 13: download and verify [validate-bip39-mnemonic.py](./validate-bip39-mnemonic.py) ```console $ curl --fail --output /home/pi/.local/bin/validate-bip39-mnemonic.py https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/validate-bip39-mnemonic.py % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 6217 100 6217 0 0 8234 0 --:--:-- --:--:-- --:--:-- 8234 +100 183 100 183 0 0 187 0 --:--:-- --:--:-- --:--:-- 187 $ curl --fail --output /home/pi/.local/bin/validate-bip39-mnemonic.py.asc https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/validate-bip39-mnemonic.py.asc % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 6217 100 6217 0 0 10361 0 --:--:-- --:--:-- --:--:-- 10344 +100 228 100 228 0 0 113 0 0:00:02 0:00:02 --:--:-- 113 -$ gpg --verify /home/pi/.local/bin/create-bip39-mnemonic.py.asc -gpg: assuming signed data in '/home/pi/.local/bin/create-bip39-mnemonic.py' -gpg: Signature made Thu 15 Apr 2021 12:54:22 EDT -gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305 +$ gpg --verify /home/pi/.local/bin/validate-bip39-mnemonic.py.asc +gpg: assuming signed data in '/home/pi/.local/bin/validate-bip39-mnemonic.py' +gpg: Signature made Sat 08 Jan 2022 14:33:41 EST +gpg: using EDDSA key 9C7887E1B5FCBCE2DFED0E1C02C43AD072D57783 gpg: Good signature from "Sun Knudsen " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. -Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B - Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305 +Primary key fingerprint: E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060 + Subkey fingerprint: 9C78 87E1 B5FC BCE2 DFED 0E1C 02C4 3AD0 72D5 7783 $ chmod 600 /home/pi/.local/bin/validate-bip39-mnemonic.py ``` -Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint) fingerprints +Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-fingerprint) fingerprints 👍 @@ -337,33 +212,33 @@ Good signature 👍 -### Step 13: download and verify [tmux-buttons.py](./tmux-buttons.py) +### Step 14: download and verify [tmux-buttons.py](./tmux-buttons.py) ```console $ curl --fail --output /home/pi/.local/bin/tmux-buttons.py https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/tmux-buttons.py % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 149 100 149 0 0 138 0 0:00:01 0:00:01 --:--:-- 138 +100 918 100 918 0 0 897 0 0:00:01 0:00:01 --:--:-- 898 $ curl --fail --output /home/pi/.local/bin/tmux-buttons.py.asc https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/tmux-buttons.py.asc % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 833 100 833 0 0 681 0 0:00:01 0:00:01 --:--:-- 681 +100 228 100 228 0 0 213 0 0:00:01 0:00:01 --:--:-- 213 $ gpg --verify /home/pi/.local/bin/tmux-buttons.py.asc gpg: assuming signed data in '/home/pi/.local/bin/tmux-buttons.py' -gpg: Signature made Thu Apr 22 09:13:47 2021 EDT -gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305 +gpg: Signature made Sat 08 Jan 2022 14:33:39 EST +gpg: using EDDSA key 9C7887E1B5FCBCE2DFED0E1C02C43AD072D57783 gpg: Good signature from "Sun Knudsen " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. -Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B - Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305 +Primary key fingerprint: E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060 + Subkey fingerprint: 9C78 87E1 B5FC BCE2 DFED 0E1C 02C4 3AD0 72D5 7783 $ chmod 600 /home/pi/.local/bin/tmux-buttons.py ``` -Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint) fingerprints +Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-fingerprint) fingerprints 👍 @@ -371,33 +246,33 @@ Good signature 👍 -### Step 14: download and verify [qr-backup.sh](./qr-backup.sh) +### Step 15: download and verify [qr-backup.sh](./qr-backup.sh) ```console $ curl --fail --output /home/pi/.local/bin/qr-backup.sh https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/qr-backup.sh % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 3956 100 3956 0 0 3971 0 --:--:-- --:--:-- --:--:-- 3967 +100 8225 100 8225 0 0 7679 0 0:00:01 0:00:01 --:--:-- 7686 $ curl --fail --output /home/pi/.local/bin/qr-backup.sh.asc https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/qr-backup.sh.asc % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 833 100 833 0 0 620 0 0:00:01 0:00:01 --:--:-- 620 +100 228 100 228 0 0 259 0 --:--:-- --:--:-- --:--:-- 258 $ gpg --verify /home/pi/.local/bin/qr-backup.sh.asc gpg: assuming signed data in '/home/pi/.local/bin/qr-backup.sh' -gpg: Signature made Sun 18 Apr 2021 19:03:07 EDT -gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305 +gpg: Signature made Sat 08 Jan 2022 14:33:53 EST +gpg: using EDDSA key 9C7887E1B5FCBCE2DFED0E1C02C43AD072D57783 gpg: Good signature from "Sun Knudsen " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. -Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B - Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305 +Primary key fingerprint: E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060 + Subkey fingerprint: 9C78 87E1 B5FC BCE2 DFED 0E1C 02C4 3AD0 72D5 7783 $ chmod 700 /home/pi/.local/bin/qr-backup.sh ``` -Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint) fingerprints +Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-fingerprint) fingerprints 👍 @@ -405,33 +280,33 @@ Good signature 👍 -### Step 15: download and verify [qr-restore.sh](./qr-restore.sh) +### Step 16: download and verify [qr-restore.sh](./qr-restore.sh) ```console $ curl --fail --output /home/pi/.local/bin/qr-restore.sh https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/qr-restore.sh % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 1904 100 1904 0 0 1715 0 0:00:01 0:00:01 --:--:-- 1715 +100 3754 100 3754 0 0 3511 0 0:00:01 0:00:01 --:--:-- 3514 $ curl --fail --output /home/pi/.local/bin/qr-restore.sh.asc https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/qr-restore.sh.asc % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 833 100 833 0 0 908 0 --:--:-- --:--:-- --:--:-- 908 +100 228 100 228 0 0 236 0 --:--:-- --:--:-- --:--:-- 236 $ gpg --verify /home/pi/.local/bin/qr-restore.sh.asc gpg: assuming signed data in '/home/pi/.local/bin/qr-restore.sh' -gpg: Signature made Sun 18 Apr 2021 18:47:17 EDT -gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305 +gpg: Signature made Sat 08 Jan 2022 14:33:57 EST +gpg: using EDDSA key 9C7887E1B5FCBCE2DFED0E1C02C43AD072D57783 gpg: Good signature from "Sun Knudsen " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. -Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B - Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305 +Primary key fingerprint: E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060 + Subkey fingerprint: 9C78 87E1 B5FC BCE2 DFED 0E1C 02C4 3AD0 72D5 7783 $ chmod 700 /home/pi/.local/bin/qr-restore.sh ``` -Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint) fingerprints +Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-fingerprint) fingerprints 👍 @@ -439,33 +314,33 @@ Good signature 👍 -### Step 16: download and verify [qr-clone.sh](./qr-clone.sh) +### Step 17: download and verify [qr-clone.sh](./qr-clone.sh) ```console $ curl --fail --output /home/pi/.local/bin/qr-clone.sh https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/qr-clone.sh % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 481 100 481 0 0 440 0 0:00:01 0:00:01 --:--:-- 440 +100 1007 100 1007 0 0 930 0 0:00:01 0:00:01 --:--:-- 930 $ curl --fail --output /home/pi/.local/bin/qr-clone.sh.asc https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/qr-clone.sh.asc % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 833 100 833 0 0 783 0 0:00:01 0:00:01 --:--:-- 784 +100 228 100 228 0 0 230 0 --:--:-- --:--:-- --:--:-- 229 $ gpg --verify /home/pi/.local/bin/qr-clone.sh.asc gpg: assuming signed data in '/home/pi/.local/bin/qr-clone.sh' -gpg: Signature made Sat 17 Apr 2021 15:37:07 EDT -gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305 +gpg: Signature made Sat 08 Jan 2022 14:33:55 EST +gpg: using EDDSA key 9C7887E1B5FCBCE2DFED0E1C02C43AD072D57783 gpg: Good signature from "Sun Knudsen " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. -Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B - Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305 +Primary key fingerprint: E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060 + Subkey fingerprint: 9C78 87E1 B5FC BCE2 DFED 0E1C 02C4 3AD0 72D5 7783 $ chmod 700 /home/pi/.local/bin/qr-clone.sh ``` -Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint) fingerprints +Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-fingerprint) fingerprints 👍 @@ -473,33 +348,33 @@ Good signature 👍 -### Step 17: download and verify [secure-erase.sh](./secure-erase.sh) +### Step 18: download and verify [secure-erase.sh](./secure-erase.sh) ```console $ curl --fail --output /home/pi/.local/bin/secure-erase.sh https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/secure-erase.sh % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 1350 100 1350 0 0 992 0 0:00:01 0:00:01 --:--:-- 992 +100 1352 100 1352 0 0 1390 0 --:--:-- --:--:-- --:--:-- 1390 $ curl --fail --output /home/pi/.local/bin/secure-erase.sh.asc https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/secure-erase.sh.asc % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 833 100 833 0 0 805 0 0:00:01 0:00:01 --:--:-- 805 +100 228 100 228 0 0 257 0 --:--:-- --:--:-- --:--:-- 257 $ gpg --verify /home/pi/.local/bin/secure-erase.sh.asc gpg: assuming signed data in '/home/pi/.local/bin/secure-erase.sh' -gpg: Signature made Thu 03 Jun 2021 19:34:35 BST -gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305 +gpg: Signature made Sat 08 Jan 2022 14:33:59 EST +gpg: using EDDSA key 9C7887E1B5FCBCE2DFED0E1C02C43AD072D57783 gpg: Good signature from "Sun Knudsen " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. -Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B - Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305 +Primary key fingerprint: E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060 + Subkey fingerprint: 9C78 87E1 B5FC BCE2 DFED 0E1C 02C4 3AD0 72D5 7783 $ chmod 700 /home/pi/.local/bin/secure-erase.sh ``` -Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint) fingerprints +Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-fingerprint) fingerprints 👍 @@ -507,33 +382,33 @@ Good signature 👍 -### Step 18: download and verify [trezor-verify-integrity.sh](./trezor-verify-integrity.sh) (used to verify integrity of Trezor devices) +### Step 19: download and verify [trezor-verify-integrity.sh](./trezor-verify-integrity.sh) (used to verify integrity of Trezor devices) ```console $ curl --fail --output /home/pi/.local/bin/trezor-verify-integrity.sh https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/trezor-verify-integrity.sh % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 1283 100 1283 0 0 1189 0 0:00:01 0:00:01 --:--:-- 1189 +100 1228 100 1228 0 0 1271 0 --:--:-- --:--:-- --:--:-- 1269 $ curl --fail --output /home/pi/.local/bin/trezor-verify-integrity.sh.asc https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/trezor-verify-integrity.sh.asc % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 833 100 833 0 0 944 0 --:--:-- --:--:-- --:--:-- 944 +100 228 100 228 0 0 244 0 --:--:-- --:--:-- --:--:-- 243 $ gpg --verify /home/pi/.local/bin/trezor-verify-integrity.sh.asc gpg: assuming signed data in '/home/pi/.local/bin/trezor-verify-integrity.sh' -gpg: Signature made Thu Apr 22 09:13:56 2021 EDT -gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305 +gpg: Signature made Sat 08 Jan 2022 14:34:06 EST +gpg: using EDDSA key 9C7887E1B5FCBCE2DFED0E1C02C43AD072D57783 gpg: Good signature from "Sun Knudsen " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. -Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B - Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305 +Primary key fingerprint: E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060 + Subkey fingerprint: 9C78 87E1 B5FC BCE2 DFED 0E1C 02C4 3AD0 72D5 7783 $ chmod 700 /home/pi/.local/bin/trezor-verify-integrity.sh ``` -Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint) fingerprints +Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-fingerprint) fingerprints 👍 @@ -541,33 +416,33 @@ Good signature 👍 -### Step 19: download and verify [trezor-restore.sh](./trezor-restore.sh) (used to restore Trezor devices) +### Step 20: download and verify [trezor-restore.sh](./trezor-restore.sh) (used to restore Trezor devices) ```console $ curl --fail --output /home/pi/.local/bin/trezor-restore.sh https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/trezor-restore.sh % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 1283 100 1283 0 0 1189 0 0:00:01 0:00:01 --:--:-- 1189 +100 1818 100 1818 0 0 1744 0 0:00:01 0:00:01 --:--:-- 1744 $ curl --fail --output /home/pi/.local/bin/trezor-restore.sh.asc https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/trezor-restore.sh.asc % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 833 100 833 0 0 944 0 --:--:-- --:--:-- --:--:-- 944 +100 228 100 228 0 0 257 0 --:--:-- --:--:-- --:--:-- 257 $ gpg --verify /home/pi/.local/bin/trezor-restore.sh.asc gpg: assuming signed data in '/home/pi/.local/bin/trezor-restore.sh' -gpg: Signature made Thu Apr 22 09:14:04 2021 EDT -gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305 +gpg: Signature made Sat 08 Jan 2022 14:34:03 EST +gpg: using EDDSA key 9C7887E1B5FCBCE2DFED0E1C02C43AD072D57783 gpg: Good signature from "Sun Knudsen " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. -Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B - Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305 +Primary key fingerprint: E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060 + Subkey fingerprint: 9C78 87E1 B5FC BCE2 DFED 0E1C 02C4 3AD0 72D5 7783 $ chmod 700 /home/pi/.local/bin/trezor-restore.sh ``` -Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint) fingerprints +Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-fingerprint) fingerprints 👍 @@ -575,33 +450,33 @@ Good signature 👍 -### Step 20: download and verify [update.sh](./update.sh) +### Step 21: download and verify [update.sh](./update.sh) ```console $ curl --fail --output /home/pi/.local/bin/update.sh https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/update.sh % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 1494 100 1494 0 0 1498 0 --:--:-- --:--:-- --:--:-- 149 +100 1846 100 1846 0 0 1895 0 --:--:-- --:--:-- --:--:-- 1895 $ curl --fail --output /home/pi/.local/bin/update.sh.asc https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/update.sh.asc % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed -100 833 100 833 0 0 929 0 --:--:-- --:--:-- --:--:-- 928 +100 228 100 228 0 0 225 0 0:00:01 0:00:01 --:--:-- 225 $ gpg --verify /home/pi/.local/bin/update.sh.asc gpg: assuming signed data in '/home/pi/.local/bin/update.sh' -gpg: Signature made Sat 05 Jun 2021 16:01:37 BST -gpg: using RSA key A98CCD122243655B26FAFB611FA767862BBD1305 +gpg: Signature made Sat 08 Jan 2022 14:34:08 EST +gpg: using EDDSA key 9C7887E1B5FCBCE2DFED0E1C02C43AD072D57783 gpg: Good signature from "Sun Knudsen " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. -Primary key fingerprint: C4FB DDC1 6A26 2672 920D 0A0F C132 3A37 7DE1 4C8B - Subkey fingerprint: A98C CD12 2243 655B 26FA FB61 1FA7 6786 2BBD 1305 +Primary key fingerprint: E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060 + Subkey fingerprint: 9C78 87E1 B5FC BCE2 DFED 0E1C 02C4 3AD0 72D5 7783 $ chmod 700 /home/pi/.local/bin/update.sh ``` -Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-its-fingerprint) fingerprints +Primary key fingerprint matches [published](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-fingerprint) fingerprints 👍 @@ -609,24 +484,38 @@ Good signature 👍 -### Step 21: make filesystem read-only +### Step 22 (optional): install [Adafruit PiTFT monitor](https://www.adafruit.com/product/2423) drivers and disable console auto login + +#### Install Adafruit PiTFT monitor drivers + +> Heads-up: don’t worry about `PITFT Failed to disable unit: Unit file fbcp.service does not exist.`. + +```console +$ sudo pip3 install adafruit-python-shell click + +$ sudo git clone https://github.com/adafruit/Raspberry-Pi-Installer-Scripts.git /usr/local/include/Raspberry-Pi-Installer-Scripts + +$ sudo python3 /usr/local/include/Raspberry-Pi-Installer-Scripts/adafruit-pitft.py --display=28c --rotation=90 --install-type=console --reboot=no +``` + +#### Disable console auto login + +> Heads-up: when asked to reboot, select “No” and press enter. + +```shell +sudo raspi-config +``` + +Select “System Options”, then “Boot / Auto Login”, then “Console” and finally “Finish”. + +### Step 23: make filesystem read-only > Heads-up: shout-out to Nico Kaiser for his amazing [guide](https://gist.github.com/nicokaiser/08aa5b7b3958f171cf61549b70e8a34b) on how to configure a read-only Raspberry Pi. -#### Disable swap - -```console -$ sudo dphys-swapfile swapoff - -$ sudo dphys-swapfile uninstall - -$ sudo systemctl disable dphys-swapfile.service -``` - -#### Remove `dphys-swapfile`, `fake-hwclock` and `logrotate` +#### Disable fake-hwclock and logrotate ```shell -sudo apt remove -y --purge dphys-swapfile fake-hwclock logrotate +sudo systemctl disable fake-hwclock logrotate ``` #### Link `/etc/console-setup` to `/tmp/console-setup` @@ -637,12 +526,6 @@ $ sudo rm -fr /etc/console-setup $ sudo ln -s /tmp/console-setup /etc/console-setup ``` -#### Link `/home/pi/.electrum` to `/tmp/pi/.electrum` - -```console -$ ln -s /tmp/pi/.electrum /home/pi/.electrum -``` - #### Link `/home/pi/.gnupg` to `/tmp/pi/.gnupg` ```console @@ -651,10 +534,10 @@ $ rm -fr /home/pi/.gnupg $ ln -s /tmp/pi/.gnupg /home/pi/.gnupg ``` -#### Enable `tmp.mount` service +#### Enable tmp.mount ```console -$ echo -e "D /tmp 1777 root root -\nD /tmp/console-setup 1700 root root -\nD /tmp/pi 1700 pi pi -\nD /tmp/pi/.electrum 1700 pi pi -\nD /tmp/pi/.gnupg 1700 pi pi -\nD /var/tmp 1777 root root -" | sudo tee /etc/tmpfiles.d/tmp.conf +$ echo -e "D /tmp 1777 root root -\nD /tmp/console-setup 1700 root root -\nD /tmp/pi 1700 pi pi -\nD /tmp/pi/.gnupg 1700 pi pi -\nD /var/tmp 1777 root root -" | sudo tee /etc/tmpfiles.d/tmp.conf $ sudo cp /usr/share/systemd/tmp.mount /etc/systemd/system/ @@ -664,8 +547,6 @@ $ sudo systemctl enable tmp.mount #### Edit `/boot/cmdline.txt` ```console -$ sudo cp /boot/cmdline.txt /boot/cmdline.txt.backup - $ sudo sed -i 's/fsck.repair=yes/fsck.repair=skip/' /boot/cmdline.txt $ sudo sed -i '$ s/$/ fastboot noswap ro systemd.volatile=state/' /boot/cmdline.txt @@ -674,34 +555,34 @@ $ sudo sed -i '$ s/$/ fastboot noswap ro systemd.volatile=state/' /boot/cmdline. #### Edit `/etc/fstab` ```console -$ sudo cp /etc/fstab /etc/fstab.backup - $ sudo sed -i -e 's/vfat\s*defaults\s/vfat defaults,ro/' /etc/fstab $ sudo sed -i -e 's/ext4\s*defaults,noatime\s/ext4 defaults,noatime,ro,noload/' /etc/fstab ``` -### Step 22: disable Wi-Fi (if not using ethernet) +### Step 24: disable networking and “fix” rfkill bug + +```console +$ sudo systemctl disable dhcpcd networking sshd.service wpa_supplicant + +$ sudo rm /etc/profile.d/wifi-check.sh +``` + +### Step 25: disable Wi-Fi + +> Heads-up: use `cat /boot/config.txt | grep "dtoverlay=disable-wifi" && echo "Wi-Fi disabled"` to see if Wi-Fi is already disabled. ```shell echo "dtoverlay=disable-wifi" | sudo tee -a /boot/config.txt ``` -### Step 23: disable `dhcpcd`, `networking` and `wpa_supplicant` services and “fix” `rfkill` bug - -```console -$ sudo systemctl disable dhcpcd networking wpa_supplicant - -$ sudo rm /etc/profile.d/wifi-check.sh -``` - -### Step 24: delete macOS hidden files (if present) +### Step 26: delete macOS hidden files (if present) ```shell sudo rm -fr /boot/.fseventsd /boot/.DS_Store /boot/.Spotlight-V100 ``` -### Step 25: reboot +### Step 27: unplug network cable (if using ethernet) and reboot ```shell sudo systemctl reboot @@ -709,7 +590,7 @@ sudo systemctl reboot > WARNING: DO NOT CONNECT RASPBERRY PI TO NETWORK EVER AGAIN WITHOUT REINSTALLING RASPBERRY PI OS FIRST (DEVICE IS NOW “READ-ONLY” AND “COLD”). -### Step 26 (optional): disable auto-mount of `boot` volume (on macOS) +### Step 28 (optional): disable auto-mount of `boot` volume (on macOS) > Heads-up: done to prevent macOS from writing [hidden files](#step-24-delete-macos-hidden-files-if-present) to `boot` volume which would invalidate stored SHA512 hash of microSD card. @@ -717,7 +598,7 @@ sudo systemctl reboot ![micro-sd-card-adapter](./micro-sd-card-adapter.png) -#### Insert microSD card into adapter and insert adapter into computer +#### Insert microSD card into adapter and adapter into computer #### Run following and eject microSD card @@ -727,41 +608,45 @@ volume_uuid=$(diskutil info "$volume_path" | awk '/Volume UUID:/ { print $3 }') echo "UUID=$volume_uuid none msdos ro,noauto" | sudo tee -a /etc/fstab ``` -### Step 27 (optional): compute SHA512 hash of SD card and store in password manager (on macOS) +### Step 29 (optional): compute SHA512 hash of microSD card and store in password manager (on macOS) -Run `diskutil list` to find disk ID of microSD card with “Raspberry Pi OS Lite” installed (`disk2` in the following example). +Run `diskutil list` to find disk ID of microSD card with “Raspberry Pi OS Lite” installed (`disk4` in the following example). -Replace `diskn` and `rdiskn` with disk ID of SD card (`disk2` and `rdisk2` in the following example). +Replace `diskn` and `rdiskn` with disk ID of microSD card (`disk4` and `rdisk4` in the following example). ```console $ diskutil list -/dev/disk0 (internal, physical): +/dev/disk0 (internal): #: TYPE NAME SIZE IDENTIFIER - 0: GUID_partition_scheme *500.3 GB disk0 - 1: EFI EFI 209.7 MB disk0s1 - 2: Apple_APFS Container disk1 500.1 GB disk0s2 + 0: GUID_partition_scheme 500.3 GB disk0 + 1: Apple_APFS_ISC 524.3 MB disk0s1 + 2: Apple_APFS Container disk3 494.4 GB disk0s2 + 3: Apple_APFS_Recovery 5.4 GB disk0s3 -/dev/disk1 (synthesized): +/dev/disk3 (synthesized): #: TYPE NAME SIZE IDENTIFIER - 0: APFS Container Scheme - +500.1 GB disk1 + 0: APFS Container Scheme - +494.4 GB disk3 Physical Store disk0s2 - 1: APFS Volume Macintosh HD - Data 340.9 GB disk1s1 - 2: APFS Volume Preboot 85.9 MB disk1s2 - 3: APFS Volume Recovery 529.0 MB disk1s3 - 4: APFS Volume VM 3.2 GB disk1s4 - 5: APFS Volume Macintosh HD 11.3 GB disk1s5 + 1: APFS Volume Macintosh HD 15.3 GB disk3s1 + 2: APFS Snapshot com.apple.os.update-... 15.3 GB disk3s1s1 + 3: APFS Volume Preboot 328.4 MB disk3s2 + 4: APFS Volume Recovery 815.1 MB disk3s3 + 5: APFS Volume Data 458.2 GB disk3s5 + 6: APFS Volume VM 3.2 GB disk3s6 -/dev/disk2 (internal, physical): +/dev/disk4 (external, physical): #: TYPE NAME SIZE IDENTIFIER - 0: FDisk_partition_scheme *15.9 GB disk2 - 1: Windows_FAT_32 boot 268.4 MB disk2s1 - 2: Linux 15.7 GB disk2s2 + 0: FDisk_partition_scheme *15.9 GB disk4 + 1: Windows_FAT_32 boot 268.4 MB disk4s1 + 2: Linux 3.1 GB disk4s2 + (free space) 12.5 GB - $ sudo diskutil unmountDisk /dev/diskn -Unmount of all volumes on disk2 was successful +Unmount of all volumes on disk4 was successful -$ sudo openssl dgst -sha512 /dev/rdiskn -SHA512(/dev/rdisk2)= 353af7e9bd78d7d98875f0e2a58da3d7cdfc494f2ab5474b2ab4a8fd212ac6a37c996d54f6c650838adb61e4b30801bcf1150081f6dbb51998cf33a74fa7f0fe +$ sudo openssl dgst -sha512 /dev/rdiskns1 /dev/rdiskns2 +SHA512(/dev/rdisk4s1)= a14b7c184279a3e756eaa095b619e949320e759bf4637406e82e713aff24732691aaad5aa2377086655ef04b42fc8d7c98e338ebd049f79626923c0d16e18761 +SHA512(/dev/rdisk4s2)= 5627414e630eb2fa2b080858deee80daec0470668fbfcf3965fe9c52ba0bf1e68518610ee6d4d1a1212c09d2ccbdcb80989838b00369ff5e2ca4f9d10b8ae4fb ``` 👍 @@ -777,20 +662,22 @@ $ qr-backup.sh --help Usage: qr-backup.sh [options] Options: - --create-bip39-mnemonic create BIP39 mnemonic - --create-electrum-mnemonic create Electrum mnemonic - --validate-bip39-mnemonic validate if secret is valid BIP39 mnemonic - --shamir-secret-sharing split secret using Shamir Secret Sharing - --number-of-shares number of shares (defaults to 5) - --share-threshold shares required to access secret (defaults to 3) - --no-qr disable show SHA512 hash as QR code prompt - --label