s83/privacy-guides
1
0
Fork 0
mirror of https://github.com/sunknudsen/privacy-guides.git synced 2025-02-23 17:43:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

Improved Shamir Secret Sharing feature

Browse Source
This commit is contained in:
Sun Knudsen 2021-04-15 19:41:12 -04:00
parent fd7da45d10
commit 3c3bec5a5e
No known key found for this signature in database
GPG Key ID: 1FA767862BBD1305
9 changed files with 201 additions and 119 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
how-to-create-encrypted-paper-backup/README.md
View File

@ -101,7 +101,7 @@ $ source ~/.bashrc
```console ```console
$ sudo apt update $ sudo apt update
$ sudo apt install -y autopoint build-essential git libv4l-dev libtool $ sudo apt install -y autopoint build-essential git libjpeg-dev libmagickwand-dev libtool libv4l-dev
``` ```
#### Clone zbar repository #### Clone zbar repository
@ -684,8 +684,7 @@ Options:
--shamir-secret-sharing split secret using Shamir Secret Sharing --shamir-secret-sharing split secret using Shamir Secret Sharing
--number-of-shares number of shares (defaults to 5) --number-of-shares number of shares (defaults to 5)
--share-threshold shares required to access secret (defaults to 3) --share-threshold shares required to access secret (defaults to 3)
--no-encryption disable symmetric encryption (shamir-only) --no-qr disable show SHA512 hash as QR code prompt
--no-qr disable “Show SHA512 hash as QR code”
--label <label> print label after short hash --label <label> print label after short hash
-h, --help display help for command -h, --help display help for command
@ -725,7 +724,7 @@ $ qr-restore.sh --help
Usage: qr-restore.sh [options] Usage: qr-restore.sh [options]
Options: Options:
--shamir-secret-sharing split secret using Shamir Secret Sharing --shamir-secret-sharing combine secret using Shamir Secret Sharing
--share-threshold shares required to access secret (defaults to 3) --share-threshold shares required to access secret (defaults to 3)
--word-list split secret into word list --word-list split secret into word list
-h, --help display help for command -h, --help display help for command
@ -759,8 +758,10 @@ $ qr-clone.sh --help
Usage: qr-clone.sh [options] Usage: qr-clone.sh [options]
Options: Options:
--duplicate duplicate content --duplicate duplicate content
-h, --help display help for command --qr-restore-options see `qr-restore.sh --help`
--qr-backup-options see `qr-backup.sh --help`
-h, --help display help for command
$ qr-clone.sh $ qr-clone.sh
Scan QR code… Scan QR code…

82
how-to-create-encrypted-paper-backup/qr-backup.sh
View File

@ -1,6 +1,9 @@
#! /bin/bash #! /bin/bash
set -e set -e
set -o pipefail
shamir_secret_sharing=false
number_of_shares=5 number_of_shares=5
share_threshold=3 share_threshold=3
@ -20,8 +23,7 @@ while [[ $# -gt 0 ]]; do
" --shamir-secret-sharing split secret using Shamir Secret Sharing" \ " --shamir-secret-sharing split secret using Shamir Secret Sharing" \
" --number-of-shares number of shares (defaults to 5)" \ " --number-of-shares number of shares (defaults to 5)" \
" --share-threshold shares required to access secret (defaults to 3)" \ " --share-threshold shares required to access secret (defaults to 3)" \
" --no-encryption disable symmetric encryption (shamir-only)" \ " --no-qr disable show SHA512 hash as QR code prompt" \
" --no-qr disable “Show SHA512 hash as QR code”" \
" --label <label> print label after short hash" \ " --label <label> print label after short hash" \
" -h, --help display help for command" " -h, --help display help for command"
exit 0 exit 0
@ -52,10 +54,6 @@ while [[ $# -gt 0 ]]; do
shift shift
shift shift
;; ;;
--no-encryption)
no_encryption=true
shift
;;
--no-qr) --no-qr)
no_qr=true no_qr=true
shift shift
@ -96,19 +94,20 @@ wait_for_usb_flash_drive () {
wait_for_usb_flash_drive wait_for_usb_flash_drive
printf "$bold%s$normal\n" "Format USB flash drive? (y or n)? " printf "$bold%s$normal\n" "Format USB flash drive (y or n)?"
read -r answer read -r answer
if [ "$answer" = "y" ]; then if [ "$answer" = "y" ]; then
if mount | grep $usb > /dev/null; then if mount | grep $dev > /dev/null; then
sudo umount $dev sudo umount $dev
fi fi
sudo mkfs -t vfat $dev sudo mkfs -t vfat $dev
fi fi
sudo mkdir -p $usb sudo mkdir -p $usb
if ! mount | grep $usb > /dev/null; then
sudo mount $dev $usb -o uid=pi,gid=pi if ! mount | grep $dev > /dev/null; then
sudo mount $dev $usb --options uid=pi,gid=pi
fi fi
if [ -z "$duplicate" ] && [ "$create_bip39_mnemonic" = true ]; then if [ -z "$duplicate" ] && [ "$create_bip39_mnemonic" = true ]; then
@ -127,16 +126,16 @@ fi
if [ -z "$duplicate" ] && [ -z "$secret" ]; then if [ -z "$duplicate" ] && [ -z "$secret" ]; then
tput sc tput sc
printf "$bold%s$normal\n" "Type secret and press enter, then ctrl-d" printf "$bold%s$normal\n" "Please type secret and press enter, then ctrl+d"
readarray -t secret_array readarray -t secret_array
secret=$(printf "%s\n" "${secret_array[@]}") secret=$(printf "%s\n" "${secret_array[@]}")
tput rc tput rc
tput ed tput ed
printf "$bold%s$normal\n" "Type secret and press enter, then ctrl-d (again)" printf "$bold%s$normal\n" "Please type secret and press enter, then ctrl+d (again)"
readarray -t secret_confirmation_array readarray -t secret_confirmation_array
secret_confirmation=$(printf "%s\n" "${secret_confirmation_array[@]}") secret_confirmation=$(printf "%s\n" "${secret_confirmation_array[@]}")
if [ ! "$secret" = "$secret_confirmation" ]; then if [ ! "$secret" = "$secret_confirmation" ]; then
printf "$red%s$normal\n" "Secrets do not match" printf "$bold$red%s$normal\n" "Secrets do not match"
exit 1 exit 1
fi fi
fi fi
@ -149,25 +148,36 @@ if [ -z "$duplicate" ] && [ "$validate_bip39_mnemonic" = true ]; then
fi fi
fi fi
if [ "$duplicate" = true ] && [ -n "$encrypted_secret" ]; then read_passphrase () {
printf "%s\n" "Duplicating encrypted secret…" local -n data=$1
else
if [ -z "$shamir_secret_sharing" ] || ([ "$shamir_secret_sharing" = true ] && [ -z "$no_encryption" ]); then printf "$bold%s$normal\n" "Please type passphrase and press enter"
encrypted_secret=$(echo -n "$secret" | gpg --s2k-mode 3 --s2k-count 65011712 --s2k-digest-algo sha512 --cipher-algo AES256 --symmetric --armor) read -rs data
gpg-connect-agent reloadagent /bye > /dev/null 2>&1 printf "$bold%s$normal\n" "Please type passphrase and press enter (again)"
read -rs data_confirmation
if [ ! "$data" = "$data_confirmation" ]; then
printf "$red%s$normal\n" "Passphrases do not match"
return 1
fi fi
fi
printf "$bold%s$normal\n" "Show passphrase (y or n)?"
read -r answer
if [ "$answer" = "y" ]; then
printf "%s\n" $data
fi
}
if [ "$shamir_secret_sharing" = true ]; then if [ "$shamir_secret_sharing" = true ]; then
if [ -n "$encrypted_secret" ]; then read_passphrase passphrase
secret="$encrypted_secret"
fi
share_number=1 share_number=1
for share in $(echo -n "$secret" | secret-share-split -n $number_of_shares -t $share_threshold); do
printf "$bold%s$normal\n" "Generating share $share_number or $number_of_shares"
encrypted_secret="$share" for share in $(echo -n "$secret" | secret-share-split -n $number_of_shares -t $share_threshold); do
printf "$bold%s$normal\n" "Encrypting secret share $share_number of $number_of_shares"
encrypted_secret=$(echo -n "$share" | gpg --batch --passphrase-fd 3 --s2k-mode 3 --s2k-count 65011712 --s2k-digest-algo sha512 --cipher-algo AES256 --symmetric --armor 3<<<"$passphrase")
encrypted_secret_hash=$(echo -n "$encrypted_secret" | openssl dgst -sha512 | sed 's/^.* //') encrypted_secret_hash=$(echo -n "$encrypted_secret" | openssl dgst -sha512 | sed 's/^.* //')
encrypted_secret_short_hash=$(echo -n "$encrypted_secret_hash" | head -c 8) encrypted_secret_short_hash=$(echo -n "$encrypted_secret_hash" | head -c 8)
@ -181,15 +191,15 @@ if [ "$shamir_secret_sharing" = true ]; then
text_offset=$(echo "$font_size * 1.5" | bc) text_offset=$(echo "$font_size * 1.5" | bc)
if [ -z "$label" ]; then if [ -z "$label" ]; then
text="$encrypted_secret_short_hash $share_number" text="$encrypted_secret_short_hash"
else else
text="$encrypted_secret_short_hash $label-$share_number" text="$encrypted_secret_short_hash $label"
fi fi
convert "$tmp/secret.png" -gravity center -scale 200% -extent 125% -scale 125% -gravity south -font /usr/share/fonts/truetype/noto/NotoMono-Regular.ttf -pointsize $font_size -fill black -draw "text 0,$text_offset '$text'" "$usb/$encrypted_secret_short_hash.jpg" convert "$tmp/secret.png" -gravity center -scale 200% -extent 125% -scale 125% -gravity south -font /usr/share/fonts/truetype/noto/NotoMono-Regular.ttf -pointsize $font_size -fill black -draw "text 0,$text_offset '$text'" "$usb/$encrypted_secret_short_hash.jpg"
if [ -z "$no_qr" ]; then if [ -z "$no_qr" ]; then
printf "$bold%s$normal\n" "Show SHA512 hash as QR code? (y or n)? " printf "$bold%s$normal\n" "Show SHA512 hash as QR code (y or n)?"
read -r answer read -r answer
if [ "$answer" = "y" ]; then if [ "$answer" = "y" ]; then
@ -203,6 +213,16 @@ if [ "$shamir_secret_sharing" = true ]; then
share_number=$((share_number+1)) share_number=$((share_number+1))
done done
else else
if [ "$duplicate" = true ] && [ -n "$encrypted_secret" ]; then
printf "%s\n" "Duplicating encrypted secret…"
else
read_passphrase passphrase
printf "$bold%s$normal\n" "Encrypting secret…"
encrypted_secret=$(echo -n "$secret" | gpg --batch --passphrase-fd 3 --s2k-mode 3 --s2k-count 65011712 --s2k-digest-algo sha512 --cipher-algo AES256 --symmetric --armor 3<<<"$passphrase")
fi
encrypted_secret_hash=$(echo -n "$encrypted_secret" | openssl dgst -sha512 | sed 's/^.* //') encrypted_secret_hash=$(echo -n "$encrypted_secret" | openssl dgst -sha512 | sed 's/^.* //')
encrypted_secret_short_hash=$(echo -n "$encrypted_secret_hash" | head -c 8) encrypted_secret_short_hash=$(echo -n "$encrypted_secret_hash" | head -c 8)
@ -224,7 +244,7 @@ else
convert "$tmp/secret.png" -gravity center -scale 200% -extent 125% -scale 125% -gravity south -font /usr/share/fonts/truetype/noto/NotoMono-Regular.ttf -pointsize $font_size -fill black -draw "text 0,$text_offset '$text'" "$usb/$encrypted_secret_short_hash.jpg" convert "$tmp/secret.png" -gravity center -scale 200% -extent 125% -scale 125% -gravity south -font /usr/share/fonts/truetype/noto/NotoMono-Regular.ttf -pointsize $font_size -fill black -draw "text 0,$text_offset '$text'" "$usb/$encrypted_secret_short_hash.jpg"
if [ -z "$no_qr" ]; then if [ -z "$no_qr" ]; then
printf "$bold%s$normal\n" "Show SHA512 hash as QR code? (y or n)? " printf "$bold%s$normal\n" "Show SHA512 hash as QR code (y or n)?"
read -r answer read -r answer
if [ "$answer" = "y" ]; then if [ "$answer" = "y" ]; then
@ -236,6 +256,6 @@ else
fi fi
fi fi
sudo umount $usb sudo umount $dev
printf "%s\n" "Done" printf "%s\n" "Done"

26
how-to-create-encrypted-paper-backup/qr-backup.sh.sig
View File

@ -1,16 +1,16 @@
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEqYzNEiJDZVsm+vthH6dnhiu9EwUFAmB4hZcACgkQH6dnhiu9 iQIzBAABCgAdFiEEqYzNEiJDZVsm+vthH6dnhiu9EwUFAmB7OOAACgkQH6dnhiu9
EwWtixAAtExvLc25xi20ahxm1xdQ1nl0r0E0vglXMdcTW+JIYxDKX2u5PqwM2hE9 EwXjPg//VtWqugIVSPKBE2HBTKr4Pp9EDBSuLy1nI/Dq89vxU74BjXovDFN02iLv
ijdjd49uAuwoukIfRPHHLzlqT1Cmne/wANIphFUTK6utdN5VqjvwIb3riyy4UhlM J7t7vgQ1gk4zfisMdPi199GrgKOVE6Ke1xxHbRWIdWRTBF+7hcNzEm7YCd+HfrMq
XcfIzFcKBq054Kly41CiyTF0s4620glWziR9zENJEFNszPx8vZg7KMtVke0tVFrG S1dEMbN+2xxDm9NJJ506d9BPS5GicOY+0yu1BAOonKioIgrBwPCcAhjA6Miws8+/
DD3NgxG5RnyCrZ1VxMqI/VW6jY+GumFQf/8NT4KUi5fI0NjNvKhRruUMWfh4zHpc E0XIhNErSwqVOPQcRlRLhhIWIT6iMZgMOLPUpTHna7KfOlmfCcbNzlxHxBPO8OV7
mC3uZr42DaUSB6NK3QN9ImSEUy4idXeYGGL33CXj0jVhp0cG51TGLM45IKTOI3WU 4LruoGqDRQAk5h6pXKf95WVaDioUe4SHDvdq0tLjDNqMBZ0Fur9PBCzDcHc3KDaq
vbE3byjlH/D8qZ+JR1eqvcotn2ZLGMnSP9Eo97JcJN0phVgGyYTdoYP0tukyuNeQ XwWKldxIWvjTGLD7I2Jz7Y6/vnANoibQpJ20yXTS1KTZiVqRJbZI76NHz+Tm6ZJ1
yjWFvu+9DKGkpmg8uYr5e5JSoeI5zT1B0ItGCKhrYMg7vuV5bnfPUiqJwy9UxJVb hVMjl+ZUAHrDnCIFxBdirJh62pBPRFvvC/FmbluNUuUQXPNs5E+62LDlkzMwN4XI
BCEyvXL9aeX7AgoKlIzYXJNzz7OHZvB4gvCt5kZpCKIu1fn0zvCEBGRHsorW48+d fmhiFj5karjsIk7TYAXyeOb8dQQXTohfsY0YTUBSAt09Pb0L3Dq4kSVm79gEXaem
u+3GcS8DnPukEJdPid6O4vso74FlCtw9E29i610comMeqqNY1XeIWXxfVlQd3dX3 5WIy4UawC3yj2lA4EaqyVUrA7oldMM7AIUfIo1niKNMPnrjaP9VdHJQR0g4QSMms
/HV085Kmbekg/uWtNmqqHoqfnaM1Ik9hA429ewGh1pBeHhjU/YDb4DuCMOvS+cwU VnTxcrJPT7t4BkEgvjc43vTEAkVtGqZv32nmT8aLAhy3GERH//ZDqFe3wvqw0VGM
3mtQ9UGTVmM//ghUkLd0sSLoC/oVBWxlaTAxeerEcZqtSm1jWZA= hI+lXgTwywALCna9cqOmWD/cktmq/riG0aB9SQGPluqI80elaO4=
=jcbd =CTqJ
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----

31
how-to-create-encrypted-paper-backup/qr-clone.sh
View File

@ -1,6 +1,7 @@
#! /bin/bash #! /bin/bash
set -e set -e
set -o pipefail
positional=() positional=()
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
@ -11,14 +12,26 @@ while [[ $# -gt 0 ]]; do
"Usage: qr-clone.sh [options]" \ "Usage: qr-clone.sh [options]" \
"" \ "" \
"Options:" \ "Options:" \
" --duplicate duplicate content" \ " --duplicate duplicate content" \
" -h, --help display help for command" " --qr-restore-options see \`qr-restore.sh --help\`" \
" --qr-backup-options see \`qr-backup.sh --help\`" \
" -h, --help display help for command"
exit 0 exit 0
;; ;;
--duplicate) --duplicate)
duplicate=true duplicate=true
shift shift
;; ;;
--qr-restore-options)
qr_restore_options=$2
shift
shift
;;
--qr-backup-options)
qr_backup_options=$2
shift
shift
;;
*) *)
positional+=("$1") positional+=("$1")
shift shift
@ -34,19 +47,9 @@ normal=$(tput sgr0)
tput reset tput reset
printf "%s\n" "Restoring…" printf "%s\n" "Restoring…"
eval . qr-restore.sh $qr_restore_options
if [ -z "$duplicate" ]; then
printf "$bold%s$normal\n" "Type qr-restore.sh options and press enter (see “qr-restore.sh --help”)"
read -r qr_restore_options
fi
. qr-restore.sh $qr_restore_options
if [ -n "$secret" ] || [ -n "$encrypted_secret" ]; then if [ -n "$secret" ] || [ -n "$encrypted_secret" ]; then
printf "%s\n" "Backing up…" printf "%s\n" "Backing up…"
eval . qr-backup.sh $qr_backup_options
printf "$bold%s$normal\n" "Type qr-backup.sh options and press enter (see “qr-backup.sh --help”)"
read -r qr_backup_options
. qr-backup.sh $qr_backup_options
fi fi

26
how-to-create-encrypted-paper-backup/qr-clone.sh.sig
View File

@ -1,16 +1,16 @@
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEqYzNEiJDZVsm+vthH6dnhiu9EwUFAmB4hZoACgkQH6dnhiu9 iQIzBAABCgAdFiEEqYzNEiJDZVsm+vthH6dnhiu9EwUFAmB7OOMACgkQH6dnhiu9
EwUgRA//Y8lBVFesXa9T/cJElyV/E3xQOpKvQ5xaxl5gPVyVwu0zzZjPFEJ+rzNn EwWyoQ/8Cmu9zwUXYxCPZaM4IuX9TnMxtYUPKe4bbtzz6pSaK71oui+bbYCMBBcT
vHNTWpDFCqhznglQGSNDDpLW29yaMay2iujQBTFjI7P74cqST+M0hnly3UMiqQ0u Y3fRfJOu7z4cxST/2e8TazSaAvNQTLRGfJwtVLwLHlK47nkMFK5UGA4eHpSSlw+5
PLmT54hnmpEeZGVsumkN3fvzOPZ7x5d9k5niJ0KJWAlwypspzB/i6dHumjKZYkHz YbeRg1Vl7oO8qaMdtSbn9SktMWfefu9AclOq/sVCe7IkSBbUCpYxxIm2GtXXTl5F
Ji6SrIOzxd2fBfMN0Y6w5z966UCekWUhTkXCfvLPzWcc8zitOZfdh7Ahs6jjHv1w Yep3FN2YM/lP7/X/Po9U/wnLSn03fz6t6TsYi0VDXMcMTFBZUgxJb/uYivVGN2jU
jCwkSlVWuDHPLaKESyXrsrbU2zQif+FHU6QkudJqK9ewD2hR6Vm0juYSPqNPw3k6 khU8baXtuO90Pg+gSlX2+cDcAGljd5j0KGyqTbS3/Xh2ea8QfcnQQ9NRmkXHN7HW
ByBQXYYOglKlrvKXQ4kvPTuU1bpjwmG1OhLLquOE3aWHoN73UBB4bNYAJ8+onJjQ Su2lO2i9SWHaYFNloK8s9DjPOwe9uBjradze4/mTzpG/TJNscz8rGE5pRZX2r4hQ
XSvm3KYpGGec/3j96qe5IH+deYpyWmAPVWpA1Dnw0iRMy/OPhe+o/wAaz92tVaSP YvYgG4Xi9nUllZdDLE4bQ0hxYD8m3L/TR+AeB1EjfqrGtOkZbzfME6R9Bi+Omkv2
Ijv/absAlKSxFJceSgoKF0gYHuLVtzDjLkgtnBtH7FUKdISDCSMyAfXXwcXJNcwT oo15suQcTnYfPnTKyFVbJ79Q4DM26c4tlDjgNBXGrly12f7CybCiQUtuqegyGLv+
1JARusrnWE+FsE2FpFs9RsDv0hRzSV2N/+GuGkBsLRxXjDsGYj/EAwb75UcHQG7s F6hObWwIywYLf/I8W3BX58CzHgJvsKwZ5x0kZSIIvD9B0skJU5g+ZmMCWxsW/ywe
uGcuLyDgQV97VDs+5sD9Tqp07kUJ93nk5fRRSJNz8srGDhxDntO3eEqsPSo5hnnO j1beeZGVkKlPCdKZEuQeAdGWI+HWnVTf/6XmNEeyJOvV4tTPpwbBGmkNnptdDx/F
OuGmF8NyirJkizR41WJNk2O3s14UMa2ag1r0HxUrAiezvgCL3yw= Lr1MhKWsUPTMtnIhsp2bkv6Fn41H+CthRnno+I5G8BqNjNs5+jk=
=mqR/ =qX0p
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----

85
how-to-create-encrypted-paper-backup/qr-restore.sh
View File

@ -1,6 +1,7 @@
#! /bin/bash #! /bin/bash
set -e set -e
set -o pipefail
share_threshold=3 share_threshold=3
@ -19,6 +20,11 @@ while [[ $# -gt 0 ]]; do
" -h, --help display help for command" " -h, --help display help for command"
exit 0 exit 0
;; ;;
--images)
images=$2
shift
shift
;;
--shamir-secret-sharing) --shamir-secret-sharing)
shamir_secret_sharing=true shamir_secret_sharing=true
shift shift
@ -45,8 +51,22 @@ bold=$(tput bold)
red=$(tput setaf 1) red=$(tput setaf 1)
normal=$(tput sgr0) normal=$(tput sgr0)
dev="/dev/sda1"
tmp="/tmp/pi"
usb="/tmp/usb"
tput reset tput reset
if [ -n "$images" ]; then
IFS=',' read -r -a images <<< "$images"
sudo mkdir -p $usb
if ! mount | grep $usb > /dev/null; then
sudo mount $dev $usb --options uid=pi,gid=pi
fi
fi
scan_qr_code () { scan_qr_code () {
local -n data=$1 local -n data=$1
@ -62,28 +82,59 @@ scan_qr_code () {
printf "%s: $bold%s$normal\n" "SHA512 short hash" "$data_short_hash" printf "%s: $bold%s$normal\n" "SHA512 short hash" "$data_short_hash"
} }
read_passphrase () {
local -n data=$1
printf "$bold%s$normal\n" "Please type passphrase and press enter"
read -rs data
}
if [ -z "$duplicate" ] && [ "$shamir_secret_sharing" = true ]; then if [ -z "$duplicate" ] && [ "$shamir_secret_sharing" = true ]; then
for share_number in $(seq 1 $share_threshold); do read_passphrase passphrase
printf "$bold%s$normal" "Prepare share $share_number or $share_threshold and press enter"
read -r confirmation if [ -n "$images" ]; then
scan_qr_code share for image in ${images[@]}; do
shares="$share\n$shares" printf "%s\n" "Processing $image"
done
encrypted_secret="$(echo -e "$shares" | secret-share-combine)" encrypted_share=$(zbarimg --quiet $usb/$image | sed 's/QR-Code://')
share=$(echo -e "$encrypted_share" | gpg --batch --passphrase-fd 3 --decrypt 3<<<"$passphrase")
shares="$share\n$shares"
done
else
for share_number in $(seq 1 $share_threshold); do
printf "$bold%s$normal" "Prepare secret share $share_number of $share_threshold and press enter"
read -r confirmation
scan_qr_code encrypted_share
share=$(echo -e "$encrypted_share" | gpg --batch --passphrase-fd 3 --decrypt 3<<<"$passphrase")
shares="$share\n$shares"
done
fi
secret="$(echo -e "$shares" | secret-share-combine)"
else else
scan_qr_code encrypted_secret if [ -n "$images" ]; then
printf "%s\n" "Processing ${images[0]}"
encrypted_secret=$(zbarimg --quiet $usb/${images[0]} | sed 's/QR-Code://')
else
scan_qr_code encrypted_secret
fi
if [ -z "$duplicate" ]; then
read_passphrase passphrase
secret=$(echo -e "$encrypted_secret" | gpg --batch --passphrase-fd 3 --decrypt 3<<<"$passphrase")
fi
fi fi
if [ -z "$duplicate" ]; then if [ -z "$duplicate" ]; then
printf "$bold$red%s$normal\n" "Show secret? (y or n)? " printf "$bold$red%s$normal\n" "Show secret (y or n)?"
read -r answer read -r answer
if [ "$answer" = "y" ]; then if [ "$answer" = "y" ]; then
if [[ "$encrypted_secret" =~ "-----BEGIN PGP MESSAGE-----" ]]; then
secret=$(echo -e "$encrypted_secret" | gpg --decrypt)
else
secret=$encrypted_secret
fi
if [ "$word_list" = true ]; then if [ "$word_list" = true ]; then
printf "%s\n" "Secret:" printf "%s\n" "Secret:"
array=($secret) array=($secret)
@ -103,4 +154,8 @@ if [ -z "$duplicate" ]; then
fi fi
fi fi
if mount | grep $dev > /dev/null; then
sudo umount $dev
fi
printf "%s\n" "Done" printf "%s\n" "Done"

26
how-to-create-encrypted-paper-backup/qr-restore.sh.sig
View File

@ -1,16 +1,16 @@
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEqYzNEiJDZVsm+vthH6dnhiu9EwUFAmB4hZ0ACgkQH6dnhiu9 iQIzBAABCgAdFiEEqYzNEiJDZVsm+vthH6dnhiu9EwUFAmB7OOYACgkQH6dnhiu9
EwW4ZhAAiHRDKjWgepGMlskT4AIOd9IyZGJ9S27p4ShZvRuEB6RWQVSP8I9Nrxdo EwUy3w//ckQVIouZjTiNam7DBoyGUXw+lfXKKnkR0HEbLeUld0KvDh8fON1IB4GM
RV1cHcvecnUrWSDUZeS17R6+qQnqoHwwd8MhrJTTa2vizLQBhfJerhXrPLyDP7C7 0eRIpkkbmW8Dp4uAnVxtcQKeEHTZfja7g04hD7AO0JjD7b1drtFjxny8Ue74lR4Q
vkhWDiKY6Bf47JykMTmXCFIZanpv3xppON7aNjDG/HhQ++MVaZitYCAzt5sHltFH kfIIcB4WEj7nAfEFffgHbihnt1R27shXFcbvWH11DkChXT0tpFZhN2QYqDzK+8t+
/7o62gvEx/QM2MNnEOvwS3mUI+LqVmtzs39NO+FsbFgxBw2LaCbQZTCWUk5WXrZ5 Ru4Xz+zQ6YDRv40YV4NRMJG8ju9xvfecPLRDK0aO0W/N7HNZMiMYP+ZqgpLlx+11
b8rUb1IfEhT8g+XljUTws95p4QlYOBadVLedKKC5COHWWfjwZQlKgfZWcTr1hKWL ru550caSKg8VlwywkjoKx84kmBCdhuc90BNgjOsLoL71naRo2f6N+PelUcWzF+VB
FTWTLwRb5bxaGelky6Sm9Lk9vrxkG4WKhBBySVBJo14XNK0nCXLTkL3RZuECGvDF 9J0yVrOq8el6oCfPxT9lnn3BcaVjMrQWHfTM4AllRYEpeU/MqdnknhnxCGlH/u3I
TVXxJvSVI/OAbVeHCVmcyJy++mAcxQeUjRcWfTucMm0ISa1YHEA4L0utsDSPI1Ct fov9kA/shgeAwQ266KTX+l+mPADE4uV0UWCT9vfXOUM9gkPzW040t1pwCqBqhJNP
hSb1jmuJIb7lMMRtiPmhrWod2/LxJSA5d3fLvfRTz+JyggmfC5idHTYUEk72jpPh Rwy9ppF4yIMgDZTokpt/s2JMhAHKYCqJRZKaQx0sf+eSO8Ye+SeyfrXYT79JiCT5
XzugZl3lNOkMxB4LCWJcWadLx+H75AdVzZeYbZ5G1w+kiWSg5AKaqx436+ryVhAd TYNBEClTLfPJIBx6g2HTxJoO/oKQr0J/usNXzqdN1y5Rzq9IVeyVOxw03VqLu7dW
Pb2K2gYHoNXMnmpBlOdRmtzgePKSFNgtUCu4LkLWddZqzAHt8GYJo+0YnZ2rfGYl eLfJm5sNUQZtwu8fwqzc3/gtsHchFXmd5700i35rCT/DxUdpEKTDtH/qlp3kqUez
6ylanmeFLCR3aDU90qCwNokNc93Sqp9fE8Vjc9GsNwwcpV0eV/4= 5iJmmhsMKXL2AYXYroTAWo/FnPlALJ1+mE/8eWwYjDFjItUjGE8=
=IKBO =9ATO
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----

5
how-to-create-encrypted-paper-backup/secure-erase.sh
View File

@ -1,5 +1,8 @@
#! /bin/bash #! /bin/bash
set -e
set -o pipefail
rounds=3 rounds=3
positional=() positional=()
@ -52,7 +55,7 @@ waitForUsbThumbDrive () {
waitForUsbThumbDrive waitForUsbThumbDrive
printf "$bold$red%s$normal\n" "Secure erase USB flash drive? (y or n)? " printf "$bold$red%s$normal\n" "Secure erase USB flash drive (y or n)?"
read -r answer read -r answer
if [ "$answer" = "y" ]; then if [ "$answer" = "y" ]; then

26
how-to-create-encrypted-paper-backup/secure-erase.sh.sig
View File

@ -1,16 +1,16 @@
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEqYzNEiJDZVsm+vthH6dnhiu9EwUFAmB4haAACgkQH6dnhiu9 iQIzBAABCgAdFiEEqYzNEiJDZVsm+vthH6dnhiu9EwUFAmB7OOgACgkQH6dnhiu9
EwVeNA//Yz7KqK887qZyz9BcttZypKbeIrFneBiGM3A55iR3Yws5NFsFfLOH6BZo EwWxKhAAnXmr5WcAehYc3tl+AdBpvLaNHwr0yUr6NjV20xz4f/Y/bfHAQxkRnWRS
KBkRHlFGyQWgWtev183TIhvkg1rbqQ0oGk+NQyLfWeAgxFVwLB4cXH/3MLahKZeq Pc5F0X2u3dU6Q6hr9rCZP6/J6V6nrd6omIKyiLPtCW9z3Ofitsb4Xy9rP7VuWYJy
BvP9IEBNBdjMjJX3jpMqex4AKPwj3/cEMI2XUAIM8GKJkFF7N5hXCzOK0ACfbMSe 10gOz0aWqNdgyb9CwQN30ELC5XNfDQbGQGypNzcdg9Yd1uxZhpucNgMdUGihje5Q
lSZYtmarA/tjimtrNM1Bb3XsdohsbdZebzfTQdfSrch/Q0NO8j+FXlQ0Eo9CpX60 BYMYBKXdz0aVRRQn3u4qlyku6WdRe90Z+MgdW5wkU/YXKZC09BXzp2KTE5NNYq8l
HSvD9/z5V4J2jhgudSv9H1IHdp4/ISpRoeETnNOc20Pglpp3anCU66tASsKpUsBl HSyEWa0IwDvNBE8oW7yIgEzLbjmuWDnV71SDaWF7+aQgrpGYc7YuWBi2tAb5cd73
T11R5T1cxBbCByolSnvZynkDApvlYx686VO38t5PjXH2Od5xHB18iA3y0/0JtGTK hsR/DoghldIUyHXS24AuSwyB7LgRQageutdjBy+QYCtI3NXS3CslyYcw/D3Fz83e
4kPfUdOp0wbJkwaSbAaTTTAVHgiD3nHYiYmcLf6ZVwqDMaYWJcQvp0aYxZfw2Z8X o6Yn0bpKzeu9fLk57uBxIpJBT2Lkag0ZdkkxIGwtj+mI3GYDEZVweQiS0t/+2JC5
iU6zdU5CY58BIVJya2e8X6LVUQrpT+oBFtmaPR3Ax5CUIRvx4v95zGfTiRfO4cKl SsbeEWAvE1wG/jMmQ/WJ34lOBr/hc7Gz1Vd7JwoIryJolflLS0wdI0zl5PsVaOeu
HPIeLP+ankYu1eKxdNHRLNh/cNTO8nrFd9yiGFJumss+xaFfjEqLsNWn+ZbR+Cpx w3F1tk+hL4zgR087l96gdFVCHRNs4alrjgBopramSQCikbthErhe6S2LM+R55hSk
jprd+jWJ6eKMPq0W3IewahMGZeWeP0VZxc4MwmqQdV2deqv39BzLyKsQzGzO8940 VIxxKVF7bq61gPbwGaNhhZJcgvUkhUd32/P9chuEitulh4MtD2A9f0OFVfooEtHP
WWiCpRtEABTnfT6kw3pLxW9PKG9RYkbJ3EseeWmQP2PAG+kWxXw= j+zK40mZYyA1deY40iD2ORXeHtfswT/MKo8LWzVeZjX8Oa3yBj8=
=R1pv =lEr/
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----