Added first draft of encrypted paper backup guide

how-to-create-encrypted-paper-backup/README.md

@@ -0,0 +1,141 @@
+<!--
+Title: How to create encrypted paper backup
+Description: Learn how to create encrypted paper backup.
+Author: Sun Knudsen <https://github.com/sunknudsen>
+Contributors: Sun Knudsen <https://github.com/sunknudsen>, Alex Anderson <https://github.com/Serpent27>
+Reviewers:
+Publication date: 2021-02-23T21:53:38.495Z
+Listed: true
+-->
+
+# How to create encrypted paper backup
+
+## Requirements
+
+- [Hardened Raspberry Pi](../how-to-configure-hardened-raspberry-pi) 📦
+- [Adafruit PiTFT monitor](https://www.adafruit.com/product/2423) (optional)
+- Linux or macOS computer
+
+## Caveats
+
+- When copy/pasting commands that start with `$`, strip out `$` as this character is not part of the command
+- When copy/pasting commands that start with `cat << "EOF"`, select all lines at once (from `cat << "EOF"` to `EOF` inclusively) as they are part of the same (single) command
+
+## Setup guide
+
+### Step 1: log in to Raspberry Pi
+
+Replace `10.0.1.248` with IP of Raspberry Pi.
+
+When asked for password, enter password from [step 1](#step-1-create-ssh-key-pair-on-computer).
+
+```shell
+ssh pi@10.0.1.248 -i ~/.ssh/pi
+```
+
+### Step 2 (optional): install [Adafruit PiTFT monitor](https://www.adafruit.com/product/2423) drivers and disable console auto login
+
+#### Install [Adafruit PiTFT monitor](https://www.adafruit.com/product/2423) drivers
+
+> Heads-up: don’t worry about `PITFT Failed to disable unit: Unit file fbcp.service does not exist.`.
+
+```shell
+$ sudo apt update
+
+$ sudo apt install -y git python3-pip
+
+$ sudo pip3 install --upgrade adafruit-python-shell click==7.0
+
+$ git clone https://github.com/adafruit/Raspberry-Pi-Installer-Scripts.git
+
+$ cd Raspberry-Pi-Installer-Scripts
+
+$ sudo python3 adafruit-pitft.py --display=28c --rotation=90 --install-type=console
+```
+
+#### Disable console auto login
+
+```shell
+sudo raspi-config
+```
+
+Select “System Options”, then “Boot / Auto Login”, then “Console” and finally “Finish”.
+
+### Step 3: configure keyboard keymap
+
+> Heads-up: following instructions are for [Raspberry Pi keyboard](https://www.raspberrypi.org/products/raspberry-pi-keyboard-and-hub/) (US model).
+
+```shell
+sudo raspi-config
+```
+
+Select “Localisation Options”, then “Keyboard”, then “Generic 105-key PC (intl.)”, then “Other”, then “English (US)”, then “English (US)”, then “The default for the keyboard layout”, then “No compose key” and finally “Finish”.
+
+### Step 4: install dependencies
+
+```shell
+$ sudo apt update
+
+$ sudo apt install -y fim imagemagick zbar-tools
+
+$ pip3 install pillow qrcode --user
+
+$ echo "export GPG_TTY=\"\$(tty)\"" >> ~/.bashrc
+
+$ echo "export PATH=\$PATH:/home/pi/.local/bin" >> ~/.bashrc
+
+$ source ~/.bashrc
+```
+
+### Step 5: download [qr-backup.sh](./qr-backup.sh) ([PGP signature](./qr-backup.sh.sig), [PGP public key](https://sunknudsen.com/sunknudsen.asc))
+
+```shell
+sudo curl -o /usr/local/sbin/qr-backup.sh https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/qr-backup.sh
+sudo chmod +x /usr/local/sbin/qr-backup.sh
+```
+
+### Step 6: download [qr-restore.sh](./qr-restore.sh) ([PGP signature](./qr-restore.sh.sig), [PGP public key](https://sunknudsen.com/sunknudsen.asc))
+
+```shell
+sudo curl -o /usr/local/sbin/qr-restore.sh https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/qr-restore.sh
+sudo chmod +x /usr/local/sbin/qr-restore.sh
+```
+
+### Step 7: download [qr-clone.sh](./qr-clone.sh) ([PGP signature](./qr-clone.sh.sig), [PGP public key](https://sunknudsen.com/sunknudsen.asc))
+
+```shell
+sudo curl -o /usr/local/sbin/qr-clone.sh https://sunknudsen.com/static/media/privacy-guides/how-to-create-encrypted-paper-backup/qr-clone.sh
+sudo chmod +x /usr/local/sbin/qr-clone.sh
+```
+
+### Step 8: reboot
+
+```shell
+sudo systemctl reboot
+```
+
+👍
+
+---
+
+## Usage guide
+
+### Create encrypted paper backup
+
+```shell
+qr-backup.sh
+```
+
+### Restore encrypted paper backup
+
+```shell
+qr-restore.sh
+```
+
+### Clone encrypted paper backup
+
+```shell
+qr-clone.sh
+```
+
+👍

how-to-create-encrypted-paper-backup/qr-backup.sh

@@ -0,0 +1,69 @@
+#! /bin/bash
+
+set -e
+
+bold=$(tput bold)
+red=$(tput setaf 1)
+normal=$(tput sgr0)
+
+dev="/dev/sda1"
+tmp="/home/pi/tmp"
+usb="/home/pi/usb"
+
+waitForUsb () {
+  if [ ! -e $dev ]; then
+    printf "Insert USB thumb drive and press enter"
+    read -r confirmation
+    waitForUsb
+  fi
+}
+
+waitForUsb
+
+sudo mkdir -p $tmp
+if ! mount | grep $tmp > /dev/null; then
+  sudo mount -t tmpfs -o size=100m tmp $tmp
+fi
+
+sudo mkdir -p $usb
+if ! mount | grep $usb > /dev/null; then
+  sudo mount $dev $usb -o uid=pi,gid=pi
+fi
+
+if [ -z $secret ]; then
+  printf "%s\n" "Type secret and press enter"
+  read -r secret
+fi
+
+encrypted_secret=$(echo -n "$secret" | gpg --s2k-mode 3 --s2k-count 65011712 --s2k-digest-algo sha512 --cipher-algo AES256 --symmetric --armor)
+gpg-connect-agent reloadagent /bye > /dev/null 2>&1
+
+encrypted_secret_hash=$(echo -n "$encrypted_secret" | openssl dgst -sha512 | sed 's/^.* //')
+encrypted_secret_short_hash=$(echo -n "$encrypted_secret_hash" | head -c 8)
+
+printf "%s\n" "$encrypted_secret"
+printf "SHA512 hash: $bold%s$normal\n" "$encrypted_secret_hash"
+printf "SHA512 short hash: $bold%s$normal\n" "$encrypted_secret_short_hash"
+
+echo -n "$encrypted_secret" | qr --error-correction=H > "$tmp/secret.png"
+
+font_size=$(echo "$(convert "$tmp/secret.png" -format "%h" info:) / 8" | bc)
+text_offset=$(echo "$font_size * 1.5" | bc)
+
+convert "$tmp/secret.png" -gravity center -scale 200% -extent 125% -scale 125% -gravity south -font /usr/share/fonts/truetype/noto/NotoMono-Regular.ttf -pointsize $font_size -fill black -draw "text 0,$text_offset '$encrypted_secret_short_hash'" "$usb/$encrypted_secret_short_hash.jpg"
+
+printf "%s\n" "Show SHA512 hash as QR code? (y or n)? "
+
+read -r answer
+if [ "$answer" = "y" ]; then
+  printf "%s\n" "Press q to quit"
+  sleep 1
+  echo -n "$encrypted_secret_hash" | qr --error-correction=L > "$tmp/secret-hash.png"
+  sudo fim --autozoom --quiet --vt 1 "$tmp/secret-hash.png"
+fi
+
+sudo umount $tmp
+
+sudo umount $usb
+
+printf "%s\n" "Done"

how-to-create-encrypted-paper-backup/qr-clone.sh

@@ -0,0 +1,11 @@
+#! /bin/bash
+
+set -e
+
+printf "%s\n" "Restoring…"
+. qr-restore.sh
+
+if [ -n "$secret" ]; then
+  printf "%s\n" "Backing up…"
+  . qr-backup.sh
+fi

how-to-create-encrypted-paper-backup/qr-restore.sh

@@ -0,0 +1,43 @@
+#! /bin/bash
+
+bold=$(tput bold)
+red=$(tput setaf 1)
+normal=$(tput sgr0)
+
+set -e
+
+printf "%s\n" "Scan QR code…"
+
+data=""
+
+while read line; do
+  if echo -n $line | grep -Eq "^QR-Code:"; then
+    line=$(echo -n $line | sed 's/QR-Code://')
+  fi
+  data="$data$line"
+  if [ "$line" = "-----END PGP MESSAGE-----" ]; then
+    killall zbarcam --signal SIGINT
+  else
+    data="$data\n"
+  fi
+done < <(zbarcam --nodisplay --quiet)
+
+encrypted_secret=$(echo -e $data)
+
+encrypted_secret_hash=$(echo -n "$encrypted_secret" | openssl dgst -sha512 | sed 's/^.* //')
+encrypted_secret_short_hash=$(echo -n "$encrypted_secret_hash" | head -c 8)
+
+printf "%s\n" "$encrypted_secret"
+printf "SHA512 hash: $bold%s$normal\n" "$encrypted_secret_hash"
+printf "SHA512 short hash: $bold%s$normal\n" "$encrypted_secret_short_hash"
+
+printf "$bold$red%s$normal\n" "Show secret? (y or n)? "
+
+read -r answer
+if [ "$answer" = "y" ]; then
+  secret=$(echo -e "$encrypted_secret" | gpg --decrypt)
+  gpg-connect-agent reloadagent /bye > /dev/null 2>&1
+  printf "Secret: $bold%s$normal\n" "$secret"
+fi
+
+printf "%s\n" "Done"