Backing up mnemonic seeds using asymmetric and symmetric-key encryption into QR Codes
Mnemonic seed paper backups are great, but keeping them in plain text could be dangerous, as anyone who has a chance to read them will be able to restore your wallets. Instead, we can encrypt them first and store the result in a QR Code. We will use GPG or Keybase for asymmetric-key encryption, and AES-256 using Cipher-Block Chaining (AES-CBC) with OpenSSL for symmetric-key encryption.
Encrypting our backup words
First, we store our mnemonic seeds in a file:
vim seed.txt
Assuming you have a GPG key loaded or the Keybase client installed, we can proceed to double-encrypt our seed file into a QR Code. The QR Code utility is run through npx, which requires Node.js 8.x or later. We will be prompted for a password for the AES-256 encryption step, and the standard output is passed through xargs to the QR code generator.
Using GPG
gpg -sae --trust-model always -r <RECIPIENT_ID> -o- seed.txt | openssl enc -aes-256-cbc -salt -a | xargs npx qrcode -o seed.png
Using Keybase
keybase pgp encrypt -i seed.txt | openssl enc -aes-256-cbc -salt -a | xargs npx qrcode -o seed.png
This will produce a QR Code similar to the following one. You can print it and carry it around, as it’s safely encrypted.
Decrypting our backup words
First, we use a QR Code scanner to retrieve the content of our paper backup. This can be done with any mobile code reader, and then shared to ourselves by any secure or insecure channel.
Having our content stored in our clipboard (OSX only, otherwise store the contents in a file first and then do cat file | ... instead of pbpaste), we can then proceed to decrypt the backup with either GPG or Keybase. We use tr to convert spaces into newlines, since sometimes the decoding process will strip the spaces of our encoded paper backup.
Using GPG
pbpaste | cat | tr ' ' '\n' | openssl enc -a -d -aes-256-cbc | gpg --decrypt
Using Keybase
pbpaste | cat | tr ' ' '\n' | openssl enc -a -d -aes-256-cbc | keybase pgp decrypt
Your mnemonic seed backup words will be shown in the terminal.
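The check below is an added example, not part of the original post: it round-trips the AES-256-CBC layer through the same space-for-newline transformation the QR step introduces, so a backup can be tested before the paper copy is trusted. The function names, the QR_PASS variable and the sample text are assumptions made for the illustration, and `xargs echo` stands in for the QR generator and scanner.

```sh
#!/bin/sh
# Round-trip check for the symmetric layer of the backup pipeline.
# QR_PASS is a hypothetical variable name; openssl reads it via -pass env:
# so the check runs without the interactive password prompt.

# qr_text PASSPHRASE [openssl options]: stdin -> one-line text for the QR code.
# "xargs echo" stands in for "xargs npx qrcode": the 64-character base64
# lines become separate arguments, joined here by single spaces.
qr_text() {
    qt_pass=$1; shift
    QR_PASS=$qt_pass openssl enc -aes-256-cbc -salt -a -pass env:QR_PASS "$@" | xargs echo
}

# restore PASSPHRASE [openssl options]: scanned text on stdin -> plaintext.
# tr puts the line breaks back so the base64 decoder accepts the input.
restore() {
    rs_pass=$1; shift
    tr ' ' '\n' | QR_PASS=$rs_pass openssl enc -a -d -aes-256-cbc -pass env:QR_PASS "$@"
}

# roundtrip_check PASSPHRASE [openssl options]: prints OK if stdin survives
# encrypt -> QR text -> decrypt unchanged, else prints FAIL and returns 1.
# Options such as -pbkdf2 (OpenSSL 1.1.1 or later) must match on both sides.
roundtrip_check() {
    rc_pass=$1; shift
    rc_in=$(cat)
    rc_qr=$(printf '%s\n' "$rc_in" | qr_text "$rc_pass" "$@") || rc_qr=
    rc_out=$(printf '%s\n' "$rc_qr" | restore "$rc_pass" "$@" 2>/dev/null) || rc_out=
    if [ -n "$rc_qr" ] && [ "$rc_out" = "$rc_in" ]; then
        echo OK
    else
        echo FAIL
        return 1
    fi
}

# Constructed stand-in for the armored GPG/Keybase output (not a real seed).
SAMPLE='-----BEGIN PGP MESSAGE-----
constructed placeholder body line one, long enough to span base64 lines
constructed placeholder body line two
-----END PGP MESSAGE-----'

printf '%s\n' "$SAMPLE" | roundtrip_check 'constructed-passphrase' ||
    echo 'round trip failed (is openssl installed?)' >&2
```

A backup written by an OpenSSL release older than 1.1.0 was keyed with MD5 rather than the current SHA-256 default, so restoring it on a newer release needs `-md md5` added to the decrypt command (here: `restore <passphrase> -md md5`).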
"Backing up mnemonic seeds using asymmetric and symmetric-key encryption into QR Codes"
by José Aguinaga
20.11.2017
This post was created by @jjperezaguinaga. Verify its authenticity by checking this signature in https://keybase.io/verify