Backing up mnemonic seeds using asymmetric and symmetric-key encryption into QR Codes


Mnemonic seed paper backups are great, but keeping them in plain text can be dangerous, as anyone who gets a chance to read them will be able to restore your wallets. Instead, we can encrypt them first and store the result in a QR Code. We will use GPG or Keybase for asymmetric-key encryption, and AES-256 using Cipher-Block Chaining (AES-CBC) with OpenSSL for symmetric-key encryption.

First, we store our mnemonic seeds in a file:

vim seed.txt

Assuming a GPG key is loaded or the Keybase client is installed, we can proceed to double encrypt our seed file into a QR Code. The QR Code utility runs through npx, which requires Node.js 8.x or later. We will be prompted for a password for the AES-256 encryption step, and the standard output is passed through xargs to the QR Code generator.

Using GPG

gpg -sae --trust-model always -r <RECIPIENT_ID> -o- seed.txt | openssl enc -aes-256-cbc -salt -a | xargs npx qrcode -o seed.png

Using Keybase

keybase pgp encrypt -i seed.txt | openssl enc -aes-256-cbc -salt -a | xargs npx qrcode -o seed.png

This will produce a QR Code similar to the following one. You can print it and carry it around, as it’s safely encrypted.

Our backup words are safely encrypted, so there is no danger in anyone snooping around them

First, we use a QR Code scanner to retrieve the content of our paper backup. This can be done with any mobile code reader, and then shared to ourselves by any secure or insecure channel.

I scanned my QR Code with my mobile phone, and then sent its contents to myself through Slack

With the content in our clipboard (OSX only; otherwise store the contents in a file first and use cat file | ... instead of pbpaste), we can proceed to decrypt the backup with either GPG or Keybase. We use tr to turn spaces back into line breaks, since the decoding process sometimes returns the lines of our encoded paper backup separated by spaces.

Using GPG

pbpaste | tr ' ' '\n' | openssl enc -a -d -aes-256-cbc | gpg --decrypt

Using Keybase

pbpaste | tr ' ' '\n' | openssl enc -a -d -aes-256-cbc | keybase pgp decrypt

Your mnemonic seed backup words will be shown in the terminal.
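
The restore path above can be rehearsed before trusting a printed code. The script below is an added example, not part of the original post: it runs the symmetric layer end to end on a constructed payload, with line breaks turned into spaces as a scanner may return them. The helper names, passphrase and sample text are assumptions, as are the -md sha256 and -pass env: options, which the article's commands do not use.

```shell
#!/bin/sh
# Added example, not from the original post. The passphrase, the payload and the
# helper names (encrypt_layer, simulate_scan, decrypt_layer, roundtrip_ok) are
# constructed for this self-test.

# The article's symmetric step, made non-interactive for testing:
#   -md sha256             pins the key-derivation digest, whose default differs
#                          between OpenSSL 1.0.x (MD5) and 1.1.0+ (SHA-256)
#   -pass env:BACKUP_PASS  takes the passphrase from the environment; use this
#                          for a throwaway test value only
encrypt_layer() {
  openssl enc -aes-256-cbc -salt -a -md sha256 -pass env:BACKUP_PASS
}

# What the restore side receives: base64 line breaks replaced by spaces.
simulate_scan() {
  tr '\n' ' '
}

# The article's restore step: spaces back to line breaks, then base64 + AES.
decrypt_layer() {
  tr ' ' '\n' | openssl enc -a -d -aes-256-cbc -md sha256 -pass env:BACKUP_PASS
}

# Succeeds only if the payload survives encrypt -> scan -> decrypt unchanged.
roundtrip_ok() (
  restored=$(printf '%s' "$1" | encrypt_layer | simulate_scan | decrypt_layer) || exit 1
  [ "$restored" = "$1" ]
)

# Constructed stand-in for the armored output of the GPG/Keybase step.
SAMPLE='constructed stand-in for the armored PGP message, line 1
constructed stand-in for the armored PGP message, line 2
constructed stand-in for the armored PGP message, line 3'

BACKUP_PASS='constructed-test-passphrase'
export BACKUP_PASS
if roundtrip_ok "$SAMPLE"; then
  echo "round trip OK"
else
  echo "round trip FAILED" >&2
fi
```

If the backup may be restored on a machine with a different OpenSSL version, the digest used at encryption time has to be given again at decryption time.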

"Backing up mnemonic seeds using asymmetric and symmetric-key encryption into QR Codes"
by José Aguinaga
20.11.2017
This post was created by @jjperezaguinaga. Verify its authenticity by checking this signature in https://keybase.io/verify
