How to encrypt your secrets with the scrypt utility on Ubuntu, print them on paper and then read them again

Your secrets are in the file secret.txt.

Install the scrypt utility:

$ sudo apt-get install scrypt

Encrypt the file with custom scrypt parameters (about 1G of RAM, 200 seconds; in reality it takes less than 200 seconds on my system, see this Github bug report):

$ scrypt enc -M 1073741824 -t 200 secret.txt encrypted.scrypt

Now, you got your encrypted data in the file encrypted.scrypt. You can upload it to your favorite cloud storage provider (Google Drive, DropBox, email it to your Gmail, Proton Mail and Yahoo Mail addresses, etc.).

If you want it on paper type into the command line:

$ base64 encrypted.scrypt > encrypted.scrypt.base64.txt

You can open the encrypted.scrypt.base64.txt file with your favorite editor (LibreOffice Writer) and set a proper font before printing it (this is critical - when printing your keys make sure you use a proper font (that don't have similar characters - like "I" and "l", zero and big O)).

To decrypt the encrypted data:

$ scrypt dec encrypted.scrypt decrypted.secret.txt

If you want to restore your printed data, first you need to OCR the page, correct errors (if any) and to decode from base64 encoding:

$ base64 -d text.from.OCR.app.txt >  encrypted.scrypt

Instead of just a plain text file you can store your secrets into a KeePass container. But KeePass2 is known to have a inefficient key stretching algorithm. And on KeePassX you can't change the key stretching settings. So, it's wise to encrypt your KeePass container with scrypt (using another password!).

Please be aware that writing directly on your unencrypted hard drive is dangerous. Deleted data can be theoretically restored. Also, if you use unencrypted swap your secrets are probably written on your hard drive unencrypted. It's better to write on a tmpfs. Or just use Live Linux distribution like Tails. Read more here: Archiving private keys - TLDR version.

Comments

Popular posts from this blog

Do not use (only) flash memory (SSD drives, hardware wallets, USB flash drives) for your precious private keys!

Archiving private keys - TLDR version

[ad removed]