Started working on a tool to create PDFs for printing backups of cryptographic keys. Uses @bcrypt's niceware format/encoding. Meant for use in storing offline copies of yubikey/disk encryption keys.

⚠️ Not ready for use yet. Please do not use in production and lose your keys.

Just sharing the initial prototype.

Still todo:

  • Make PDF look pretty, with clear instructions.
  • Add option to encrypt (pbkdf+memorized master passphrase, or a static key) before encoding.
  • Move go port of niceware to its own repo/lib.
  • Add recovery command/flow to the cli
  • Print and ✨Laminate✨ some keys :)

https://github.com/Tethik/papercopy

@tethik hi would you mind expanding a little on the yubikey backup part? I thought they were impervious to data extraction
@GuillaumeRossolini It is, but some modes (like challenge-response hmac) allow you to set a static secret that you load beforehand. I use such a secret as a factor to encrypt my keepass database.

@tethik oh ok, thanks. Yes I use that too, but it’s usually also in my password manager somewhere

Which I realize in your use case is pointless

@GuillaumeRossolini I blogged about my setup a bit here: https://joakim.uddholm.com/setting-up-keepassxc-with-yubikey

Then I saw the need for this kind of tool. I want to use it for my backup encryption key as well.


@tethik I misunderstood. This is actually the OTP feature where the seed is what you’ve backed up, but it couldn’t be extracted after the fact?

(Not to be confused, as I did, with the actual static phrase it can store and obviously can also spit out on demand)

And you’ve been using this without any issues?

@GuillaumeRossolini It's the challenge-response OTP. I believe it uses a static secret stored on the yubikey and spits out hmac using that secret.

Sure, it's been working since I set it up ~2 weeks ago.
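To illustrate the mode described above (a static secret on the key, HMAC over a challenge) and why a paper copy of that secret is worth keeping, here is an added Go example that is not part of papercopy or the thread. It simulates the HMAC-SHA1 slot with a constructed 20-byte secret and uses a simplified, assumed composite-key construction (hash each factor, hash the concatenation), not KeePassXC's exact scheme.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
)

// hmacSlot models a YubiKey HMAC-SHA1 challenge-response slot. On a real key
// the 20-byte secret is write-only; here it is a constructed value so the
// effect of restoring a backup onto a second key can be demonstrated.
type hmacSlot struct{ secret [20]byte }

// Respond returns HMAC-SHA1(secret, challenge), a 20-byte response.
func (s hmacSlot) Respond(challenge []byte) []byte {
	m := hmac.New(sha1.New, s.secret[:])
	m.Write(challenge)
	return m.Sum(nil)
}

// compositeKey combines a memorised passphrase with the token response
// (assumed simplified model of a KeePass-style composite key).
func compositeKey(passphrase string, slot hmacSlot, challenge []byte) [32]byte {
	p := sha256.Sum256([]byte(passphrase))
	r := sha256.Sum256(slot.Respond(challenge))
	return sha256.Sum256(append(p[:], r[:]...))
}

// Constructed secrets: the one written to the original key (and printed as a
// paper backup) and an unrelated one for comparison.
var backedUpSecret = [20]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20}
var otherSecret = [20]byte{20, 19, 18, 17, 16, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1}

// restoreMatches reports whether a replacement key programmed with the backed-up
// secret yields the same database key as the original key did.
func restoreMatches(passphrase string, challenge []byte) bool {
	original := hmacSlot{backedUpSecret}
	replacement := hmacSlot{backedUpSecret} // secret re-entered from the paper copy
	return compositeKey(passphrase, original, challenge) == compositeKey(passphrase, replacement, challenge)
}

func main() {
	challenge := []byte("constructed-database-challenge")
	fmt.Printf("restore matches: %v\n", restoreMatches("correct horse", challenge))
	fmt.Printf("other key matches: %v\n",
		compositeKey("correct horse", hmacSlot{backedUpSecret}, challenge) == compositeKey("correct horse", hmacSlot{otherSecret}, challenge))
}
```

Without the backed-up secret the key is unrecoverable, which is the failure mode the paper copy protects against.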

@tethik thanks for the feedback, and for the tool!

Tools like this are part of the solution to a wider adoption for these phishing resistant, and generally more secure, techs