Notes and BASH snippets regarding password generation.
If you are on an air-gapped system, you can't look up your favourite passphrase generation command on the internet - this file should help.
Create a password from 32 pseudo-randomly generated bytes - expressed as a 44 character Base64 string:
LC_ALL=C head -c 32 /dev/urandom | base64
The use of LC_ALL=C
is probably unnecessary - it prevents user settings (e.g. language settings) interfering with the command. Because in this case bytes are expressed in base 64, LC_ALL=C
is
- Step 1: Create many passwords and save in a single file, with one password per line.
- Step 2: To use as an offline-key, symmetrically encrypt the keyfile
# Step 1: collect 32 pseudo random bytes, write as base64 string to a file, loop x 10
for i in {0..9}; do LC_ALL=C head -c 32 /dev/urandom | base64 >> /path/to/keys.txt; done
# As above, but output as hexstrings:
for i in {0..9}; do head -c 32 /dev/urandom | xxd -ps -c 256 >> /tmp/hexkeys.txt; done
# Step 2 - enter password when prompted. Use `armor` option for printing the encrypted file
gpg --symmetric -o encrypted-keys.gpg --armor /path/to/keys.txt
Strong passwords can form the basis of offline keyfiles.
Offline keys can be stored (offline, of course) in a LUKS encrypted USB drive that has never been opened on an online computer, with a paper copy (ASCII armor encrypted as shown above) as additional backup.
If the passphrase used to encrypt the keyfile is strong, multiple copies of the key media (paper, USB) can be lodged in multiple semi-trusted environments - e.g. a Solicitor's safe, or a bank vault. This guards against fire, theft and other disasters - it mitigates having the key(s) in a single location.
The password used to backup the keyfile should itself be backed up by means of a secret sharing scheme - for example the main passphrase could be distributed carefully using Shamir's Secret Sharing Scheme.
# Archive and encrypt with default GPG algorithm
tar -cz recovery | gpg --symmetric -o recovery.tgz.gpg
# Archive and encrypt using Twofish cipher algorithm
tar -cz recovery | gpg --symmetric --cipher-algo TWOFISH -o recovery.tgz.gpg
head /dev/urandom | tr -cd [:graph:] | head -c 32; echo
tr -cd [:graph:] < /dev/urandom | head -c 32; echo