Shamir's Secret Sharing Scheme - Storing Bitcoin seeds as Encrypted shards for geographically diverse backups

in bitcoin •  2 years ago

This post is Part #2 of a backup strategy series. Part #1, linked below, looks at the backup strategy as a whole.
https://steemit.com/bitcoin/@steempower/are-your-bitcoins-and-digital-asset-sufficiently-protected-backup-strategy-to-secure-seeds-databases-and-digital-files

Preface:

In this post I would like to share a method of backing up a Bitcoin mnemonic seed of 12-24 words, encrypted with AES256 and then broken into shards using Shamir's Secret Sharing Scheme (SSSS). The end goal is to have shards of a secret (the Bitcoin seed) backed up on paper, so that we can store these shards in multiple geographically separated locations to protect against physical theft, fire, flood, etc.

Shamir's Secret Sharing Scheme (SSSS)

Shamir's Secret Sharing is an algorithm in cryptography created by Adi Shamir. It is a form of secret sharing, where a secret is divided into parts, giving each participant its own unique part, where some of the parts or all of them are needed in order to reconstruct the secret.

Counting on all participants to combine the secret might be impractical, and therefore sometimes the threshold scheme is used where any k of the parts are sufficient to reconstruct the original secret.

You can learn more about SSSS HERE
There is also a nice video regarding the topic HERE

The Goal and the Process

I will be using 256-bit AES symmetric encryption to create a Base64-encoded encrypted string of my 12-24 word seed, and then I will use Shamir's Secret Sharing Scheme (SSSS) to shard the data into 3 pieces with a threshold value of 2 (this means it requires 2 of the 3 shards to recreate the original Base64-encoded, AES256-encrypted string).

I will use a Live Ubuntu CD on a completely isolated machine to create the encrypted shards and print them to a standalone personal printer via USB (this printer does not have an internal HDD, and jobs will not be cached). Each shard will then be protected inside a small envelope, which will be laminated and distributed to geographically separated locations.
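The 2-of-3 split described above, written out as an added example (it is not code from this post or from Pass Guardian): byte-wise Shamir sharing over GF(2^8). The field polynomial 0x11b, the share layout and the sample string are assumptions made for illustration, so these shards are not interchangeable with Pass Guardian's.

```python
import secrets

# GF(2^8) log/antilog tables for the polynomial 0x11b with generator 3 (assumed field).
EXP, LOG = [0] * 510, [0] * 256
_x = 1
for _i in range(255):
    EXP[_i] = EXP[_i + 255] = _x
    LOG[_x] = _i
    _x ^= (_x << 1) ^ (0x11B if _x & 0x80 else 0)   # multiply by 3: 2*x XOR x

def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def gf_div(a, b):   # b is never 0 here: share x-coordinates are distinct
    return 0 if a == 0 else EXP[LOG[a] - LOG[b] + 255]

def split(secret, n=3, k=2):
    """Return {x: shard}. Each secret byte is the constant term of a fresh
    random polynomial of degree k-1, evaluated at x = 1..n."""
    if not 2 <= k <= n <= 255:
        raise ValueError("need 2 <= k <= n <= 255")
    shares = {x: bytearray() for x in range(1, n + 1)}
    for byte in secret:
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x in shares:
            y = 0
            for c in reversed(coeffs):       # Horner evaluation in GF(2^8)
                y = gf_mul(y, x) ^ c
            shares[x].append(y)
    return {x: bytes(s) for x, s in shares.items()}

def combine(shares):
    """Lagrange-interpolate the polynomial at x = 0 from k or more shards."""
    xs = list(shares)
    out = bytearray()
    for i in range(len(shares[xs[0]])):
        acc = 0
        for xj in xs:
            num = den = 1
            for xm in xs:
                if xm != xj:
                    num = gf_mul(num, xm)        # (0 - xm) is xm in GF(2^8)
                    den = gf_mul(den, xj ^ xm)   # (xj - xm) is xj XOR xm
            acc ^= gf_mul(shares[xj][i], gf_div(num, den))
        out.append(acc)
    return bytes(out)

# Constructed stand-in for the single Base64 line produced by gpg | base64.
SAMPLE = b"jA0ECQMCq2v1exampleONLYnotRealCiphertext0s9="
SHARDS = split(SAMPLE, n=3, k=2)   # any 2 of these 3 rebuild SAMPLE
```

A single shard fed to `combine` returns only that shard's own bytes, which is why one envelope on its own does not give back the encrypted string.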

Resources:

Backup Procedure

1. Boot the Ubuntu Live CD to memory on an isolated computer (no WiFi, no internet, no LAN, no Bluetooth, etc.).

2. Eject the CD and insert the CD with the offline version of Pass Guardian, then copy the Pass Guardian folder to the Home directory.

3. Open the Terminal.

4. Use the following command: "echo '{your mnemonic seed}' | gpg --symmetric --cipher-algo AES256 | base64"

5. Enter a strong password that you will not forget and press ENTER; you will be asked to enter it again to confirm.

6. Copy the encrypted output; make sure you select it all!

7. Open Pass Guardian by running {HOMEDIR}/secrets.js-gh-pages/index.html

8. Scroll down and click the 'Split' tab in the 'Split a Secret' panel.

9. Enter your encrypted output into the 'Secret to Share' text box.

10. Verify the encrypted text to ensure it matches the output in the terminal. Note: if your terminal output is broken into multiple lines, you may end up with a line break/carriage return in your copied text; make sure you remove it (if you're not sure, paste it into a text editor and ensure text wrapping is disabled; you should end up with 1 line of text).

11. Set 'Number of shares' = 3 and 'Threshold' = 2 (or your preferred settings), then click 'Split!' to generate your desired number of shards.

12. IMPORTANT! Do not skip this step! Copy all the shards to a text document and run through the Restore Procedure below. Once you have verified that you can successfully recreate your seed, return to this step and continue.

13. Once you have verified your restore was successful, connect a USB printer and print 2 copies of each shard to a separate piece of paper (3 pieces of paper in total, with 2 redundant copies of its shard on each piece).

14. Trim each piece of paper to create 3 separate pieces of paper containing 1 shard on each (printed twice on each page for redundancy).

15. Fold the pieces of paper to hide the text from view and slide each one into a slim envelope of a similar size.

16. Laminate each of the slim envelopes, with 1 shard in each envelope.

17. Power down the Live CD and disconnect power from the computer.

Restore Procedure

If you are testing, close all windows except for the text editor containing your shards, then skip to step 3.

1. Boot the Ubuntu Live CD to memory on an isolated computer (no WiFi, no internet, no LAN, no Bluetooth, etc.).

2. Eject the CD and insert the CD with the offline version of Pass Guardian, then copy the Pass Guardian folder to the Home directory.

3. Open Pass Guardian by running {HOMEDIR}/secrets.js-gh-pages/index.html

4. Scroll down and click the 'Reconstruct' tab in the 'Reconstruct a secret' section toward the bottom of the page.

5. Enter the required shards to reconstruct, i.e. 2 of the 3 shards, into the text boxes provided and click 'Reconstruct'.

6. Copy the "Reconstructed Secret" output from Pass Guardian.

7. Open the Terminal.

8. Use the following command: "echo -n '{Your Reconstructed Secret from Pass Guardian}' | base64 --decode | gpg --decrypt"

9. Enter your password.

10. The original seed is displayed on the screen.
