Hosted version?

[stv0g]

Hi @eljojo,

thank for this great tool and idea. I've been looking for something like this for some time now.

I had initially planned to host something like this on a static web-host to simplify the unlock procedure for my relatives.

My Envisioned Procedure

Sealing

1. Generate a bundle, much like in your tool
2. Upload bundle and encrypted archive to a static site host (GitHub Pages, Netlify, or some CDN like Bunny)
3. Distribute to each shared secret holder:

• URL / QR Code to hosted bundle
• A passphrase constructed from a word list

Recovering

1. Scan QR code visit hosted bundle
2. Enter all passphrases
3. Download decrypted archive

Alternatively, a fully offline method could still be used by distributing also the bundle & archive separately.

Required implementation changes

To implement such a workflow, I think only some minor extensions would be required to your tool:

1. Allow for pass phrases / word lists instead of PEM-encoded secrets
2. Allow encrypted archive to be loaded directly from a file hosted relative to the bundle HTML.
3. Allow generation of bundle's without pre-filling secret from one of the shared secret holders.

[eljojo]

Hi @stv0g, this is a great inversion of how things work, have a simple website and then a password people can remember, I love it!

I'm really down for points 2 and 3 from what you mention, but I'd like to better understand the cryptographic implications of doing 1, a feature I really like about the software currently is that security is high because it takes care of generating safe passwords, it would be great to retain that. -- I'd much prefer if we could give people QR codes they can print that, for example visit the URL with the long-and-safe password pre-filled.

I'm not too familiar with PGP word lists but this sounds like a cool concept.

I'd love to do some form of remote pairing or collaboration with you on this idea, what do you think the next step should be?

[stv0g]

Oh yeah, I guess we could encode the key as part of a query string argument in an QR code.

However, this would only work for the first key holder.
The 2nd and 3rd holder would still need to enter it manually?

The idea behind word lists is that they are a more human friendly way to encode strong secrets.
Crypto Wallets are doing it in the same way.

I like them, as they can be nicely printed out on paper and still easily entered on request.
No QR code or phone required.

I agree with you that such a passphrase / word list needs to be generated to avoid any weak keys choosen by users.

I'd love to do some form of remote pairing or collaboration with you on this idea, what do you think the next step should be?

I am a bit busy over the next weeks unfortunately. But I will ping you once I find some time.

Nevertheless, I dont want stop anyone from looking into this earlier :)

[eljojo]

Hey @stv0g I opened #13 , #14 , and #23 in this context. I've been persuaded around word lists!

Could you take a look at #13? I'm wondering what the UX should be for making web bundles. Are you planning on using this from the CLI? It'd be nice if we could make this work from the browser, but it's definitely an advanced usecase, so I'm wondering how to keep things simple. Maybe there could be an advanced checkbox to enable more stuff, or we just make this work with the CLI to start with. what do you think?