@iaindooley
Created February 20, 2025 00:23
Using GPG to encrypt documents on a USB
README - Secure Encrypted Backup Storage
This USB contains an encrypted backup of your 2FA recovery codes. The backup is stored as a single tarball, symmetrically encrypted with GPG (AES-256, passphrase only, no key pair needed), so it can be opened with stock GnuPG on any platform. Follow the instructions below to encrypt, decrypt, and format additional USB drives.
---
ENCRYPTING BACKUP DIRECTORY (macOS/Linux)
To encrypt a directory (for example my_backup_dir) and store it on this USB as an encrypted tarball (encrypt.sh writes the file next to itself as YYYYMMDD_backup_codes.tar.gpg; the decrypt commands below refer to the copy on the USB as 2fa_backup.tar.gpg):
# Contents of encrypt.sh are at the end of this README
# TODO: add encryption instructions for Windows with GPG4Win
./encrypt.sh /path/to/codes
You will be prompted to enter a passphrase. Keep it safe.
---
DECRYPTING BACKUP (macOS/Linux)
To extract the backup from 2fa_backup.tar.gpg into the current directory:
gpg --pinentry-mode loopback --decrypt /Volumes/USB/2fa_backup.tar.gpg | tar -xvf -
You will be prompted for the passphrase.
---
DECRYPTING BACKUP (Windows)
1. Install GPG4Win (if not already installed):
- Download: https://gpg4win.org/download.html
- Install and follow on-screen instructions.
2. Open Command Prompt (cmd.exe) and run:
gpg --decrypt X:\2fa_backup.tar.gpg | tar -xvf -
Replace X: with your USB drive letter.
---
FORMATTING A NEW USB DRIVE TO exFAT
On macOS:
1. Open Disk Utility (cmd + space, type "Disk Utility", press Enter).
2. Select the USB drive (not a partition, the full drive).
3. Click Erase.
4. Choose:
- Format: exFAT
- Scheme: Master Boot Record (MBR)
5. Click Erase.
Or use the terminal:
diskutil list # Find your USB device (e.g., /dev/disk2)
diskutil eraseDisk exFAT BackupUSB MBRFormat /dev/disk2
Replace /dev/disk2 with your actual USB device.
---
On Linux:
Run the following commands:
lsblk # Identify your USB device (e.g., /dev/sdb)
sudo mkfs.exfat -n BackupUSB /dev/sdb
Replace /dev/sdb with your actual USB device.
---
On Windows:
1. Open Disk Management (Win + R, type diskmgmt.msc, press Enter).
2. Right-click the USB drive and choose Format.
3. Select:
- File system: exFAT
- Allocation unit size: Default
- Volume label: BackupUSB
4. Click OK.
Or use PowerShell:
Get-Partition -DriveLetter X | Format-Volume -FileSystem exFAT -NewFileSystemLabel "BackupUSB"
Replace X with your USB drive letter.
---
INSTALLING GPG IF NOT AVAILABLE
- macOS: Preinstalled, but you can update via:
brew install gnupg
- Linux: Install via:
sudo apt install gnupg # Debian/Ubuntu
sudo dnf install gnupg # Fedora
sudo pacman -S gnupg # Arch Linux
- Windows: Download and install Gpg4win from https://gpg4win.org/download.html
---
RESTORING BACKUP ON A NEW USB DRIVE
1. Format the new USB drive to exFAT (see instructions above).
2. Copy the encrypted backup file (replace both paths with the mount points of the old and new drives on your system):
cp /Volumes/USB/2fa_backup.tar.gpg /mnt/new_usb/
3. Ensure the README.txt file is also copied.
---
IMPORTANT NOTES
- Do NOT forget your passphrase. If you lose it, you cannot decrypt the backup.
- Test decryption before wiping any old copies.
- Store multiple copies of the encrypted file in different locations for redundancy.
TODO
- Install portable GPG binaries on the stick to allow decryption without installation of any software on macOS, Windows and Linux.
---
End of README
CONTENTS OF encrypt.sh (store this on the USB along with the README):
#!/bin/bash
set -e          # Exit immediately if a command fails
set -o pipefail # ...including tar or gpg failing inside the pipeline below

# Ensure a directory path is provided
if [ -z "${1:-}" ]; then
    echo "Usage: $0 <directory-to-backup>"
    exit 1
fi

# Resolve absolute path (realpath ships with coreutils on Linux and macOS 13+)
DIR=$(realpath "$1")

# Ensure the provided directory exists
if [ ! -d "$DIR" ]; then
    echo "Error: Directory does not exist: $DIR"
    exit 1
fi

# Get current date in YYYYMMDD format
DATE=$(date +"%Y%m%d")

# Get the directory where the script is located (the USB, when run from there)
SCRIPT_DIR=$(dirname "$(realpath "$0")")

# Set the output filename
OUTFILE="$SCRIPT_DIR/${DATE}_backup_codes.tar.gpg"

# Create the tarball on stdout and encrypt it directly, so no plaintext
# archive is ever written to disk. The archive holds one top-level
# directory named after the source directory. gpg prompts for the
# passphrase on the terminal (loopback pinentry) and asks before
# overwriting an existing OUTFILE.
tar -cf - -C "$(dirname "$DIR")" "$(basename "$DIR")" | \
    gpg --pinentry-mode loopback --symmetric --cipher-algo AES256 -o "$OUTFILE"

echo "Backup created successfully: $OUTFILE"
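A companion check for the "Test decryption before wiping any old copies" note above. This script is an added example, not part of the gist: it decrypts an archive produced by encrypt.sh into a scratch directory and compares every file's SHA-256 with the original directory, so a copy on a new stick can be trusted before the old one is erased. The function names (verify_backup, hash_tree, hash_file) and the optional passphrase-file argument are this example's own choices.

```shell
#!/bin/sh
# verify_backup.sh (added example, not part of the gist): decrypt an archive
# made by encrypt.sh into a scratch directory and compare it file by file with
# the directory it was taken from.
set -eu
set -o pipefail 2>/dev/null || true   # bash/zsh catch a failing gpg; dash lacks it

# Portable SHA-256 of one file: Linux ships sha256sum, macOS ships shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Print "<sha256>  <relative path>" for every regular file under $1, sorted,
# so two trees can be compared with plain diff.
hash_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done )
}

# verify_backup ARCHIVE SOURCE_DIR [PASSPHRASE_FILE]
# Without a passphrase file gpg prompts on the terminal exactly as in the
# README; with one (for scripted checks) it runs non-interactively.
# Returns 0 when the restored tree matches SOURCE_DIR byte for byte,
# 1 on a content mismatch, 2 when decryption or extraction fails.
verify_backup() {
    archive=$1; source=$2; pf=${3:-}
    tmp=$(mktemp -d)
    if ! { if [ -n "$pf" ]; then
               gpg --batch --pinentry-mode loopback --passphrase-file "$pf" --decrypt "$archive"
           else
               gpg --pinentry-mode loopback --decrypt "$archive"
           fi | tar -xf - -C "$tmp"; }; then
        echo "decrypt/extract failed for $archive" >&2; rm -rf "$tmp"; return 2
    fi
    # encrypt.sh stores a single top-level directory named after the source.
    restored="$tmp/$(basename "$source")"
    [ -d "$restored" ] || { echo "no $(basename "$source")/ in archive" >&2; rm -rf "$tmp"; return 2; }
    hash_tree "$source"   > "$tmp/expected.sha"
    hash_tree "$restored" > "$tmp/actual.sha"
    if diff "$tmp/expected.sha" "$tmp/actual.sha"; then
        echo "OK: $archive restores $source exactly"; rm -rf "$tmp"; return 0
    fi
    echo "MISMATCH: $archive differs from $source (diff above)" >&2; rm -rf "$tmp"; return 1
}

# Run directly: ./verify_backup.sh /Volumes/USB/2fa_backup.tar.gpg /path/to/codes
if [ $# -ge 2 ]; then verify_backup "$@"; fi
```

The scratch directory is removed on every exit path, so the decrypted codes never outlive the check.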