Hyperbacked – Encrypted QR using Shamir's Secret Sharing

Basically, as the title says, it is an open source version of Superbacked, which is developed by YouTuber Sun Knudsen: Introducing Superbacked, possibly the world’s most advanced backup and succession planning app - Invidious

Some random dev didn’t feel like paying 149$ for a closed source app calling it a weekend project, so he decided to make an open source version of it as the picture shows below, literally in a weekend.

The project:

A clone of Superbacked, written in Rust.

Basically, it stores secrets securely using printable PDFs that contain encrypted QR-Codes. The encrypted backup can optionally be sharded, so that it can be distributed across many trusted people, with only a configurable subset of shards being required to decrypt the secret.

9 Likes
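The "configurable subset of shards" behaviour described above is what Shamir's Secret Sharing provides. The following is an added example, not code from the post or from the Hyperbacked project: a k-of-n split and recovery over GF(2^8), one random polynomial per secret byte. The field polynomial, the `/dev/urandom` randomness source and all function names are assumptions of this sketch, and it shards raw bytes without the encryption layer the project adds.

```rust
use std::{fs::File, io::Read};

// Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1.
fn gf_mul(mut a: u8, mut b: u8) -> u8 {
    let mut p = 0u8;
    while b != 0 {
        if b & 1 != 0 { p ^= a; }
        a = (a << 1) ^ if a & 0x80 != 0 { 0x1b } else { 0 };
        b >>= 1;
    }
    p
}

// Inverse of a non-zero element: a^254, because a^255 = 1.
fn gf_inv(a: u8) -> u8 {
    (0..253).fold(a, |acc, _| gf_mul(acc, a))
}

// Split `secret` into `n` shares (x = 1..=n); any `k` of them recover it.
fn split(secret: &[u8], n: u8, k: u8) -> std::io::Result<Vec<(u8, Vec<u8>)>> {
    assert!(1 <= k && k <= n, "need 1 <= k <= n");
    let mut rng = File::open("/dev/urandom")?; // assumption: Unix-like host
    let mut shares: Vec<(u8, Vec<u8>)> = (1..=n).map(|x| (x, Vec::new())).collect();
    let mut coeffs = vec![0u8; k as usize];
    for &byte in secret {
        coeffs[0] = byte; // constant term is the secret byte
        rng.read_exact(&mut coeffs[1..])?; // fresh random polynomial per byte
        for (x, ys) in shares.iter_mut() {
            // Horner evaluation of the degree k-1 polynomial at x.
            ys.push(coeffs.iter().rev().fold(0u8, |acc, &c| gf_mul(acc, *x) ^ c));
        }
    }
    Ok(shares)
}

// Lagrange interpolation at x = 0; assumes non-empty shares with distinct x.
fn recover(shares: &[(u8, Vec<u8>)]) -> Vec<u8> {
    (0..shares[0].1.len()).map(|i| {
        shares.iter().fold(0u8, |acc, (xj, yj)| {
            let w = shares.iter().filter(|s| s.0 != *xj)
                .fold(1u8, |w, s| gf_mul(w, gf_mul(s.0, gf_inv(s.0 ^ *xj))));
            acc ^ gf_mul(yj[i], w)
        })
    }).collect()
}

fn main() {
    let shares = split(b"constructed sample secret", 5, 3).unwrap();
    println!("{}", String::from_utf8_lossy(&recover(&shares[1..4])));
}
```

Recovering from fewer than `k` shares still returns bytes, just not the secret, so a real tool needs an integrity check (for example authenticated encryption of the payload) to tell a wrong result from a right one.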

I mean yeah sure this was easy to develop yourself. Nothing wrong with that. But not sure why you would do this out of frustration with paying for something, oh well. I mean 150 bucks is a lot for what it is but also it definitely costs more to make it yourself…

This looks great. It’s criminal that he’s selling such a simple tool for $149 USD, even more so that it’s closed source. That’s ridiculous. Good on you for making this open source. Though I hope you’re not infringing on any copyright.

However, there is a problem. There aren’t any install instructions. I have no idea how to install it. I did download the zip file and had a look through but I don’t see any scripts that will install it on Linux.

The videos are helpful but I am unclear on the decryption part, “scanning for QR codes. Please position the code in front of your camera”. Since this is a desktop app, I assumed it displays the QR code in the app itself and expects you to scan it with your phone, but I didn’t see a QR code. And after scanning the first shard, it shows up on the app. It must be in reverse, does that mean you have your phone or a camera connected to the PC? Or is it scanning PDF files in a certain directory? I’m probably being dumb, I’d appreciate some clarification.

EDIT: I’m now realizing it probably requires a web cam to work. I’m not going to make any assumptions, but if a web cam is required for this to work, it’s a minor inconvenience, as per privacy requirements I don’t use them.

1 Like

output

(The program is portable, is what I’m trying to say)

2 Likes

There are no .gnu files in the code. Where did you download it?

I downloaded the first (and currently only) release from Releases · Twometer/hyperbacked · GitHub for Linux-gnu

Note that gnu is not the file extension, this binary does not have a file extension. In fact, Windows is the only major desktop OS that has to rely on file extensions to begin with.

Whoops, for some reason it didn’t show the latest release on the main page as it normally does. Probably because it’s tagged as a pre-release. I just missed it.

And whoops again, didn’t notice it was -gnu not .gnu.

You say Windows relies on file extensions, but last I checked, you can still open files that have no (or random) extensions, if you use “open with”, which is the same for Linux. I’m not sure what the difference is.

Windows is reliant on the file extension for figuring out what a file is.

Basically any other system just looks at the first couple of bytes in a file, where 99% of the time the filetype is just right there.

In the case of Linux binaries, which are shipped in the ELF binary format, you’ll see this represented in the first couple of bytes of any Linux binary:

As another example, here are the first couple of bytes of a PNG image:

Linux systems read out the filetype/MIMEType from here instead of the file extension as it usually proves to be more accurate, especially for when you rename a file.

1 Like
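The content-based detection described in the post above, as an added example that is not part of the original thread: it identifies ELF and PNG data from the leading magic bytes and flags a file whose extension claims a different type. The function names, the short extension list and the sample byte strings are constructed for this illustration.

```rust
#[derive(Debug, PartialEq)]
enum Kind {
    Elf { bits: u8, little_endian: bool },
    Png,
    Unknown,
}

// Identify content from its leading bytes, ignoring the file name.
fn sniff(head: &[u8]) -> Kind {
    if head.starts_with(b"\x89PNG\r\n\x1a\n") {
        return Kind::Png;
    }
    if head.len() >= 6 && head.starts_with(b"\x7fELF") {
        // e_ident[4] is the class (1 = 32-bit, 2 = 64-bit),
        // e_ident[5] the byte order (1 = little, 2 = big endian).
        return match (head[4], head[5]) {
            (c @ 1..=2, d @ 1..=2) => Kind::Elf { bits: 32 * c, little_endian: d == 1 },
            _ => Kind::Unknown, // magic present but identification bytes invalid
        };
    }
    Kind::Unknown
}

// True when the extension claims a data format but the bytes say otherwise.
fn name_disagrees(name: &str, head: &[u8]) -> bool {
    let ext = name.rsplit_once('.').map(|(_, e)| e.to_ascii_lowercase());
    match (ext.as_deref(), sniff(head)) {
        (Some("png"), kind) => kind != Kind::Png,
        // An executable behind a document or image extension is suspicious.
        (Some("pdf" | "jpg" | "txt"), Kind::Elf { .. }) => true,
        _ => false,
    }
}

// Constructed samples: first bytes of a 64-bit little-endian ELF and of a PNG.
const ELF_SAMPLE: &[u8] = &[0x7f, b'E', b'L', b'F', 2, 1, 1, 0];
const PNG_SAMPLE: &[u8] = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR";

fn main() {
    let cases = [("tool-linux-gnu", ELF_SAMPLE), ("photo.png", PNG_SAMPLE), ("photo.png", ELF_SAMPLE)];
    for (name, head) in cases {
        println!("{name}: {:?}, mismatch = {}", sniff(head), name_disagrees(name, head));
    }
}
```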

That’s really interesting and informative. Thank you. I would have some follow up questions but I don’t want to derail this thread.

Regarding the app, I noticed two things:

  1. When recovering, the “Scan code” button does not work. I’m guessing it’s trying to get access to a camera that doesn’t exist. I would make the suggestion to the dev (who I am now realizing is not OP) to make this more obvious. I also think a different implementation where decryption can take place on a phone could be more convenient, although I imagine there could be security challenges to this. Nevertheless, requiring a PC camera is going to make usability and adoption of this tool more difficult.
  2. The passphrase is still there, in plaintext. Meaning the passphrase wasn’t cleared from memory. That’s a major security vulnerability.

Indeed, that’s the model this follows.

Create codes > Print codes to paper > Store securely > scan later

You can open an issue on GitHub.

Where is “there”?

That comes as part of the threat model of this app. It’s sorta designed to run on an airgapped computer.

When I go to restore a backup, my passphrase is displayed in the passphrase field. As such:

This is the same passphrase used to create my backup. It recovered my passphrase without any user input. It’s not clearing the passphrase, therefore this could be used to gain access to the shards. It should be cleared immediately after creating the backup.

That comes as part of the threat model of this app. It’s sorta designed to run on an airgapped computer.

This is my concern. There are no detailed instructions or advice on how to achieve this. It doesn’t explicitly say that you should run this on an airgapped computer. It also requires access to a camera, I can see some security challenges to this including device permissions.

For a new project I can understand the lack of documentation. Though I think most projects lack good documentation, but that’s neither here nor there.

1 Like

This is the same passphrase used to create my backup. It recovered my passphrase without any user input. It’s not clearing the passphrase, therefore this could be used to gain access to the shards. It should be cleared immediately after creating the backup.

You could open an issue about it.

This is my concern. There are no detailed instructions or advice on how to achieve this. It doesn’t explicitly say that you should run this on an airgapped computer. It also requires access to a camera, I can see some security challenges to this including device permissions.

Dev assumes you already watched superbacked video (as it is an open source version of it) where he explained everything.

I actually saw the video around the time Sun released it. Pretty sure I was even confused back then.

That is true, I did take that from the project that Hyperbacked originated from, Superbacked. Although neither Hyperbacked nor Superbacked have claimed to guide you into creating an airgapped computer.

That definitely seems like an issue to be addressed, I would personally recommend opening an issue on GitHub, or if you don’t want GitHub maybe seeing if they have a public e-mail address, and asking politely about this discovery and whether it is intended or not.

That is fair, it’s a 0.1.0 after all.

This man made it to fund his research work as a way to support him. Honestly nothing wrong with that at all. But also I am not saying nobody else can make something like this, that’s what now happened and that’s okay. Just find the motivation a bit silly.

You find open source silly*

It’s actually Sun’s fault, he mocked and challenged him. Twometer (hyperbacked dev) accepted the challenge and implemented the most basic functionality for the app to work within a weekend, I admire his dedication.

2 Likes

@ph00lt0 looks like there is another project that is a clone of superbacked because they were also pissed about the price :rofl:

This project exists because another company, named Superbacked, charges a minimum of $149 for a similar service, which doesn’t make sense. Furthermore, unlike Superbacked, this project is free and open-source, so anyone can inspect the code and ensure it’s not malicious.

1 Like

As I said, not against rebuilding such a software. It isn’t a complex thing. Also nothing against someone who sells this to fund research. Either are fine. Just don’t see reasons to cry out for an asking price. Take it or leave it…

Well the original company doesn’t own copyright to the math behind Shamir’s secret sharing. I’ve seen this algorithm used before in things like Hashicorp Vault for the unseal keys.

As for instructions, I’d say this is early days yet, only 29 commits.

I just found out about these tools and I’m very impressed by them.

But where do you store the passphrase to decrypt them? Do you hand it over to every involved party?