Privacy Guides recommends encrypting backup codes on a PC, however I don’t understand this since I will have to first place them in plain text.
- Put backup recovery codes in plain text form
- Create encrypted file
- Delete original file
This blog states that it is impossible to delete any specific file without wiping a hard drive clean.
So from my understanding since I can’t delete my unencrypted passwords after I have made them on my computer, should I delete them at all and keep everything in plain text?
I think there would be ways to encrypt it directly, but it would be through the commandline most likely
my idea is that you take your security phrase, make that the input to something like GnuPG and write the output to a file. Effectively this should only move around your phrase/code in memory and write only the encrypted data to a file
Though, this is highly theoretical.
You don’t really need to backup recovery codes to be honest, just make sure you’re creating regular encrypted exports in the 2fa app you’re using.
just make sure you’re creating regular encrypted exports in the 2fa app you’re using.
Good idea, but I also use my FIDO2 hardware key for email/important services, so backup codes are still very much important.
make that the input to something like GnuPG and write the output to a file.
This could work, though I am not familiar with the command details of GPG to be honest.
A third low tech solution could be to manually write them down on some paper then store it at home under a mattress
That is why I suggested creating a LUKS or Veracrypt container and storing the text files in there. As these things use transparent encryption of a mounted volume, that is in memory when it is open and not stored separate on the volume as an unencrypted file. You could attach that to a global password manager entry. This would be a better approach than using 7z, gpg etc, because that requires you to have a decrypted copy on the filesystem, unless you put it in ramfs (I wouldn’t decrypt into tmpfs because that could potentially be swapped to the disk).
That way it would be backed up by Bitwarden or 1Password or whatever. Unless you’re happy with making sure you have your own backup. Good to have one off site though in case of natural disaster.