In this post, I want to present my tool to generate Shamir scheme secrets reducing the risk of them being exposed or hacked. It consists in a single purpose ISO that can be used to start a VM or boot your PC from it once you burn it into a CD or a USB stick (preferred option).

Why bother?

In our day to day environment, we tend to install a significant amount of software and use it for activities that may have compromised our installation even without being aware of it. A malicious site may have been able to use a browser’s vulnerability to implant some malware, for example.

In our digital life, there are specific pieces of information that require very cautious handling. Access to them by malicious actors can result in big inconveniences or even financial loses. Some examples of this may be passphrases you may use for encryption, crypto wallets seed phrases, etc.

This tool helps you running in a minimal ephemeral environment which is more trustworthy.

Is this a fully trust-able solution?

The absolutist answer is no. As soon as there is code involved, there can be errors in it which may create vulnerabilities. Moreover, modern computers contain large amounts of software embedded in the firmware of the different components (chipset controllers, graphic cards, network controllers, disk controllers, etc) which is out of our reach and which we can hardly audit (if we can perform any auditing at all). For most of us, they are behind closed-source code that manufacturers do not publish.

If we assume that our firmware is not compromised and our PC firmware is not logging our keyboard and storing it in some, we can remove most of the remaining attack vectors with this solution.

What does it do?

It starts a Debian Linux with only vim, nano, basic X tools, icew and ssss for Shamir’s secrets management. From a configuration perspective, it does not configure any networking or mount any storage device so there is no connectivity or storage support (unless you manually mount a drive).

You can exchange information with the OS using the following mechanisms:

• Manually mounting a drive and exchanging files
• Entering keys using the keyboard and reading the screen

Downloading the image

You can download the ISOs from the Github repository’s releases section.

Then, if you want to boot from it in your PC, you’ll need to burn it into a CD or write it to an USB stick.

Run this command to write an USB stick only if you need what you are doing:

dd status=progress if=shamir-manage.iso of=/dev/<yourUSBdevice> bs=1M

Generate a set of Shamir secrets

Once we log in into the OS (user is root and password toor ), you can generate a Shamir set of keys with the following command (in this example we generate 5 pieces and we only need 3 of them to recover the original key):

echo "hello world" | ssss-split -t 3 -n 5

Output:

Generating shares using a (3,5) scheme with dynamic security level.
Enter the secret, at most 128 ASCII characters: Using a 48 bit security level.
1-79f847d32bc7d404219fe0
2-358a7ebd071055db71670f
3-ce9914f9142d07c513d320
4-e937954b216efe6ffb2379
5-1224ff0f3253ac71999744

Recover the original secret from the pieces

When we want to recover the original key from the pieces, we just need to make sure we have access to the number of pieces originally set as threshold. The nice thing is that it doesn’t matter which of them we have access to as long as we know any of the required number of pieces. In this example, we can recover the original key from any 3 pieces of the 5 original pieces:

ssss-combine -t 3

Output:

Enter 3 shares separated by newlines:
Share [1/3]: 2-358a7ebd071055db71670f
Share [2/3]: 4-e937954b216efe6ffb2379
Share [3/3]: 5-1224ff0f3253ac71999744
Resulting secret: hello world

We would get same result if we used other combination of 3 keys:

ssss-combine -t 3

Output:

Enter 3 shares separated by newlines:
Share [1/3]: 1-79f847d32bc7d404219fe0 
Share [2/3]: 3-ce9914f9142d07c513d320 
Share [3/3]: 5-1224ff0f3253ac71999744 
Resulting secret: hello world

Voilà, we get exactly the same result!

Image goodies

The image comes with vim and nano as text editors so you can pick the one you prefer (if you don’t know what vim or nano are, then you should choose nano ).

Many times the old physical ways of storing the keys are the ones you want to go for to store these keys in the safest way. However, as with Shamir’s scheme we don’t put so much trust in any of the individual pieces, it may be convenient to read one of them from your phone (for example). The image comes with qrencode and display commands to help you generating QR codes and displaying them.

If you are not already in a graphical session, use this command to start it:

icewm-session

generate the image do display:

qrencode -o my-qr-code.png "my key text"

display the QR code:

display my-qr-code.png

I hope you find this post useful!