HN
Today

Coldkey – Post-quantum age key generation and paper backup tool

Introducing coldkey, a new tool for generating and securing post-quantum age encryption keys. It tackles the common problem of key loss by creating robust, single-page paper backups with QR codes. This solution appeals to the HN crowd by combining cutting-edge cryptography with old-school physical resilience, ensuring secrets survive even digital catastrophe.

3
Score
0
Comments
#15
Highest Rank
5h
on Front Page
First Seen
May 15, 5:00 AM
Last Seen
May 15, 10:00 AM
Rank Over Time
2516171530

The Lowdown

Coldkey is an open-source utility designed to safeguard critical encryption keys against digital loss, particularly for users of age or sops. It focuses on a practical, resilient backup strategy, ensuring that private keys remain accessible even if all digital copies are compromised or lost.

  • Purpose: Prevents permanent loss of age or sops private keys, which would render encrypted secrets irretrievable.
  • Key Generation: Generates post-quantum age keys using ML-KEM-768 + X25519 for future-proof security.
  • Paper Backup: Produces single-page, printable HTML documents containing keys as plain text and scannable QR codes.
  • Installation & Usage: Can be installed via Homebrew or Go, with Docker recommended for enhanced security via hardened execution flags.
  • Security Model: Implements various layers of security, including memory locking (mlockall), secure file permissions, container isolation (network none, read-only filesystem, dropped capabilities), and best-effort memory zeroing for sensitive data.
  • QR Code Handling: Automatically splits large key files across multiple QR codes using a framing protocol, while also providing raw text for manual transcription.
  • Recovery: The generated backup includes step-by-step instructions for scanning/typing, saving, and verifying the key with a SHA-256 checksum.
  • Limitations: Acknowledges Go's garbage collector limitations regarding absolute memory zeroing, the requirement for CAP_IPC_LOCK for full swap protection, and potential difficulty in scanning very dense QR codes.

Coldkey offers a robust, multi-faceted approach to key management, bridging the gap between advanced cryptographic standards and physical data resilience, making it a valuable tool for long-term secret storage.