ability to pass in different password data

[gedw99]

Hey @0xEtherPunk

I have a use case where I want to pass in NATS auth keys in and get a QR out.

The keys from https://docs.nats.io/using-nats/nats-tools/nsc/signing_keys

for example I make keys this way, and so can then pipe it over the shell to passGen...

nsc generate nkey --operator --store
Copy
SOAEW6Z4HCCGSLZJYZQMGFQY2SY6ZKOPIAKUQ5VZY6CW23WWYRNHTQWVOA
OAZBRNE7DQGDYT5CSAGWDMI5ENGKOEJ57BXVU6WUTHFEAO3CU5GLQYF5
operator key stored ~/.nkeys/keys/O/AZ/OAZBRNE7DQGDYT5CSAGWDMI5ENGKOEJ

So I was wondering if I can pass data like this through PassGen, and get it back as a QR ?

It woudl just be a new flag like "-d" for the data to pass in, so that people can use different password data they want to make into a QR.

-d SOAEW6Z4HCCGSLZJYZQMGFQY2SY6ZKOPIAKUQ5VZY6CW23WWYRNHTQWVOA
OAZBRNE7DQGDYT5CSAGWDMI5ENGKOEJ57BXVU6WUTHFEAO3CU5GLQYF5  -o nats.png -s 1024

I also a thinking to add extra info to the QR like a password, so that anyone using the QR to get the NATS Auth code needs to also provide a password.

-bip39 -d SOAEW6Z4HCCGSLZJYZQMGFQY2SY6ZKOPIAKUQ5VZY6CW23WWYRNHTQWVOA
OAZBRNE7DQGDYT5CSAGWDMI5ENGKOEJ57BXVU6WUTHFEAO3CU5GLQYF5 -o nats.png -s 1024

[0xEtherPunk]

@gedw99

if I understood everything correctly, here is the list of features you would like to see in passGen:

• an additional flag to convert custom text into a QR code.

• add support for pipe so that it works approximately like: echo "some data" | passgen -o password.png

• add a flag for generating protected QR codes, which require a password to access the valuable information inside the QR code.

• add the ability to decrypt QR codes using passGen, in order to decode QR codes that are protected by an additional password.

  I am interested in integrating this into the project in the next update.

[gedw99]

That’s even more than I requested . Thank you ..

[0xEtherPunk]

@gedw99

Suggest ideas on how to implement password encryption. I’ve been thinking about the practicality of creating a QR code that can only be decrypted by Passgen. Wouldn’t it be better to use some other method for encryption? One idea that comes to mind is to try implementing encryption using:

passgen -e secret_text

After which, one or two encrypted files would be generated: 1. the encrypted information, 2. the secret key, which can be transmitted for decryption via Passgen on the same or another device with the application.

Another method to consider is Shamir's Secret Sharing, where the secret text is divided into several parts, for example, into 5 parts, and a threshold number of parts is set that would be sufficient to decrypt the message. Another option that comes to mind is PGP/GPG encryption.

If there are other ideas that would be more convenient for this case, please suggest them. I am currently contemplating which encryption method would be the most user-friendly and optimal for a terminal offline application, allowing for easy and secure encryption and transmission.

[gedw99]

passgen -e secret_text

would work for me. I can then feed it the NATS key and get a QR back.

---

In terms of your suggestion off using passgen to "transmit" the files / keys / whatever to another device, then yes its possible. I use NATS to do that currently because it s ability to ensure that anything in a nats KV updates all subscribers to it and so ensure that all of a users device gets the new key.

nats object store can also do the same for files, as opposed to KV values.

This works if the users device is offline and get the new key as soon as they come online.

this is the nice thing about nats store and forward system.

hope this helps ??

[0xEtherPunk]

In progress... 👀

[gedw99]

Thanks for update

[0xEtherPunk]

completed 😎

[gedw99]

thanks @0xEtherPunk

Will try it out today or tomorrow.

[gedw99]

Tested and works. thanks @0xEtherPunk

passgen -c anything-you-want -o data.png -s 1024

[0xEtherPunk]

@gedw99

thanks for testing

also added encryption and decryption function. the instructions are described in detail in the README

basic examples of the use of encryption and decryption are demonstrated in crypto.gif

[gedw99]

@gedw99

thanks for testing

also added encryption and decryption function. the instructions are described in detail in the README

basic examples of the use of encryption and decryption are demonstrated in crypto.gif

Perfect - was wondering about that .

now I just need to hook this to TPM chips so that when scanned by a golang app the QR is read and then the inner data is saved to the TPM .

will require the app to use URL Scheme so that the scanning of the QR that is an URL that maps to an app installed on the users device .

This is in general called Deep Linking . Gio golang gui has a plugin that does that for mobile and desktop and web. https://github.com/gioui-plugins/gio-plugins

it also has TPM chip plugin

sone others on roadmap too: https://github.com/orgs/gioui-plugins/projects/1

[0xEtherPunk]

@gedw99 thanks for testing also added encryption and decryption function. the instructions are described in detail in the README basic examples of the use of encryption and decryption are demonstrated in crypto.gif

Perfect - was wondering about that .

now I just need to hook this to TPM chips so that when scanned by a golang app the QR is read and then the inner data is saved to the TPM .

will require the app to use URL Scheme so that the scanning of the QR that is an URL that maps to an app installed on the users device .

This is in general called Deep Linking . Gio golang gui has a plugin that does that for mobile and desktop and web. https://github.com/gioui-plugins/gio-plugins

it also has TPM chip plugin

sone others on roadmap too: https://github.com/orgs/gioui-plugins/projects/1

I may add integration with TPM chips in next updates.

However, at the moment, I do not see the implementation of URL as rational, since reading encrypted QR codes is triggered by the command itself without external sources.

I might implement this in the future, but for now, I don't think a URL is necessary

[gedw99]

I have some code that uses all browsers built in passkey to generate passkeys .

The idea is to pass that to your system to produce a QR code .

I will dust it off and send a link and demo . It’s golang .

Will help I think with integration.

the intent is to allow passkeys to be moved easily beteeen devices without relying on Apple, Google, Microsoft

Nats is encrypted at rest so with the nats key inside the TPM, I can decrypt secrets that were encrypted against the users nats key in the first place .