During a backup weekend, I started thinking about how I handle my most sensitive data (credentials, SSH keys, encryption keys, PINs, and similar) and whether my current strategy had any single points of failure.
My setup at the time:
- The sensitive data (my “vault”) lives on an encrypted external drive
- A copy goes to an offsite location as an additional backup
- Passphrases are stored separately from the keys they protect
This is solid, but all of it depends on having access to functioning hardware and encrypted storage. What if everything fails at once? What if I need to recover in a situation where I have no drives, no devices, nothing?
The idea: encrypt and print Link to heading
I decided to add a paper backup. The process is simple:
- Dump all vault contents to a plain text file
- Encrypt it with my PGP public key:
gpg --encrypt --armor --recipient me@example.com vault.txt - Print the resulting ASCII-armored output (about eight A4 pages at Consolas 8pt)
The encrypted output is unreadable to anyone who doesn’t have my PGP private key and its passphrase, both of which I have memorized. The paper itself is useless without that combination.
Recovery procedure Link to heading
If I ever need to use this backup:
- Scan the pages and run OCR to reconstruct the ASCII text
- Retrieve my PGP private key
- Decrypt:
gpg --decrypt vault.txt.asc > vault.txt
The OCR step is the fragile part: a few misread characters in the ASCII armor can corrupt the whole file. Printing at a small, legible font size (Consolas 8pt works well) and doing a quick visual check of the output before storing it helps reduce that risk. Some people use QR codes instead for this reason, since QR has built-in error correction.
Is this paranoid? Link to heading
Yes, deliberately. This is a last-resort backup, the kind you hope never to use. The whole point is that it works even in scenarios where all digital backups have failed. Paper doesn’t need power, doesn’t need a working internet connection, and doesn’t require trust in any third-party service.
For the PGP approach to work, the key requirement is that you can reliably recall your private key passphrase: it’s the one thing that can’t be written down anywhere without undermining the security model. If your passphrase is long and memorable (a passphrase, not a password), this works well as an additional layer in a defense-in-depth backup strategy.