TLDR
- CLI tool generating ML-KEM-768 + X25519 hybrid age keys with printable QR-code HTML backups for offline disaster recovery.
Key Takeaways
- Uses the ML-KEM-768 + X25519 hybrid to produce post-quantum-safe, age-compatible private keys; the tool is installable via Homebrew or Go.
- Paper backup is a single printable HTML page with QR codes, a SHA-256 checksum, and step-by-step sops recovery instructions.
- Age PQ keys store only the 32-byte seed, keeping the full keys.txt around 2,089 bytes, which fits in a single version-40 QR code.
- Docker mode enforces --network none, --read-only, --cap-drop ALL, a distroless nonroot image, and RAM-backed tmpfs for /tmp.
- Known limit: Go GC may copy key strings in heap before zeroing; mlockall prevents swap exposure but not in-RAM persistence.
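A way to confirm that a running container actually carries the Docker-mode settings listed above, as an added example that is not the tool's own code: it audits the JSON printed by `docker inspect`. The function name and the sample inputs are constructed for illustration; a distroless base image cannot be confirmed from this output, so only the non-root user is checked.

```python
import json


def audit_container(inspect_json: str) -> list[str]:
    """Return the hardening settings from the list above that a container lacks.

    Input is the JSON array printed by `docker inspect <container>`.
    """
    c = json.loads(inspect_json)[0]
    host = c.get("HostConfig") or {}
    # Config.User is "uid", "name" or "uid:gid"; an empty value means root.
    user = ((c.get("Config") or {}).get("User") or "").split(":")[0]
    cap_drop = [cap.upper() for cap in host.get("CapDrop") or []]
    checks = {
        "--network none": host.get("NetworkMode") == "none",
        "--read-only": host.get("ReadonlyRootfs") is True,
        "--cap-drop ALL": "ALL" in cap_drop,
        # Covers the --tmpfs form only; a --mount type=tmpfs entry is
        # recorded under HostConfig.Mounts instead.
        "tmpfs on /tmp": "/tmp" in (host.get("Tmpfs") or {}),
        "non-root user": user not in ("", "0", "root"),
    }
    return [name for name, ok in checks.items() if not ok]


# Constructed sample inputs (not captured from the tool's container).
HARDENED = json.dumps([{
    "Config": {"User": "65532"},
    "HostConfig": {"NetworkMode": "none", "ReadonlyRootfs": True,
                   "CapDrop": ["ALL"], "Tmpfs": {"/tmp": ""}},
}])
WEAK = json.dumps([{
    "Config": {"User": ""},
    "HostConfig": {"NetworkMode": "bridge", "ReadonlyRootfs": False,
                   "CapDrop": None, "Tmpfs": None},
}])

if __name__ == "__main__":
    print("hardened:", audit_container(HARDENED))
    print("weak:    ", audit_container(WEAK))
```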
Hacker News Comment Review
- No substantive HN discussion yet.