Topic: QR SafeShare: Split Recovery Phrases into QR Fragments
CMD1982 (OP)
September 27, 2025, 01:50:18 PM
Last edit: September 28, 2025, 11:56:02 AM by CMD1982
Merited by klarki (1), ABCbits (1), BattleDog (1)
 #1

The Problem
A crypto recovery phrase (also called a seed phrase) is the most important backup of your wallet. It is a list of words that can fully restore access to your crypto if your hardware wallet or software wallet is lost. Devices like Ledger, Trezor, and many others rely on recovery phrases.

The challenge is how to store them securely.
  • A steel backup like Cryptosteel is durable, but it creates an all-or-nothing risk. If someone steals it, they instantly have full access to your wallet.
  • Even split-steel solutions are limited. If one half is lost or stolen you lose access to your recovery phrase.

The Solution
I built QR SafeShare as a transparent alternative. Instead of storing a full recovery phrase in one place, it splits the phrase into multiple QR fragments. Each fragment is useless on its own and reveals nothing. You can also configure redundancy, for example split into three QRs but require only two to recover. That way, losing one fragment is not a disaster.

Why a single QR is unbreakable
A single QR fragment contains no usable part of the recovery phrase. It cannot be brute forced into something meaningful, because it is only a meaningless fragment of the whole. Even with unlimited computing power or a future quantum computer, there is no way to reconstruct the original phrase from a single QR. Only when the required number of fragments are combined does the recovery phrase become visible again.

Why this is safer than Cryptosteel
  • Fragments are useless alone: a stolen piece gives nothing.
  • Redundancy: you decide how many are required to recover, so losing one does not mean losing access.
  • Flexible storage: keep one in a safe, another with family, another digital. No single point of failure.

Why this is safer than digital backups
  • Digital backups in cloud storage or password managers create a single point of failure. If that account is hacked or breached, everything is exposed at once.
  • QR fragments can be stored physically — on paper, 3D printed, or in a lockable sleeve — which makes them unreachable to remote attackers.
  • Even if you choose to keep one fragment in digital form, it is useless on its own without the other required fragments.
  • You are not dependent on any third-party service or provider. Fragments stored in safe locations remain fully under your control.

Trust and Security
  • All processing is 100% local in your browser. The recovery phrase never leaves your device.
  • All code is published on GitHub, transparent, and reviewable.
  • Can be installed as a Progressive Web App (PWA) for completely offline use.
  • No ads, no tracking, and no data collection.

Maker-friendly features
  • One click export to 3MF for 3D printing durable, scannable codes
  • A lockable sleeve design is available on printables.com for extra protection

Try it
Use QR SafeShare at https://qrsafeshare.com. The code is public and verifiable.

I know trust is always an issue with tools related to recovery phrases. That is why I made this project fully transparent.
All code is published on GitHub so the community can review and verify it. Feedback from the Bitcointalk community would mean a lot.

ABCbits
September 28, 2025, 08:37:34 AM
Merited by dkbit98 (1)
 #2

I know trust is always an issue with tools related to recovery phrases. That is why I made this project open source and transparent. Feedback from the Bitcointalk community would mean a lot.

I have seen your GitHub repository. While I can see the source code, FYI the license you use doesn't meet the definition of open source since it only allows non-commercial usage.

6. No Discrimination Against Fields of Endeavor

The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.

CMD1982 (OP)
September 28, 2025, 11:32:57 AM
 #3

I have seen your GitHub repository. While I can see the source code, FYI the license you use doesn't meet the definition of open source since it only allows non-commercial usage.

Thanks for pointing this out.
You are correct that my license restricts commercial use, which means it does not meet the OSI definition of “open source.” Thank you as well for linking to the Open Source Definition for clarity.
To avoid confusion, I have updated my wording here on Bitcointalk and on the project site. Instead of calling it open source, I now describe it as a transparent project:
Quote
All code is published on GitHub, transparent, and reviewable.
The project remains completely free to use, and the full source code is available for anyone to inspect, learn from, or adapt for non-commercial purposes.
Thanks again for highlighting this. Your feedback helps me improve both the tool and the way I present it to the community.
dkbit98
October 02, 2025, 09:35:31 PM
 #4

Problem with QR SafeShare is that we can't reconstruct or combine split parts into one with anything else except using your website.
This makes it a non-standard method and that means more risk of making a mistake and losing backup forever.
There is standard Shamir secret sharing without QR codes, but I am not sure if that is compatible with your method.

PS
I will read the documentation more and try to perform some tests when I have some free time.

CMD1982 (OP)
October 03, 2025, 01:54:01 PM
Last edit: October 03, 2025, 02:39:58 PM by CMD1982
Merited by dkbit98 (1)
 #5

Problem with QR SafeShare is that we can't reconstruct or combine split parts into one with anything else except using your website.
This makes it a non-standard method and that means more risk of making a mistake and losing backup forever.
There is standard Shamir secret sharing without QR codes, but I am not sure if that is compatible with your method.

PS
I will read the documentation more and try to perform some tests when I have some free time.

Thanks a lot for your message and feedback, I really appreciate it! Sometimes I get the feeling that not many people want to use this tool, or maybe don’t fully understand it, so it’s great to see someone looking into it.

Each QR simply contains a JSON payload with the share data (Shamir or XOR). With enough shares (or the two XOR parts) the secret payload can be reconstructed by any tool or implementation that understands the same format and encodings.

You’re right that for recovery phrases I use a custom compression method, which means you’ll need the QR SafeShare tool (via my website or a local copy) to reconstruct them. For short notes and passwords, however, compatibility is maintained since you can recover those with just the Shamir or XOR part, as those follow standard methods.

To reduce dependency risk, the tool isn’t limited to the main site. You can also use the GitHub version here: https://cmd1982.github.io/qr-safeshare/, or host it yourself. That way, even if qrsafeshare.com is no longer available, the method will still be usable.

It’s also possible to install the site as a Progressive Web App (PWA) on mobile or desktop for offline use. Instructions are available here: https://qrsafeshare.com/help.html#pwa.
dkbit98
October 07, 2025, 06:24:06 PM
 #6

To reduce dependency risk, the tool isn’t limited to the main site. You can also use the GitHub version here: https://cmd1982.github.io/qr-safeshare/, or host it yourself. That way, even if qrsafeshare.com is no longer available, the method will still be usable.
I know that, but there is no guarantee files will remain on GitHub, which is owned by micr0soft.

What I would suggest is trying to create BIP proposal and try contacting hardware wallets that already support Shamir Secret Sharing aka Slip39, and XOR.
I think Trezor and Keystone support Slip39, with maybe some other wallets, and c0ldcard uses XOR, but they don't like anything open source or working with other people.
Working together with more developers you will have better chances of spreading the word about QR SafeShare.

BattleDog
October 08, 2025, 09:09:34 PM
 #7

Good direction, but security hinges on specifics.

Is this true k-of-n Shamir with fresh CSPRNG, or an XOR/derivation scheme?
How do you prevent a poisoned share from reconstructing a valid-looking wrong seed: verifiable secret sharing or commitments? What exactly is split (raw BIP-39 entropy vs mnemonic+checksum), and how is the optional passphrase handled so it isn't a single point of failure?
CMD1982 (OP)
October 09, 2025, 10:59:28 AM
Last edit: October 09, 2025, 11:24:53 AM by CMD1982
 #8

QR SafeShare converts each BIP-39 word into its 11-bit index and then packs all indices into a continuous bitstream that matches the original BIP-39 binary layout of entropy plus checksum bits. This packed byte array becomes the secret that is shared using true k-of-n Shamir Secret Sharing, implemented with secrets.js over GF(2⁸) and random coefficients generated by WebCrypto (CSPRNG).

Using Shamir also means there is no single point of failure. For example, in a 3-of-2 setup (n=3, k=2), the recovery phrase is divided into three independent fragments, and any two of them are enough to restore it. If one share is lost, destroyed, or stolen, the other two can still recover the wallet, while a single stolen share alone reveals nothing. This design adds redundancy without introducing new risks, protecting against both loss and theft at the same time.

For a 2-of-2 setup the app switches to a simple XOR split, which provides the same level of security for that case while keeping the QR codes much smaller and easier to handle. When the shares are combined, the app reconstructs the byte array, unpacks the 11-bit indices, and converts them back into the original words. Nothing human-readable is ever split; only the binary form of the mnemonic is used.

In theory a “poisoned” share could be crafted, but without access to the other shares it is practically impossible to make it reconstruct a valid-looking seed. I decided not to include verifiable secret sharing or per-share commitments in the current version because those would greatly increase share size and QR complexity, making the fragments less practical. Checksum validation can be added to detect corrupted or tampered reconstructions, but it is not yet enforced in this release.
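
The 2-of-2 XOR case and the checksum validation discussed in post #8, as an added example that is not part of the original posts and is not QR SafeShare's code. It assumes the packed secret is the entropy bytes followed by one byte holding the left-aligned checksum bits; all function names are hypothetical.

```javascript
const { createHash, randomBytes } = require('crypto');

// Pack entropy || checksum. BIP-39 uses ENT/32 checksum bits (4 to 8), so they
// fit in one trailing byte; left-aligning them there is this example's assumption.
function packSecret(entropy) {
  if (![16, 20, 24, 28, 32].includes(entropy.length)) throw new Error('bad entropy length');
  const mask = (0xff << (8 - entropy.length / 4)) & 0xff;
  const cs = createHash('sha256').update(entropy).digest()[0] & mask;
  return Buffer.concat([entropy, Buffer.from([cs])]);
}

function xorBuffers(a, b) {
  if (a.length !== b.length) throw new Error('share length mismatch');
  return Buffer.from(a.map((byte, i) => byte ^ b[i]));
}

// 2-of-2 split: share A is a fresh CSPRNG pad, share B is secret XOR pad.
function xorSplit(secret) {
  const a = randomBytes(secret.length);
  return [a, xorBuffers(secret, a)];
}

// Combine, then recompute the checksum from the recovered entropy and refuse
// any reconstruction where it does not match the recovered checksum byte.
function xorCombineChecked(a, b) {
  const packed = xorBuffers(a, b);
  const entropy = packed.subarray(0, packed.length - 1);
  if (!packSecret(entropy).equals(packed)) {
    throw new Error('checksum mismatch: share corrupted or tampered');
  }
  return entropy;
}

// Flip each entropy bit of share B in turn and count how many of the altered
// reconstructions the checksum rejects.
function scanSingleBitTampering(entropy) {
  const [a, b] = xorSplit(packSecret(entropy));
  let detected = 0, missed = 0;
  for (let bit = 0; bit < entropy.length * 8; bit++) {
    const poisoned = Buffer.from(b);
    poisoned[bit >> 3] ^= 0x80 >> (bit & 7);
    try { xorCombineChecked(a, poisoned); missed++; } catch { detected++; }
  }
  return { detected, missed };
}

// Constructed sample: all-zero 128-bit entropy (a public test value, never a real seed).
console.log(scanSingleBitTampering(Buffer.alloc(16)));
```

For a 12-word phrase the checksum is 4 bits, so about one random alteration in sixteen still passes this check; it catches corruption cheaply but is not a substitute for verifiable secret sharing or per-share commitments.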