claude'd better security things

usb-secrets/setup-usb.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -i bash -p parted dosfstools
+set -euo pipefail
+
+SCRIPT_DIR="$(dirname "$(realpath "$0")")"
+USB_DEVICE="$1"
+if [[ -z "${USB_DEVICE:-}" ]]; then
+    echo "Usage: $0 <usb_device>"
+    echo "Example: $0 /dev/sdb"
+    exit 1
+fi
+
+if [[ ! -b "$USB_DEVICE" ]]; then
+    echo "Error: $USB_DEVICE is not a block device"
+    exit 1
+fi
+
+if [[ ! -f "$SCRIPT_DIR/usb-secrets/usb-secrets-key" ]]; then
+    echo "Error: usb-secrets-key not found at $SCRIPT_DIR/usb-secrets/usb-secrets-key"
+    exit 1
+fi
+
+echo "WARNING: This will completely wipe $USB_DEVICE"
+echo "Press Ctrl+C to abort, or Enter to continue..."
+read
+
+echo "Creating partition and formatting as FAT32..."
+parted -s "$USB_DEVICE" mklabel msdos
+parted -s "$USB_DEVICE" mkpart primary fat32 0% 100%
+parted -s "$USB_DEVICE" set 1 boot on
+
+USB_PARTITION="${USB_DEVICE}1"
+mkfs.fat -F 32 -n "SECRETS" "$USB_PARTITION"
+
+echo "Copying key to USB..."
+MOUNT_POINT=$(mktemp -d)
+trap "umount $MOUNT_POINT 2>/dev/null || true; rmdir $MOUNT_POINT" EXIT
+
+mount "$USB_PARTITION" "$MOUNT_POINT"
+cp "$SCRIPT_DIR/usb-secrets/usb-secrets-key" "$MOUNT_POINT/"
+umount "$MOUNT_POINT"
+
+echo "USB setup complete! Label: SECRETS"
+echo "Create multiple backup USB keys for redundancy."

usb-secrets/usb-secrets/usb-secrets-key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN8+eSX2LH5wEHVG9sSv97ceD5zdTarV0lRvoUso4A7p USB secrets decryption key