QR Safe Keeper (Online & Offline)
About
QR Safe Keeper converts sensitive text (mnemonics, private keys, recovery codes, etc.) into a password-protected QR code, and lets you decrypt it later with the same password. Everything runs locally in your browser, which makes it suitable for offline / air-gapped workflows and multi-device recovery.
Key Features
- Client-side AES-256 encryption of arbitrary text
- Password-protected QR generation (user-defined password)
- Decrypt via upload, paste, file picker, or camera scan
- Decrypted result is shown locally after successful unlock
- Isolated secrets view: password field and decrypted text are rendered in an iframe on a separate origin (see Security)
- Ideal for backing up mnemonics, private keys, and other sensitive text
- Truly offline-capable (works in the air-gapped bundle)
How to Use
Encrypt Text Into a QR
- Go to the Encrypt tab.
- Paste the text to protect (e.g., your seed phrase).
- Enter a strong password and repeat it to confirm.
- Click Create QR Code.
The result view shows your password-protected QR code (to save, print, or scan later), and action buttons.
Decrypt a Protected QR
- Switch to the Decrypt tab.
- Enter the password used during encryption.
- Choose a source:
- Upload QR File, or
- Scan QR with your device camera, or
- Paste QR image, or
- Pick from explorer
- If the password is correct, the original text appears in the result view with actions.
Results Explained
Encrypt Result (QR View)
| UI element / action | What it does |
|---|---|
| Click QR | Copies the QR image to the clipboard for pasting elsewhere. |
| Download | Downloads the QR image (SVG) to your device. |
| Reset | Clears the data and returns you to the Encrypt tab. |
Decrypt Result (Text View)
| UI element / action | What it does |
|---|---|
| Copy | Copies the decrypted text to the clipboard. |
| Reset | Clears the data and returns you to the Decrypt tab. |
Good Practice
After generating a QR, test decryption immediately (offline if possible) to make sure your printout or file works with your chosen workflow.
Security & Privacy
- Encryption/decryption happens entirely in the browser (offline-capable).
- Passwords are never stored or transmitted.
- Uses AES-256 via the app’s crypto library.
- No telemetry; inputs are used only for the local operation.
- Isolated secrets view: the password field and decrypted text are rendered inside an iframe hosted on a separate origin.
- The parent page cannot read that DOM due to the browser’s Same-Origin Policy.
- Only minimal, non-sensitive status messages cross the boundary via
postMessage(never the password or decrypted payload).
Separating origins prevents scripts on the host page (including injected extensions or potential XSS) from accessing elements that display secrets. This adds a strong containment layer and allows tighter CSP on the secrets surface.
- Security depends on password strength and device hygiene (malware, screen recorders, cloud sync, etc.).
- Very long texts produce dense QRs that can be harder to scan — test before relying on a printout.
- Camera scanning requires granting camera access in your browser.
- Always test decryption before archiving a backup.
Offline Bundle (Optional, Air-Gapped)
Use this when you need fully isolated offline operation. The bundle serves QR Safe Keeper at one local origin and the secrets iframe (signer) at another local origin to isolate sensitive surfaces.
Choose the Right Distribution
| Your system | CPU architecture | Download |
|---|---|---|
| macOS (Intel) | x86_64 | extra-wallet-offline-darwin-amd64.zip |
| macOS (Apple Silicon M1/M2/M3) | arm64 | extra-wallet-offline-darwin-arm64.zip |
| Linux (most PCs/servers) | x86_64 | extra-wallet-offline-linux-amd64.zip |
| Linux (ARM64) | arm64 | extra-wallet-offline-linux-arm64.zip |
| Windows 10/11 (64-bit PCs) | x86_64 | extra-wallet-offline-windows-amd64.zip |
Check your architecture
- macOS:
uname -m→x86_64orarm64 - Linux:
uname -m→x86_64oraarch64/arm64 - Windows: most devices are
x86_64
Install & Run
-
Download the bundle for your OS (see table above).
-
Unarchive it. Ensure
qr-safe-keeper/andsigner/folders sit in the same directory as the executable.
After downloading the ZIP for your platform:- Windows: Right-click the
.zip→"Extract All..."→ choose a directory →"Extract" - MacOS/Linux: Use built-in archive manager or run unzip in terminal
qr-safe-keeper-offline-windows-amd64/
├── qr-safe-keeper-offline-windows-amd64.exe
├── qr-safe-keeper/
└── signer/ - Windows: Right-click the
-
Run the executable.
-
Windows: double-click
qr-safe-keeper-offline-windows-amd64.exe. A terminal window should open. -
macOS / Linux:
Open a terminal and run:
chmod +x qr-safe-keeper-offline-<your-arch>
./qr-safe-keeper-offline-<your-arch>Example (Linux amd64):
./qr-safe-keeper-offline-linux-amd64
-
-
A local server starts and your browser opens:
- QR Safe Keeper at
http://localhost:5174 - Signer iframe at
http://localhost:5001
- QR Safe Keeper at
Use a dedicated browser profile with no extensions. Disconnect the network if possible.
FAQ
What should my password be like?
Prefer a long passphrase (4–6+ random words). Don’t reuse passwords and don’t embed the seed phrase itself into the password.
Do I need internet?
No. After loading the online app once, you can use it offline; the offline bundle runs entirely without internet after download; all crypto runs locally.
Is the QR the only backup I need? Treat it as a convenient backup. For critical funds, keep multiple independent backups and rehearse recovery.
What if the QR is too dense to scan? Shorten the content or increase print size.
Troubleshooting (Offline Bundle)
| Problem | Solution |
|---|---|
index.html not found | Ensure qr-safe-keeper/ and signer/ are present next to the binary. |
| App doesn’t open in browser | Open http://localhost:5174 manually. |
| Binary won’t run (macOS/Linux) | chmod +x <binary> |
| macOS: “App can’t be opened…” | Right-click → Open → Allow once |
| Port already in use | Make sure nothing else is using port 5174 or 5001. |
zip: command not found | Install zip (sudo apt install zip on Ubuntu) |
Developer Info
- Built and maintained by the Extra Wallet team.
- Source: QR Safe Keeper
Overview (Offline Bundle)
The offline bundle includes:
- Static web
qr-safe-keeper/served athttp://localhost:5174 - Local
signer/iframe server athttp://localhost:5001 - A Go binary that serves both UI and signer
- A .zip archive for each platform (Windows/macOS/Linux)
Requirements
- Go 1.20+
zipCLI tool (preinstalled on most systems)- Bash (for running the build script)
- Built qr-safe-keeper & signer assets (see below)
Repository Layout (Offline)
├── qr-safe-keeper/ # Frontend build output (this mini app)
├── signer/ # Signer iframe build output
├── main.go # Offline binary entrypoint
├── scripts/
│ └── build-all.sh # Cross-platform build + packaging
└── builds/ # Final output (archives with the binary + qr-safe-keeper + signer)
Build The Offline Bundle
1. Build qr-safe-keeper and signer assets
Make sure you build both with offline env vars before bundling.
# From the offline directory root (adjust paths to your directories)
# qr-safe-keeper (web)
cd ../web # web app directory
yarn
yarn build
cp -r ./dist/* ../offline/qr-safe-keeper # adjust path to your directory
# signer
cd ../../signer # adjust path to your signer directory
yarn install
yarn build:offline
cp -r ./dist/* ../qr-safe-keeper/offline/signer # adjust path to your directory
- signer
.env:
PORT=5001
ALLOWED_ORIGINS="http://localhost:5174,http://localhost:5001"
- qr-safe-keeper
.env:
VITE_URL_IFRAME=http://localhost:5001
VITE_BUILD_TARGET=offline
After this step, in the qr-safe-keeper/offline directory you should have:
-
./qr-safe-keeper→ web assets -
./signer→ signer assets
2. Build binaries & archives
From the offline directory root:
./scripts/build-all.sh
The script:
-
Builds the Go binary for:
-
Windows (amd64)
-
Linux (amd64, arm64)
-
macOS (amd64, arm64)
-
-
Bundles
qr-safe-keeper/,signerand the binary into a.ziparchive -
Writes archives into
./buildsdirectory
Output Layout
builds/
├── qr-safe-keeper-offline-windows-amd64.zip
├── qr-safe-keeper-offline-linux-amd64.zip
├── qr-safe-keeper-offline-darwin-arm64.zip
├── qr-safe-keeper-offline-darwin-arm64.zip
└── ...
Each archive contains:
-
The platform-specific binary
-
qr-safe-keeper/– web frontend -
signer/– signer iframe