
I know this is theoretically bad practice, but please bear with me…

Assuming the following spec:

  • Salt and IV are randomly generated using cryptographically-secure RNG.

  • Argon2 is used as KDF so key_1=Argon2(shared_salt, passphrase_1) and key_2=Argon2(shared_salt, passphrase_2).

  • Both passphrases are not vulnerable to dictionary attacks and the like.

  • Shared salt and IV are only (re-)used once, in the context of a single concatenated encrypted paper backup.

Encrypted paper backup = concat(shared_salt, shared_iv, AES-256-CBC(shared_iv, key_1, "some text"), AES-256-CBC(shared_iv, key_2, "some other text"))

According to https://crypto.stackexchange.com/a/10511/83430, it appears the above spec should hold up to pretty sophisticated attacks (if vulnerable at all).

See proof of concept.

sunknudsen
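Added example (not the asker's proof of concept): a Go implementation of the spec above, building concat(shared_salt, shared_iv, AES-256-CBC(shared_iv, key_1, m1), AES-256-CBC(shared_iv, key_2, m2)) and checking the one thing a shared IV could reveal in CBC, namely whether two ciphertexts with an equal 16-byte plaintext prefix start with the same block. Argon2 is not in the Go standard library, so the KDF is a pluggable function and demoKDF (SHA-256 of salt||passphrase) is a stand-in for this example only, not a password KDF; message strings and passphrases are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// KDF derives a 32-byte AES-256 key from the shared salt and a passphrase. The spec
// uses Argon2; demoKDF is a dependency-free stand-in for this example, not a password hash.
type KDF func(salt []byte, passphrase string) []byte

func demoKDF(salt []byte, passphrase string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), passphrase...))
	return sum[:]
}

// cbcEncrypt is AES-256-CBC(iv, key, msg) with PKCS#7 padding.
func cbcEncrypt(key, iv, msg []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	n := aes.BlockSize - len(msg)%aes.BlockSize
	padded := append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// Backup builds concat(salt, iv, CBC(iv, key_1, m1), CBC(iv, key_2, m2)) and reports
// whether the two ciphertexts start with the same block (what a shared IV could leak).
func Backup(kdf KDF, salt, iv []byte, pass1, pass2, m1, m2 string) ([]byte, bool) {
	c1 := cbcEncrypt(kdf(salt, pass1), iv, []byte(m1))
	c2 := cbcEncrypt(kdf(salt, pass2), iv, []byte(m2))
	backup := append(append(append(append([]byte{}, salt...), iv...), c1...), c2...)
	return backup, bytes.Equal(c1[:aes.BlockSize], c2[:aes.BlockSize])
}

func main() {
	salt, iv := make([]byte, 16), make([]byte, aes.BlockSize)
	rand.Read(salt)
	rand.Read(iv)
	// Equal 16-byte plaintext prefix: distinct keys hide it, a reused key would expose it.
	_, eq := Backup(demoKDF, salt, iv, "passphrase one", "passphrase two", "0123456789abcdef A", "0123456789abcdef B")
	fmt.Println("different keys, first blocks equal:", eq)
	_, eq = Backup(demoKDF, salt, iv, "same passphrase", "same passphrase", "0123456789abcdef A", "0123456789abcdef B")
	fmt.Println("same key, first blocks equal:", eq)
}
```

The format has no length fields, so a reader of the backup must know where the first ciphertext ends; with the 18-byte constructed messages each ciphertext is exactly two blocks.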

0 Answers