Hey all, I just got a trezor and have a question.
Initially set it up w/ only PIN protection. If I enable password protection and leave some funds in the 'non password protected' accounts as well as the newly created 'password protected account'....
How does the recovery process work in this case? When doing the seed recovery process would I check the box 'password encrypted'(or w/e it is) ... if so would this restore both my 'non password protected' & 'password protected' accounts?(even tho the 'non password protected' accounts have no password?)
Initially set it up w/ only PIN protection. If I enable password protection and leave some funds in the 'non password protected' accounts as well as the newly created 'password protected account'....
How does the recovery process work in this case? When doing the seed recovery process would I check the box 'password encrypted'(or w/e it is) ... if so would this restore both my 'non password protected' & 'password protected' accounts?(even tho the 'non password protected' accounts have no password?)
You should be able to use both "wallets" in parallel (or rather alternatingly) without using the restore process in between. Depending on which pw you use (empty or "something"), a different wallet is loaded. I don't know exactly how it works with myTrezor (I use electrum), but entering a different password (or no password) should do the trick.
Maybe someone who is doing this with myTrezor could chip in?
It doesn't matter if you set 'password encrypted' during recovery, you can change it later after recovery to access your password protected funds. The password function disabled technically is like entering an empty password so you can only access those funds while you have the feature disabled. Enable the feature and your other funds get accessible with the correct password.
tl-dr: yes it works, it will restore both (all) accounts.
I got ya guys, thanks! I see how it works now =)
Thats pretty badass you can have any number of password'd unique wallets on ur device!
Im guessing the way it works is the seed is simply encrypted w/ a password and the HD tree is generated from the encrypted seed unique to whatever password u use.
Yes, that is correct but if you forget the password you lose the coins, period. No way to recover them if you cannot remember the password(s).
No, that's not how it works.
wallet seed = device seed + passphrase
What I call "device seed" here (those are the words you write down) is not encrypted in any way (at least not with the passphrase). The passphrase is sent to the trezor device and simply added to that seed in some way (xor, concatenation + hash or something) and that results in the HD wallet seed used by the device to generate the wallet (addresses, xpub, private keys,...)
But of course it's true: you need the password(s) to access the wallet(s).
EDIT: here's the relevant code in the trezor firmware:
Code:
if (storage.has_passphrase_protection && storage.passphrase_protection && strlen(sessionPassphrase)) {
// decrypt hd node
uint8_t secret[64];
uint8_t salt[12];
memcpy(salt, "TREZORHD", 8);
layoutProgressSwipe("Waking up", 0);
pbkdf2_hmac_sha512((const uint8_t *)sessionPassphrase, strlen(sessionPassphrase), salt, 8, BIP39_PBKDF2_ROUNDS, secret, 64, get_root_node_callback);
aes_decrypt_ctx ctx;
aes_decrypt_key256(secret, &ctx);
aes_cbc_decrypt(sessionRootNode.chain_code, sessionRootNode.chain_code, 32, secret + 32, &ctx);
aes_cbc_decrypt(sessionRootNode.private_key, sessionRootNode.private_key, 32, secret + 32, &ctx);
}
memcpy(node, &sessionRootNode, sizeof(HDNode));
// decrypt hd node
uint8_t secret[64];
uint8_t salt[12];
memcpy(salt, "TREZORHD", 8);
layoutProgressSwipe("Waking up", 0);
pbkdf2_hmac_sha512((const uint8_t *)sessionPassphrase, strlen(sessionPassphrase), salt, 8, BIP39_PBKDF2_ROUNDS, secret, 64, get_root_node_callback);
aes_decrypt_ctx ctx;
aes_decrypt_key256(secret, &ctx);
aes_cbc_decrypt(sessionRootNode.chain_code, sessionRootNode.chain_code, 32, secret + 32, &ctx);
aes_cbc_decrypt(sessionRootNode.private_key, sessionRootNode.private_key, 32, secret + 32, &ctx);
}
memcpy(node, &sessionRootNode, sizeof(HDNode));
Now I'm not so sure any more
