Pages:
Author

Topic: Krux Hardware Signer - new release v24.03.0 (Read 485 times)

newbie
Activity: 28
Merit: 29
Thank you Meuserna!
Seeing them appreciate and support our work is truly motivating.
full member
Activity: 128
Merit: 190
Odudex, did you hear NVK from ColdCard was on the Bitcoin Review podcast, raving about Krux & the work you guys are doing?  Here's a link.

Quote
"My favorite DIY FOSS Bitcoin signer for a while now."

"You can build this thing for 30 bucks."

"These guys are killing it."

-- NVK

That's some high praise.  And well deserved.  You guys are on fire.
newbie
Activity: 28
Merit: 29
Does changing the "Hide Mnemonics" mode from True to False and vice versa require any password or PIN entry or can users change it at any time from their settings menu without having to enter a password/PIN? In other words, would anyone be able to view the sensitive data if they took control of a device that was being used?

Meuserna is correct; Krux operates statelessly by default.
But you can store a mnemonic in its internal flash memory or on an SD card. When you do this, you'll need to create a PIN. However, with Krux, it's not just a PIN; you can and should use a strong password to enhance encryption. Each time you want to load a stored mnemonic (and you can store multiple), the password (referred to as the encryption key in our documentation) will be necessary. In summary, if someone acquires your device, they won't have access to any unencrypted private information.
The "hide mnemonics" feature conceals your mnemonic AFTER it has been loaded. Therefore, if you leave your Krux on your desk, powered on, with a key loaded, an attacker won't be able to steal its secrets. Moreover, after the "auto shutdown" period, it will power off, thereby unloading the key.
full member
Activity: 128
Merit: 190
Does changing the "Hide Mnemonics" mode from True to False and vice versa require any password or PIN entry or can users change it at any time from their settings menu without having to enter a password/PIN? In other words, would anyone be able to view the sensitive data if they took control of a device that was being used?

Krux is used airgapped and stateless, which means it doesn't save your seed phrase or keys on the device.  When you turn it off or reboot, your seed is erased.  Krux doesn't use a PIN or password to unlock the device since there's nothing on the device to lock.

Krux makes loading your seed really easy.  You'll either save the seed to a micro SD card, or make a seed QR code.

Even better, you can encrypt it. I prefer using encrypted seed QR.  It's so fast and easy.

Here's a seed QR I made in Krux as a test.

It's actually faster to scan an encrypted seed QR & scan a decryption key QR on Krux than it is to enter a PIN on a typical hardware wallet.  Scan.  Scan.  Done.  And since your seed isn't saved on the device, if the device gets stolen, there's nothing on it for a thief to find.  And since you can encrypt your seed QR code, if a thief finds it, they can't even scan it, because it's encrypted.

I'm not involved with Krux.  I'm just a huge fan.

I honestly think Krux is the best Bitcoin only hardware wallet, at any price.  And it's free!  The hardware to run it on is cheap too.  Right now, the best device for Krux is probably the Yahboom K210 module ($45-ish).  The Yahboom is a development board type of gizmo with a touchscreen that is popular for DIY AI robotics, but it makes for a great hardware wallet device.

Crypto Guide has a few videos on Krux, on youtube.  That's where I discovered it.  The current version is a lot more advanced than what you'll see in his videos though.  This project has very active development!  They've won grants from OpenSats too.  Krux is legit.
legendary
Activity: 2730
Merit: 7065
1) SETTINGS>SECURITY>HIDE MNEMONICS>TRUE

2) When we say that we mean if the above security feature is set, backup tool info will be hidden. More info here: https://selfcustody.github.io/krux/getting-started/settings/#hide-mnemonics
Does changing the "Hide Mnemonics" mode from True to False and vice versa require any password or PIN entry or can users change it at any time from their settings menu without having to enter a password/PIN? In other words, would anyone be able to view the sensitive data if they took control of a device that was being used?
newbie
Activity: 11
Merit: 7
How does the option to hide private key data work? Is it just a switch you can turn on/off or does it require you to enter a PIN code or password to enable/disable the visibility of private keys?
When you say "Disable backup tools" what does it mean?
There are no switches on any of the devices we support: https://selfcustody.github.io/krux/

1) SETTINGS>SECURITY>HIDE MNEMONICS>TRUE

2) When we say that we mean if the above security feature is set, backup tool info will be hidden. More info here: https://selfcustody.github.io/krux/getting-started/settings/#hide-mnemonics
legendary
Activity: 2730
Merit: 7065
How does the option to hide private key data work? Is it just a switch you can turn on/off or does it require you to enter a PIN code or password to enable/disable the visibility of private keys?
When you say "Disable backup tools" what does it mean?
newbie
Activity: 11
Merit: 7
Hello Bitcointalk forum!

With our latest v24.03.0 release (https://github.com/selfcustody/krux/releases) having been leaked already by excited contributors and project supporters, we wanted to officially start a thread here and introduce our FOSS bitcoin wallet project. That way our devs can focus on building, and our internz can focus on managing users via social media.

For those that haven't heard of the project yet, I suggest you check out our excellent documentation https://selfcustody.github.io/krux/getting-started/ as well as our Twitter page @selfcustodykrux

The crux of it, pun intended, is a bitcoin hardware signer which consists of open-source firmware that transforms 1/5 (soon to be 6) off-the-shelf Kendryte K210 devices, such as the Maix Amigo, M5StickV and more, into versatile Bitcoin transaction signers. Bitcoin was meant to be used without trusting middlemen, and in the spirit of DIY that is why we build Krux.

For all the info on our latest release as it's too much to list, check out the thread here: https://twitter.com/selfcustodykrux/status/1768569044175650904 or of course, the release notes on github: https://github.com/selfcustody/krux/releases/tag/v24.03.0

Hello again BTC

Our jam packed latest v24.07.0 release is live, and we're excited to hear what users think. There's really too much to list, so check out the changelog here: https://github.com/selfcustody/krux/releases/tag/v24.07.0
newbie
Activity: 11
Merit: 7
I just noticed that with the latest firmware version you released a few months ago, a new device has become compatible with the Krux DIY hardware wallet. It's the Yahboom K210 module. It's a touchscreen device that runs on Linux and has a touchscreen. It's cheap and can be bought for $50 to $60 at Amazon.

http://www.yahboom.net/study/K210-Developer-Kit
Yes that's correct! It was mentioned in the release notes, but I suppose I could have highlighted it better when mentioning the release in here. Users seem to be enjoying it as a viable alternative for a touchscreen device to the Maix Amigo.
https://selfcustody.github.io/krux/parts/#yahboom-k210-module

Although it doesn't have touchscreen, users seems to be enjoying the Maix Cube device as well which costs as much as the Yahboom. Next release the Cube will have official support as well, currently it's only supported through the beta release.
legendary
Activity: 2730
Merit: 7065
I just noticed that with the latest firmware version you released a few months ago, a new device has become compatible with the Krux DIY hardware wallet. It's the Yahboom K210 module. It's a touchscreen device that runs on Linux and has a touchscreen. It's cheap and can be bought for $50 to $60 at Amazon.

http://www.yahboom.net/study/K210-Developer-Kit
newbie
Activity: 11
Merit: 7
Krux mentioned again on the BitcoinReview podcast!

https://youtu.be/tCrWvIwV9co?si=Vzb2MGICNR5fER6F&t=3441
full member
Activity: 128
Merit: 190
When considering the use of BIP85 child seeds as passphrases, or any other deterministic approach, it's important to be aware that an attacker could potentially brute-force the second secret (the passphrase) from the first secret (the BIP39 mnemonic).

The attacker would have to brute force a combination of secrets: the child seed used as a seed, and the child seed used as a passphrase.

To do this, the attacker would have to have access to the parent seed and would have to know the person is using BIP85 and know the wallet uses a passphrase.  And the attacker would have to check all combinations of all possible indexes at all possible child seed lengths.

I'd say using a seed with a standard passphrase is only more secure than my approach if the passphrase is at least 6 words long - but that introduces risks such as typos and loss, not to mention the need for easy access to the passphrase every time the wallet is used, which means greater risk the passphrase will be found.  My method eliminates the possibility of typos, it includes redundant backups, and since the version of my parent seed kept in my home is encrypted with a very strong key, there's no risk of it being accessed by a thief.  If somebody broke into my safe deposit box at the bank, they'd find a metal backup of a seed, which means they'd find 24 words, but they'd have no way of knowing how they're used.  If somebody breaks into the safe in my home they probably need an ambulance.

All of that being said...  the most important part of my setup is security of the parent seed.  As we know, all Bitcoin owners should back up their seed on paper and metal, secured in 2 locations only they have access to...  but sadly, most Bitcoin owners don't do that.  I definitely do.

P.S.

when communicating with others, I emphasize the importance of caution, backups and tests.

That's one of my (many) favorite things about Krux.  The clarity and simplicity of your interface makes testing so easy, not to mention the fact that Krux does Testnet.  I recommend Krux to people even if they're not going to use it as their hardware wallet / signer because it's so easy to test and prove just about every aspect of a wallet is what you think it is.
newbie
Activity: 28
Merit: 29
I use 2 Kruxes.  One does BIP85.  The other is my wallet.
Load the 24 word child seed via BIP85 on one Krux.  Scan it with the other.  Reboot the first Krux & load the 12 word passphrase via BIP85.  Scan it with the other.

With Krux, it's possible to create a variety of complex puzzles. I personally enjoy designing them, using two Krux devices, combining elements such as encryption, encodings, mnemonics, keys, and passphrases. Now on beta there are account derivations and BIP85 to further enrich the puzzle-making experience.

In the device's user interface, we strive to minimize excessive warnings and avoid blocking features 'for the safety of the user.' However, when communicating with others, I emphasize the importance of caution, backups and tests. Complex puzzles can be bewildering and splitting a wallet's secret into 'x of x' parts can introduce additional risks.
Be careful Wink!

When considering the use of BIP85 child seeds as passphrases, or any other deterministic approach, it's important to be aware that an attacker could potentially brute-force the second secret (the passphrase) from the first secret (the BIP39 mnemonic). As a result, this method introduces a less secure layer compared to adding a non-deterministic secret to your setup.
full member
Activity: 128
Merit: 190
🚨Beta24 highly experimental available!

✅BIP85
✅Change accounts derivation
✅New wallet login and customizations
✅Hide mnemonics security setting
✅Cube screen optimizations

VIDEO > https://twitter.com/selfcustodykrux/status/1776617270078284246

Where to get Krux BETA binaries > https://github.com/odudex/krux_binaries/

I'm already testing it.  And loving it.

This update simplifies my overall setup while GREATLY increasing my security.

I use 2 Kruxes.  One does BIP85.  The other is my wallet.

Load the 24 word child seed via BIP85 on one Krux.  Scan it with the other.  Reboot the first Krux & load the 12 word passphrase via BIP85.  Scan it with the other.

Load, scan.
Load, scan.
Done.

This allows me to use my wallet stateless without ever needing to get my wallet's seed or passphrase out of the safes where they're locked up.  My parent seed (which is encrypted) generates the child seeds to build my wallet.  This takes just a few seconds.

Quote
"One Seed to rule them all, One Key to find them, One Path to bring them all, And in cryptography bind them."
-- github: bip-0085.mediawiki

In terms of security:

If my Krux devices get stolen...  there's nothing on 'em.  If my parent seed gets found or stolen...  it's encrypted, but it wouldn't matter anyway since it's backed up on metal and it's never been used as a wallet.
newbie
Activity: 11
Merit: 7
🚨Beta24 highly experimental available!

✅BIP85
✅Change accounts derivation
✅New wallet login and customizations
✅Hide mnemonics security setting
✅Cube screen optimizations

VIDEO > https://twitter.com/selfcustodykrux/status/1776617270078284246

Where to get Krux BETA binaries > https://github.com/odudex/krux_binaries/
full member
Activity: 128
Merit: 190
I use 12 word child seeds as passphrases for my wallets.
I have never given this much thought, but is there an upper character/word limit in Bitcoin for passphrase lengths? I am asking because you said you use 12 words as passphrases. When I configured my Trezor with passphrases, I noticed that the device has a limit of 6-7 words (depending on the length) It seems it's different wherever you look. It's probably a memory limitation of Trezor, preventing users to set up longer passphrases.

Some hardware wallets have limits.  Trezor limits to 50 bytes.  Ledger limits to 100 characters.  A 12 word passphrase tends to average around 75 characters.

I love using BIP85 to have redundant backups.  I still back everything up the proper way: paper & metal, secured in locations only I have access to.  But BIP85 gives me redundant backups of everything.  And really, once you have more than one seed, I think using BIP85 to create mathematically generated redundant backups makes a lot of sense.

The catch, of course, is that you have to start your entire wallet setup from scratch, because in order to use BIP85 the way I do, you need a parent seed.  For me, I felt like starting over with my wallets was a necessity after Ledger announced their key extraction firmware.  I didn't feel like there was an immediate risk, but long term, that nonsense is a time bomb waiting to go off.  So I started over with everything, from scratch.

On the other hand, for somebody who only wants to keep using the seed they already have but start using passphrases for different wallets (perhaps a trading wallet, a DeFi wallet, and a hodl wallet), BIP85 is perfect, because using BIP85 child seeds as passphrases protects against loss of a passphrase, since they can easily be regenerated.

EDITED to add:  By the way...  I realize that a 24 word seed with a 12 word passphrase is massive massive overkill in terms of entropy, but it's not about that.  It's about ease of use and redundant backups.
legendary
Activity: 2730
Merit: 7065
I use 12 word child seeds as passphrases for my wallets.
I have never given this much thought, but is there an upper character/word limit in Bitcoin for passphrase lengths? I am asking because you said you use 12 words as passphrases. When I configured my Trezor with passphrases, I noticed that the device has a limit of 6-7 words (depending on the length) It seems it's different wherever you look. It's probably a memory limitation of Trezor, preventing users to set up longer passphrases.
full member
Activity: 128
Merit: 190
There are many other features we plan to add, including one that you also requested: BIP85.

That would be fantastic.

UPDATE!  BIP85 has been added to the Krux beta.  Sweeeeeet!

BIP85 is an option more Bitcoiners should discover.

Here's how I use it:

I created a parent seed.  I never use this seed as a wallet.  I've backed it up, backed it up, backed it uuuuup.

I use 24 word child seeds as my actual "seeds."  Encrypted, thanks to Krux.

I use 12 word child seeds as passphrases for my wallets.  There are many benefits of using a child seed as a passphrase: It's impossible to have a typo since the seed has a checksum.  It's easy to load since Krux does Passphrase QR.  It's incredibly secure.  The parent seed is encrypted, thanks to Krux.

Because my seeds & passphrases are all child seeds, if any of them is ever lost, they can easily be regenerated by the parent seed.

EASY.

I name my wallets with a simple system that tells me the BIP85 child seed index numbers.

I realize some people will read this and think "Yikes!  That's complicated!"  It's really not.

Krux A:  Load the 24 word child seed.
Krux B:  Load the 12 word child seed (to use as a passphrase).
Krux A:  Scan the plaintext QR on Krux B to load the passphrase.
Done.

Airgapped: Unhackable.
Stateless:  Nothin' on it, if stolen.
Encrypted Seed QR:  Unhackable if stolen.

And if anything is ever lost...  any seed or any passphrase...  it can easily be regenerated by the parent seed (which is backed up on paper and metal & the metal copy is locked in a safe deposit box).  And, I can keep the child seeds, which are the seeds and passphrases for my actual wallets, locked up in a safe.  I never need to access them in order to use my wallets, since I use the parent seed to quickly generate them each time.

I can't think of a way to make security better than this for a long term hodl wallet, and Krux makes it easy.  Everything is backed up, plus I have a backup of the backups that can regenerate everything.
newbie
Activity: 28
Merit: 29
Any chance you folks are planning on adding encrypted passphrase QR as a feature?  That would be fantastic.

I updated my backup Amigo to the latest Krux beta binary by odudex, and holy cow is that sucker FAST!  Krux was already snappy, but the latest binary on a Maix Amigo is screaming fast.  It boots fast.  Response to clicks is crazy fast.  Fast fast faster than fast.

Yes, we have focused on optimizations to make better use of resources, which also allows us to add new features. Encrypted passphrases could be an interesting addition, but we need to consider if it would introduce too many secrets to manage. We should discuss this further.

There are many other features we plan to add, including one that you also requested: BIP85.
newbie
Activity: 28
Merit: 29
Is Jeff still active and contributing anything, or he left the project for good?
I was always confusing Jeff and Odudex and I was thinking this is the same person, plus there are some other guys who are talking about Krux in forum Wink

Yes, Jeff, Krux creator, who seemed to be a reserved person, left the project (and all his accounts out there).
Jeff, if you are seeing this, we would love to have you back if you change your mind! Krux changed my life, I'll be always grateful for it! Thank you!
Pages:
Jump to: