In "Mastering Bitcoin", Andreas Antonopoulos describes seed derivation in a BIP-39 compatible wallet (e.g., Trezor) from a mnemonic phrase plus an optional passphrase, which acts as a salt.
The mnemonic (typically a 12-word phrase) is generated for you automatically by the wallet. (Or you can provide it yourself, as discussed in this post.) The standard allows an optional passphrase to be appended, and the seed is then derived from both. The derivation is a key stretching function, PBKDF2 with HMAC-SHA512, run for 2048 rounds: the mnemonic is the password input, the salt is the fixed string "mnemonic" followed by the passphrase (empty if none was chosen), and the output is a 64-byte seed.
seed = PBKDF2-HMAC-SHA512(password = mnemonic phrase, salt = "mnemonic" + passphrase, 2048 rounds)
The principle is illustrated in this image [1]:
Every passphrase we choose to extend the initial mnemonic phrase yields a different seed, so each one produces a completely different (HD) wallet with different private and public keys. Because the function is one-way, a wallet has no way to tell whether a given passphrase is "the right one"; every passphrase is valid and simply opens a different wallet.
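As an added example (not from the original post or from the book), the derivation above in plain Python: BIP-39 seed derivation, the Electrum variant described later on this page (same PBKDF2 construction, but with the salt prefix "electrum" and Electrum's text normalisation, simplified here to NFKD, lower-casing and whitespace collapse), and the BIP-32 master key that the wallet builds from each seed. The sample mnemonic is the well-known all-"abandon" BIP-39 test mnemonic, the passphrase "duress" is a constructed example, and wallets_from_same_words is a helper written for this page, not an Electrum or BIP-39 API.

```python
import hashlib
import hmac
import unicodedata

# Both BIP-39 and Electrum stretch the mnemonic with PBKDF2-HMAC-SHA512 for 2048 rounds.
PBKDF2_ROUNDS = 2048

# Constructed sample input: the BIP-39 test mnemonic for 16 zero bytes of entropy.
SAMPLE_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                   "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: password = NFKD(mnemonic), salt = "mnemonic" + NFKD(passphrase), 64-byte output."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, dklen=64)


def _electrum_normalize(text: str) -> str:
    # Simplified version of Electrum's normalize_text: NFKD, lower-case, single spaces.
    # (Electrum additionally strips combining accents and handles CJK spacing; omitted here.)
    text = unicodedata.normalize("NFKD", text).lower()
    return " ".join(text.split())


def electrum_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Electrum seed extension: same PBKDF2 construction, but the salt prefix is "electrum"."""
    password = _electrum_normalize(mnemonic).encode("utf-8")
    salt = ("electrum" + _electrum_normalize(passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, dklen=64)


def bip32_master_key(seed: bytes) -> tuple:
    """BIP-32 master node: HMAC-SHA512 keyed with "Bitcoin seed".
    Left 32 bytes = master private key, right 32 bytes = chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallets_from_same_words(mnemonic: str, passphrase: str, seed_fn=bip39_seed) -> dict:
    """Derive the decoy (no passphrase) and real (passphrase) wallets from one mnemonic.
    Helper written for this page; pass seed_fn=electrum_seed for an Electrum-style seed."""
    decoy_seed = seed_fn(mnemonic, "")
    real_seed = seed_fn(mnemonic, passphrase)
    decoy_key, _ = bip32_master_key(decoy_seed)
    real_key, _ = bip32_master_key(real_seed)
    return {
        "decoy_seed": decoy_seed,
        "real_seed": real_seed,
        "decoy_master_key": decoy_key,
        "real_master_key": real_key,
    }


if __name__ == "__main__":
    w = wallets_from_same_words(SAMPLE_MNEMONIC, "duress")  # "duress" is a constructed passphrase
    print("decoy master key:", w["decoy_master_key"].hex())
    print("real  master key:", w["real_master_key"].hex())
    print("Electrum and BIP-39 seeds differ for the same words:",
          electrum_seed(SAMPLE_MNEMONIC) != bip39_seed(SAMPLE_MNEMONIC))
```

With the passphrase "TREZOR", bip39_seed on the sample mnemonic reproduces the first published BIP-39 test vector, which is a quick way to confirm the normalisation and salt prefix are right before trusting any derivation code with real words. The Electrum seed for the same twelve words is unrelated to the BIP-39 one, which is why a BIP-39 mnemonic restored into Electrum must be imported explicitly as BIP-39 rather than as an Electrum seed.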
Andreas Antonopoulos mentions the possibility of using this passphrase mechanism to obtain 2 wallets from the same mnemonic phrase. This serves as a form of plausible deniability, to help protect our funds in case of an attack.
Here is what he says:
A form of plausible deniability or "duress wallet," where a chosen passphrase leads to a wallet with a small amount of funds used to distract an attacker from the "real" wallet that contains the majority of funds. [1]
Now, Electrum does not follow the BIP-39 standard (it has its own seed format and checksum), but it offers the same kind of seed extension: a passphrase that is fed into the same PBKDF2 stretching, with the salt prefix "electrum" instead of "mnemonic". So we can use more or less the same trick with Electrum as well.
Here is how I think it could work (please feel free to correct me if this guide is wrong at some point):
Step by Step Guide for Electrum
In principle, we can use one and the same computer with the same Electrum installation, but it is much better to have Electrum installed on 2 computers: computer A, which can be air-gapped and serve for cold storage, and computer B, any other computer.
Computer A
1. Here we create the wallet that will keep the majority of our funds. It should preferably be on an air-gapped computer. Verify your Electrum installation files (if you don't know how, here is a guide on how to do that on Windows and Linux). Check "Standard wallet" and click "Next".
2. Choose "Create a new seed" and click "Next".
3. For Seed type choose "Standard" and click "Next".
4. Write down the mnemonic phrase
5. Then click "Options" and tick the checkbox that extends the seed with custom words (Electrum's seed extension):
6. Enter the passphrase you are going to extend your mnemonic with.
Choose it with care. The purpose of the passphrase here is to produce a completely different wallet from the same 12 words, not to add entropy to the mnemonic itself. But in the scenario this setup is built for, the attacker already has the 12 words, and then the passphrase is the only secret still standing between them and the real wallet. With the words in hand, candidate passphrases can be tested offline at PBKDF2 speed (2048 rounds is cheap, especially on GPUs), so a single dictionary word or a short, guessable phrase offers little protection. Pick something you can reliably remember but that would not appear in a wordlist, and keep a backup of it: there is no recovery mechanism, and the 12 words without the exact passphrase open only the decoy wallet.
7. Now confirm the seed
8. Then confirm the passphrase
9. You may encrypt the wallet if you like
At this point, it is important NOT to confuse the wallet encryption with the mnemonic seed extension from the previous steps. They are two different things with two different purposes: the encryption password protects the wallet file stored on this computer, while the seed extension changes which keys are derived from the mnemonic in the first place.
10. Now you have installed your real wallet on the air-gapped computer.
Computer B
11. Go to the other computer, probably the one you use daily.
12. Rather than creating a new seed, choose "I already have a seed"
13. Enter the same mnemonic from before, but now don't click on "Options" and don't extend it with a passphrase.
14. Finish the remaining steps and again, you can encrypt this wallet too if you like.
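As an added example, not from the original post or from the Electrum project: a simulation of the threat model the two-wallet setup is built for. Assume the attacker has obtained the 12 words. The decoy (no passphrase) falls on the first try; the real wallet survives only as long as the passphrase cannot be guessed. The Electrum seed extension is re-implemented here in a few lines with simplified normalisation (NFKD, lower-case, whitespace collapse), wallet_fingerprint is a hypothetical stand-in for "check whether the derived wallet has a balance on chain", and the leaked mnemonic, the candidate list and the passphrases "duress" and "correct horse battery staple 7Qx" are all constructed for the example.

```python
import hashlib
import hmac
import time
import unicodedata

# Constructed scenario: the 12 words the attacker has obtained (the all-"abandon" test mnemonic).
LEAKED_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                   "abandon abandon abandon abandon abandon about")


def electrum_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Electrum seed extension: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "electrum" + passphrase.
    Normalisation simplified to NFKD + lower-case + whitespace collapse."""
    def norm(s):
        return " ".join(unicodedata.normalize("NFKD", s).lower().split())
    return hashlib.pbkdf2_hmac("sha512", norm(mnemonic).encode("utf-8"),
                               ("electrum" + norm(passphrase)).encode("utf-8"), 2048)


def wallet_fingerprint(seed: bytes) -> str:
    """Hypothetical oracle standing in for an on-chain lookup: a short tag of the BIP-32 master key."""
    master_key = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()[:32]
    return hashlib.sha256(master_key).hexdigest()[:8]


def guess_passphrase(mnemonic: str, target_fp: str, candidates) -> tuple:
    """Offline dictionary attack with the mnemonic in hand.
    Returns (passphrase, attempts) on success or (None, attempts) if the list is exhausted."""
    attempts = 0
    for cand in candidates:
        attempts += 1
        if wallet_fingerprint(electrum_seed(mnemonic, cand)) == target_fp:
            return cand, attempts
    return None, attempts


def pbkdf2_rate(seconds: float = 0.5) -> float:
    """Rough guesses/second for the 2048-round stretch on one core with plain hashlib."""
    n, t0 = 0, time.perf_counter()
    while time.perf_counter() - t0 < seconds:
        electrum_seed(LEAKED_MNEMONIC, str(n))
        n += 1
    return n / (time.perf_counter() - t0)


# Constructed candidate list: the sort of wordlist an attacker would start with.
CANDIDATES = ["", "password", "bitcoin", "1234", "wallet", "electrum", "duress", "satoshi"]

if __name__ == "__main__":
    decoy_fp = wallet_fingerprint(electrum_seed(LEAKED_MNEMONIC))                 # no passphrase
    weak_fp = wallet_fingerprint(electrum_seed(LEAKED_MNEMONIC, "duress"))        # guessable passphrase
    strong_fp = wallet_fingerprint(electrum_seed(LEAKED_MNEMONIC, "correct horse battery staple 7Qx"))
    print("decoy wallet:      ", guess_passphrase(LEAKED_MNEMONIC, decoy_fp, CANDIDATES))
    print("weak real wallet:  ", guess_passphrase(LEAKED_MNEMONIC, weak_fp, CANDIDATES))
    print("strong real wallet:", guess_passphrase(LEAKED_MNEMONIC, strong_fp, CANDIDATES))
    print(f"about {pbkdf2_rate():.0f} guesses/s on one core with plain hashlib")
```

The rate printed by pbkdf2_rate is a single core running unoptimised Python; dedicated cracking hardware evaluates PBKDF2-HMAC-SHA512 orders of magnitude faster, so the candidate list an attacker can afford is far larger than the eight entries here. The decoy should look like a real, used wallet, and the passphrase on the real wallet should be chosen as if it were the only secret, because in this scenario it is.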
A similar procedure can be followed for a BIP-39 type of wallet.
What have we achieved? We have created 2 wallets from the same initial 12 words. They hold different keys and different addresses, which is easy to check by comparing the first receiving address shown in each wallet.
Our real wallet, with (hopefully) significant funds, is extended with a passphrase.
The other, the decoy wallet, is not extended at all. It may hold a small amount of funds which you can afford to lose in case of an attack.
Say someone (a possible attacker) comes into possession of your mnemonic. After all, there's no other way but to keep this phrase on paper (or in memory, which can be risky).
So, in case of an attack, you can give the attacker access to the decoy wallet (the 12 words alone), while your main wallet remains protected by the passphrase. This only works while the attacker does not know, or cannot prove, that a passphrase-extended wallet exists, so the decoy should look like a wallet you actually use, and the passphrase must hold up against offline guessing.
You can also feel more at ease having several copies of your mnemonic at different locations, knowing that compromising the security of your mnemonic is not the end of the world.
I would appreciate your thoughts, and especially if there's something that is not done correctly.
Reference:
[1] Andreas M. Antonopoulos, "Mastering Bitcoin", Chapter 5 (Wallets): https://github.com/bitcoinbook/bitcoinbook/blob/develop/ch05.asciidoc