Topic: Safepal, Ledger, Trezor keep a backup of my 24 words and transfer to their server?

legendary
Activity: 2268
Merit: 18503
What software should I use to create an offline wallet? Looking forward to your advice. Thank you!
There are a number of methods I have used in the past to create offline/airgapped/paper wallets.

The easiest is to use a reputable, open source wallet whose source code you have examined, or which you are confident the community has examined if you do not have the technical knowledge to do so yourself. Electrum is the obvious choice here. Download it only from electrum.org, transfer it to your offline device, verify the download before installing it, and then install it and create your wallet. Once you've done this and backed up your seed phrase on paper, you can export the master public key, transfer it to your online device, and create a paired watch-only wallet.

If you want to go a step further, then generate your entropy yourself. Flipping a coin 256 times is the simplest method, but you can also roll a standard six-sided die. Download iancoleman.io/bip39, transfer it to your offline device, verify the download before using it, and then enter your entropy to generate a seed phrase. Even better, turn the entropy into a seed phrase yourself by mapping against the BIP39 word list. Then use that seed phrase to generate a wallet.
legendary
Activity: 1512
Merit: 4795
What software should I use to create an offline wallet? Looking forward to your advice. Thank you!
What dkbit98 was implying is that using an open source wallet is better because the source code is available to the public. A good and reputed wallet of that category which can be recommended is Trezor. But it is good to keep the Trezor in a place where it cannot be stolen, or better, use a passphrase along with the seed phrase so physical attacks cannot reveal the keys generated by the Trezor wallet.

If you want to know how to generate a cold wallet using an online wallet, you can use Electrum, which is open source but only supports Bitcoin. You will need two devices for it, one as watch-only, and the other as the cold wallet which is used for signing transactions. You can go through the guides below:

On computer
https://electrum.readthedocs.io/en/latest/coldstorage.html

On mobile
Re: Using mobile phone as a full mobile wallet
newbie
Activity: 8
Merit: 0
If a hardware wallet is programmed to secretly transmit your seed phrase to an external server, then it probably isn't going to matter whether that seed phrase was generated on the device itself or imported from elsewhere.
Yeah, but I said that because "random generators" are not so random as people may think, and what is happening inside closed source hardware wallets is a secret by design.
You can always generate seed words on your own and import them into a hardware wallet that is not connected to a computer with an internet connection, so there is no way to send anything online.


What software should I use to create an offline wallet? Looking forward to your advice. Thank you!
legendary
Activity: 3234
Merit: 6706
Proudly Cycling Merits for Foxpup
About Ledger Nano, it can be operated with open source wallets also, like Electrum, but the only thing I do not like about the wallet is the closed source microchip used to generate and store the seed phrase, so if there is a vulnerability in the microchip, such as one that can pre-generate the seed phrase, people will not know, but the company still maintains a good reputation till today.
Indeed they do, and personally I'm not too concerned that Ledger is secretly keeping all of its users' seed phrases in some database somewhere in order to perpetrate some massive scam in the future.  I don't like that the code is closed-source either, but I'm old school and tend to need to have a little trust in things like this--but I can see where it would make some people very uncomfortable.

You really can't be sure especially with hardware wallets like Safepal and Ledger that are totally closed source and protected with various NDA agreements,
Safepal I'm not so sure about, and that's mostly because I'm not as familiar with them as I am with Ledger.  I had to take a look at their website, and they've only been around since the beginning of 2018--thus they don't have quite as much of an established track record as Trezor and Ledger do.  They could be completely above-board, but I wouldn't risk it if I were looking for a HW wallet (which I'm not).  I'd definitely stick to the biggest and most reputable names in the industry.
legendary
Activity: 2464
Merit: 3548
Buy/Sell crypto at BestChange
Just because you need to connect your wallet to the computer does not mean that it will send the private keys to the company's servers; if they want to do this, it is better for them to generate non-random wallet seeds saved in their database, so even if you create them in an offline environment they will be able to access your coins.

In short, the entropy of how randomly a seed is generated and how it is managed is the most important. If you don't trust any hardware wallet, use air gapped PC with an open source wallet with good reviews.
legendary
Activity: 2212
Merit: 7060
Cashback 15%
If a hardware wallet is programmed to secretly transmit your seed phrase to an external server, then it probably isn't going to matter whether that seed phrase was generated on the device itself or imported from elsewhere.
Yeah, but I said that because "random generators" are not so random as people may think, and what is happening inside closed source hardware wallets is a secret by design.
You can always generate seed words on your own and import them into a hardware wallet that is not connected to a computer with an internet connection, so there is no way to send anything online.
legendary
Activity: 2268
Merit: 18503
but what you can do is to generate your own seed words offline and then import them in your hardware wallet.
If a hardware wallet is programmed to secretly transmit your seed phrase to an external server, then it probably isn't going to matter whether that seed phrase was generated on the device itself or imported from elsewhere.

It is possible, however, to only use a hardware wallet with an airgapped computer. Connect it to an online computer the first time you use it to verify it and update any firmware, etc., then connect it to a permanently airgapped computer, generate a new seed phrase for it (using an external entropy source if desired), and then pair it with a wallet like Electrum to transfer transactions back and forth for signing and broadcasting.
legendary
Activity: 2212
Merit: 7060
Cashback 15%
So how can I be sure they're not lying? Is there any way to check this?
You really can't be sure especially with hardware wallets like Safepal and Ledger that are totally closed source and protected with various NDA agreements,
but what you can do is to generate your own seed words offline and then import them in your hardware wallet.
There is server communication with all hardware wallets for updating price and balance, but so far there have been no reported flaws leaking seed words.
I would always give the advantage to open source hardware wallets like Trezor, ColdCard or BitBox, and use dice for manually generating seed words rather than trusting their random generators.

The FBI was running fake secure closed source Anom phones for 3 years before they busted and arrested a bunch of people, and look how they infiltrated and destroyed Silk Road in a similar way.
Why would closed source hardware wallets be any different, when we know they already hired some people to hack them, and that is only possible as an inside job?

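The two posts above that recommend rolling dice or flipping a coin and mapping the result against the BIP39 word list describe a procedure that is easy to get wrong by hand, because the last word carries a SHA-256 checksum. The following is an added example written for this page, not code from any poster or from iancoleman.io or any wallet vendor. It turns coin flips (or die rolls) into entropy, appends the BIP39 checksum, cuts the bit string into 11-bit word indices, and can verify a phrase you mapped by hand. Assumptions: you supply the 2048-entry BIP39 English word list yourself (from a verified copy on the offline machine), and the die-roll mapping (rolls 1-4 give two bits, 5 and 6 are discarded) is this example's own choice for unbiased bits, not the scheme any particular tool uses. The sample flips are constructed.

```python
import hashlib

# Added example for this thread, not any wallet's or tool's code.
# Assumption: the caller loads the real 2048-word BIP39 English list
# (wordlist[0] == "abandon", wordlist[2047] == "zoo") from a verified file.

ENT_BITS_TO_WORDS = {128: 12, 160: 15, 192: 18, 224: 21, 256: 24}


def flips_to_entropy(flips: str) -> bytes:
    """Coin flips ('H' = 1, 'T' = 0) -> raw entropy bytes.
    Only 128/160/192/224/256 flips are valid BIP39 entropy sizes."""
    flips = flips.strip().upper()
    if len(flips) not in ENT_BITS_TO_WORDS or set(flips) - {"H", "T"}:
        raise ValueError("need 128/160/192/224/256 flips made of H and T")
    bits = "".join("1" if f == "H" else "0" for f in flips)
    return int(bits, 2).to_bytes(len(flips) // 8, "big")


def rolls_to_entropy(rolls: str, n_bits: int = 256) -> bytes:
    """Six-sided die -> bits. Rolls 1-4 map to 00,01,10,11; rolls 5 and 6
    are discarded (rejection sampling) so every bit stays uniform.
    Assumption: this mapping is the example's own, not iancoleman.io's."""
    if n_bits not in ENT_BITS_TO_WORDS:
        raise ValueError("n_bits must be 128, 160, 192, 224 or 256")
    bits = ""
    for r in rolls:
        if r in "1234":
            bits += format(int(r) - 1, "02b")
        elif r not in "56":
            raise ValueError(f"bad die roll {r!r}")
        if len(bits) == n_bits:
            break
    if len(bits) < n_bits:
        raise ValueError(f"not enough rolls: {len(bits)} bits, need {n_bits}")
    return int(bits, 2).to_bytes(n_bits // 8, "big")


def entropy_to_indices(entropy: bytes) -> list:
    """BIP39: append the first ENT/32 bits of SHA-256(entropy) as checksum,
    then split the whole bit string into 11-bit groups (word indices)."""
    ent = len(entropy) * 8
    if ent not in ENT_BITS_TO_WORDS:
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    cs_len = ent // 32  # at most 8 bits, so the first digest byte suffices
    checksum = hashlib.sha256(entropy).digest()[0]
    bits = format(int.from_bytes(entropy, "big"), f"0{ent}b")
    bits += format(checksum, "08b")[:cs_len]
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def indices_to_words(indices: list, wordlist: list) -> list:
    """Map indices onto the supplied BIP39 word list."""
    if len(wordlist) != 2048:
        raise ValueError("BIP39 word list must have exactly 2048 entries")
    return [wordlist[i] for i in indices]


def verify_checksum(indices: list) -> bool:
    """Check a phrase mapped by hand: recompute the checksum from the entropy
    bits and compare it with the trailing checksum bits of the last word."""
    n = len(indices)
    if n not in ENT_BITS_TO_WORDS.values() or any(not 0 <= i < 2048 for i in indices):
        return False
    bits = "".join(format(i, "011b") for i in indices)
    cs_len = n // 3  # 12 words -> 4 checksum bits ... 24 words -> 8 bits
    ent_bits, cs_bits = bits[:-cs_len], bits[-cs_len:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    expected = format(hashlib.sha256(entropy).digest()[0], "08b")[:cs_len]
    return expected == cs_bits


if __name__ == "__main__":
    # Constructed input: 256 tails, i.e. all-zero entropy. With the real word
    # list this is the well-known vector "abandon" x23 followed by "art".
    idx = entropy_to_indices(flips_to_entropy("T" * 256))
    print(idx, verify_checksum(idx))
```

Do the flips and the mapping on the offline machine only; the point of the exercise is that the entropy never touches the device's RNG, and `verify_checksum` catches a mis-copied last word before you fund the wallet.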
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
Trezor is completely open-source, so if you don't trust them and believe they have a way to record your seed phrase, feel free to go through thousands of lines of code to expose that vulnerability. Ledger is almost open-source, (their secure element isn't). Again, feel free to inspect their codebase if you like. Since most people don't have the skills to do that, you are left with trusting that others have done it. Alternatively, pay someone to do it for you or get someone to create your own hardware wallet based on open-source code. You would then have to trust that person has done a good job.

Since most of that is undoable for the majority of people, you can either trust that Trezor and Ledger, who have been in the business for years, don't have a way to get to your seed, since they could have emptied all of our accounts at any time (I am not sure what they are waiting for if they can), or you find alternative ways to store your private keys. Things like paper wallets and non-custodial software on airgapped machines.
legendary
Activity: 1512
Merit: 4795
Everything about Trezor is open source, and some companies have been searching for vulnerabilities in the hardware wallet. The one I remember was that a physical attack on a Trezor can result in the seed phrase becoming known to attackers, but that would be a result of the hardware wallet being stolen and physically attacked, and this problem can be solved by protecting the Trezor with a passphrase and also protecting the hardware wallet from offline attackers (thieves). No evidence has been shown yet that it can reveal your seed phrase to the server; in fact, it does not, and the wallet is completely open source.

About Ledger Nano, it can be operated with open source wallets also, like Electrum, but the only thing I do not like about the wallet is the closed source microchip used to generate and store the seed phrase, so if there is a vulnerability in the microchip, such as one that can pre-generate the seed phrase, people will not know, but the company still maintains a good reputation till today. But yet, the microchip helps generate the seed phrase and also stores it. It makes even physical attacks on the seed phrase unsuccessful. There is no evidence of your seed phrase being exposed to the server while using it either.

About SafePal, I cannot recommend such a wallet. I am not implying it reveals any seed phrase, but the wallet is completely closed source, it can only be used with an app on a mobile phone, and the app is not even open source (correct me if wrong), so I am not furthering my discussion on SafePal.

Even many reputed wallets which are online, like Electrum, Mycelium and many others, are not revealing your seed phrase to the server, so hardware wallets are even safer in that they store the seed phrase in a way that it does not even leave the hardware wallet, which makes it difficult for hackers to get through, unlike online wallets. What you should focus on is malware: protect the device you are using to operate your hardware wallet, especially against QR code malware and also malware that can change the receiver's address into a hacker's (attacker's) address while sending bitcoin. This can happen without your seed phrase being revealed to attackers but can still lead to coin loss.
newbie
Activity: 8
Merit: 0
Hello,
Safepal, Ledger, Trezor say they don't keep a backup of my 24 words and they will not transfer my 24 words to their servers.

Because I still need to connect the above hardware wallets through an app or PC every time I need to use them.

This makes me worry that my 24-word recovery phrase, which is randomly generated by the device and displayed during setup, might be stored and then transferred to their server.

So how can I be sure they're not lying? Is there any way to check this?