Suggestions about the best ways to backup seed phrase

hatshepsut93

legendary

Activity: 2954

Merit: 2145

Quote from: Wexnident on June 18, 2020, 11:42:31 AM

Banks are the same, though the difference is mostly if the bank is robbed, then it's almost a guaranteed goodbye tbh.

When banks are robbed these days, it happens with small local branches and robbers only take cash. No one does those heists that you see in movies when they break into storage room, and even if it somehow happened, no one would care about personal deposit boxes, where you'd store a seed. The danger of bank is that it's a their party custodian and they can seize your coins, if the private key isn't encrypted.

Quote from: Wexnident on June 18, 2020, 11:42:31 AM

Home is both a safe and dangerous place to hide your stuff. Thefts coulld easily determine which is important or not if you hide it in safes and the like so it's actually just better to hide it in a nonconspicious way or just make a hidden compartment.

This is an example of security by obscurity, which is generally regarded as a bad things. Thieves and police officers know how to quickly search a house for hidden things, so if someone know what to look for, in this case a piece of paper or a USB stick, then they will likely find it.

No method is perfect, if you store seed in plaintext, you're risking your coins getting stolen, if you encrypt it, you risk locking yourself out of your coins if you lose the password.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18587

Quote from: witcher_sense on June 19, 2020, 01:42:05 AM

So, root seed is the number which is derived from seed phrase plus some salt.

Correct.

Quote from: witcher_sense on June 19, 2020, 01:42:05 AM

Salt is the passphrase we use to add some additional security, it also can be equal to "none" when we decide not to use a passphrase at all.

Almost. For BIP39 wallets, the salt is actually the word "mnemonic" concatenated with your passphrase. If you don't use a passphrase, then the salt is just the word "mnemonic" on its own.

Quote from: witcher_sense on June 19, 2020, 01:42:05 AM

Root seed plus passphrase is the number that is used to generate HD wallets.

Not quite. Seed phrase plus passphrase is used to generate 512 bit root seed. Root seed on its own is used to generate the master private key and master chain code for your HD wallet.

Quote from: witcher_sense on June 19, 2020, 01:42:05 AM

What did I miss here, because it seems I used older literature to find out how things work, maybe I have missed something?

There's a very good explanation of how we go from entropy all they to addresses in Mastering Bitcoin here: https://github.com/bitcoinbook/bitcoinbook/blob/develop/ch05.asciidoc#wallet-technology-details

Quote from: witcher_sense on June 19, 2020, 01:42:05 AM

Why do we prefer to backup a seed phrase instead of entropy?

Because it is human readable, and far less error prone. You are far less likely to make a mistake writing down 24 words than you are writing down a sequence of 256 ones and zeros.

pooya87

legendary

Activity: 3472

Merit: 10611

Quote from: witcher_sense on June 19, 2020, 02:40:46 AM

Quote from: pooya87 on June 19, 2020, 02:01:56 AM

~
now you have the encrypted mnemonic with a new set of words!

So, instead of keeping in secret only one piece of data, which is unencrypted seedphrase, the average user will have to keep several pieces of data. Encrypted seed phrase needs to be hidden just in case to avoid undesired leaks of information, I don't want to expose even encrypted one. A passphrase to decrypt our AES encrypted file needs to be hidden, otherwise, it becomes a lot easier to crack our security (in case we used additional passphrase to our unencrypted seed). A passphrase to our unencrypted seed phrase needs to be hidden. We also need a back up of our seed phrase, just in very possible case we forget or lose our key used to encrypt a seed phrase. What s the point of such complexity in the first place?

only 2 not several: 1 piece is the encrypted result and 1 piece is the password used for encryption.
and yes it is a little more complicated than just writing down the unencrypted mnemonic but that is how security is. it requires a lot of effort.

P.S. note that what i posted above is just an example showing the idea. i don't know how secure the site used for AES encryption is, or the method might have some flaws.

witcher_sense

legendary

Activity: 2310

Merit: 4313

🔐BitcoinMessage.Tools🔑

Quote from: pooya87 on June 19, 2020, 02:01:56 AM

~
now you have the encrypted mnemonic with a new set of words!

So, instead of keeping in secret only one piece of data, which is unencrypted seedphrase, the average user will have to keep several pieces of data. Encrypted seed phrase needs to be hidden just in case to avoid undesired leaks of information, I don't want to expose even encrypted one. A passphrase to decrypt our AES encrypted file needs to be hidden, otherwise, it becomes a lot easier to crack our security (in case we used additional passphrase to our unencrypted seed). A passphrase to our unencrypted seed phrase needs to be hidden. We also need a back up of our seed phrase, just in very possible case we forget or lose our key used to encrypt a seed phrase. What s the point of such complexity in the first place?

pooya87

legendary

Activity: 3472

Merit: 10611

Quote from: witcher_sense on June 18, 2020, 04:00:54 AM

Quote from: pooya87 on June 18, 2020, 12:20:18 AM

encryption is missing here.
although it may not be the critical factor for many since the backup is stored at home and usually outside of reach of anyone, but it still is a good idea to encrypt what you store too.
unfortunately i have not seen any tools or proposals about encrypting mnemonics but it still isn't a complicated thing since you can easily treat it as a text that you encrypt and then print the encrypted result on paper.

BTW we can't consider Shamir Secret Sharing as an alternative to encryption. it is for secret "Sharing".

I think that part of the reason we haven't got any proposals or solutions regarding encryption of mnemonics yet is because this contradicts the idea of the mnemonic phrases themselves. Encrypted mnemonics are no longer easy to remember, it would be look like getting back to storing of single private keys to each address, which was not very convenient approach, quite the opposite. It also contradicts to the idea of plausible deniability, since there will be the only one key to decrypt your mnemonic. Of course, you still can encrypt it with additional passphrase, but it might become very complex security, which means you have to keep too much private key, possibility of losses increases.

you are thinking about it all wrong.
mnemonic is the human readable encoding of raw data. that raw data can be your entropy (which is what BIP39 or any similar proposal does) or it can be the encrypted result.
for example the phrase could be encrypted using AES-256 to get a fixed vector result then that "raw data" can be encoded using the same scheme used by BIP39 to get similar looking set of words with different lengths depending on the length of the input.

example

Code:

mnemonic: legal winner thank year wave sausage worth useful legal winner thank yellow

AES-256-CBC encrypt using (http://cryptojs.altervista.org/secretkey/aes_cryptojs-v3.html)

Code:

passphrase: 8352dd9eb8b64669e0a8347fd37ae6e5
{
"iv":"b73afe9d14be3180f8e2001c9b86e601",
"mode":"CBC",
"padding":"NoPadding",
"keySize":256,
"cipher":"aes",
"salt":"0ed17b7de6e75d7d",
"ciphertext":"VTJGc2RHVmtYMSsvekJFdXpRTHlnUVc2R0RvaTAyQlNBdnRnSERnYlRCZm90enFDZGxKWlBhV2hSUVB3ZEdycAo5Z2R4dkdTR0hIZWNKci9mYlNOZGRhWnZaUFUyWkprdEk5MERMNXlzZUlMQzRoQTBsRVBMdmpKWktRPT0=",
"time":0,
"status":"success"
}

playing with the encrypted result (ciphertext) ignoring salt and IV for simplicity:

Code:

base64: VTJGc2RHVmtYMSsvekJFdXpRTHlnUVc2R0RvaTAyQlNBdnRnSERnYlRCZm90enFDZGxKWlBhV2hSUVB3ZEdycAo5Z2R4dkdTR0hIZWNKci9mYlNOZGRhWnZaUFUyWkprdEk5MERMNXlzZUlMQzRoQTBsRVBMdmpKWktRPT0=
base16: 553246736447566b58312b2f7a4245757a514c796751573647446f693032425341767467484467625442666f747a7143646c4a5a5061576852515077644772700a3967647876475347484865634a722f6662534e6464615a765a5055325a4a6b74493930444c35797365494c43346841306c45504c766a4a5a4b513d3d
base2: 01010101 00110010 01000110 01110011 01100100 01000111 01010110 01101011 01011000 00110001 00101011 00101111 01111010 01000010 01000101 01110101 01111010 01010001 01001100 01111001 01100111 01010001 01010111 00110110 01000111 01000100 01101111 01101001 00110000 00110010 01000010 01010011 01000001 01110110 01110100 01100111 01001000 01000100 01100111 01100010 01010100 01000010 01100110 01101111 01110100 01111010 01110001 01000011 01100100 01101100 01001010 01011010 01010000 01100001 01010111 01101000 01010010 01010001 01010000 01110111 01100100 01000111 01110010 01110000 00001010 00111001 01100111 01100100 01111000 01110110 01000111 01010011 01000111 01001000 01001000 01100101 01100011 01001010 01110010 00101111 01100110 01100010 01010011 01001110 01100100 01100100 01100001 01011010 01110110 01011010 01010000 01010101 00110010 01011010 01001010 01101011 01110100 01001001 00111001 00110000 01000100 01001100 00110101 01111001 01110011 01100101 01001001 01001100 01000011 00110100 01101000 01000001 00110000 01101100 01000101 01010000 01001100 01110110 01101010 01001010 01011010 01001011 01010001 00111101 00111101

Code:

groups of 11:
01010101001 -> 681 -> festival
10010010001 -> 1169 -> mutual
10011100110 -> 1254 -> orphan
....

now you have the encrypted mnemonic with a new set of words!

witcher_sense

legendary

Activity: 2310

Merit: 4313

🔐BitcoinMessage.Tools🔑

Quote from: o_e_l_e_o on June 18, 2020, 09:55:38 AM

"Seed phrase" and "mnemonic phrase" are the same thing. I think you are confusing "seed number" with "seed phrase". See here: https://en.bitcoin.it/wiki/Seed_phrase#Alternative_name_.22Mnemonic_Phrase.22

Further, a 512 bit seed is not derived directly from entropy. The steps are generate 128 or 256 bits of entropy, use SHA256 to calculate and then append the 4 or 8 bit checksum, split in to 11 bit sections and convert to a seed phrase, then use the seed phrase and optional passphrase as input parameters for 2048 rounds of PBKDF2 to generate the 512 bit seed.

Until I read it on wiki, I had no idea that "mnemonic" is a obsolete term, especially, when there is a constant string called "mnemonic" in function used to derive root seeds and is being used as an input in HMAC-SHA512 function. This part may be confusing because there are plenty of things called "seed number", "seed phrase", "root seed" and so on. So, root seed is the number which is derived from seed phrase plus some salt. Salt is the passphrase we use to add some additional security, it also can be equal to "none" when we decide not to use a passphrase at all. Root seed plus passphrase is the number that is used to generate HD wallets. What did I miss here, because it seems I used older literature to find out how things work, maybe I have missed something? Why do we prefer to backup a seed phrase instead of entropy?

Ryker1

sr. member

Activity: 1918

Merit: 442

Eloncoin.org - Mars, here we come!

Quote from: AakZaki on June 18, 2020, 02:26:49 PM

Quote from: Charles-Tim on June 17, 2020, 08:00:41 AM

2. Paper back up
Seed phrase can be written on a sheet of paper with pencil, but this method is poor as it can be affected by liquid, but still good if you can save it in a place that no liquid can contact or touch it.

Using backup paper is a good choice in my opinion, because backup paper will not be connected directly to the online network and is always offline. If you are afraid of being exposed to liquids, the spare paper can be given plastic lamination so that it will be safe from liquids and won't be easily damaged.

However, the main factor is how you store it so that the backup paper containing the seed phrase is safe from the hands of others and only you and the people you trust can hold it.

Well, there are some factors that perhaps back up paper will be lost even it is well laminated or covers with hard plastic, --just like what happened to my friend. All papers documents he had were burnt when their house was accidentally burnt and nothing left. Perhaps OP includes of back up seed phrase through a piece of hard metal engraving. You can hide this anywhere without worried about being wet or burn. Indeed, this is a good suggestion of OP thread and we are the one who is responsible for this to keep in a safe place and my suggestion though is good for an uninspected disaster.

Macadonian

sr. member

Activity: 467

Merit: 578

You should in any circumstance allow your seed to touch a digital storage device after creating it and I would even give the advice to people that you should avoid creating your Bitcoin wallet and its seed on a live computer connected to the internet. What you should do is create it on a offline computer which has been secured and then write the seed down physically. Its up to you if you want to use lamented paper to avoid it getting wet or place it in a fire proof safe what is important is that seed has not been on a computer which is connected to the internet otherwise you are at risk of it already being compromised before even storing it.

Charles-Tim

legendary

Activity: 1512

Merit: 4795

Quote from: AakZaki on June 18, 2020, 02:26:49 PM

Quote from: Charles-Tim on June 17, 2020, 08:00:41 AM

2. Paper back up
Seed phrase can be written on a sheet of paper with pencil, but this method is poor as it can be affected by liquid, but still good if you can save it in a place that no liquid can contact or touch it.

Maybe you have drafted this immediately I created this article, I have changed it even before the first person commented, I changed it from poor to good because writing seed phrase down is one of the best ways for seed phrase back up. Many people have commented and they did not see such an obbious mistake because I changed it even before first person commented.

AakZaki

legendary

Activity: 2310

Merit: 1076

zknodes.org

Quote from: Charles-Tim on June 17, 2020, 08:00:41 AM

2. Paper back up
Seed phrase can be written on a sheet of paper with pencil, but this method is poor as it can be affected by liquid, but still good if you can save it in a place that no liquid can contact or touch it.

Using backup paper is a good choice in my opinion, because backup paper will not be connected directly to the online network and is always offline. If you are afraid of being exposed to liquids, the spare paper can be given plastic lamination so that it will be safe from liquids and won't be easily damaged.

However, the main factor is how you store it so that the backup paper containing the seed phrase is safe from the hands of others and only you and the people you trust can hold it.

Charles-Tim

legendary

Activity: 1512

Merit: 4795

Quote from: Wexnident on June 18, 2020, 11:42:31 AM

Home is both a safe and dangerous place to hide your stuff. Thefts coulld easily determine which is important or not if you hide it in safes and the like so it's actually just better to hide it in a nonconspicious way or just make a hidden compartment. Banks are the same, though the difference is mostly if the bank is robbed, then it's almost a guaranteed goodbye tbh. Plus the only way to avoid digital theft is to not use any digital device to store your seed phrase. Physical theft is unavoidable imo, and if you get hit, you get hit and that's that.

I see home as a safe place if properly planned, but only if the area is not prone to flood, earthquake, and other natural disaster as o_e_l_e_o said.
The likely questions that comes to my mind about the safety are:
How would the backup not exposed to liquids?
How would it not be affected by fire in case?

So, I think, getting it on little metal sheet is good and buried it in a safe place that is likely not to be affected by fire like bathroom. Burying itwo locations will make someone more secure about it.

Quote from: o_e_l_e_o on June 18, 2020, 11:56:30 AM

Fire, flood, earthquake, natural disaster, etc., is going to hit them both equally.

In such this situation, I can try to also always memorize the seed phrase but will only just see it as an alternative when I can no longer access it in such these situations. But trusting on memorizing as a way of backup is totally wrong but just in case.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18587

Quote from: Wexnident on June 18, 2020, 11:42:31 AM

Home is both a safe and dangerous place to hide your stuff.

Having a copy of your back up at home, either in a safe or hidden somewhere,* is fine, but you need at least one off site back up, and preferably more. There's no point keeping your cold wallet/airgapped wallet/hardware wallet/whatever and the only back up in the same physical location. Fire, flood, earthquake, natural disaster, etc., is going to hit them both equally.

*I sometimes wonder about inventive places to hide a seed phrase in a house that would take a thief the longest to find. We've all heard about the hiding it inside the pages of a book or making a story out of it methods, but I've been thinking of different physical locations within a house. Taking a door off its hinges, writing it on the bottom, and replacing the door was one thought which occurred. Opening a piece of soft furniture at at seam, such as a sofa or mattress, inserting a piece of paper and stitching it back up was another. Underneath a floorboard underneath a carpet underneath some heavy furniture would surely take a thief a while to find, or hidden in a wall, covered with plaster and then wallpaper, although the latter two do mean damaging your own house if you ever need to access your back up.

Wexnident

hero member

Activity: 2506

Merit: 628

I don't take loans, ask for sig if I ever do.

Home is both a safe and dangerous place to hide your stuff. Thefts coulld easily determine which is important or not if you hide it in safes and the like so it's actually just better to hide it in a nonconspicious way or just make a hidden compartment. Banks are the same, though the difference is mostly if the bank is robbed, then it's almost a guaranteed goodbye tbh. Plus the only way to avoid digital theft is to not use any digital device to store your seed phrase. Physical theft is unavoidable imo, and if you get hit, you get hit and that's that.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18587

Quote from: witcher_sense on June 18, 2020, 08:46:37 AM

-snip-

"Seed phrase" and "mnemonic phrase" are the same thing. I think you are confusing "seed number" with "seed phrase". See here: https://en.bitcoin.it/wiki/Seed_phrase#Alternative_name_.22Mnemonic_Phrase.22

Further, a 512 bit seed is not derived directly from entropy. The steps are generate 128 or 256 bits of entropy, use SHA256 to calculate and then append the 4 or 8 bit checksum, split in to 11 bit sections and convert to a seed phrase, then use the seed phrase and optional passphrase as input parameters for 2048 rounds of PBKDF2 to generate the 512 bit seed.

witcher_sense

legendary

Activity: 2310

Merit: 4313

🔐BitcoinMessage.Tools🔑

Quote from: o_e_l_e_o on June 18, 2020, 06:50:12 AM

This is the reason I dislike the words "mnemonic phrase" and tend to use the words "seed phrase" instead. Seed phrases should not be remembered, or at least, should not only be remembered. Committing something to memory is one of the most fragile and error prone back up methods, and the easiest for something to go wrong. Seed phrases should always be recorded on a physical medium.

Mnemonic phrase is just a convinient way to write a sequence of binary numbers. It is easier to backup, store, restore a wallet with using of mnemonic, especially for human beings who speak on machine language very very badly. Seed phrase is not the same as mnemonic phrase, it is derived from an entropy, which mnemonic actually represents (entropy plus checksum), by using special function. The result of calculation is the seed - 512 bit or so number, which is impossible for humans to remember or read. So, calling mnemonic a seed is not correct, however, I also prefer it over mnemonic because it is shorter to say.

Quote from: o_e_l_e_o on June 18, 2020, 06:50:12 AM

Seed phrases on their own have no plausible deniability to being with, so encrypting them does not change that. Only by the addition of a passphrase can you achieve plausible deniability.

That is what I meant.

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: Oshosondy on June 17, 2020, 06:08:51 PM

Using Shamir's Secret Sharing, the seed phrase can be divided into two in a way that each halve will be useless to hackers if seen. But using the common sense to separate the seed phrase, if one halve of it is known to hackers, it is possible to know the other halve of the phrase.

Shamirs secret sharing scheme is a N out of M scheme, which means you can not only divide it into 2 shares, but a (somewhat) freely chosen amount of shares.
The reason such a scheme is used, is that having N-1 shares does reveal any information about the secret at all. You inevitably need all N shares to learn the secret.

Quote from: Bitbtc8 on June 18, 2020, 04:25:08 AM

I don't know about others but I do back up with a private email address that I dont use for any online things[...]

Emails are unencrypted.
If you not explicitly encrypt the content, the mail server (i.e. your mail provider) can read the content.

Charles-Tim

legendary

Activity: 1512

Merit: 4795

Quote from: Bitbtc8 on June 18, 2020, 04:25:08 AM

I don't know about others but I do back up with a private email address that I dont use for any online things, just for backup seeds only and also I back up seeds by writing on steel just in case of email access lost.

Backups on private email can still lead to breaches, I will not suggest this as it is a poor method to back up seed phrase. I will suggest you to use the second method you said, writing the seed phrase on steel is better but should be in a place not accessible to people.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18587

Quote from: Oshosondy on June 17, 2020, 06:08:51 PM

After using Shamir's Secret Sharing to divide the seed phrase, it can be replicated and the four can be stored in four locations. I will prefer it laminated or on metallic sheet and be buried in a safe place.

If you are going to make use a secret splitting method anyway, and you are going to make 4 shares, then you would probably be better off with a 3-of-4 arrangement, rather than a duplicated 2-of-2 arrangement, as it adds more security to your set up.

Quote from: witcher_sense on June 18, 2020, 04:00:54 AM

Encrypted mnemonics are no longer easy to remember

This is the reason I dislike the words "mnemonic phrase" and tend to use the words "seed phrase" instead. Seed phrases should not be remembered, or at least, should not only be remembered. Committing something to memory is one of the most fragile and error prone back up methods, and the easiest for something to go wrong. Seed phrases should always be recorded on a physical medium.

Quote from: witcher_sense on June 18, 2020, 04:00:54 AM

It also contradicts to the idea of plausible deniability, since there will be the only one key to decrypt your mnemonic.

Seed phrases on their own have no plausible deniability to being with, so encrypting them does not change that. Only by the addition of a passphrase can you achieve plausible deniability.

Quote from: gentlemand on June 18, 2020, 04:45:29 AM

They get placed in various areas around the globe and are regularly replaced.

That's my biggest issue with using electronic devices for long term storage - these things have a lifespan. Best case scenario they might last for 10 years, but I'm sure we've all had hardware which has failed on us well before it should have. You have no way of knowing if the SD card with your seed phrase is on might fail before the next time you access it, even if you are replacing it regularly. There are no such concerns with paper or metal, although I'll concede this is largely mitigated if you use multiple cards and multiple locations.

gentlemand

legendary

Activity: 2590

Merit: 3014

Welt Am Draht

I used a wiped laptop with no wifi card to create encrypted folders on multiple micro SD cards. They get placed in various areas around the globe and are regularly replaced. They're only accessed on the same computer. There's no reason not to encrypt them

I'm not really a fan of anything written out in the open like paper or steel. You're creating a security problem that doesn't need to exist.

Bitbtc8

full member

Activity: 1148

Merit: 116

I don't know about others but I do back up with a private email address that I dont use for any online things, just for backup seeds only and also I back up seeds by writing on steel just in case of email access lost.

Topic: Suggestions about the best ways to backup seed phrase (Read 790 times)