Topic: What's the best way to create a super/meta/mother/master mnemonic seed? (Read 432 times)

It can't happen. There is no way on earth, especially considering that we should check our backups every now and then. Bugs and mice will never eat a backup seed phrase.

BTW: I just noticed the "professional shitposter" 

Toner. I like toner a lot better.

I have books that I've owned since childhood. They're fine. If I'd place a piece of paper between them, the mice would have to eat so many books that I'd have to notice. Or use a metal container, or a safe.

That's an interesting solution, thank you for detailing it here but unfortunately, neither multisig wallets nor SLIP39(Mnemonic Shamir's Secret Shared) seeds resolve my main issue "For obvious privacy concerns, I would like to be able to use several wallets based on different seeds."  I should have said multiple wallets and multiple seeds.

You should have a better ink than mine. Yes bugs can eat paper, but mice too. I don't have mice at home, but if one day I get some it could be too late for my paper once I discover it.

It's a good idea, maybe I should think about it. For me it doesn't look useful and to be the most safe practice to generate seeds long time before using them but it could be the most convenient way to solve my problem actually.

Why don't use a PRNG and use a 12 words mnemonic phrase as the seed for generation ?

You can F.E. just add at the generation to the seed a nonce for each wallet ...    ( + 0001 , 00010 ... )





but you should learn your lessons about the PRNG very hard to not stay depending on the available provided tool !  

Yes. And by default it works for Legacy addresses only.

Using BIP-38 encryption to store mnemonic seed phrase.

Looks promising, I need to study it a bit more. Does it work only with encrypting single private keys? Or does it also work with seeds (HD wallets)?

This is all theoretical: I'd be comfortable printing it, but I wouldn't be comfortable using multisig.

You'll print this:
6PYS1nzuGgFB4WunA9xzHRWxd5xWhLBFxpgTGEQ2z7fggB767rLnKSYHQK (I created this one with a random private key as password, so there's absolutely no way this can ever be recovered (but the 6P-key is valid)).
An attacker has no idea what's in it. But for your own convenience, adding the address makes funding a lot easier. As always, it's a balancing act between security and convenience.

Or print a whole page filled with lines like this, and only one that works with your password. The attacker will have no idea which one is the real one, and if you forget, you can spend half an hour trying your password on all of them. I consider half an hour of typing a small price to pay for peace of mind.

Okay, so it sounds are comfortable with printing the xpubs. Unfortunately I am not.

I am also reluctant to store all the xpubs in the same place. I am not extra-paranoid, I just don't want to expose my addresses to the attacker for privacy reasons. Yeah, I know, no big deal, because I will find out that one of my backups was compromised in one of my regular health checks, but still, I want to avoid this.


This sounds interesting, gonna check it now. I was aware of it, but I never dived into it.

Print it?

Or store all xpubs on each location. The drawback is that "a thief" would know your address and balance, but you add redundancy in case you can't read all characters on the paper.

I've typed some private keys (for offline Fork recovery), and in my experience my typing is more accurate than my reading. So now I print everything in a large font, which makes it easier to distinguish between similar characters. If you make a mistake, just keep trying until you get it right.

I like BIP38 encryption.

Well... Look, I understand that a 2-of-3 seems better and many people advise in favour of it.

However, I don't like it because I haven't found a way to properly backup the xpubs.

For those who read this, but don't know how multisig works, you basically need all the xpubs of all the cosigners to describe the wallet, but you need part of them to sign the transaction.

So:

2-of-3 : A, B, C - You need all the xpubs and 2 of the seed phrases

2-of-2: A, A, B, B: You need all the xpubs and the 2 seed phrases.

Let's back these up.

In the 2-of-2 you need 4 backups for the seed phrases but you don't need to backup the xpubs because they can be derived from the seeds.

In the 2-of-3 you need one backup of each seed phrase and one backup of each xpub.
You could do it like this:

Location 1: Seed A, xpub B
Location 2: Seed B, xpub C
Location 3: Seed C, xpub A

You have the same redundancy, because losing one location will allow you to have the necessary pieces to unlock the wallet (all the xpubs and the 2 seeds)

But, I haven't found a good way to backup the xpubs. They are huge sentences of random characters, so one simple mistake can lead to money loss.

This is why I avoid 2-of-3.


I understand. So, without giving away your setup, what do you think is a better way to do your self-custody ?

That would be the holy grail of self-custody. I've never been able to find it, and until this day I'm not completely comfortable with the balance between keeping my funds secure, and making sure nobody else gains access. I am content with my current setup, but it's not perfect. I've never seen a perfect solution.

Why not 2-of-3, so you only need locations A, B and C? With this setup, 2 locations are always enough to restore your funds. With your 4 locations, having only 2 remaining locations gives a 50% chance of losing access to your funds.

I don't like multisig. It's not intuitive, I'd always fear I'd mess up, and it increases transaction fees.

So your biggest fears are

• Backup being destroyed by some unexpected event (fire, flood etc).
• Locking yourself out because you have lost / forgotten the backup of the wallet (or a piece of the backup).

Well in this occasion you are clearly looking for a multisig wallet.
The easiest way to go about it is:

1. Generate 2 wallets (A, B) with 12 words each. Generate them offline of course.
2. Create a dual backup for each wallet. So you will have the following backups: A, A, B, B.
3. Generate a multisig vault, offline. Set it up to be a 2-of-2 multisig where the cosigners are A and B. Create the vault in watch only mode, using the xpubs of A and B.
4. Send a small amount of funds to one of the addresses. Then try to send the amount of the wallet, signing offline with both the wallets. This will essentially test the wallet
5. Fund the wallet with your funds.
6. Save the backups A, A, B, B in 4 separate locations.
7. Check the locations once or twice a year, replacing the old paper with new ones.

So, now, you have eliminated both of your fears.

1. Its highly unlikely that the backups will be destroyed at the same time due to some flood or fire. In fact even if 2 of the 4 papers get destroyed you still have a chance to recover the wallet if the backups were not from the same wallet. Even if one of the backups gets destroyed you are perfectly fine.

2. You have great redundancy with this system. The wallet is safe because there is not a single point of failure. As I said, you can lose one of the backups. It's ok. You can even lose two and still have a chance to save the situation with a bit of luck.

To be honest, the 2nd and the 4th event are my biggest fear, and I think the most likely to happen to me, objectively. The first one(robbery) comes after them. And I would put the 2 last ones at the same rank, after those 3. Because if you think you are unable to cope with that, or too much afraid of that, for me it doesn't make sense to invest or at least, to hold critical amounts of funds in cryptocurrencies since it's an inherent risk to this asset.

Ok, let's narrow down the solution list. Shall we?
Firstly, can you put in order your biggest fears / threats?

• Thief finding the backup and stealing the money.
• Backup being destroyed by some unexpected event (fire, flood etc).
• Locking yourself out of the wallet due to some technical error (example: not being able to re-create a multisig vault properly).
• Locking yourself out because you have lost / forgotten the backup of the wallet (or a piece of the backup).
• Losing funds because of a hack (brute-force, malware, keylogger etc).

Add any other threat you want.

It's not safe enough for me, a sheet of paper can be too easily burnt, torn, erased, lost, eaten... and even with a back-up hidden in another place it's not a convenient solution for me, since I can't go to this place whenever I want, especially within few hours when I need to add a new seed.

I'm looking for a safe and convenient solution precisely, if I already knew one way to address all those matters you are referring to, I wouldn't open a topic for that purpose. But I don't think your first 2 questions are really difficult to overcome. At least, I'm less scared by that, than to lose my seeds because of an unexpected event. The 2 last ones, are more concerning actually.

Me too. It all depends on what you are most afraid of.
If you fear that the backup location is not very safe, then you can add a passphrase.
If you are sure that the location is safe, then there is no need to add a passphrase, since the backup can't be easily compromised in the first place.

Following BIP85 standard Passport 2 allows to generate up to 20 child-seeds from the single master SEED. Those master SEED can be stored in both way SeedQR format (either Compact SeedQR or SeedQR) and ordinary writable one.  Also, each of 20 child-seeds can be saved in both format. Initial master SEED can not be found back by using any number of those child-seeds.

You could use words instead of a password, to prevent mistakes writing it down. I prefer to use different seeds though, it seems easier.

Well, to be exact, it is not very difficult to brute-force, but it rather, it is infeasible to brute-force.

This passphrase will never be brute-forced. But, I make 2 assumptions here:
1. There are no uppercase characters.
2. There seem to be some patterns, but I guess they must be copy-pasted to showcase the length of the passphrase.

If the assumptions are true, then:

(a) You have 146 characters.
(b) Your dataset consists of LowerCase, Numbers and Symbols. Thus, your dataset includes 95 (total printable ASCII characters) - 26 (upper case letters) = 69.

Therefore, the complexity in bits is: ln(146^69)/ln(2) = 496.09 bits.

---

BIP85:

• BIP85 is easier to backup. You will only backup 12 words twice and then you will backup the "index number" for each wallet. The latter can be backed-up anywhere. It's just a number (eg. 107, or 9, or 999), so nobody can expect that this has anything to do with Bitcoin. So, you can just backup the words and you can derive all the wallets at indices 107, 9, 999 with the same words and a wallet that supports BIP85.
• It's not as secure as passphrases. The index numbers can go up to 10,000 so brute-forcing the wallets is super easy, if the attacker gains access to the words.

Passphrases:

• Passphrases are better if you want to make sure the the attacker who gains access to the words has no way to access your wallet.
• Passphrases are more difficult to backup. You absolutely need to backup the passphrase twice. Not once. So this leads to the need for more secure places to store your backups.

To conclude, if you are afraid that the seed words can be compromised, then use passphrases, making sure to backup the passphrases in separate locations.
If you think that your words are safe, then simply use BIP85 and use random index numbers from 1 to 10,000. Also add some sats to the wallet on index 0, so that the attacker may think that these are your only funds.

That is true. But I have made no mistake yet. I will read more about BIP85. I have not read about it before and it can be a good solution and it is exactly what Saint-loup is looking for. Thanks for bringing my notice to some flaws about my backup.

This brings me to the next problem: the seed phrase is a human readable interpretation of a long random number. It's easy to write down, without a high risk of making mistakes.
Your password doesn't have that luxory. If you make a mistake, you're screwed.

I have several seed phrase but I decided to use this for my online wallet when the seed phrase is getting too much for me. I have offline wallet that I used passphrase with also and I have muitisig which I have for different purposes but their seed phrase are not many unlike my online wallets. The purpose for the 3 wallets with the same seed phrase are for online reasons and I use it for small amount of money.

The passphrase is something like this @_++3$+sbsgsvsvsghsgshs$$((_-466-4;$$;3-_+32-$-dbdhsvshshjjdjdhshdhe+_+4+33-$-$;3-3&$-$;3;3;;3-nsbshdbrjsusbendkdudbebdbdhhddb$$7_63;$!38!;_+4!3++ which will be very difficult to brute force.

Anyone that will brute force the seed phrase would have spent more money that is far more than the coins on it.

Offline wallet seed phrases should be different from online wallet seed phrases.

Why? Writing down multiple seeds is a small effort to keep your funds safe.

That means you'll enter your seed on multiple devices, which (by definition) increases the risk of exposing your seed.

As Stalker22 suggested, the closest solution to what you are looking for is BIP85.

To summarize, BIP85 makes it possible to derive from the original seed infinite seeds, WIF or XPRIV through indexing from 0 to what is allowed by this BIP similar to what an HD wallet does to derive the private key addresses via index i.e: m/0/0/0 address1, m/0/0/1 address2 and so on. But in BIP85 it's directly from a number that goes from 0 to unknown, for example 999999.

When choosing an index number, it'll always generate the same seed, WIF or XPRIV, if the seed is protected by the BIP39 passphrase it'll generate completely different seeds and the rest.

In BIP85, the seeds generated are unique and the child seed cannot reach the mother seed, so there is no problem if an attacker discovers your child seeds if your funds are in the mother seed (this is just an example), because with the child seeds they'll not be able to calculate up to the mother seed.

You can use this for plausible deniability, for example, generating a BIP39 seed, protecting it with Passphrase BIP39 and generating a new seed using this seed in BIP85, with this you can safely store your original seed, because even if an attacker physically accesses your original seed, he still needs to know the BIP39 Passphrase and in addition, he still needs to know which index you used to access the seed that contains your funds, and you can still protect this child seed with BIP39 Passphrase making it even more difficult for any attacker.

Realize that your security increases, but with great power comes great responsibilities, the risk also increases a lot:

• There is a high chance that you will make a mistake in the middle of the setup.
• Will you remember how to recover the funds if many years pass?

I think that an extended seed (seed + passphrase) would already meet your demand, because a wallet protected with BIP39 passphrase, even if the attacker physically accesses your seed, unless he doesn't know your BIP39 Passphrase, it will be useless for him to try anything.

Furthermore, as some mentioned, passphrases make it possible to create infinite wallets using a single seed.
Be careful, do your research before making any decision, because in bitcoin, one slip-up can cost you all your funds.

This is a very good initiative, to even make it better I will have to go through the process of even sending a little amount into the single wallet without passphrase so that should it be compromised the scammer can be lure to thinking that’s the only thing behind that seed phrase and that gives one the opportunity to create a new seed phrase and move funds out of those in the encrypted with passphrase.


This seems to be a good idea for those looking to have many different wallets with different seed phrases but the only problem I have is that the master seed phrase is still a single point of failure to all the other parent seed phrases, just like we currently have with master private key in HD wallets

Your question sounds a lot like the proposal described in BIP-85:
https://github.com/bitcoin/bips/blob/master/bip-0085.mediawiki

According to this article post, AirGap Wallet uses this method to manage multiple mnemonics: Secure Mnemonic Management with BIP85

When I was having to many seed phrases, I was thinking about this. But the solution I went for at the time was that I created several passphrase from a single seed phrase. Presently I have just one of it which is a seed phrase with 3 strong passphrase which I backup separately in different places that people can not notice.

That is going to be hard because you can't convert the master private key to a seed. What wallet software are you using by any chance?

Have you tried using a single seed phrase, but with different seed passphrases for each one (so called 13th word)?

Thank you very much for your solution, and sorry if I was not clear enough in my topic but I want to derive BIP39 mnemonic seeds. I don't want to cope with keys because (almost) all wallets accept BIP39 seeds currently. But not all of them accept master keys unfortunately. In addition it's more easy to deal with mnemonic seeds than with BIP32 hexadecimal or base58 keys actually.  

Your answer is to use the Hierarchical Deterministic (HD) derivation technique used inside most wallets.

When you make a seed phrase, it encodes a Master private key. From this, you can derive more Master private keys given a non-negative number, and a Boolean (hardened or not hardened).

That means you can derive the seed phrase at m/0', m/1', and so on, depending on how many seeds you need, to create your child seed. The ' quote stands for hardened derivation. It prevents the parent key from being reverse-engineered.

IanColeman website should be able to help with that.

Hello
For obvious privacy concerns, I would like to be able to use several wallets based on different seeds. But it's very difficult to safeguard and safely manage multiple seeds.
So I would like to be able to deterministically produce several bip39 standard mnemonic seeds from an initial one I can protect. But I don't want to be able to find back the initial seed in any way from one or several daughter seeds. And I don't want to be able to find any sister seed from one or several other ones.
What is the most convenient way to do that please?