-
Notifications
You must be signed in to change notification settings - Fork 37
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mnemonic storage on a (dedicated) microSD card #190
Comments
2. is awesome... Sparrow, BlueWallet, Electrum and others already have this concept of a Wallet password (or PIN) to encrypt the mnemonics (and other wallet data), and it is important to make sure the user don't misunderstand this concept and the extra word (passphrase) of BIP-39 because some users don't backup their passphrase thinking that it is just a protections/lock in the software and not something necessary to restore your mnemonic seed bkp. So I think that reusing the BIP-39 passphrase automatically as a password for encryption too is somewhat confusing even for advanced users, because other software's don't have this behavior. 3. the way you described it seems to me that this will make the process unsafe. Most of the losses are related to the users own fault rather than an attack vector by a third party. Maybe we can add this feature in a way that if the user type a certain "wipe password", the mnemonic is not loaded and the encrypted file is deleted. We can also think about a "plausible deniability" way to access the mnemonic with the correct password but a different BIP-39 passphrase, allowing the user to verify addresses and sign transactions of a wallet with less funds than his "real wallet". 1. I don't see any problem to use the same SD card as settings, logging, PSBT, etc (as these information's are not sensitive). So only 2 SD cards would be needed. |
2. Good point. Better to keep them separate. 3. Yeah, wipe after load may be too aggressive to do by default, but the option to wipe the file from a card would be necessary if you wanted to retire an old card or something along those lines. 1. I probably wasn't clear. I'm envisioning the card holding a mnemonic to be only briefly used. Something like:
The "Remove your mnemonic card" could prevent continuing as long as So, yes, you would end up having one card if you only used microSD for your mnemonic, or two if you wanted to save settings, PSBTs, etc. |
Found a discussion of this same idea in the seedsigner-os repo: SeedSigner/seedsigner-os#31 They mention that ColdCard generates a 12-word mnemonic encryption key. Using a mnemonic for this is a good idea because:
All that said, the more I think about it I don't see why Krux should require a mnemonic to be encrypted when exporting to a dedicated microSD card. It being optional does make it easier to shoot yourself in the foot, but the same could be said for the existing export methods. A compromise between the two would be to use the SIGNER_PUBKEY to encrypt the mnemonic if the user chooses not to provide an encryption key of their own. Since Krux already knows this (public) key and uses it to verify firmware builds, it would be available on the device to both decrypt and encrypt mnemonics. Users who build Krux from source and change the signer pubkey to their own would be even safer. |
There are two schemes on Coldcard to secure your seed bkp. One is the Seed XOR, the ability to combine 2 seeds to create a third using the bitwise operator XOR (this third seed will only exist temporary on the device) https://seedxor.com/ . The other one is encrypted seed bkp https://coldcard.com/docs/backups . I think it is important to understand the differences and tradeoffs of both methods, that can be applied simultaneously too! I also agree that if Krux exports unencrypted bkps there is no need to require an encrypted bkp just because it's on an SD and the user can make a mess... IMHO Krux is just a tool to help the user interact with Bitcoin , it's always good to tell the user what Krux does (and maybe what the user should do), but I don't think Krux needs to "protect" the user from itself, or hide/disable features for the user "for its own safety" |
If you were to use a microSD card exclusively for storing a mnemonic, in theory there's no obvious difference between storing a plaintext file of your mnemonic on an SD card vs. as a QR code on paper, assuming:
However, in Krux we already use a microSD card for storing firmware updates, saving settings, and (if enabled) writing log files that we expect could be opened up on a computer. Therefore, given that we already set the precedent that microSD cards are for "safe" data to plug into a computer, I think we need to go a few steps further if we want to enable this functionality:
The text was updated successfully, but these errors were encountered: