Do you mean running Tails as a virtual machine within Windows? Or do you mean bypassing Windows altogether and simply booting the computer from the Tails USB? I wouldn't recommend the former, but I suspect you are talking about the latter.

If you boot to Tails, therefore completely ignoring Windows, and never connect to the internet or any other methods of communication while within Tails, then this is certainly a safer option than simply using Windows, and a good option if you cannot dedicate a device to be permanently airgapped. It would be even better if you can physically disconnect any connectivity hardware (unplug Ethernet cables, disconnect WiFi modules, etc.) and better still if you can physically disconnect any persistent storage (such as your hard drive(s)) while you are using Tails. But obviously the best option would be if you can dedicate an old machine to do this on which will never boot Windows or go online ever again.

It is very easy to descramble a 12 word seed phrase in which all the words are known, and this can be done in under an hour on even a modest home computer. A 24 word scrambled seed phrase, however, will be impossible to unscramble.

If an attacker was going to try to brute force your seed phrase, then sure, a longer seed phrase makes it more difficult for them. But as pooya says, the individual keys will always have 128 bits of security, so an attacker whose best attack is simple brute forcing will obviously choose to target this instead.

There is already precedence for this. Blockchain.com, for example, used to give out recovery phrases which were not BIP39 phrases, but rather simply to recover access to wallet files on their platform if uses had forgotten their passwords. Now, many years later, although they claim to still support these phrases many users find themselves unable to recover their wallets. Another example is Coinbase, which used to run multi-sig vaults, have discontinued their support of them, and users can no longer recover access to their funds despite possessing the necessary back ups. Even something as simple as a wallet using a non-standard derivation path is enough to cause huge amounts of problems trying to recover your coins. And that's without even mentioning bugged, flawed, or malicious software, which might not derive the correct keys like you think it is doing.

It is always smart to test your back up or private keys with different software.

Was just about to upload it, but looks like it's already doing the rounds on Twitter: https://nitter.it/Arthur_van_Pelt/status/1575785115061432320#m

---

If you open the file "Bilag 15" from the pack that Greg has rehosted above, you can see the emails from Andresen pertaining to the signing session. In particular page 5, an email from Jon Matonis to Gavin Andresen, includes the following quote (emphasis mine):

On the following pages it seems that the only convincing Andresen asked for beyond that was an email from CSW on the current "State of Bitcoin". CSW's reply on pages 9-11 reads very much like CSW and not at all like Satoshi, but apparently was enough to convince Andresen.

This becomes fairly clear in the emails you can read in the following pages of the same document as above.

I've got the archive downloaded. I can share images of the NDA tomorrow when I'm back home. If someone can tell me somewhere that will host the archive which won't 404, happy to upload it there too.

Edit: Greg beat me to it: https://www.reddit.com/r/bsv/comments/xp5qy9/fresh_from_oslo_craig_wrights_submitted_evidence/iqmpu1f?context=3

If you're interested, you can actually see the NDA that Andresen signed. It's part of the archive that Greg linked to earlier: https://bitcointalk.org/index.php?topic=5413844.msg61016128#msg61016128. The file is "Bilag 13" in the "attachments" folder.

There is an identical NDA for Jon Matonis under "Bilag 12", and a similar one for GQ Magazine under "Bilag 14".

Sure, but a flash drive is just a storage chip and nothing else, with no ongoing development needed. With a hardware wallet like Ledger, not only are you paying for more expensive hardware such as a screen and a secure element, but you are also paying for ongoing software development, new firmware, app updates, and so on, as well as a much larger and technical customer support base.

If you want a hardware wallet which is shock resistant and waterproof, there are ones out there which will fulfill that niche, but you will obviously pay more for them. It's never something I've been interested in - my hardware wallets are rarely in a situation where such things are a concern, and my seed phrase back ups render such features unnecessary.

But why? You can't be 100% certain you won't accidentally reuse an old address in the future, or someone who sent you coins to one of your old addresses won't send coins to that address again in the future, assuming you still have access to it. If it's a wallet on your phone or PC, as you say, then you have nothing to lose by keeping a copy just in case. The file will be few megabytes at most. In the words of Satoshi:

---

The other way around this issue is to use full disk encryption, which I use on all my devices. If you use a strong enough decryption key, then it doesn't matter if you leave some data behind after shredding, as it will be meaningless to anyone who is able to recover it.

To expand on hosseinimr93's answer above:

The computational expensive part of brute forcing a seed phrase is turning that seed phrase in to the first address in the first account to check if it matches a known address or to check for history. This involves 2048 rounds of HMAC-SHA512 to produce the root seed, followed by another round to produce the master keys and chain code, followed by several more rounds to work down the derivation path m/84'/0'/0'/0/0 or similar, followed then by elliptic curve multiplication to produce a public key, then three SHA256s and one RIPEMD160s and a conversion to Base58 to produce an address, and potentially then looking that address up to check for history.

Conversely, rejecting a seed phrase with an invalid checksum is as simple as performing a single SHA256.

With a 24 word seed phrase with one missing word, on average I can reject 2,040 possibilities with a single SHA256, meaning I have to perform the additional steps outlined above 8 times.
With a 12 word seed phrase with one missing word, on average I can reject 1,920 possibilities with a single SHA256, meaning I have to perform the additional steps outlined above 128 times.

Glad you got it all figured out.

For future, if you are planning on using this method (coin flips, calculate checksum, convert to seed phrase manually) to generate a seed phrase, then you should do it on a device which is permanently airgapped. That means it does not have an internet connection and it will never have an internet connection again. Even better if you physically remove things like the WiFi card and Bluetooth chip to ensure it has no wireless connectivity whatsoever. You should also make sure the device is completely clean, which means formatting it and installing a clean OS on it. If you are going through all this trouble anyway, then you would probably be better served simply installing a reputable open source Linux distro rather than Windows and Linux on top. There are a number of very easy to use Linux distros. Mint is probably the closest to Windows in terms of look and feel.

Correct. Hence me asking if you are sure the characters you have posted here are accurate. If I go to bitaddress and create a page of encrypted paper wallets, I can brute force missing characters with 100% accuracy. So either the string you have shared above has incorrect characters or is not a BIP38 key at all.

Are you able to share a high resolution picture of the key you have shared above (the one you said has no funds on it)? You can crop out the other keys. And you can share it privately if you prefer.

There is nothing it can do stop people from locally scaling the page it produces, so much that it is too large for a single piece of paper, which is what has happened here.

It could be, but it's unlikely. bitaddress's source code hasn't changed for 6 years. Are you 100% sure all the other characters are correct?

It can, and indeed, knowledge of the password is unnecessary. BIP38 keys use Base58Check, so it can brute force a few missing characters until it finds those that match with the checksum.

Edit:

I've tested the string you shared above: rgHM7eKVe37vCGtGQRVNRcN6pfa2gRAzaxdsG86RSmKdnMAEkPZnHJ

I'm unable to find any combination of 6P** (or 6P*string* or 6Pstring**) which creates a valid key. Again, are you sure you have the right characters?

The BIP38 encrypted private key will be right aligned with the line of text above it which should say "Encrypted Private Key (Password required)". If you can read all of that line (I can't quite make out whether you can see "required)" under the QR code from the small image you have attached), then you should also therefore have the end of the private key.

This would mean that OP's printer has cut off the the first 4 characters, the first 2 of which will be "6P", meaning he just has to brute force 2 characters in a known position, which will be relatively easy to do provided he knows the decryption password.

Edit: Actually, I've been able to recreate this by trying to print my own page of paper wallets from bitaddress and messing with the scaling factor up to around ~150%. It does indeed only cut characters off from the start. And actually, bitaddress only generates EC multiplied compressed keys, meaning all the keys will have the prefix "6Pn". So OP is only missing a single character from each key, in the 4th position, which will be between the characters "M" and "Z". Given that "O" isn't used in Base58Check, then that only leaves 13 possibilities for each key.

So much for Wasabi's coinjoin being compatible with centralized exchanges. This completely destroys that argument. And also note Gemini repeating the lie that everyone who wants privacy must be doing something illegal.

What a shitshow. Avoid all centralized exchanges, and avoid Wasabi.

A 2-of-3 multi-sig wallet requires two signatures to make a transaction. Usually, a 2-of-3 multi-sig wallet is split across three wallets, so that each wallet contains only a single set of private keys. With such a set up, to make a transaction you must first sign it from one wallet with one private key, then move it to one of the other two wallets to sign it with a second private key. Once it has two signatures, it can be broadcast.

However, you can also set it up so that a single wallet contains more than one set of private keys. If you have a wallet file which contains both an Electrum seed and can sign from your Trezor wallet, then this wallet will be able to provide the necessary two signatures on its own.

If you lose your hardware device, then you will still be able to recover your multi-sig wallet by using the seed phrase from your hardware device which you should have backed up.

To restore a 2-of-3 multi-sig wallet you either need all three seed phrases, or two seed phrases plus the missing master public key.

That's not how it works. Once you've created a 2-of-3 multi-sig, it will always be a 2-of-3 multi-sig. You cannot convert it to 2-of-2 and you cannot "partially" restore it. You will always need all three components to restore it.

Yes, your Trezor should be able to simultaneously support a bitcoin multi-sig wallet and altcoin single-sig wallets using the same seed phrase.

Ok, so if you've got the seed phrases then you should be able to recreate things and your funds should not be lost.

The signing you are doing with your Trezor wallet - are you doing this via Electrum too? If so, when you created this wallet, did you use the master public keys from the other two seed phrases along with your Trezor wallet?
If this is the case, then that wallet will only ever be able to sign one of the three parts, since it does not have the private key from the two Electrum seed phrases.

You'll need to create a new Electrum wallet, using one of the Electrum seed phrases, the other Electrum master public key, and the Trezor master public key. Once you've signed the transaction once with the Trezor, you can save it to your disk and then load it in a wallet created with one of the Electrum seed phrases to sign it a second time.

What makes you think I'm not already?

We'll need a bit more information to be able to help you out here.

First of all, do you have the three seed phrases, one from each of the co-signing wallets? Secondly, you say you can sign a transaction using your Trezor, but you can't sign it from either of your Electrum multi-sig wallets? Do the addresses in the multi-sig Electrum wallets match up with addresses from the Trezor multi-sig wallet?

If they are tracking your IP and/or location then it absolutely isn't anonymous. It doesn't matter whether or not you cross borders. If I can see from your location data that you spend 10 hours each night at the same address, then it becomes trivial to identify that as your house and therefore identify you. If I can see from your IP data (assuming you are not using Tor) that the same IP accessed this Facebook page or that Instagram page, then again, it becomes trivial to link that to an identity.

And there is no way to know what they are doing with that data. Blockchain analysis companies would pay top dollar for a list of names, locations, and IPs of individuals who are known to own bitcoin, doubly so when those names, locations, and IPs can be easily linked via Arculus' servers to all the wallets, addresses, and coins that those individuals own.

Because the -0 argument tells it to run in bits mode, but in your command you are not feeding it a string of bits, but a string of bytes. You need to feed it the entropy in 0s and 1s as I said before:

Try this command and see if you get the correct checksum.