Coldcard Q passphrase backup question

[Solo6R]

I'm getting more comfortable with my cold storage and was curious about storing the passphrase of my 24 seed word to an SD card like coldcard let's you do. I've been completely air gapped up until this point and wondered if it was safe to use the same SD card for transactions. This means the transactions get saved to the SD card from sparrow, and loaded and signed in coldcard, then back to sparrow to broadcast the signed tx. Does the act of having that passphrase backup on the same SD card now break the air gapped setup? Should I continue to use the same SD card or get another one for the passphrase backup, and keep one to sign transactions?

For further clarification I am NOT storing or doing a seed phrase backup, but JUST the passphrase.

[Charles-Tim]

Be it seed phrase or passphrase backup, it is better and secure to let it be left somewhere safe without using the SD card any other thing than backup. Make sure the backup are two or three in different locations.

I think Cold card Q supports QR code. Why not use the QR code option for making transactions instead of using SD card?


Seed phrase is the 12, 25, 18, 21 or the 24 words that the wallet generated for you.

Passphrase is the extended word if you prefer to add it. It will generate different keys and addresses. Just like the seed phrase, you need the passphrase with the seed phrase to access your coins if you add passphrase. Some people use it, backup the passphrase in different locations from the seed phrase and also having like two or three backups of it. It helps to increase the security of your coins against offline attackers.

[BitMaxz]

That's pretty risky if you put your backup phrase into the SD card that you usually use for signing coldcard and back to Sparrow wallet which we know is connected to the internet that's not a good idea you need to separate them to save your backup phrase to other storage. SD card is not a good place to save backup phrases writing them down on a piece of paper should be a safe way to protect your backup from online attacks but vulnerable to physical attacks and damages so if you can buy something harder than paper like keystone that would be the best backup storage.

[Solo6R]

That's pretty risky if you put your backup phrase into the SD card that you usually use for signing coldcard and back to Sparrow wallet which we know is connected to the internet that's not a good idea you need to separate them to save your backup phrase to other storage. SD card is not a good place to save backup phrases writing them down on a piece of paper should be a safe way to protect your backup from online attacks but vulnerable to physical attacks and damages so if you can buy something harder than paper like keystone that would be the best backup storage.

Just to be clear, I'm not storing the seed phrase, just the passphrase. Coldcard encrypts it and puts it on the SD card so it can use it, rather than typing it in every time. I'm not storing it as some kind of plain text in a text file that I made or something. Still not a great idea? Even though it's a feature of the device?

[Charles-Tim]

Just to be clear, I'm not storing the seed phrase, just the passphrase. Coldcard encrypts it and puts it on the SD card so it can use it, rather than typing it in every time. I'm not storing it as some kind of plain text in a text file that I made or something. Still not a great idea? Even though it's a feature of the device?

You mean Sparrow keep asking for passphrase after you put your password? I noticed this when I was using Sparrow also. To be on the safest side, it is better you backup the passphrase offline in a separate location from your seed phrase and use your keyboard to write it on Sparrow wallet. Although, if an offline attacker do not have any clue about it, your suggestion is safe. But I can not go for it.

[BitMaxz]

Just to be clear, I'm not storing the seed phrase, just the passphrase. Coldcard encrypts it and puts it on the SD card so it can use it, rather than typing it in every time. I'm not storing it as some kind of plain text in a text file that I made or something. Still not a great idea? Even though it's a feature of the device?

Since the passphrase is a part of the seed phrase it is still not safe if you just save and store it on an SD card that you usually use to connect to an online device. For complete protection and to make sure your wallet is safe better put your passphrase to any offline device you want or write it down on a piece of paper. If you keep your passphrase into that SD card that you usually use for signing and connecting to Sparrow you already break one of the rules to protect your wallet from online attacks.

[Solo6R]

Just to be clear, I'm not storing the seed phrase, just the passphrase. Coldcard encrypts it and puts it on the SD card so it can use it, rather than typing it in every time. I'm not storing it as some kind of plain text in a text file that I made or something. Still not a great idea? Even though it's a feature of the device?

You mean Sparrow keep asking for passphrase after you put your password? I noticed this when I was using Sparrow also. To be on the safest side, it is better you backup the passphrase offline in a separate location from your seed phrase and use your keyboard to write it on Sparrow wallet. Although, if an offline attacker do not have any clue about it, your suggestion is safe. But I can not go for it.

No, sparrow doesn't ask for it. Coldcard makes you put the passphrase in every time, which is fine. OR you have the option to backup your passphrase to an SD card and tell Coldcard to use that. Not sparrow. Sparrow has nothing to do with it.

[Charles-Tim]

Since the passphrase is a part of the seed phrase it is still not safe if you just save and store it on an SD card that you usually use to connect to an online device. For complete protection and to make sure your wallet is safe better put your passphrase to any offline device you want or write it down on a piece of paper. If you keep your passphrase into that SD card that you usually use for signing and connecting to Sparrow you already break one of the rules to protect your wallet from online attacks.

I think offline attack is more possible with this because coldcard seed phrase will be kind of impossible to be known by online attackers. If QR code is used, it is perfectly airgapped in a way nothing can reveal the seed phrase to any online attacker. I do not know much about the SD card but Coldcard kind of recommending it.

Your COLDCARD doesn't store passphrases, therefore backup files don't contain passphrases. Backups capture the original seed, not the extended private key created by the passphrase. Passphrases can be stored on a microSD card whenever they are applied.

But I prefer just QR code for making transactions and also my passphrase to be stored on offline in a way I will have to type it manually.

[Solo6R]

Since the passphrase is a part of the seed phrase it is still not safe if you just save and store it on an SD card that you usually use to connect to an online device. For complete protection and to make sure your wallet is safe better put your passphrase to any offline device you want or write it down on a piece of paper. If you keep your passphrase into that SD card that you usually use for signing and connecting to Sparrow you already break one of the rules to protect your wallet from online attacks.

I think offline attack is more possible with this because coldcard seed phrase will be kind of impossible to be known by online attackers. If QR code is used, it is perfectly airgapped in a way nothing can reveal the seed phrase to any online attacker. I do not know much about the SD card but Coldcard kind of recommending it.

Your COLDCARD doesn't store passphrases, therefore backup files don't contain passphrases. Backups capture the original seed, not the extended private key created by the passphrase. Passphrases can be stored on a microSD card whenever they are applied.

But I prefer just QR code for making transactions and also my passphrase to be stored on offline in a way I will have to type it manually.

I would have no problem using QR code but I don't have a webcam. Just the QR code reader on my coldcard.