Suggestions about the best ways to backup seed phrase

[AakZaki]

2. Paper back up
Seed phrase can be written on a sheet of paper with pencil, but this method is poor as it can be affected by liquid, but still good if you can save it in a place that no liquid can contact or touch it.

Using backup paper is a good choice in my opinion, because backup paper will not be connected directly to the online network and is always offline. If you are afraid of being exposed to liquids, the spare paper can be given plastic lamination so that it will be safe from liquids and won't be easily damaged.

However, the main factor is how you store it so that the backup paper containing the seed phrase is safe from the hands of others and only you and the people you trust can hold it.

[Charles-Tim]

2. Paper back up
Seed phrase can be written on a sheet of paper with pencil, but this method is poor as it can be affected by liquid, but still good if you can save it in a place that no liquid can contact or touch it.

Maybe you have drafted this immediately I created this article, I have changed it even before the first person commented, I changed it from poor to good because writing seed phrase down is one of the best ways for seed phrase back up. Many people have commented and they did not see such an obbious mistake because I changed it even before first person commented.

[Macadonian]

You should in any circumstance allow your seed to touch a digital storage device after creating it and I would even give the advice to people that you should avoid creating your Bitcoin wallet and its seed on a live computer connected to the internet. What you should do is create it on a offline computer which has been secured and then write the seed down physically. Its up to you if you want to use lamented paper to avoid it getting wet or place it in a fire proof safe what is important is that seed has not been on a computer which is connected to the internet otherwise you are at risk of it already being compromised before even storing it.

[Ryker1]

2. Paper back up
Seed phrase can be written on a sheet of paper with pencil, but this method is poor as it can be affected by liquid, but still good if you can save it in a place that no liquid can contact or touch it.

Using backup paper is a good choice in my opinion, because backup paper will not be connected directly to the online network and is always offline. If you are afraid of being exposed to liquids, the spare paper can be given plastic lamination so that it will be safe from liquids and won't be easily damaged.

However, the main factor is how you store it so that the backup paper containing the seed phrase is safe from the hands of others and only you and the people you trust can hold it.

Well, there are some factors that perhaps back up paper will be lost even it is well laminated or covers with hard plastic, --just like what happened to my friend. All papers documents he had were burnt when their house was accidentally burnt and nothing left. Perhaps OP includes of back up seed phrase through a piece of hard metal engraving. You can hide this anywhere without worried about being wet or burn. Indeed, this is a good suggestion of OP thread and we are the one who is responsible for this to keep in a safe place and my suggestion though is good for an uninspected disaster.

[witcher_sense]

"Seed phrase" and "mnemonic phrase" are the same thing. I think you are confusing "seed number" with "seed phrase". See here: https://en.bitcoin.it/wiki/Seed_phrase#Alternative_name_.22Mnemonic_Phrase.22

Further, a 512 bit seed is not derived directly from entropy. The steps are generate 128 or 256 bits of entropy, use SHA256 to calculate and then append the 4 or 8 bit checksum, split in to 11 bit sections and convert to a seed phrase, then use the seed phrase and optional passphrase as input parameters for 2048 rounds of PBKDF2 to generate the 512 bit seed.

Until I read it on wiki, I had no idea that "mnemonic" is a obsolete term, especially, when there is a constant string called "mnemonic" in function used to derive root seeds and is being used as an input in HMAC-SHA512 function. This part may be confusing because there are plenty of things called "seed number", "seed phrase", "root seed" and so on. So, root seed is the number which is derived from seed phrase plus some salt. Salt is the passphrase we use to add some additional security, it also can be equal to "none" when we decide not to use a passphrase at all. Root seed plus passphrase is the number that is used to generate HD wallets. What did I miss here, because it seems I used older literature to find out how things work, maybe I have missed something? Why do we prefer to backup a seed phrase instead of entropy?

[pooya87]

encryption is missing here.
although it may not be the critical factor for many since the backup is stored at home and usually outside of reach of anyone, but it still is a good idea to encrypt what you store too.
unfortunately i have not seen any tools or proposals about encrypting mnemonics but it still isn't a complicated thing since you can easily treat it as a text that you encrypt and then print the encrypted result on paper.

BTW we can't consider Shamir Secret Sharing as an alternative to encryption. it is for secret "Sharing".

I think that part of the reason we haven't got any proposals or solutions regarding encryption of mnemonics yet is because this contradicts the idea of ​​the mnemonic phrases themselves. Encrypted mnemonics are no longer easy to remember, it would be look like getting back to storing of single private keys to each address, which was not very convenient approach, quite the opposite. It also contradicts to the idea of plausible deniability, since there will be the only one key to decrypt your mnemonic. Of course, you still can encrypt it with additional passphrase, but it might become very complex security, which means you have to keep too much private key, possibility of losses increases.

you are thinking about it all wrong.
mnemonic is the human readable encoding of raw data. that raw data can be your entropy (which is what BIP39 or any similar proposal does) or it can be the encrypted result.
for example the phrase could be encrypted using AES-256 to get a fixed vector result then that "raw data" can be encoded using the same scheme used by BIP39 to get similar looking set of words with different lengths depending on the length of the input.

example

Code:

mnemonic: legal winner thank year wave sausage worth useful legal winner thank yellow

AES-256-CBC encrypt using (http://cryptojs.altervista.org/secretkey/aes_cryptojs-v3.html)

Code:

passphrase: 8352dd9eb8b64669e0a8347fd37ae6e5
{
"iv":"b73afe9d14be3180f8e2001c9b86e601",
"mode":"CBC",
"padding":"NoPadding",
"keySize":256,
"cipher":"aes",
"salt":"0ed17b7de6e75d7d",
"ciphertext":"VTJGc2RHVmtYMSsvekJFdXpRTHlnUVc2R0RvaTAyQlNBdnRnSERnYlRCZm90enFDZGxKWlBhV2hSUVB3ZEdycAo5Z2R4dkdTR0hIZWNKci9mYlNOZGRhWnZaUFUyWkprdEk5MERMNXlzZUlMQzRoQTBsRVBMdmpKWktRPT0=",
"time":0,
"status":"success"
}

playing with the encrypted result (ciphertext) ignoring salt and IV for simplicity:

Code:

base64: VTJGc2RHVmtYMSsvekJFdXpRTHlnUVc2R0RvaTAyQlNBdnRnSERnYlRCZm90enFDZGxKWlBhV2hSUVB3ZEdycAo5Z2R4dkdTR0hIZWNKci9mYlNOZGRhWnZaUFUyWkprdEk5MERMNXlzZUlMQzRoQTBsRVBMdmpKWktRPT0=
base16: 553246736447566b58312b2f7a4245757a514c796751573647446f693032425341767467484467625442666f747a7143646c4a5a5061576852515077644772700a3967647876475347484865634a722f6662534e6464615a765a5055325a4a6b74493930444c35797365494c43346841306c45504c766a4a5a4b513d3d
base2: 01010101 00110010 01000110 01110011 01100100 01000111 01010110 01101011 01011000 00110001 00101011 00101111 01111010 01000010 01000101 01110101 01111010 01010001 01001100 01111001 01100111 01010001 01010111 00110110 01000111 01000100 01101111 01101001 00110000 00110010 01000010 01010011 01000001 01110110 01110100 01100111 01001000 01000100 01100111 01100010 01010100 01000010 01100110 01101111 01110100 01111010 01110001 01000011 01100100 01101100 01001010 01011010 01010000 01100001 01010111 01101000 01010010 01010001 01010000 01110111 01100100 01000111 01110010 01110000 00001010 00111001 01100111 01100100 01111000 01110110 01000111 01010011 01000111 01001000 01001000 01100101 01100011 01001010 01110010 00101111 01100110 01100010 01010011 01001110 01100100 01100100 01100001 01011010 01110110 01011010 01010000 01010101 00110010 01011010 01001010 01101011 01110100 01001001 00111001 00110000 01000100 01001100 00110101 01111001 01110011 01100101 01001001 01001100 01000011 00110100 01101000 01000001 00110000 01101100 01000101 01010000 01001100 01110110 01101010 01001010 01011010 01001011 01010001 00111101 00111101 

Code:

groups of 11:
01010101001 -> 681 -> festival
10010010001 -> 1169 -> mutual
10011100110 -> 1254 -> orphan
....

now you have the encrypted mnemonic with a new set of words!

[witcher_sense]

~
now you have the encrypted mnemonic with a new set of words!

So, instead of keeping in secret only one piece of data, which is unencrypted seedphrase, the average user will have to keep several pieces of data. Encrypted seed phrase needs to be hidden just in case to avoid undesired leaks of information, I don't want to expose even encrypted one. A passphrase to decrypt our AES encrypted file needs to be hidden, otherwise, it becomes a lot easier to crack our security (in case we used additional passphrase to our unencrypted seed). A passphrase to our unencrypted seed phrase needs to be hidden. We also need a back up of our seed phrase, just in very possible case we forget or lose our key used to encrypt a seed phrase. What s the point of such complexity in the first place?

[pooya87]

~
now you have the encrypted mnemonic with a new set of words!

So, instead of keeping in secret only one piece of data, which is unencrypted seedphrase, the average user will have to keep several pieces of data. Encrypted seed phrase needs to be hidden just in case to avoid undesired leaks of information, I don't want to expose even encrypted one. A passphrase to decrypt our AES encrypted file needs to be hidden, otherwise, it becomes a lot easier to crack our security (in case we used additional passphrase to our unencrypted seed). A passphrase to our unencrypted seed phrase needs to be hidden. We also need a back up of our seed phrase, just in very possible case we forget or lose our key used to encrypt a seed phrase. What s the point of such complexity in the first place?

only 2 not several: 1 piece is the encrypted result and 1 piece is the password used for encryption.
and yes it is a little more complicated than just writing down the unencrypted mnemonic but that is how security is. it requires a lot of effort.

P.S. note that what i posted above is just an example showing the idea. i don't know how secure the site used for AES encryption is, or the method might have some flaws.

[o_e_l_e_o]

So, root seed is the number which is derived from seed phrase plus some salt.

Correct.

Salt is the passphrase we use to add some additional security, it also can be equal to "none" when we decide not to use a passphrase at all.

Almost. For BIP39 wallets, the salt is actually the word "mnemonic" concatenated with your passphrase. If you don't use a passphrase, then the salt is just the word "mnemonic" on its own.

Root seed plus passphrase is the number that is used to generate HD wallets.

Not quite. Seed phrase plus passphrase is used to generate 512 bit root seed. Root seed on its own is used to generate the master private key and master chain code for your HD wallet.

What did I miss here, because it seems I used older literature to find out how things work, maybe I have missed something?

There's a very good explanation of how we go from entropy all they to addresses in Mastering Bitcoin here: https://github.com/bitcoinbook/bitcoinbook/blob/develop/ch05.asciidoc#wallet-technology-details

Why do we prefer to backup a seed phrase instead of entropy?

Because it is human readable, and far less error prone. You are far less likely to make a mistake writing down 24 words than you are writing down a sequence of 256 ones and zeros.

[hatshepsut93]

Banks are the same, though the difference is mostly if the bank is robbed, then it's almost a guaranteed goodbye tbh.

When banks are robbed these days, it happens with small local branches and robbers only take cash. No one does those heists that you see in movies when they break into storage room, and even if it somehow happened, no one would care about personal deposit boxes, where you'd store a seed. The danger of bank is that it's a their party custodian and they can seize your coins, if the private key isn't encrypted.

Home is both a safe and dangerous place to hide your stuff. Thefts coulld easily determine which is important or not if you hide it in safes and the like so it's actually just better to hide it in a nonconspicious way or just make a hidden compartment.

This is an example of security by obscurity, which is generally regarded as a bad things. Thieves and police officers know how to quickly search a house for hidden things, so if someone know what to look for, in this case a piece of paper or a USB stick, then they will likely find it.

No method is perfect, if you store seed in plaintext, you're risking your coins getting stolen, if you encrypt it, you risk locking yourself out of your coins if you lose the password.