Bitcoin Forum
Topic: Extra security for a paper wallet
Stalker22 (OP)
February 06, 2021, 09:44:05 PM
 #1

I'm just throwing my thinking here so excuse me if the question is stupid.

Would it be possible to add an additional layer of protection to seed phrase paper wallet? Some kind of randomization so no one can read it without a magic word.
I know it's possible to use a one-way encryption with keyword, but I wonder if there's a way without using additional tools or services? I wouldn't want to use anything that could compromise security.

What do you think? Maybe someone has already developed some proven system?

Charles-Tim
February 06, 2021, 09:56:01 PM
Merited by vapourminer (2), Coiner.de (1)
 #2

Quote
Would it be possible to add an additional layer of protection to seed phrase paper wallet?
A paper wallet does not generate a seed phrase; it generates a private key and address.

Quote
I know it's possible to use a one-way encryption with keyword, but I wonder if there's a way without using additional tools or services? I wouldn't want to use anything that could compromise security.
Using bitaddress.org, you do not need an additional tool to generate a BIP38 passphrase-protected paper wallet, which is enough for the paper wallet protection.

Quote
What do you think? Maybe someone has already developed some proven system?
No other recommendation than to use a BIP38 passphrase and also protect your private key.

NeuroticFish
February 06, 2021, 10:01:37 PM
 #3

Quote
Would it be possible to add an additional layer of protection to seed phrase paper wallet?

If you want to safely save your seed, I see at least 2 options:
1. Add some extra "custom" words to the seed. It means that you write down 12 or 24 words, but when creating the wallet in Electrum you'll put the seed in the correct place, then select that you want to add custom words.
2. Use Shamir backup
3. Use your imagination :) (I'm sure that you can find other non-standard things to do)


LE: I recommend that you save your seed in more geographically different locations if it's life changing money there

Stalker22 (OP)
February 06, 2021, 11:10:54 PM
 #4

Quote
Would it be possible to add an additional layer of protection to seed phrase paper wallet?
A paper wallet does not generate a seed phrase; it generates a private key and address.


Maybe I didn't explain well. I WANT to create a paper wallet (backup) with, for example, electrum on an offline computer and use generated address from it for long-term storage.

Charles-Tim
February 06, 2021, 11:44:19 PM
 #5

Quote
Maybe I didn't explain well. I WANT to create a paper wallet (backup) with, for example, electrum on an offline computer and use generated address from it for long-term storage.
Yes, that is very possible. You can create a paper wallet and import the private key on Electrum. Download the Electrum wallet from electrum.org, open the wallet, then click on Next > import Bitcoin addresses or private keys > paste or use the camera button to scan the QR code and press Next. Then, the wallet will be generated, but make sure you do it on an offline device with no connection to the outside world. But, in this case, only that one private key and address will be used. The wallet will not be able to use new address(es).

But why do you not just create an offline Electrum wallet directly? All you need to do is to install the Electrum wallet on the airgapped/cold Electrum device, which should not be connected to the internet; formatting the device before use will be the best assurance that it is a cold wallet device. Then create a standard wallet and back up the seed phrase offline, which will be accessible by you but safe from attackers. The wallet will be able to generate bech32 addresses for you and can also be used to generate addresses to send Bitcoin to. The confirmation that you sent bitcoin to an address on the cold wallet can be tracked on a blockchain explorer, or create a watch-only Electrum wallet on another device for easy tracking.

Stalker22 (OP)
February 07, 2021, 12:17:52 AM
Last edit: February 07, 2021, 02:59:43 PM by Stalker22
 #6

Quote
Maybe I didn't explain well. I WANT to create a paper wallet (backup) with, for example, electrum on an offline computer and use generated address from it for long-term storage.
Yes, that is very possible. You can create a paper wallet and import the private key on Electrum. Download the Electrum wallet from electrum.org, open the wallet, then click on Next > import Bitcoin addresses or private keys > paste or use the camera button to scan the QR code and press Next. Then, the wallet will be generated, but make sure you do it on an offline device with no connection to the outside world. But, in this case, only that one private key and address will be used. The wallet will not be able to use new address(es).

But why do you not just create an offline Electrum wallet directly? All you need to do is to install the Electrum wallet on the airgapped/cold Electrum device, which should not be connected to the internet; formatting the device before use will be the best assurance that it is a cold wallet device. Then create a standard wallet and back up the seed phrase offline, which will be accessible by you but safe from attackers. The wallet will be able to generate bech32 addresses for you and can also be used to generate addresses to send Bitcoin to. The confirmation that you sent bitcoin to an address on the cold wallet can be tracked on a blockchain explorer, or create a watch-only Electrum wallet on another device for easy tracking.

Yes, I understand that part. But I would like to delete that wallet from the computer after generating the keys (address) and keep only the seed backup phrase. I wonder if there is a method to further protect a seed phrase from unauthorized use in case someone finds it.
For example, something like NeuroticFish suggested. But I'm not sure how secure the approach of inserting extra words would be and whether it would be easy to decode for a potential thief.
I've been thinking more about how to randomize word order or something like that.

HCP
February 07, 2021, 12:49:32 AM
Merited by vapourminer (1), ABCbits (1), FatFork (1), Stalker22 (1)
 #7

Quote
Yes, I understand that part. But I would like to delete that wallet from the computer after generating the keys (address) and keep only the seed backup phrase. I wonder if there is a method to further protect a seed phrase from unauthorized use in case someone finds it.
For example, something like NeuroticFish suggested. But I'm not sure how secure the approach of inserting extra words would be and whether it would be easy to decode a potential thief.
The idea isn't that you insert extra words into the seed... and it's implemented in BIP39 already... it's the "BIP39 Passphrase"... the idea is that you have a "passphrase" that you store separately to the 12/24 words...

Quote
A user may decide to protect their mnemonic with a passphrase. If a passphrase is not present, an empty string "" is used instead.

Some wallet providers refer to this as "custom words" or the "25th word" etc... Essentially, it's just a passphrase that is used in conjunction with the 12/24 words to generate the seed. If you use this method, just make sure that they are stored separately. If you store them together, you're effectively making the BIP39 passphrase pointless.

Also note that you will need both to recover your wallet... the 12/24 word seed phrase will be useless without the passphrase... and vice versa. How you go about storing the passphrase is up to you... some people treat it like a "password" and just use memory, never writing it down or storing it anywhere... but that method has risks, as human memory is quite "fragile".


Quote
I've been thinking more about how to randomize word order or something like that.
This is asking for trouble... There have been numerous threads on these boards in the past where users have attempted to create some sort of system for randomising or otherwise obfuscating the seed phrase and then being unable to "undo" it to recover their wallets.

Use a BIP39 passphrase, or an established method like Shamir secret sharing. Don't try and be "clever"... it probably won't work. :-\



Quote
Would it be possible to add an additional layer of protection to seed phrase paper wallet?
A paper wallet does not generate a seed phrase; it generates a private key and address.
@Charles-Tim, he isn't talking about a "normal" paper wallet... he is asking about ways to secure the 12/24 word seed written down on paper... calling it a "paper wallet" was probably not a great idea, as it is easily confused with the more common "single private key + public key + address" type of paper wallet as generated by bitaddress.org etc.

I think the phrase "paper seed backup" or something similar is probably a better description...

pooya87
February 07, 2021, 04:30:58 AM
 #8

We really need wallets to let users encrypt what they "export". Sadly, none of the wallets I've seen offer that option so far, and it is very easy to implement too, because what you import is either your private key, which has an excellent and easy-to-implement BIP called BIP38, or it is a mnemonic (seed phrase), which is simply a string, and wallets already have code to encrypt anything using AES256; in fact they are already encrypting it when they store it to disk! And the option to encrypt/decrypt your mnemonic should be added to the interface too.

I still don't like using the extra word as an encryption method because the algorithm used there is pretty weak so it relies heavily on your passphrase (the extra word) to be extremely strong compared to what AES with a better KDF would do with a much simpler password.

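The BIP39 passphrase described in post #7, as an added example (not code from any poster or wallet): it shows how the mnemonic and passphrase are combined into the seed, using PBKDF2-HMAC-SHA512 with the fixed 2048 rounds that make the passphrase's own strength matter, which is the concern raised in post #8. The mnemonic and expected seed are the published BIP39 specification test vector; the function names are this example's own.

```python
import hashlib
import unicodedata

# Fixed by the BIP39 specification. A wallet cannot raise it, so the
# passphrase's own entropy has to carry the brute-force resistance.
BIP39_PBKDF2_ROUNDS = 2048

# Test vector published with the BIP39 specification (never a wallet to fund).
VECTOR_MNEMONIC = ("abandon " * 11) + "about"
VECTOR_PASSPHRASE = "TREZOR"
VECTOR_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Return the 64-byte seed for a mnemonic sentence and optional passphrase.

    seed = PBKDF2-HMAC-SHA512(password=mnemonic, salt="mnemonic" + passphrase)
    Both strings are NFKD-normalised; no passphrase means the empty string.
    """
    # Collapsing whitespace is a convenience of this example, not part of BIP39.
    sentence = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512",
        sentence.encode("utf-8"),
        salt.encode("utf-8"),
        BIP39_PBKDF2_ROUNDS,
        dklen=64,
    )


def same_wallet(mnemonic: str, passphrase_a: str, passphrase_b: str) -> bool:
    """True only if both passphrases lead to the same seed, i.e. the same wallet."""
    return bip39_seed(mnemonic, passphrase_a) == bip39_seed(mnemonic, passphrase_b)


def seeds_for(mnemonic: str, passphrases) -> dict:
    """Map each candidate passphrase to the hex seed it produces."""
    return {p: bip39_seed(mnemonic, p).hex() for p in passphrases}


if __name__ == "__main__":
    # Constructed candidates: the right passphrase, none, and two near misses.
    seeds = seeds_for(VECTOR_MNEMONIC, ["TREZOR", "", "Trezor", "TREZOR "])
    for passphrase, seed_hex in seeds.items():
        print(f"{passphrase!r:10} -> {seed_hex[:16]}...")
    print("matches spec vector:", seeds[VECTOR_PASSPHRASE] == VECTOR_SEED_HEX)
```

A mistyped passphrase raises no error; it yields a different, equally valid seed, so restoring from the backup and checking a known address is the only way to confirm the stored passphrase is right.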
bob123
February 07, 2021, 01:17:28 PM
Merited by vapourminer (1), FatFork (1)
 #9

There is literally not a single good reason for something self-made which iterates the words.

If you want to add another layer of security, use encryption.
Either the BIP38 passphrase (for private keys), BIP39 passphrase (for mnemonic codes) or any other provably good encryption algorithm (AES).

Never do crypto yourself. And this includes any self-made algorithms to shuffle words.
Further, an algorithm which doesn't properly encrypt the words, but shuffles them, is a bad algorithm since it leaks information about the secret.

Stalker22 (OP)
February 07, 2021, 02:57:20 PM
 #10

Thank you guys for your answers. Looks like I've got some reading to do.
I didn't know about the BIP39 passphrase, have to look into that.

Dabs
February 11, 2021, 06:22:22 PM
 #11

Quote
Maybe I didn't explain well. I WANT to create a paper wallet (backup) with, for example, electrum on an offline computer and use generated address from it for long-term storage.

Quote
But why do you not just create an offline Electrum wallet directly? All you need to do is to install the Electrum wallet on the airgapped/cold Electrum device, which should not be connected to the internet; formatting the device before use will be the best assurance that it is a cold wallet device.

I think this is the best and easiest solution. Run a freshly installed and verified Electrum on a freshly formatted airgapped offline laptop/desktop with your OS of choice. While many will recommend Linux, it is perfectly fine to use Windows 10. This laptop/desktop will be eternally quarantined, never to connect to any network ever again.

I can find plenty of refurbished or open box deals for cheap computers or laptops under $100. Then just get a cheap new monitor, mouse, keyboard and webcam maybe (for scanning QR codes).

bob123
February 12, 2021, 12:08:59 PM
 #12

Quote
While many will recommend Linux, it is perfectly fine to use Windows 10.

The reason everyone recommends Linux is that you can verify the download to make sure it has not been tampered with.
Further it's open source.

With Windows, you don't know whether your .iso has been tampered with. And therefore you can't know whether everything works as expected (PRNG). Regardless of whether this system will ever go online, using Windows is not perfectly fine in such a case.

Dabs
February 12, 2021, 12:40:22 PM
 #13

Quote
While many will recommend Linux, it is perfectly fine to use Windows 10.

Quote
The reason everyone recommends Linux is that you can verify the download to make sure it has not been tampered with.
Further it's open source.

With Windows, you don't know whether your .iso has been tampered with. And therefore you can't know whether everything works as expected (PRNG). Regardless of whether this system will ever go online, using Windows is not perfectly fine in such a case.

There are published hashes (usually both SHA256 and MD5) from Microsoft. For this to be tampered with, they would have an internal problem, which is the same kind of problem other distros would have. This isn't as easily available information as with Linux distros that are usually hashed, plus sometimes are PGP signed, but it's still there.

I would also download it directly from Microsoft's website.

Maybe that is "almost" perfectly fine enough? I mean, PGP = Pretty Good Privacy, not Perfectly. :)

As far as most people are concerned anyway. I agree that Linux Mint or Ubuntu would probably be perfectly fine then.

ranochigo
February 12, 2021, 12:55:00 PM
 #14

Quote
The reason everyone recommends Linux is that you can verify the download to make sure it has not been tampered with.
Further it's open source.

With Windows, you don't know whether your .iso has been tampered with. And therefore you can't know whether everything works as expected (PRNG). Regardless of whether this system will ever go online, using Windows is not perfectly fine in such a case.
There's an official Live CD creator directly from Windows and I would think that it poses pretty little risk. To be fair, same goes for Linux. You're trusting that the hashes for the ISOs are legit[1] and PGP isn't always foolproof either, a well established web of trust would be far more reliable than just importing the PGPs on the website.

IMO, for most people using an OS that they are familiar with is a good choice. It isn't always necessary to complicate the process too much.
[1] https://blog.linuxmint.com/?p=2994

bob123
February 12, 2021, 01:57:07 PM
 #15

Quote
There are published hashes (usually both SHA256 and MD5) from Microsoft.

Oh, I didn't know that.
If these hashes then either 1) are signed by known developer keys or 2) are not hosted on the same server as the downloadable file, that's fine I guess.

Quote
There's an official Live CD creator directly from Windows and I would think that it poses pretty little risk. To be fair, same goes for Linux. You're trusting that the hashes for the ISOs are legit[1]

With most Linux distros, the hashes are signed by the developers.

Hosting the hashes without a signature together with the downloadable file on the same server is useless and defeats the purpose (or rather the security aspect) of providing them in the first place. In this case you'd just use it to make sure there was no error when downloading the file.
Hosting the hashes and the downloadable file in different places or using signatures is necessary to make sure the file has not been tampered with by a malicious 3rd party (e.g. by compromising the server).

Theb
February 16, 2021, 07:49:00 PM
 #16

Quote
Yes, I understand that part. But I would like to delete that wallet from the computer after generating the keys (address) and keep only the seed backup phrase. I wonder if there is a method to further protect a seed phrase from unauthorized use in case someone finds it.
For example, something like NeuroticFish suggested. But I'm not sure how secure the approach of inserting extra words would be and whether it would be easy to decode for a potential thief.
I've been thinking more about how to randomize word order or something like that.

If we are talking about the protection of the seed phrase itself I think the best way to protect it is just to put it in a place where you are the only one who has access to it. Put the seed phrase in a safe or in a safety deposit box or if that kind of security is not enough for you then you can implement what NeuroticFish is doing and put in some random words, jumble the combinations of the words and have the decoder of it in another piece of paper in which the seed phrase and the decoder will be kept in different places. Personally I won't be messing around with the order of the seed phrase since I might screw some things up but if you want an added security for your wallet I think this is a good solution for what you are asking.

NeuroticFish
February 16, 2021, 08:42:21 PM
 #17

* HCP has already explained what I meant by extra words
* in the part of using your imagination, sky is the limit, really. For example, something that came now to my mind, but didn't test. You can have a 12 words seed, you can add then a passphrase made of 1 normal bip39 word, then add more random words from the same list until you get to 24 words. The 24 words will look like it's your seed, but it's actually not. Of course, you'll have to remember that you have done this.

Dabs
February 17, 2021, 01:43:34 AM
 #18

I would not recommend doing any sort of alteration of your seeds without instructions on what it really means to you, otherwise you might see your paper wallet in 10 years and forget, what are these words and how do I put them back together in the correct order.

Whereas, if you just have some personal password to an encrypted file which you have multiple backups of, offline preferably, then you have all the words.

I'm having fun making seeds with Electrum:

Quote
>>> make_seed(256)
"exit pass vapor setup fossil away oppose quit safe element credit blouse doll naive this fat gospel jungle beach away bread hub speak deny"
>>> make_seed(256)
"gate viable affair resource garage divorce delay bean middle weird story innocent symptom butter palace rally target cycle scrub town kiss abandon actress rabbit"
>>> make_seed(256)
"glass poet explain next tired misery tool hover lab wrong lamp usual lemon hub creek repair radio lecture reveal behave since egg night faculty"
>>>

It's possible you could duplicate the words 3 times, then cross out some, but any 2 parts can form the whole set, in order. I think this is done with the iancoleman bip39 tool.

For example: using https://iancoleman.io/bip39/ and generating 24 words.

So the BIP39 full word phrase would be:

helmet rebuild obtain naive kid company belt wrist twice balcony supreme liberty bitter fee arrest develop shallow salute enemy layer candy market question hard

Then there is the Split Mnemonic which would be:

Card 1: XXXX rebuild XXXX naive kid company XXXX wrist twice XXXX supreme liberty XXXX fee arrest develop XXXX salute enemy layer candy XXXX question XXXX
Card 2: helmet XXXX obtain XXXX kid company belt XXXX XXXX balcony supreme liberty bitter XXXX XXXX XXXX shallow salute XXXX layer candy market question hard
Card 3: helmet rebuild obtain naive XXXX XXXX belt wrist twice balcony XXXX XXXX bitter fee arrest develop shallow XXXX enemy XXXX XXXX market XXXX hard

Time to hack with only one card: 3830854 years

You'd need any two of the cards to get the full 24 word phrase in correct order.

But I think paper wallets should remain as equivalent bearer instruments, then physically protect them. If you are intending to do any sort of encryption, then you'd store it in USB or flash media, or giant QR codes maybe.

Giant QR codes would make an excellent paper wallet actually.
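
What one of the split-mnemonic cards in the post above gives away on its own, as an added example (not from the post or from the iancoleman tool): it takes the phrase and the three cards exactly as posted, checks that any two cards rebuild the phrase, and counts how many bits a holder of one card still has to guess. The function names are this example's own; the 11 bits per word and the 8 checksum bits for 24 words come from BIP39.

```python
from itertools import combinations

MASK = "XXXX"
BITS_PER_WORD = 11  # BIP39 wordlist has 2048 = 2**11 words
CHECKSUM_BITS = {12: 4, 15: 5, 18: 6, 21: 7, 24: 8}

# Phrase and cards copied from the post (a published example, never a wallet to fund).
PHRASE = ("helmet rebuild obtain naive kid company belt wrist twice balcony supreme "
          "liberty bitter fee arrest develop shallow salute enemy layer candy market "
          "question hard").split()
CARDS = {
    1: ("XXXX rebuild XXXX naive kid company XXXX wrist twice XXXX supreme liberty "
        "XXXX fee arrest develop XXXX salute enemy layer candy XXXX question XXXX").split(),
    2: ("helmet XXXX obtain XXXX kid company belt XXXX XXXX balcony supreme liberty "
        "bitter XXXX XXXX XXXX shallow salute XXXX layer candy market question hard").split(),
    3: ("helmet rebuild obtain naive XXXX XXXX belt wrist twice balcony XXXX XXXX "
        "bitter fee arrest develop shallow XXXX enemy XXXX XXXX market XXXX hard").split(),
}


def hidden_positions(card):
    """1-based positions of the words a card masks out."""
    return [pos for pos, word in enumerate(card, start=1) if word == MASK]


def combine(card_a, card_b):
    """Merge two cards into a full phrase, or raise if they cannot supply it."""
    if len(card_a) != len(card_b):
        raise ValueError("cards have different lengths")
    merged = []
    for pos, (a, b) in enumerate(zip(card_a, card_b), start=1):
        if MASK not in (a, b) and a != b:
            raise ValueError(f"cards disagree at word {pos}")
        word = b if a == MASK else a
        if word == MASK:
            raise ValueError(f"word {pos} is hidden on both cards")
        merged.append(word)
    return merged


def exposure(card):
    """Bits a single card reveals and bits its holder would still have to guess."""
    hidden = len(hidden_positions(card))
    to_guess = hidden * BITS_PER_WORD
    return {
        "words_visible": len(card) - hidden,
        "bits_visible": (len(card) - hidden) * BITS_PER_WORD,
        "bits_to_guess": to_guess,
        # The checksum discards all but about 1 in 2**8 completions of a 24-word phrase.
        "bits_after_checksum": to_guess - CHECKSUM_BITS[len(card)],
    }


def check_scheme(phrase, cards):
    """Every pair of cards must rebuild the phrase; no single card may be complete."""
    pairs_ok = all(combine(cards[a], cards[b]) == phrase
                   for a, b in combinations(cards, 2))
    singles_incomplete = all(hidden_positions(card) for card in cards.values())
    return pairs_ok and singles_incomplete


if __name__ == "__main__":
    print("any two cards rebuild the phrase:", check_scheme(PHRASE, CARDS))
    for number, card in CARDS.items():
        print(f"card {number}: hides words {hidden_positions(card)} -> {exposure(card)}")
```

Each card shows 16 of the 24 words, so its holder faces roughly 80 bits of remaining guesswork instead of the phrase's 256; a single Shamir share, by contrast, reveals nothing about the secret.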
