Topic: Trezor T + SD card
PawGo (OP)
July 17, 2022, 07:59:00 AM
Last edit: July 17, 2022, 08:17:04 AM by PawGo
Merited by m2017 (1)
 #1

Hello

Is anyone using a Trezor T with SD card protection enabled - a kind of 2FA for unlocking the device?
https://wiki.trezor.io/User_manual:SD_card_protection

Are there any known issues with that solution (like one for old Trezor's Ledger's devices: https://bitcointalk.org/index.php?topic=5406503.0)?
Does SD card become dedicated to that purpose or may I use that card for any other needs (store my data) and just enter into device to unlock?
Pmalek
July 17, 2022, 08:15:42 AM
 #2

> Are there any known issues with that solution (like one for old Trezor's devices: https://bitcointalk.org/index.php?topic=5406503.0)

That's not for old Trezor devices, it's for old and discontinued Ledger hardware wallets.

> Does SD card become dedicated to that purpose or may I use that card for any other needs (store my data) and just enter into device to unlock?

I personally don't have the answer to that question, but you might want to check with Coin-Keeper about that. He says he has several Trezor wallets (both brands). According to one of his posts from last year, you can store additional data on that Micro SD card besides the encrypted secret. I just hope that data won't interfere with the decrypting process in any way.

> While the SD Encrypt feature is slick as can be, and it is, you can actually use the other space on the Micro SD card for storing files, even encrypted containers to use on other systems. It's easy.

PawGo (OP)
July 17, 2022, 08:20:14 AM
 #3

>> Are there any known issues with that solution (like one for old Trezor's devices: https://bitcointalk.org/index.php?topic=5406503.0)
> That's not for old Trezor devices, it's for old and discontinued Ledger hardware wallets.

Yep, I fixed that.

>> Does SD card become dedicated to that purpose or may I use that card for any other needs (store my data) and just enter into device to unlock?
> I personally don't have the answer to that question, but you might want to check with Coin-Keeper about that. He says he has several Trezor wallets (both brands). According to one of his posts from last year, you can store additional data on that Micro SD card besides the encrypted secret. I just hope that data won't interfere with the decrypting process in any way.
>> While the SD Encrypt feature is slick as can be, and it is, you can actually use the other space on the Micro SD card for storing files, even encrypted containers to use on other systems. It's easy.

That's interesting. It would also mean that one may easily copy/backup encrypted file for Trezor (the same way how one may accidentally delete it). Sometimes SD cards could be problematic in use (damaged) or just lost, because of their size.
Pmalek
July 17, 2022, 08:56:42 AM
 #4

> It would also mean that one may easily copy/backup encrypted file for Trezor (the same way how one may accidentally delete it). Sometimes SD cards could be problematic in use (damaged) or just lost, because of their size.

You just provided more reasons not to store other files on the same SD card as your encrypted secret. Besides, why not just extend your seed with a complex passphrase and not use the SD cards at all? That will provide you with even more security, if you aren't already using them. And you can even create several passphrase-protected accounts.

For example:
Standard account with no passphrase holds 0.1 BTC.
Passphrase-protected account #1 holds 1 BTC.
Passphrase-protected account #2 holds 10 BTC
... 

Husires
July 17, 2022, 10:09:44 AM
 #5

> Besides, why not just extend your seed with a complex passphrase and not use the SD cards at all?
I don't think this will solve the problem, the philosophy of SD card is to protect against physical attacks of the device. For example, if someone managed to find your device and knew PIN code, then you lost your money, here comes SD card role as a second password.

In the end, it is a password (encrypted file) found in that card, and you can copy it to another card, so I don't see any objection to using it for storage, but in this case you reduce the security of your coins.

o_e_l_e_o
July 17, 2022, 12:02:33 PM
Merited by Pmalek (1)
 #6

>> Besides, why not just extend your seed with a complex passphrase and not use the SD cards at all?
> I don't think this will solve the problem, the philosophy of SD card is to protect against physical attacks of the device.

If someone with the equipment and expertise required was able to physically attack your Trezor, then they are "only" able to extract your seed phrase and access your base wallet, or unlock with your PIN and access your base wallet. Any passphrase protected wallets would remain both hidden and protected by the passphrase (which should obviously be long and complex enough to be resistant to brute force attacks).

> For example, if someone managed to find your device and knew PIN code, then you lost your money, here comes SD card role as a second password.
Again, only your base wallet, not any passphrased wallets.

But, you can quite happily use both the SD card and one or more passphrases, so no need to choose one or the other.
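
The base-wallet versus passphrased-wallet distinction discussed above, as an added example that is not part of the original posts: it uses the standard BIP39 seed derivation (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase), not Trezor firmware code. The mnemonic is the public all-zero BIP39 test vector, and the passphrases and the `wallet_id` fingerprint helper are constructed for illustration.

```python
import hashlib
import math
import unicodedata

# Public BIP39 test-vector mnemonic (all-zero entropy); never use it for funds.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def wallet_id(mnemonic: str, passphrase: str = "") -> str:
    """Hypothetical helper: short seed fingerprint standing in for 'which wallet opens'."""
    return hashlib.sha256(bip39_seed(mnemonic, passphrase)).hexdigest()[:16]


def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Search space, in bits, of a uniformly random passphrase."""
    return length * math.log2(alphabet_size)


def demo() -> dict:
    # Constructed passphrases. Someone who extracted the mnemonic from the
    # device only gets the first entry; the rest need the passphrase too.
    cases = [
        ("base (no passphrase)", ""),
        ("hidden #1", "constructed example passphrase one"),
        ("hidden #2", "constructed example passphrase two"),
        ("typo of #1", "constructed example passphrase onee"),
    ]
    return {label: wallet_id(MNEMONIC, pw) for label, pw in cases}


if __name__ == "__main__":
    for label, wid in demo().items():
        print(f"{label:22s} -> {wid}")
    # Every string, even a typo, derives a valid seed: there is no stored
    # "correct passphrase" to check against, so hidden wallets leave no trace.
    print(f"8 random lowercase letters: {passphrase_bits(8, 26):.1f} bits")
    print(f"30 random printable ASCII:  {passphrase_bits(30, 95):.1f} bits")
```

Because a mistyped passphrase silently opens a different, empty wallet, the passphrase needs its own backup separate from the seed words.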
Pmalek
July 17, 2022, 07:22:26 PM
 #7

<Snip>
If someone gains physical access to your Trezor hardware wallet, pray that the person doesn't know how to take advantage of Trezor's seed and PIN extraction vulnerability, which can be done with relatively cheap hardware equipment. Any security measures you have installed, whether that's an SD card or passphrase-protected accounts, should buy you enough time to safely generate a new wallet and move your assets to it while the perpetrator may or may not be working on gaining access to your coins. That's how I see it at least. Despite having SD cards or passphrases, I wouldn't be comfortable having someone doing work on my hardware wallet in an attempt to steal from me.

Coin-Keeper
July 18, 2022, 04:41:29 PM
Merited by Pmalek (2), PawGo (2)
 #8

Yes, you can use the unused/available space on the SD for other things.  TRUTH - I would not do that because I would not expose my dedicated SD to any vulnerabilities other software or uses might present.  The SD file created is very small and simply performs the function of encrypting your SEED.  That renders physical possession of the Trezor T useless to the thief.  I do fortify all my wallets with additional passphrases (at least 30 digits) as well.

Bear in mind that possession of your loaded SD AND the Trezor T puts you back in the same place as if you didn't have that feature enabled. However, the SD file is super small so you can simply wipe it OFF the SD card (not merely delete), or more cleverly load a prepared decoy SD file. When you need your Trezor it takes a couple of seconds to write the correct file back to the device and use your Trezor!

One thing I would like to add: if you have trezorctl working ----- since you are considering using SD protect, I would recommend wipe PIN as well. We can debate the merits or the reverse all day long, but for me it's comforting. I leave my Trezor T in a little case with a note where my "PIN" is written down. That note says to remember not to carry the written PIN anywhere when I leave my house. Conveniently the PIN written on the note is a wipe PIN where if entered the Trezor is wiped! The note makes it look like I want to make sure I don't forget my PIN, but to remind me to NEVER go anywhere with the note. I believe 99% of crooks would never suspect this PIN is actually a "bomb".


edit:  obviously I maintain several encrypted copies of my Trezor SD file to prevent loss of the file!  Even in the case of loss (almost 0% possibility) I could restore my Trezors in a few minutes by having needed SEED and needed passphrases for each wallet.
