[Sparrow Wallet] Use it to generate a BIP39 24 word seed in a safe environment.

[Lyr2]

I would like to create a BIP39 24 word seed for holding.

Is Sparrow Wallet trusted for such task?

I'm planning on doing it on an offline PC without ethernet cable and booting Linux from a USB installation disk (Example:"Try Ubuntu before Install" option). And then following these steps: https://sparrowwallet.com/docs/quick-start.html#creating-your-first-wallet

Once the seed phrase is generated I'll backup and import it into an air-gapped hardware wallet. But I personally prefer to use a popular open-source wallet for creating the seed running on my Desktop PC (my hardware). I'd use Electrum or Bitcoin-Qt but I understand they cannot create BIP39 seeds.

Additionally, if anybody knows in the sparrow github where is the code that generates the seed phrase, that would be appreciated as well. (I'm not a real software developer, but I can try reading it).

Thanks in advance

[1714604293]

1714604293

[1714604293]

1714604293

[1714604293]

1714604293

[1714604293]

1714604293

[Zaguru12]

I don’t quite understand what code GitHub code you’re asking of but yes can definitely generate a Bip39 seed phrase from sparrow wallet, here is a GitHub link. Make sure the device been used for the wallet creation is free from existing malwares removing Those Ethernet cable alone can free an already compromised device. Since it’s Bip39 seed phrase you can even create it from. Those hardware wallets. And yes you’re right electrum generates its own custom seed phrase and the Bip39 format or word list but you can import in a Bip39 seed phrase into it. If you choose to go ahead with sparrow it is is good and recommended wallet too

[BlackHatCoiner]

Is Sparrow Wallet trusted for such task?

It is good software for generating seed phrases, but it seems like you want to introduce more complexity than needed.

I'm planning on doing it on an offline PC without ethernet cable and booting Linux from a USB installation disk (Example:"Try Ubuntu before Install" option).

Just to clarify in case you didn't know about this: removing the ethernet cable alone does NOT make the machine airgapped. You'll have to isolate it from every network it can potentially connect. That means, removal of Wi-Fi and Bluetooth adapters at least.

Once the seed phrase is generated I'll backup and import it into an air-gapped hardware wallet.

My question is: why don't you generate the seed phrase on your hardware wallet? If you trust using it, then you should trust it for generating you the seed phrase.

Also, another question: what's your hardware wallet? The majority are not airgapped.

[satscraper]

I would like to create a BIP39 24 word seed for holding.

Is Sparrow Wallet trusted for such task?

I'm planning on doing it on an offline PC without ethernet cable and booting Linux from a USB installation disk (Example:"Try Ubuntu before Install" option). And then following these steps: https://sparrowwallet.com/docs/quick-start.html#creating-your-first-wallet

Once the seed phrase is generated I'll backup and import it into an air-gapped hardware wallet.

I would advocate  hardware wallet as a SEED source. At least with such opt you could be able to use the multisig set up grounded on Sparrow and your air-gapped HW. Here you can find the  instance relevant to Passport-Sparrow-multisig wallet.

Even offline computers (being infected ) may deliver compromised SEED.

[Charles-Tim]

Once the seed phrase is generated I'll backup and import it into an air-gapped hardware wallet. But I personally prefer to use a popular open-source wallet for creating the seed running on my Desktop PC (my hardware). I'd use Electrum or Bitcoin-Qt but I understand they cannot create BIP39 seeds.
.

My question is: why don't you generate the seed phrase on your hardware wallet? If you trust using it, then you should trust it for generating you the seed phrase.

Also, another question: what's your hardware wallet? The majority are not airgapped.

Good question. I will like to know about this. From how he posted it, I thought he was referring to his computer.

I would advocate  hardware wallet as a SEED source. At least with such opt you could be able to use the multisig set up grounded on Sparrow and your air-gapped HW. Here you can find the  instance relevant to Passport-Sparrow-multisig wallet.

Even offline computers (being infected ) may create compromised SEED.

Airgapped devices are also good if you know what you are doing. You can also use airgapped device for seed generation. As long as you format the device and reinstall its OS with the Bluetooth and WiFi card removed, then you have nothing to be worried about. Some people can even go for Tails operating system which comes with Electrum installed, or using formated drive or card to save the wallet downloaded file and install it on the airgapped device.

[satscraper]

Airgapped devices are also good if you know what you are doing. You can also use airgapped device for seed generation. As long as you format the device and reinstall its OS with the Bluetooth and WiFi card removed, then you have nothing to be worried about.

I wouldn't trust entirely airgapped devices.

Even airgapped  machines might be infected via BIOS/EIFE  (and or hardware drivers) malicious payloads.

You can not get completely airgapped device as  machine might be subjected to  pre-shipment inspection by manufacture that includes the checking its connectivity to Internet.

[Charles-Tim]

I wouldn't trust entirely airgapped devices.

Even airgapped  machines might be infected via BIOS/EIFE  (and or hardware drivers) malicious payloads.

Once you formatted the computer and reinstall the OS, there is no problem.

That aside, if the airgapped device is infected, not going online but completely airgapped, how can it affect the wallet installed? No malware that can modify wallet. Unless you downloaded the wallet from a fake site or you downloaded a fake wallet which can make it compromised. As long as the wallet is legit, recommended and airgapped, there is nothing that will happen because you only want to use the device for signing transaction and also for other offline purposes. I am not recommending this but this is how it is

Sometimes hardware wallet is not necessary, especially if you need the wallet just for bitcoin. I have an old laptops that is now completely useless. That is how some people old laptops are and they can use it to setup airgapped device than wasting money on a hardware wallet.

[BlackHatCoiner]

You can not get completely airgapped device as  machine might be subjected to  pre-shipment inspection by manufacture that includes the checking its connectivity to Internet.

If the machine is provably airgapped, then how can such inspection harm the user?

As long as the wallet is legit, recommended and airgapped, there is nothing that will happen because you only want to use the device for signing transaction and also for other offline purposes.

Technically speaking, there can be other attacks. If the manufacturer knows you're going to install a particular wallet software under a particular operating system, they can tamper with the BIOS and inject malicious code to compromise the security of the computer. However, I have never heard of any such attacks in practice. But, this is a reason why it's recommended to buy general purpose computers (like Raspberry Pi with SeedSigner) and not hardware wallets.

[satscraper]

I wouldn't trust entirely airgapped devices.

Even airgapped  machines might be infected via BIOS/EIFE  (and or hardware drivers) malicious payloads.

Once you formatted the computer and reinstall the OS, there is no problem.

Nope, there   are still  problems as   BIOS/UEFI viruses can survive  formatting and/or reinstalling.

The same is true for malware hidden in firmware of HDD/SSD.

Thus my stance regarding  the preference of HW generated SEED  stands unaffected.

[hosseinimr93]

but you can also generate BIP39 seed phrase on desktop Electrum.

There is no way to generate a BIP39 seed phrase in electrum.
The command you mentioned generates a 12 word legacy seed phrase using electrum algorithm. That wouldn't generate a BIP39 seed phrase.

If you want to have a wallet with BIP39 seed phrase in electrum, you have to generate your seed phrase using other tools and then import it in electrum.

[o_e_l_e_o]

Additionally, if anybody knows in the sparrow github where is the code that generates the seed phrase, that would be appreciated as well. (I'm not a real software developer, but I can try reading it).

Sparrow uses Java's SecureRandom function to generate its entropy, which sources entropy from /dev/urandom: https://github.com/sparrowwallet/sparrow/blob/02a0a3277bdc4469d7369cb1915a1f47c05e05d1/src/main/java/com/sparrowwallet/sparrow/control/MnemonicKeystoreEntryPane.java#L57-L71

[Lyr2]

Thank you all.

Yesterday I was taking a look at the SecureRandom in Bip39Dialog.java (from the Sparrow Wallet github) but this was too complex for my level of knowledge. I get lost in the github. I understood that I was putting my trust in the implemented Java (more than Sparrow).
In parallel I spent more time reading about the "dice roll method". My Hardware Wallet is an MK4, I will only use it with PSBT.

In the end, I went with the following steps (a bit more risky than just using the MK4):

1) Booted an Ubuntu installation disk in my homemade Desktop PC (ethernet unplugged, bluetooth usb unplugged). @BlackHatCoiner Yeah this is not air-gapped, but the odds of a risk happening I think are very low.
2) Manually rolled a dice a bit more than 100-110 times generating a number.
3) Used following Coinkite simple script to generate the seed: https://coldcard.com/docs/rolls.py (I copied this python script into an empty USB drive so I could use it in the cold~ booted Ubuntu. I understood how the script works for the peace of my mind). (I generated the same seed in MK4, because I was going to import in there anyway).
4) Finally did a full format (overwriting with zeros) of the Ubuntu Live Disk USB and the other USB Disk (containing the rolls.py file) to not leave any evidence.

I fully understand that is more risky than just using the Hardware Wallet, that always would return the same result. And to be honest I don't believe that what I did is safer than just using Sparrow Wallet generator. But I did it anyway because looks like a very low risk task and I understood the small python script.

---

I will also add a passphrase later.

[satscraper]

Thank you all.

Yesterday I was taking a look at the SecureRandom in Bip39Dialog.java (from the Sparrow Wallet github) but this was too complex for my level of knowledge. I get lost in the github. I understood that I was putting my trust in the implemented Java (more than Sparrow).
In parallel I spent more time reading about the "dice roll method". My Hardware Wallet is an MK4, I will only use it with PSBT.

In the end, I went with the following steps (a bit more risky than just using the MK4):

1) Booted an Ubuntu installation disk in my homemade Desktop PC (ethernet unplugged, bluetooth usb unplugged). @BlackHatCoiner Yeah this is not air-gapped, but the odds of a risk happening I think are very low.
2) Manually rolled a dice a bit more than 100-110 times generating a number.
3) Used following Coinkite simple script to generate the seed: https://coldcard.com/docs/rolls.py (I copied this python script into an empty USB drive so I could use it in the cold~ booted Ubuntu. I understood how the script works for the peace of my mind). (I generated the same seed in MK4, because I was going to import in there anyway).
4) Finally did a full format (overwriting with zeros) of the Ubuntu Live Disk USB and the other USB Disk (containing the rolls.py file) to not leave any evidence.

I fully understand that is more risky than just using the Hardware Wallet, that always would return the same result. And to be honest I don't believe that what I did is safer than just using Sparrow Wallet generator. But I did it anyway because looks like a very low risk task and I understood the small python script.

---

I will also add a passphrase later.

Looks like to be a decent approach to get SEED for your stash.

Passphrase is overkill unless your aim is the "hidden" wallet. 24/12 words SEED alone is in position to withstand any attempts of breaking. But, sure,  it's up to you whether to implement it or not.

[NotATether]

Airgapped devices are also good if you know what you are doing. You can also use airgapped device for seed generation. As long as you format the device and reinstall its OS with the Bluetooth and WiFi card removed, then you have nothing to be worried about.

I wouldn't trust entirely airgapped devices.

Even airgapped  machines might be infected via BIOS/EIFE  (and or hardware drivers) malicious payloads.

You can not get completely airgapped device as  machine might be subjected to  pre-shipment inspection by manufacture that includes the checking its connectivity to Internet.

I think you mean EFI, EFIE isn't a word.

Anyway, during the process of fiddling with OpenCore EFIs, I have learned a lot of information about how EFI works. In the /boot partition there is an EFI folder that contains all the files and stuff which are read into the computer before booting the OS. Since you can actually verify what is in your EFI and replace it with a non-infected file if you find you really need to, then it is trivial to do so as superuser or admin. I don't think BIOS has that kind of capability, and actually it may be burned in to the motherboard in such a case and firmware update that is in many cases, non-existent.

Therefore I would prefer to use the newer EFI systems over BIOS to set up an airgapped system.

[Charles-Tim]

Therefore I would prefer to use the newer EFI systems over BIOS to set up an airgapped system.

It is true that UEFI has better security. Also it has faster boot time as I noticed 7 second boot time in the Windows computer that has it, unlike legacy BIOS.

Recently made computers are using UEFI and not the the legacy BIOS which people called BIOS. Or maybe legacy BIOS is still used on low budget computers. But if you have an old computer that make use of legacy BIOS instead and you need a cold wallet, that means you will not use it?

If my old computer is using legacy BIOS, I will still format and reinstall the OS and use it as cold storage wallet hardware for bitcoin and I am certain that nothing will happen as long as it remain as cold wallet.

But I will appreciate your sincere answer if you will use the old computer with legacy BIOS or not.

It is worth knowing that the old BIOS is referred to as legacy BIOS while the new BIOS is referred to as UEFI or EFI. UEFI is still Basic Input Output System (BIOS).

[NotATether]

It is true that UEFI has better security. Also it has faster boot time as I noticed 7 second boot time in the Windows computer that has it, unlike legacy BIOS.

Recently made computers are using UEFI and not the the legacy BIOS which people called BIOS. Or maybe legacy BIOS is still used on low budget computers. But if you have an old computer that make use of legacy BIOS instead and you need a cold wallet, that means you will not use it?

If my old computer is using legacy BIOS, I will still format and reinstall the OS and use it as cold storage wallet hardware for bitcoin and I am certain that nothing will happen as long as it remain as cold wallet.

But I will appreciate your sincere answer if you will use the old computer with legacy BIOS or not.

It is worth knowing that the old BIOS is referred to as legacy BIOS while the new BIOS is referred to as UEFI or EFI. UEFI is still Basic Input Output System (BIOS).

I think only people who are high-value targets should be concerned about how their airgapped computer boots. Because it's highly unlikely that someone is infected with a BIOS/EFI malware unless they are of the not-so-smart type that always clicks on "You Won $1000! Click To Get Your Prize" ads across the internet.

Makes me wonder why people are not using adblockers more, to be honest. Doesn't help that Google is trying to break adblockers with Manifest V3 (which will become mandatory this June). Ironically they also have a cybersecurity division in their company, so the mess that they are making for everyone else comes back to bite them in the form of botnet DDoS.

[Saint-loup]

Thank you all.

Yesterday I was taking a look at the SecureRandom in Bip39Dialog.java (from the Sparrow Wallet github) but this was too complex for my level of knowledge. I get lost in the github. I understood that I was putting my trust in the implemented Java (more than Sparrow).
In parallel I spent more time reading about the "dice roll method". My Hardware Wallet is an MK4, I will only use it with PSBT.

In the end, I went with the following steps (a bit more risky than just using the MK4):

1) Booted an Ubuntu installation disk in my homemade Desktop PC (ethernet unplugged, bluetooth usb unplugged). @BlackHatCoiner Yeah this is not air-gapped, but the odds of a risk happening I think are very low.
2) Manually rolled a dice a bit more than 100-110 times generating a number.
3) Used following Coinkite simple script to generate the seed: https://coldcard.com/docs/rolls.py (I copied this python script into an empty USB drive so I could use it in the cold~ booted Ubuntu. I understood how the script works for the peace of my mind). (I generated the same seed in MK4, because I was going to import in there anyway).
4) Finally did a full format (overwriting with zeros) of the Ubuntu Live Disk USB and the other USB Disk (containing the rolls.py file) to not leave any evidence.

I fully understand that is more risky than just using the Hardware Wallet, that always would return the same result. And to be honest I don't believe that what I did is safer than just using Sparrow Wallet generator. But I did it anyway because looks like a very low risk task and I understood the small python script.

---

I will also add a passphrase later.

It's interesting but you still need to trust a method and a script from a stranger, along with your OS, your software environnement, and your hardware.
Why not just trying to follow the BIP39 algorithm by your own?
You would just need a computer to compute the SHA256 hash of your entropy to get the checksum.
You could still use your dices to generate the entropy but 256bits for a 24 words seed is only 256 coin flips if you prefer.


https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki

[virasog]

Airgapped devices are also good if you know what you are doing. You can also use airgapped device for seed generation. As long as you format the device and reinstall its OS with the Bluetooth and WiFi card removed, then you have nothing to be worried about.

I wouldn't trust entirely airgapped devices.

Even airgapped  machines might be infected via BIOS/EIFE  (and or hardware drivers) malicious payloads.

You can not get completely airgapped device as  machine might be subjected to  pre-shipment inspection by manufacture that includes the checking its connectivity to Internet.

Well, if you can't trust the machines (PC) or the Android devices for the air gapped purpose, you can use the simple USB, install the tails OS software, never connect it to the Internet and you're good to go. Electrum becomes built-in in the tails OS but you will need to manually install the Sparrow wallet. I do not know if it is possible or not as I haven't experimented with the Sparrow wallet.

Sometimes hardware wallet is not necessary, especially if you need the wallet just for bitcoin. I have an old laptops that is now completely useless. That is how some people old laptops are and they can use it to setup airgapped device than wasting money on a hardware wallet.

When you buy a hardware wallet, still there are things that you need to be aware like buying it from a official store and then other stuff like updating the firmware etc. If we use the airgapped  USB with tails OS , it is a better, secure and cheap solution than a hardware wallet (although it requires a bit of technicality to perfectly setup and use it).

[NeuroticFish]

Well, if you can't trust the machines (PC) or the Android devices for the air gapped purpose, you can use the simple USB, install the tails OS software, never connect it to the Internet and you're good to go. Electrum becomes built-in in the tails OS but you will need to manually install the Sparrow wallet. I do not know if it is possible or not as I haven't experimented with the Sparrow wallet.

And, if OP doesn't trust the Electrum installed on Tails OS or simply prefers BIP39 seed instead of Electrum "flavor", he can use the stick for the OS with no storage, but use /dev/urandom and Ian Coleman's page (copied to that stick or another one) like explained here: https://bitcointalk.org/index.php?topic=5475496.msg63228430#msg63228430