What's the best way to create a super/meta/mother/master mnemonic seed?

[Saint-loup]

Hello
For obvious privacy concerns, I would like to be able to use several wallets based on different seeds. But it's very difficult to safeguard and safely manage multiple seeds.
So I would like to be able to deterministically produce several bip39 standard mnemonic seeds from an initial one I can protect. But I don't want to be able to find back the initial seed in any way from one or several daughter seeds. And I don't want to be able to find any sister seed from one or several other ones.
What is the most convenient way to do that please?

[1714512052]

1714512052

[1714512052]

1714512052

[1714512052]

1714512052

[NotATether]

Your answer is to use the Hierarchical Deterministic (HD) derivation technique used inside most wallets.

When you make a seed phrase, it encodes a Master private key. From this, you can derive more Master private keys given a non-negative number, and a Boolean (hardened or not hardened).

That means you can derive the seed phrase at m/0', m/1', and so on, depending on how many seeds you need, to create your child seed. The ' quote stands for hardened derivation. It prevents the parent key from being reverse-engineered.

IanColeman website should be able to help with that.

[Saint-loup]

Your answer is to use the Hierarchical Deterministic (HD) derivation technique used inside most wallets.

When you make a seed phrase, it encodes a Master private key. From this, you can derive more Master private keys given a non-negative number, and a Boolean (hardened or not hardened).

That means you can derive the seed phrase at m/0', m/1', and so on, depending on how many seeds you need, to create your child seed. The ' quote stands for hardened derivation. It prevents the parent key from being reverse-engineered.

IanColeman website should be able to help with that.

Thank you very much for your solution, and sorry if I was not clear enough in my topic but I want to derive BIP39 mnemonic seeds. I don't want to cope with keys because (almost) all wallets accept BIP39 seeds currently. But not all of them accept master keys unfortunately. In addition it's more easy to deal with mnemonic seeds than with BIP32 hexadecimal or base58 keys actually.  

[NotATether]

Thank you very much for your solution, and sorry I was not enough clear in my topic but I want to derive BIP39 mnemonic seeds. I don't want to cope with keys because (almost) all wallets accept BIP39 seeds currently. But not of all them accept master keys unfortunately. In addition it's more easy to deal with mnemonic seeds than with keys.  

That is going to be hard because you can't convert the master private key to a seed. What wallet software are you using by any chance?

Have you tried using a single seed phrase, but with different seed passphrases for each one (so called 13th word)?

[_act_]

[I don't want to cope with keys because (almost) all wallets accept BIP39 seeds currently. But not of all them accept master keys unfortunately. In addition it's more easy to deal with mnemonic seeds than with keys.  

When I was having to many seed phrases, I was thinking about this. But the solution I went for at the time was that I created several passphrase from a single seed phrase. Presently I have just one of it which is a seed phrase with 3 strong passphrase which I backup separately in different places that people can not notice.

[Stalker22]

What is the most convenient way to do that please?

Your question sounds a lot like the proposal described in BIP-85:
https://github.com/bitcoin/bips/blob/master/bip-0085.mediawiki

According to this article post, AirGap Wallet uses this method to manage multiple mnemonics: Secure Mnemonic Management with BIP85

[Zaguru12]

When I was having to many seed phrases, I was thinking about this. But the solution I went for at the time was that I created several passphrase from a single seed phrase. Presently I have just one of it which is a seed phrase with 3 strong passphrase which I backup separately in different places that people can not notice.

This is a very good initiative, to even make it better I will have to go through the process of even sending a little amount into the single wallet without passphrase so that should it be compromised the scammer can be lure to thinking that’s the only thing behind that seed phrase and that gives one the opportunity to create a new seed phrase and move funds out of those in the encrypted with passphrase.

According to this article post, AirGap Wallet uses this method to manage multiple mnemonics: Secure Mnemonic Management with BIP85

This seems to be a good idea for those looking to have many different wallets with different seed phrases but the only problem I have is that the master seed phrase is still a single point of failure to all the other parent seed phrases, just like we currently have with master private key in HD wallets

[Forsyth Jones]

As Stalker22 suggested, the closest solution to what you are looking for is BIP85.

To summarize, BIP85 makes it possible to derive from the original seed infinite seeds, WIF or XPRIV through indexing from 0 to what is allowed by this BIP similar to what an HD wallet does to derive the private key addresses via index i.e: m/0/0/0 address1, m/0/0/1 address2 and so on. But in BIP85 it's directly from a number that goes from 0 to unknown, for example 999999.

When choosing an index number, it'll always generate the same seed, WIF or XPRIV, if the seed is protected by the BIP39 passphrase it'll generate completely different seeds and the rest.

In BIP85, the seeds generated are unique and the child seed cannot reach the mother seed, so there is no problem if an attacker discovers your child seeds if your funds are in the mother seed (this is just an example), because with the child seeds they'll not be able to calculate up to the mother seed.

You can use this for plausible deniability, for example, generating a BIP39 seed, protecting it with Passphrase BIP39 and generating a new seed using this seed in BIP85, with this you can safely store your original seed, because even if an attacker physically accesses your original seed, he still needs to know the BIP39 Passphrase and in addition, he still needs to know which index you used to access the seed that contains your funds, and you can still protect this child seed with BIP39 Passphrase making it even more difficult for any attacker.

Realize that your security increases, but with great power comes great responsibilities, the risk also increases a lot:

• There is a high chance that you will make a mistake in the middle of the setup.
• Will you remember how to recover the funds if many years pass?

I think that an extended seed (seed + passphrase) would already meet your demand, because a wallet protected with BIP39 passphrase, even if the attacker physically accesses your seed, unless he doesn't know your BIP39 Passphrase, it will be useless for him to try anything.

Furthermore, as some mentioned, passphrases make it possible to create infinite wallets using a single seed.
Be careful, do your research before making any decision, because in bitcoin, one slip-up can cost you all your funds.

[LoyceV]

But it's very difficult to safeguard and safely manage multiple seeds.

Why? Writing down multiple seeds is a small effort to keep your funds safe.

I would like to be able to deterministically produce several bip39 standard mnemonic seeds from an initial one I can protect.

I wouldn't do this. It's probably possible, but too many things can go wrong. For starters: what device are you going to use to create "child" seeds from your "parent" seed? How are you going to keep that safe? How are you going to verify you can still reproduce the same "child" seeds? How are you going to remember which "child" seeds you used for which (exotic) wallet?

When I was having to many seed phrases, I was thinking about this. But the solution I went for at the time was that I created several passphrase from a single seed phrase. Presently I have just one of it which is a seed phrase with 3 strong passphrase which I backup separately in different places that people can not notice.

That means you'll enter your seed on multiple devices, which (by definition) increases the risk of exposing your seed.

[_act_]

That means you'll enter your seed on multiple devices, which (by definition) increases the risk of exposing your seed.

I have several seed phrase but I decided to use this for my online wallet when the seed phrase is getting too much for me. I have offline wallet that I used passphrase with also and I have muitisig which I have for different purposes but their seed phrase are not many unlike my online wallets. The purpose for the 3 wallets with the same seed phrase are for online reasons and I use it for small amount of money.

The passphrase is something like this @_++3$+sbsgsvsvsghsgshs$$((_-466-4;$$;3-_+32-$-dbdhsvshshjjdjdhshdhe+_+4+33-$-$;3-3&$-$;3;3;;3-nsbshdbrjsusbendkdudbebdbdhhddb$$7_63;$!38!;_+4!3++ which will be very difficult to brute force.

Anyone that will brute force the seed phrase would have spent more money that is far more than the coins on it.

Offline wallet seed phrases should be different from online wallet seed phrases.

[LoyceV]

The passphrase is something like this @_++3$+sbsgsvsvsghsgshs$$((_-466-4;$$;3-_+32-$-dbdhsvshshjjdjdhshdhe+_+4+33-$-$;3-3&$-$;3;3;;3-nsbshdbrjsusbendkdudbebdbdhhddb$$7_63;$!38!;_+4!3++ which will be very difficult to brute force.

This brings me to the next problem: the seed phrase is a human readable interpretation of a long random number. It's easy to write down, without a high risk of making mistakes.
Your password doesn't have that luxory. If you make a mistake, you're screwed.

[_act_]

The passphrase is something like this @_++3$+sbsgsvsvsghsgshs$$((_-466-4;$$;3-_+32-$-dbdhsvshshjjdjdhshdhe+_+4+33-$-$;3-3&$-$;3;3;;3-nsbshdbrjsusbendkdudbebdbdhhddb$$7_63;$!38!;_+4!3++ which will be very difficult to brute force.

This brings me to the next problem: the seed phrase is a human readable interpretation of a long random number. It's easy to write down, without a high risk of making mistakes.
Your password doesn't have that luxory. If you make a mistake, you're screwed.

That is true. But I have made no mistake yet. I will read more about BIP85. I have not read about it before and it can be a good solution and it is exactly what Saint-loup is looking for. Thanks for bringing my notice to some flaws about my backup.

[apogio]

The passphrase is something like this @_++3$+sbsgsvsvsghsgshs$$((_-466-4;$$;3-_+32-$-dbdhsvshshjjdjdhshdhe+_+4+33-$-$;3-3&$-$;3;3;;3-nsbshdbrjsusbendkdudbebdbdhhddb$$7_63;$!38!;_+4!3++ which will be very difficult to brute force.

Well, to be exact, it is not very difficult to brute-force, but it rather, it is infeasible to brute-force.

This passphrase will never be brute-forced. But, I make 2 assumptions here:
1. There are no uppercase characters.
2. There seem to be some patterns, but I guess they must be copy-pasted to showcase the length of the passphrase.

If the assumptions are true, then:

(a) You have 146 characters.
(b) Your dataset consists of LowerCase, Numbers and Symbols. Thus, your dataset includes 95 (total printable ASCII characters) - 26 (upper case letters) = 69.

Therefore, the complexity in bits is: ln(146^69)/ln(2) = 496.09 bits.


BIP85:

• BIP85 is easier to backup. You will only backup 12 words twice and then you will backup the "index number" for each wallet. The latter can be backed-up anywhere. It's just a number (eg. 107, or 9, or 999), so nobody can expect that this has anything to do with Bitcoin. So, you can just backup the words and you can derive all the wallets at indices 107, 9, 999 with the same words and a wallet that supports BIP85.
• It's not as secure as passphrases. The index numbers can go up to 10,000 so brute-forcing the wallets is super easy, if the attacker gains access to the words.

Passphrases:

• Passphrases are better if you want to make sure the the attacker who gains access to the words has no way to access your wallet.
• Passphrases are more difficult to backup. You absolutely need to backup the passphrase twice. Not once. So this leads to the need for more secure places to store your backups.

To conclude, if you are afraid that the seed words can be compromised, then use passphrases, making sure to backup the passphrases in separate locations.
If you think that your words are safe, then simply use BIP85 and use random index numbers from 1 to 10,000. Also add some sats to the wallet on index 0, so that the attacker may think that these are your only funds.

[LoyceV]

That is true. But I have made no mistake yet. I will read more about BIP85. I have not read about it before and it can be a good solution and it is exactly what Saint-loup is looking for. Thanks for bringing my notice to some flaws about my backup.

You could use words instead of a password, to prevent mistakes writing it down. I prefer to use different seeds though, it seems easier.

[satscraper]

Hello
For obvious privacy concerns, I would like to be able to use several wallets based on different seeds. But it's very difficult to safeguard and safely manage multiple seeds.
So I would like to be able to deterministically produce several bip39 standard mnemonic seeds from an initial one I can protect. But I don't want to be able to find back the initial seed in any way from one or several daughter seeds. And I don't want to be able to find any sister seed from one or several other ones.
What is the most convenient way to do that please?

Following BIP85 standard Passport 2 allows to generate up to 20 child-seeds from the single master SEED. Those master SEED can be stored in both way SeedQR format (either Compact SeedQR or SeedQR) and ordinary writable one.  Also, each of 20 child-seeds can be saved in both format. Initial master SEED can not be found back by using any number of those child-seeds.

[apogio]

You could use words instead of a password, to prevent mistakes writing it down. I prefer to use different seeds though, it seems easier.

Me too. It all depends on what you are most afraid of.
If you fear that the backup location is not very safe, then you can add a passphrase.
If you are sure that the location is safe, then there is no need to add a passphrase, since the backup can't be easily compromised in the first place.

[Saint-loup]

But it's very difficult to safeguard and safely manage multiple seeds.

Why? Writing down multiple seeds is a small effort to keep your funds safe.

It's not safe enough for me, a sheet of paper can be too easily burnt, torn, erased, lost, eaten... and even with a back-up hidden in another place it's not a convenient solution for me, since I can't go to this place whenever I want, especially within few hours when I need to add a new seed.

I would like to be able to deterministically produce several bip39 standard mnemonic seeds from an initial one I can protect.

I wouldn't do this. It's probably possible, but too many things can go wrong. For starters: what device are you going to use to create "child" seeds from your "parent" seed? How are you going to keep that safe? How are you going to verify you can still reproduce the same "child" seeds? How are you going to remember which "child" seeds you used for which (exotic) wallet?

I'm looking for a safe and convenient solution precisely, if I already knew one way to address all those matters you are referring to, I wouldn't open a topic for that purpose. But I don't think your first 2 questions are really difficult to overcome. At least, I'm less scared by that, than to lose my seeds because of an unexpected event. The 2 last ones, are more concerning actually.

[apogio]

It's not safe enough for me, a sheet of paper can be too easily burnt, torn, erased, lost, eaten... and even with a back-up hidden in another place it's not a convenient solution for me, since I can't go to this place whenever I want, especially within few hours when I need to add a new seed.

Ok, let's narrow down the solution list. Shall we?
Firstly, can you put in order your biggest fears / threats?

• Thief finding the backup and stealing the money.
• Backup being destroyed by some unexpected event (fire, flood etc).
• Locking yourself out of the wallet due to some technical error (example: not being able to re-create a multisig vault properly).
• Locking yourself out because you have lost / forgotten the backup of the wallet (or a piece of the backup).
• Losing funds because of a hack (brute-force, malware, keylogger etc).

Add any other threat you want.

[Saint-loup]

Ok, let's narrow down the solution list. Shall we?
Firstly, can you put in order your biggest fears / threats?

• Thief finding the backup and stealing the money.
• Backup being destroyed by some unexpected event (fire, flood etc).
• Locking yourself out of the wallet due to some technical error (example: not being able to re-create a multisig vault properly).
• Locking yourself out because you have lost / forgotten the backup of the wallet (or a piece of the backup).
• Losing funds because of a hack (brute-force, malware, keylogger etc).

Add any other threat you want.

To be honest, the 2nd and the 4th event are my biggest fear, and I think the most likely to happen to me, objectively. The first one(robbery) comes after them. And I would put the 2 last ones at the same rank, after those 3. Because if you think you are unable to cope with that, or too much afraid of that, for me it doesn't make sense to invest or at least, to hold critical amounts of funds in cryptocurrencies since it's an inherent risk to this asset.

[apogio]

To be honest, the 2nd and the 4th event are my biggest fear, and I think the most likely to happen to me, objectively. The first one(robbering) comes after them. And I would put the 2 last ones at the same rank, after those 3. Because if you think you are unable to cope with that, or too much afraid of that, for me it doesn't make sense to hold critical amounts of funds in cryptocurrencies.

So your biggest fears are

• Backup being destroyed by some unexpected event (fire, flood etc).
• Locking yourself out because you have lost / forgotten the backup of the wallet (or a piece of the backup).

Well in this occasion you are clearly looking for a multisig wallet.
The easiest way to go about it is:

1. Generate 2 wallets (A, B) with 12 words each. Generate them offline of course.
2. Create a dual backup for each wallet. So you will have the following backups: A, A, B, B.
3. Generate a multisig vault, offline. Set it up to be a 2-of-2 multisig where the cosigners are A and B. Create the vault in watch only mode, using the xpubs of A and B.
4. Send a small amount of funds to one of the addresses. Then try to send the amount of the wallet, signing offline with both the wallets. This will essentially test the wallet
5. Fund the wallet with your funds.
6. Save the backups A, A, B, B in 4 separate locations.
7. Check the locations once or twice a year, replacing the old paper with new ones.

So, now, you have eliminated both of your fears.

1. Its highly unlikely that the backups will be destroyed at the same time due to some flood or fire. In fact even if 2 of the 4 papers get destroyed you still have a chance to recover the wallet if the backups were not from the same wallet. Even if one of the backups gets destroyed you are perfectly fine.

2. You have great redundancy with this system. The wallet is safe because there is not a single point of failure. As I said, you can lose one of the backups. It's ok. You can even lose two and still have a chance to save the situation with a bit of luck.