How to backup multiple seeds derived from one: BIP-85

[Forsyth Jones]

I'm impressed by how little content there is related to BIP-85, which is one of the most interesting features ever implemented in the Bitcoin code and which makes life easier for those who maintain multiple seeds due to having to create seeds for each occasion or device.

Many people use more than one recovery seed for different purposes or on different wallets, making the backup process laborious and tedious, doing some research on Google, I found this reddit article and so far it is the best explanation about BIP-85. I used it as a basis to write this post and added more technical details.

BIP39 mnemonics carry an incredible amount of information: a hex seed that generates the BIP32 root key (xpriv), from which you can generate infinite addresses for each derivation path, and if you add a passphrase, you can generate new BIP32 extended keys, child keys, etc. BIP-85 is simply a function that mathematically derives in a deterministically way new values ​​such as mnemonics, extended keys, WIF keys (and even passwords) from your seed, acting as a parent seed or master seed. Derived seeds are unique and have no relation to each other; you cannot use a child seed to calculate another seed derived from the parent seed, nor can they be traced back to the value of the parent seed. You can use the parent seed to recreate any derived seed.

Just as your recovery seed always generates the same keys and addresses for a wallet, with BIP85, your seed will always generate the same child seeds using an index number. I should also mention that it is impossible for anyone with a child seed and its index number to calculate the parent seed that generated it. The derived seed cannot be reverse engineered to determine the parent seed. If one or more seeds are compromised, the parent seed will still be safe.

With the deterministic entropy generated by BIP85 from your parent seed, you can create a variety of seeds to set up virtually any type of wallet or for friends and family by assigning an index to each of them, remembering that each index generates a different child seed. Since the calculations involved are repeatable (deterministic), you only need to backup the parent seed and remember the index number, and whenever you want, you can use the parent seed to derive the child seed by specifying the index number of the child seed.

How will BIP85 help you make the most of your wallet?

You can use your current recovery seed or create a new one if you prefer, but don't use it as your wallet. Instead, use that seed as a parent seed with a BIP85 index number to generate child seeds.

For example, you can assign an index like "0" to use as your desktop wallet, you can use index "1" to use as your mobile wallet, and so on. You have saved 2 seeds in one (parent seed).

Combining BIP85 + Passphrase

It's extremely important that you have come this far and fully understand how the passphrase and BIP85 work, otherwise you run the risk of doing something you may regret! This is where we start to add more complexity by bringing more security.

When adding a passphrase, the derived child seeds will be completely different due to the use of the passphrase, so if you are going to use a passphrase, you must save the parent seed, passphrase and the index number, otherwise you will not be able to derive the seeds derived by the original seed + passphrase.

Combining BIP85 by deriving a new child seed adds an extra layer of security with the passphrase, the generated child seeds will be fully protected by the passphrase. You can think of this as a second factor of authentication, so even if your parent seed is compromised, since your child seeds are protected by the passphrase, these child seeds will only be accessible if you have the combination: parent seed + passphrase + index number used.

In short...

Child seeds derived from the parent seed without passphrase = Anyone who has your parent seed has access to all child seeds derived from the parent seed through their index numbers. All the attacker can do is try to guess your child seed with a balance by trial and error or by using a computer to brute force it.

Child seeds derived from the parent seed with passphrase = Your parent seed, even if compromised, anyone who has your parent seed but not the passphrase, DOES NOT have access to the child seeds derived from your seed through BIP85 in conjunction with the passphrase, because to generate the same child seeds, both the parent seed + passphrase are needed and there is also the index number, in case the user used a completely random index number.

Disadvantages...

Unfortunately, despite being an incredible feature, it's present in few wallets, even in most hardware wallets it's not present, but you can use the iancoleman script and similar ones to run it offline and generate your child seeds.

It's very complex for beginners, so at least in my opinion, i do not encourage its use if you are a complete beginner, because despite the practicality and extra security provided, it can bring a big headache if you don't have enough knowledge and are not aware of the risks.

Some wallets that I am aware of that support BIP-85:

• Coldcard
• Passport batch 2
• Bitbox02
• JADE Blockstream
• SeedSigner DIY
• Krux
• Specter DIY
• Airgap

There are more wallets that have such support, but i didn't mention them here for these reasons: i don't recommend them and/or I've never used them.

Have you ever used the BIP85? Do you think it adds any practicality to your setup?

Below i leave all the links I have gathered that address the subject.


https://github.com/bitcoin/bips/blob/master/bip-0085.mediawiki

https://bip85.com/

https://www.reddit.com/r/Bitcoin/comments/1bawk6a/tutorial_using_bip85_to_back_up_your_seeds/

https://bitcointalk.org/index.php?topic=5493685.msg64107683#msg64107683

https://airgapit.medium.com/secure-mnemonic-management-with-bip85-9af386159657

https://jirijakes.com/text/bip85/

https://www.reddit.com/r/BitcoinBeginners/comments/11sk6k6/help_me_better_understand_bip85/

https://guides.bitcoinsupport.com/guides/v/coldcard/more-features/bip-85-wallets

[satscraper]

Have you ever used the BIP85? Do you think it adds any practicality to your setup?

I use the child SEED (generated from the master SEED on my Passport 2 which follows BIP 85 path) to feed my Tangem 2 wallet and find this to be very easy-to-handle as it eliminates the need for extra backup. The child SEED I use can be always restored from the master SEED ( backed up in the way described here) using either Passport2  or even iancoleman tool kept by airgapped Tails.

Besides, Passport 2 has a strong entropy source ( Avalanche diode), thus I trust both master and child Seeds as nothing else.

[Felicity_Tide]

I must say that you've done a great job in your explanation, though I only understood to some extent. When trying to grasp/understand certain things that are related to Bitcoin, I always appreciate some kind of visual/graphical explanation, because it has really helped me in learning so many things. Aside that, here are my questions.

Derived seeds are unique and have no relation to each other; you cannot use a child seed to calculate another seed derived from the parent seed, nor can they be traced back to the value of the parent seed. You can use the parent seed to recreate any derived seed.

The derived seed cannot be reverse engineered to determine the parent seed. If one or more seeds are compromised, the parent seed will still be safe.

With the deterministic entropy generated by BIP85 from your parent seed, you can create a variety of seeds to set up virtually any type of wallet or for friends and family by assigning an index to each of them, remembering that each index generates a different child seed.

Child seeds derived from the parent seed with passphrase = Your parent seed, even if compromised, anyone who has your parent seed but not the passphrase, DOES NOT have access to the child seeds derived from your seed through BIP85 in conjunction with the passphrase,

But, in as much as much as the parent seed happens to be very important, derived/child seeds exposure is a big risk to once wallet?.

I guess the second quoted text has answered my intial question already, so do you advice that passphrase should be used alongside the derived child seeds?.

You can use your current recovery seed or create a new one if you prefer, but don't use it as your wallet. Instead, use that seed as a parent seed with a BIP85 index number to generate child seeds.

I assume the current recovery seeds is used to recover the parent seed?,
And what if someone misplaces the current recovery seeds, how is the person going to go about making changes? and what will be the fate of those child seeds that has been generated?.

When adding a passphrase, the derived child seeds will be completely different due to the use of the passphrase, so if you are going to use a passphrase, you must save the parent seed, passphrase and the index number, otherwise you will not be able to derive the seeds derived by the original seed + passphrase

Original seed same as parent seeds right?.

It's very complex for beginners, so at least in my opinion, i do not encourage its use if you are a complete beginner, because despite the practicality and extra security provided, it can bring a big headache if you don't have enough knowledge and are not aware of the risks.

I think I am interested in learning more about it, even though I won't be making use of the knowledge in real life practice anytime soon.

[Forsyth Jones]

I guess the second quoted text has answered my intial question already, so do you advice that passphrase should be used alongside the derived child seeds?.

Just as i recommend using passphrases, it's ideal to generate child seeds using a passphrase, remembering that you can use a passphrase in the child seed as well, so you will have 2 passphrases in this case. However, for many people, this is a lot to maintain and the risk of losing one of the two can be high.

Or you can generate a child seed without a passphrase and use a passphrase in the child seed.

I assume the current recovery seeds is used to recover the parent seed?,
And what if someone misplaces the current recovery seeds, how is the person going to go about making changes? and what will be the fate of those child seeds that has been generated?.

If you lose your current recovery seed that is used as the parent seed, as long as you still have access to the child seed generated by it somewhere physically or on a device saved as a wallet, you will still have access to the funds in this child seed wallet.

Or you can use this child seed as a new parent seed to generate new child seeds, remembering that child seeds are common seeds like any other, there is no differentiation cryptographically speaking.

Original seed same as parent seeds right?.

Yes.

[Meuserna]

Moving this BIP85 conversation here, from another thread...

...
Instead of saving your seed phrase in a secure element, Krux lets you encrypt it (AES-CBC, PBKDF2 Iterations: 100,000 or more) using as strong of a decryption key as you want, and Krux can save the encrypted seed on a micro SD card (I don't) or as an encrypted QR code (yes!).  However you save it, you'll need your decryption key to decrypt it.
...

I find Krux's purpose interesting. I wonder if it's possible to decrypt the encrypted file or QR code of your seed outside of Krux? That is, via the command line, because the algorithm used is AES-CBC, which is already built into Linux...

Yup!  On the Krux github, they've posted a script for doing it, or I'm sure you could just write one (or edit theirs to suit your needs if you have something you're working on).  Krux doesn't use anything proprietary.  It's all open source.

And if you use BIP85, you can use the text from child seed phrases as passphrases or decryption keys, which means it's all deterministic and recoverable if lost.

Are you referring to using the BIP-85 child seeds generated by passphrase and using them as a second or third layer of additional protection? If not, I don't understand...

Yes, I'm referring to BIP85.

Let's say this is your parent seed and passphrase:

SEED: catalog outer turn nerve immense labor mail jungle session secret crime buffalo

PASSPHRASE: live monkey mask future portion powder

You could use that as a wallet, of course.  But let's say you use it as a parent seed instead, to generate child seeds to use for all kinds of things.

For example, using the above parent seed and passphrase, here's a pair of child seeds:

BIP85 index #2001

24 word seed phrase:
gallery ill gaze palm medal zero depart negative rent monkey life sugar arch trophy brisk eternal decorate milk author skate rigid south soup foam

12 word seed phrase:
spell hockey enroll runway blast avoid expect pyramid unusual goddess blind rapid

Why not use the 24 word seed phrase as the seed for a wallet, and use the text from the 12 word child seed as the passphrase for the wallet?

That's a 24 word seed phrase with a 12 word passphrase.  Uncrackable.  And both parts are backed up by a master key, which is the parent seed & passphrase.

And let's say you want to create an encrypted disk image, to secure some personal stuff, or some work documents.  Use a child seed from your parent seed as a decryption key:

BIP85 index #80201:

above lamp soldier ignore eternal recall amused debate vacuum front renew village

If you ever lose that passphrase / decryption key, you can get it back by using BIP85 with your parent seed & passphrase.

Obviously, this makes securing your parent seed and passphrase very important, but that goes without saying for any seed.

I think BIP85 is a mostly overlooked gem.  It's easy to look at it and think "Ooh, deterministic seeds.  Nice!"  But a seed phrase is also text, which means it can be used for much more than just a seed phrase.

Here's another example:  Let's say you have a device that, for whatever reason, only allows numbers to be used as a password.

No problem.  Here's BIP85 index #5050 for that parent, as a standard Seed QR (the words are represented as numbers instead of plaintext).

023913300541072314561984200001340339188405101019

Using a parent seed with BIP85 gives you a master backup for anything you could ever need a seed phrase or a strong passphrase for.

And, of course, everything needs to be documented for future reference so you'll know why you set everything up the way you did, and so you'll know how to get it all back if anything goes wrong, or if you just want to confirm something ("Did I make a mistake here?  Both 'act' and 'actor' work to form the same checksum.  Am I sure the correct word is 'act'?"  Go back to your parent to confirm it by regenerating the child with the same index number.  ("Yup.  It's just 'act'.  Good to know").

I especially like this for inheritance, because it creates a way for someone else, who gets the documentation, to rebuild everything manually in case anything goes wrong.  "Here's the seed.  Here's the passphrase.  And if there's a problem, here's a more complicated way to prove the seed and the passphrase are correct."

P.S.  Hopefully I didn't make any errors in my examples here.  I just quickly rattled this off to further explain it.  In real world use, when generating BIP85 child seeds, I like to doublecheck my work by using different devices that use different libraries.  I tend to use Krux and a Blockstream Jade, or SeedSigner and a Jade, to doublecheck.  I'm also a huge fan of testnet.

[Meuserna]

Because that last reply was from another thread...  if anyone is interested, here's a quick recap / overview:

I. LOVE. BIP85.

I first heard about BIP85 a few years ago.  As soon as I started testing it, it felt like a giant lightbulb lit up.  It was like "Ah HA!  This is incredible!!!"

Most people think of BIP85 as using a parent seed to generate child seeds.

Let's say you do multisig.  You take a parent seed & generate 3 child seeds to use as the keys for your multisig.  If you ever lose a key, you can get it back, using your parent seed with BIP85.

For example:

Parent Seed:
summer scorpion segment news talk coil gate lemon tray skin camera galaxy

Child Seed, index 1:
heavy sign taste chaos calm ill athlete manual drip custom cactus clutch

Child Seed, index 2:
silver enough champion vacant wrist range chicken often possible laundry light turkey

Child Seed, index 3:
admit enhance thunder inner unknown tattoo dance broom street main legend zero

That's awesome.  If you lose a key, you can always get it back by using your parent seed.

But I realized BIP85 can be used for so much more than that.

Because seed phrases are text - they're just words with a space between each word - you can use child seed phrases as passphrases or decryption-key text for anything.

Want to create an encrypted disk image with an uncrackable pecryption key?  Use the text from a 12 word child seed phrase:

Parent Seed:
summer scorpion segment news talk coil gate lemon tray skin camera galaxy

Child Seed, index 43533:
float random upgrade rebuild addict alarm become ability vessel grape chapter elbow

Maybe you don't want to use all 12 words for a passphrase?  Just use the first 6, or the first 8, or whatever.  Just make sure sure sure you document your work, so you'll always know how you set it up and why you set it up that way.  Well, the why isn't necessary, but I like reminding myself why I set something up the way I did, for future reference.

Let's put it in context for use with a hardware wallet:

I use Krux.

Krux is free and open source firmware that runs on K210 devices, such as the Yahbook K210 visual module ($40 ish), or the WonderVM ($60 ish).  Both of those are devices with a camera, 2 inch touchscreen, and no wifi or bluetooth.  This makes them perfect for using as an airgapped hardware wallet.

Krux does BIP85, which makes generating child seeds easy.  And did I mention airgapped?

Anything you could ever want a strong passphrase for...  even if it has nothing to do with Bitcoin: use Krux to generate a QR for a child seed (choose "plaintext" to get the seed phrase as text, rather than as a seed QR, which is a more compact QR using numbers to represent the words).

Krux & BIP85 are a very powerful and surprisingly versatile combo.

[Forsyth Jones]

Yup!  On the Krux github, they've posted a script for doing it, or I'm sure you could just write one (or edit theirs to suit your needs if you have something you're working on).  Krux doesn't use anything proprietary.  It's all open source.

That's good to know.

And let's say you want to create an encrypted disk image, to secure some personal stuff, or some work documents.  Use a child seed from your parent seed as a decryption key:

Using a child seed as a passphrase can be a good strategy, but BIP-85 allows deriving passwords with Base64 encoding... e.g: AwMJYOqM+ibwWt/s4BCcH.

However, most wallets that have implemented BIP-85 support only allow deriving child seeds, but BIP-85 also allows deriving WIFs, HEX, xpriv, and BIP-85 Passwords...

You can explore the features of BIP-85 Passwords here: https://bitcoiner.guide/seed/

Warning: Keep in mind that this is an online site, although it's open-source, and you can review what it does, unless you use it for your tests and playground, you should not use what this site generates as your seed or passwords!

What you can do is download the html file to use in an offline environment for greater security.

The only tool other than this that supports BIP-85 Passwords is Coldcard (MK4 or Q).

The site provided, as well as the encryption resources available through it, are safe as long as they are used in an offline environment, preferably with air-gapped for generating seeds, child seeds and BIP-85 passwords... preferably, use an existing seed, as the entropy generated by browsers' javascript is questionable, that is, it isn't good enough.

[satscraper]

The only tool other than this that supports BIP-85 Passwords is Coldcard (MK4 or Q).

If I got it right what is meant here is the ability of device to generate the child seed from master SEED extended by passphrase, If this correct then Passport batch 2 also supports BIP-85 Passwords ^{being the owner of this device I say this for certain}. I utilize this feature to generate ^{on passport 2}the child SEED for my Tangem 2 which is used by me for on-the-go activity.

[Meuserna]

And let's say you want to create an encrypted disk image, to secure some personal stuff, or some work documents.  Use a child seed from your parent seed as a decryption key:

Using a child seed as a passphrase can be a good strategy, but BIP-85 allows deriving passwords with Base64 encoding... e.g: AwMJYOqM+ibwWt/s4BCcH.

Yeah, I don't go anywhere near that.  No way.

I know it's deterministic, and that's great, but I prefer using the text from 12 word child seeds as passphrases instead.

Imagine trying to write this down, by hand:
AwMJYOqM+ibwWt/s4BCcH

Now, imagine writing this:
core private bacon derive phone soon baby gun main local bench you

I love the simplicity of 12 words as easily readable text.

However, most wallets that have implemented BIP-85 support only allow deriving child seeds, but BIP-85 also allows deriving WIFs, HEX, xpriv, and BIP-85 Passwords...

Good to know!  I wasn't aware of that.  Still, I'm going to stick with words, with a space between each word. as text.  It's so easy and foolproof.  But it's great to know what other options exist.  Maybe I'll find a use for them someday.  Even if I don't, I love learning about all of this stuff.

The only tool other than this that supports BIP-85 Passwords is Coldcard (MK4 or Q).

Krux supports BIP85 Base64 passwords too, but I don't use that feature.  I only use BIP85 Mnemonics.

To be honest, I'm not convinced BIP85 Base64 passwords are a good idea.  The point of BIP39 (the use of words to represent the numbers that generate xpub/xprv master keys) is to eliminate the errors that come with trying to write down meaningless strings of text.  I say "meaningless" in the sense that this "305564451dba399e84433f865068547f" isn't meaningful to the eye, compared to "core private bacon" etc.  One has characters that are easy to screw up.  The other is made up of text where each word is meaningful, thus greatly reducing user error, and also making me wish I had some bacon.  MMMmmm...

The use of words, instead of numbers or strings, reduces user error in many ways.  I feel like BIP85 Base64 passwords re-creates the problem BIP39 was created to solve.  That's my take, anyway.

[JayJuanGee]

The only tool other than this that supports BIP-85 Passwords is Coldcard (MK4 or Q).

If I got it right what is meant here is the ability of device  to generate the child seed from master SEED extended by passphrase, If this correct then  Passport batch 2  also supports BIP-85 Passwords ^{being the owner of this device I say this for certain}. I utilize this feature to generate ^{on passport 2} the child SEED for my Tangem 2 which is  used by me for on-the-go activity.

If I go to the bitcoinhole website and I filter based on deterministic entropy (BIP-85) (on the top left and in the private keys portion), the site shows HW wallets supporting BIP85 to be: Jade, Jade Plus, Coldcard Mk4, Coldcard Q, Passport Batch 2, Passport Prime (not yet released), Bitbox02, SeedSigner, Specter DIY and Krux.

[Forsyth Jones]

If I got it right what is meant here is the ability of device  to generate the child seed from master SEED extended by passphrase, If this correct then  Passport batch 2  also supports BIP-85 Passwords ^{being the owner of this device I say this for certain}. I utilize this feature to generate ^{on passport 2} the child SEED for my Tangem 2 which is  used by me for on-the-go activity.

I thought only coldcard and seed.tools supported BIP-85 passwords, so Passport2 also has this feature? That’s great to know! I couldn’t find anything about them announcing support for this feature.

I know it's deterministic, and that's great, but I prefer using the text from 12 word child seeds as passphrases instead.

Imagine trying to write this down, by hand:
AwMJYOqM+ibwWt/s4BCcH

Now, imagine writing this:
core private bacon derive phone soon baby gun main local bench you

I love the simplicity of 12 words as easily readable text.

However, there are services that will require you to register your passwords with specific criteria: lowercase and uppercase letters, special characters, and so on... In that case, what do you do? I use KeepassXC or Keepass2 to manage that for me.

If I go to the bitcoinhole website and I filter based on deterministic entropy (BIP-85) (on the top left and in the private keys portion), the site shows HW wallets supporting BIP85 to be: Jade, Jade Plus, Coldcard Mk4, Coldcard Q, Passport Batch 2, Passport Prime (not yet released), Bitbox02, SeedSigner, Specter DIY and Krux.

All of these support BIP-85 for generating child seeds, but not for BIP-85 passwords like this set: KE2F23IB4STme9Xdx+5in.



However, as satscraper and Meuserna mentioned, it seems that both Krux and Passport2 also provide support for BIP-85 passwd.

If I got it right what is meant here is the ability of device  to generate the child seed from master SEED extended by passphrase, If this correct then  Passport batch 2  also supports BIP-85 Passwords ^{being the owner of this device I say this for certain}. I utilize this feature to generate ^{on passport 2} the child SEED for my Tangem 2 which is  used by me for on-the-go activity.

Krux supports BIP85 Base64 passwords too, but I don't use that feature.  I only use BIP85 Mnemonics.

[Meuserna]

I know it's deterministic, and that's great, but I prefer using the text from 12 word child seeds as passphrases instead.

Imagine trying to write this down, by hand:
AwMJYOqM+ibwWt/s4BCcH

Now, imagine writing this:
core private bacon derive phone soon baby gun main local bench you

I love the simplicity of 12 words as easily readable text.

However, there are services that will require you to register your passwords with specific criteria: lowercase and uppercase letters, special characters, and so on... In that case, what do you do? I use KeepassXC or Keepass2 to manage that for me.

You're absolutely right, that's a valid use for it.

I just fear that some folks will use it as a passphrase to secure their Bitcoin, and have it lead to disaster in the future.

They're either not going to back up their passphrase at all, or they'll make a mistake while writing it down, because writing down AwMJYOqM+ibwWt/s4BCcH opens up too many possibilities for errors.

But, sadly, most folks aren't going to realize they can use BIP85 child seeds as passphrases, because they're so stuck on the idea that it's a seed.  Yeah, it's a seed, but it's also just text.  Use it for any purpose.

The beauty of using BIP85 child seeds as plaintext passphrases is that if you also use a hardware wallet that generates QR codes, you can easily generate & scan your passphrase.

I use Krux for this.  In fact, I use 2 Krux hardware wallets.

Krux A: Load the parent seed.  Generate a 24 word child seed.

Krux B: Load the parent seed.  Generate a 12 word child seed & display it as a plaintext QR.

Krux A: "Add a passphrase."  Scan the QR on Krux B.


There's a SeedSigner fork that adds passphrase QR and display QR of a plaintext mnemonic (among other features), but I don't own 2 SeedSigners, so I haven't tried it yet.  I tested it with one SeedSigner & a Krux.  It's great.

That workflow goes like this:

SeedSigner: Load parent seed.  Generate a 24 word child seed.  Go back to the parent seed and generate a 12 word child seed.

Krux: Scan the 24 word child seed QR from SeedSigner.  Add a passphrase by scanning the 12 word child seed as a plaintext QR on the SeedSigner.

[arabspaceship123]

The names in the list support BIP 85 but I noticed Electrum wasn't so I looked at their github. I don't know if it's rated higher in security but the devs probably decided BIP 85 wasn't needed or won't benefit Electrum. They're fine with the mnemonic way to recover wallets from seeds.

[Forsyth Jones]

This BIP-85 will be very complex for a beginner like us, as I am even looking at what you wrote I’m confuse for real. But I will learn more about this.

Use only when you are confident that you have learned it, you can test BIP-85 on the iancoleman website and understand the whole key generation scheme.

It's a tool recommended for offline use, but it works online too. Use the online version only for playground and exploring the utilities in it (like BIP-85). Never enter sensitive information on any online site, your computer may have spyware. You never know.

[arabspaceship123]

You're making altcoin posts you aren't using the forum for Development & Technical Discussion posts. If you're limit in cryptos broadens to trading you won't have to worry about BIP 85. As a beginner there's sizable study if you want to learn about BIPs it isn't easy.

This BIP-85 will be very complex for a beginner like us, as I am even looking at what you wrote I’m confuse for real. But I will learn more about this.