Are there people using Shamir backups

[Somegory]

Just like the saying that "No knowledge is Lost" is the reason why I feel like I should know about this, when I got my airgapped hardware wallet two days ago I chose to use the 12 recovery seed and everything is up and active since then, but what I could not get off my mind is something called shamir backup



I did proceeded but to say the truth I don't know what I am looking at.

There are lessons that I have learned from, that some things are better left alone especially when you don't know what you are looking at or when you have no single clue about them..

Numbers of shares and Threshold? I have no single clue, so I chose to bring it up here, please tell me what this is and what type of extra security that this does, also what type of people need this the most.

[BattleDog]

Shamir backup is basically splitting your seed into pieces, then require a minimum number of pieces to rebuild it. So if you pick 5 shares with a threshold of 3, you can lose up to 2 shares and still recover, but a thief would need to steal 3 of them before they can do anything. It's not multisig and it doesn't change your wallet on-chain, it's just a fancier way of storing the same secret.

People use it when they want redundancy across locations or some light "steal one paper and you get nothing" protection.

The tradeoff is complexity: most losses I've seen over the years came from people getting cute with backups and then not being able to reconstruct them under stress. If you do try it, do a full recovery test once (on a fresh device, with no cameras around) and consider something boring like 2-of-3 with each share stored separately...... otherwise a well-protected standard seed (and maybe a passphrase if you understand it) is honestly fine for most folks.

Cheers

[Charles-Tim]

I know how Shamir was even before it was modified to be words, they were characters before, when after it was modified to be words, I still did not see any reason to use it as I prefer with seed phrase and passphrase, or multisig wallet if 2 or more people are involved. If I can use these, why alternatives.

[hd49728]

Just like the saying that "No knowledge is Lost" is the reason why I feel like I should know about this, when I got my airgapped hardware wallet two days ago I chose to use the 12 recovery seed and everything is up and active since then, but what I could not get off my mind is something called shamir backup

You can read about wallet backup guide.

How to back up a seed phrase?
There are many backup methods and the Generic Shamir's Secret Sharing is one of them but this method has its pitfalls too.
Shamir's Secret Sharing shortcomings

Seed splitting need to be avoided as your backup method too.
Bitcoin Q&A: Why is Seed Splitting a Bad Idea?

[melinoe]

You basically put your seed in shares, each one would be on a card, and if you have at least 2 out of 3, you are good to go and get access to your wallet.

[Ucy]

Looks similar to a multi signature setup, but unlike multisig where 5 people(5 shares, in the case of your device) control 5 different secret keys, your device 5 shamir shares are made of 5 different keys (with each Share having one different key) and all Shares controlled by one person (you) which maybe distributed or shared to different people to keep for you.. A minimum of 3 of the 5 share are needed to access your assets.

*While "Threshold" is probably the length of key in each Share

[hosemary]

You basically put your seed in shares, each one would be on a card, and if you have at least 2 out of 3, you are good to go and get access to your wallet.

Your shamir backup doesn't have to be 2 of 3.
You can choose any number from 1 to 16 for the number of shares and any number from 1 to total shares for threshold.

*While "Threshold" is probably the length/number of keys in each Share or bunch

Threshold is the number of shares that will be required for generating the wallet.

[Cricktor]

What I like about Shamir Secret Shares:

• As long as you have shares below the threshold number, the shares don't reveal anything about the encoded secret. So if you distribute shares over locations and someone finds or peeks at one or few (below threshold) shares, nothing is compromised.
• You can afford to loose shares for whatever reason as long as you have the threshold number of unique shares intact which allows successful recovery.

What I don't like about Shamir Secret Shares:

• It adds complexity.
• Only very few wallets support it.
• It's to my knowledge not really standardized. Yes, I know about SLIP-39, primarily supported by Trezor (Electrum can import, but not create it). I'm certainly missing other wallets that may support it.
• It's way less common than BIP-39.

[Antona]

Good instinct to ask, think of it like a treasure map torn into pieces, you decide how many pieces (shares) and how many are needed to read the map (threshold) it adds complexity but protects against a single point of failure useful if you have a lot of value to protect and trusted family-locations to split shares with. For most of us it's overkill and adds more things to manage safely.

[SquirrelJulietGarden]

Good instinct to ask, think of it like a treasure map torn into pieces, you decide how many pieces (shares) and how many are needed to read the map (threshold) it adds complexity but protects against a single point of failure useful if you have a lot of value to protect and trusted family-locations to split shares with. For most of us it's overkill and adds more things to manage safely.

Adding more complexity into the wallet backup process and wallet recovery later means adding more risk factors for wallet recovery. In his helpful blog post, Jameson Lopp warned about seed backup threat model.

With whatever backup method you use, Shamir or not, if it is too complex and if you can not restore your wallet in the future, you fail and you lose your bitcoin.

We already know why we are creating seed backups - to protect against loss of whatever devices (if any) we are storing the keys on for regular use. But what do we need to worry about protecting the backups themselves against?

Loss due to destruction
Loss due to complexity / not being able to restore from backup
Loss to an attacker

[Kruw]

• It's to my knowledge not really standardized. Yes, I know about SLIP-39, primarily supported by Trezor (Electrum can import, but not create it). I'm certainly missing other wallets that may support it.

Wasabi Wallet supports SLIP39 and it will become the default seed type in the next release - https://github.com/WalletWasabi/WalletWasabi/pull/14209

[Furball808]

Shamir backup is basically splitting your seed into pieces, then require a minimum number of pieces to rebuild it. So if you pick 5 shares with a threshold of 3, you can lose up to 2 shares and still recover, but a thief would need to steal 3 of them before they can do anything. It's not multisig and it doesn't change your wallet on-chain, it's just a fancier way of storing the same secret.

People use it when they want redundancy across locations or some light "steal one paper and you get nothing" protection.

The tradeoff is complexity: most losses I've seen over the years came from people getting cute with backups and then not being able to reconstruct them under stress. If you do try it, do a full recovery test once (on a fresh device, with no cameras around) and consider something boring like 2-of-3 with each share stored separately...... otherwise a well-protected standard seed (and maybe a passphrase if you understand it) is honestly fine for most folks.

Cheers

First time hearing of this shamir backup but it seems like others have discussed about this before. Here are some threads about shamir backups.

Shamir backup sounds dumb to me
Single vs Shamir vs Multisig, which is easiest to hack statistically?

I have lost myself reading these threads and basically what I have concluded is that multisig is still the best method for security. Some even say they see no point in using shamir backups if you’re keeping it yourself. I have seen others say that with shamir backups they distribute the shares to trusted people. Most I’ve seen discourage the use of this though. Here’s an article about its shortcomings

[SquirrelJulietGarden]

First time hearing of this shamir backup but it seems like others have discussed about this before. Here are some threads about shamir backups.

Shamir backup sounds dumb to me
Single vs Shamir vs Multisig, which is easiest to hack statistically?

I have lost myself reading these threads and basically what I have concluded is that multisig is still the best method for security. Some even say they see no point in using shamir backups if you’re keeping it yourself. I have seen others say that with shamir backups they distribute the shares to trusted people. Most I’ve seen discourage the use of this though. Here’s an article about its shortcomings

If it is your first time hearing and knowing about Shamir backup method, and you still don't understand about it after reading some documents, you can simply ignore this wallet backup method until a time you fully understand about Shamir backup and are able to use it properly.

The purpose of wallet backups is to have it for your wallet recovery later, that is vital for safety of your bitcoins. It's the ultimate goal of wallet backups and if you can not recover your wallets from backups, can not access your bitcoins, what you did before are actually non sense and even harmful.

The best wallet backup method is the one you master well enough from how to make backups and how to use backups for recovery.

[FinneysTrueVision]

Keystone uses the same SLIP 39 standard that was created by Satoshi Labs, the company that makes Trezor. With SLIP 39 you can have a single share, although from your screenshot, it looks like Keystone requires a minimum of 2 shares for some reason. By now it is already supported by the most popular Bitcoin wallets Electrum, Sparrow, Wasabi and Blue Wallet. Compatibility isn’t much of a concern anymore for anyone worried they might not be able to recover their funds easily if their hardware wallet stops working.

[dkbit98]

Plenty of people use Shamir backup as alternative for multisig setup.
In fact all new Trezor hardware wallets are using Slip39 setup that is just a different name for Shamir Secret Sharing.
Keystone and Trezor SLIP39 is compatible, and I am sure more wallets will adopt this backup in future.
Electrum and Sparrow wallet also support importing SLIP39 shares but cannot sign transactions.

[hosemary]

Electrum and Sparrow wallet also support importing SLIP39 shares but cannot sign transactions.

Electrum cannot sign transactions?
After importing the required shares of a SLIP39 seed, electrum will generate the wallet and the wallet file will contain the master private key. I don't understand why electrum shouldn't be able to sign transactions.

Am I missing something here?