In cryptocurrencies, a recovery seed, or seed for short, is a list of words in a specific order which stores all the information needed to recover a wallet. Keeping the recovery seed private and safe is key to the long-term safety of the user's cryptocurrency funds.
Synonyms: recovery sentence, recovery phrase, mnemonic.
Recovery seed and Trezor
While using Trezor Wallet, Trezor Model T creates a wallet with 12 seed words and Trezor One generates a 24-word seed. Both models are compatible with public standards, and it is possible to recover your wallet with a 12-, 18- or 24-word seed on both devices. In terms of security, a 12-word recovery seed is safe enough (128 bits of entropy).
As mentioned above, it is imperative to store your recovery seed in a safe place. Without the recovery seed, it is impossible to restore your funds in case your Trezor device is lost, stolen, or destroyed.
In addition, anyone with access to your recovery seed can also access and steal all your funds. See Keep your recovery seed safe for some security tips.
Lost or compromised recovery seed
In case you cannot find your recovery seed or you feel that it might have been compromised, the article Emergency situations might be helpful.
See also our Security section.
Recovery seed and master binary seed creation
During Trezor device initialization, the "Create a new wallet" process creates a new wallet with a new recovery seed. This recovery seed consists of a certain number of English words (12, 18 or 24) from which the account private keys, all private keys, public keys, and addresses are mathematically derived. The recovery seed and master binary seed are created as follows.
First, a 256-bit random number is generated in the Trezor device, on its microcontroller, by the RNG (Random Number Generator). This number consists of 256 zeros or ones, so it can take 2 ^ 256 possible values (256 bits of entropy, or randomness). This equals approximately 10 ^ 77. For comparison, it is estimated that there are 10 ^ 78 to 10 ^ 82 atoms in the known universe.
See also How secure is 256-bit security?
A random number of the same length is then generated in the connected computer and sent to the Trezor device. These two numbers are then hashed together by the SHA-256 algorithm. The result, which is again 256 bits long, is the basis for the creation of the recovery seed; let's call it the initial entropy.
See also GitHub code
The implementation of a mnemonic code or mnemonic sentence (a group of easy-to-remember words) for deterministic wallets is described in BIP39, a Bitcoin Improvement Proposal. Before splitting the number (our initial entropy) into recovery seed words, we need to add a checksum. This checksum is created by hashing the initial entropy with the SHA-256 algorithm, taking the first 8 bits of this hash and appending them to the end of the initial entropy, so now we have a 264-bit number. A checksum is a way to let you know if you got the right sequence of numbers.
The 264-bit number is now divided into 24 numbers, each of which has 11 bits. An 11-bit number is a number from 0 to 2047 in the decimal system. That's 24 numbers from 0-2047, e.g., 745, 15, 2012, etc.
Each of these numbers is now assigned to an English word from the word list that is part of the standard (you can check the list here), and the recovery seed, or mnemonic, is created, e.g., fringe, achieve, window, etc.
From recovery seed to master binary seed
A user may decide to protect the recovery seed with a Passphrase. If a passphrase is not present, an empty string "" is used instead. A mnemonic sentence is created by concatenating all recovery seed words without spaces.
To create a master binary seed from the recovery seed (which is then used in BIP32), the PBKDF2 function is used. The mnemonic sentence (in UTF-8 NFKD) is used as the password, and the string "mnemonic" + passphrase (again in UTF-8 NFKD) is used as the salt. The iteration count is set to 2048 and HMAC-SHA512 is used as the inner function. The length of the derived key is 512 bits. This derived key, or master binary seed, is then used to create all private keys, public keys, and addresses in your wallet using the BIP32 standard.
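The checksum and 11-bit split from the previous section and the PBKDF2 step described here, as a runnable sketch. This is an added example, not Trezor's firmware code: the function names are hypothetical, the 2048-word list is left out so the output is word-list indices, and the sentence handed to PBKDF2 is space-separated as in the BIP39 specification.

```python
import hashlib
import unicodedata

def entropy_to_indices(entropy):
    """Append the BIP39 checksum to the initial entropy, split into 11-bit indices."""
    if len(entropy) not in (16, 24, 32):            # 12-, 18- or 24-word seeds
        raise ValueError("entropy must be 128, 192 or 256 bits")
    cs_bits = len(entropy) * 8 // 32                # 8 checksum bits for 256-bit entropy
    first_byte = hashlib.sha256(entropy).digest()[0]
    # entropy || first cs_bits bits of SHA-256(entropy): 264 bits for a 24-word seed
    value = (int.from_bytes(entropy, "big") << cs_bits) | (first_byte >> (8 - cs_bits))
    n_words = (len(entropy) * 8 + cs_bits) // 11
    return [(value >> (11 * (n_words - 1 - k))) & 0x7FF for k in range(n_words)]

def indices_to_entropy(indices):
    """Rebuild the entropy from word indices; reject a sequence whose checksum is wrong."""
    if len(indices) not in (12, 18, 24) or any(not 0 <= i <= 2047 for i in indices):
        raise ValueError("expected 12, 18 or 24 indices in 0..2047")
    value = 0
    for i in indices:
        value = (value << 11) | i
    cs_bits = len(indices) // 3
    entropy = (value >> cs_bits).to_bytes(len(indices) * 4 // 3, "big")
    if entropy_to_indices(entropy) != list(indices):
        raise ValueError("checksum mismatch: wrong word or wrong order")
    return entropy

def mnemonic_to_seed(mnemonic, passphrase=""):
    """PBKDF2-HMAC-SHA512, 2048 iterations, 512-bit output (the master binary seed)."""
    def nfkd(s):
        return unicodedata.normalize("NFKD", s).encode("utf-8")
    # Assumption from the BIP39 spec: words in `mnemonic` are separated by single spaces.
    salt = nfkd("mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", nfkd(mnemonic), salt, 2048, dklen=64)

if __name__ == "__main__":
    # Constructed sample input: all-zero entropy and the matching 12-word sentence.
    idx = entropy_to_indices(bytes(32))
    print(idx)                                      # 24 indices in 0..2047
    print(indices_to_entropy(idx).hex())            # round-trips to the entropy
    print(mnemonic_to_seed("abandon " * 11 + "about", "TREZOR").hex())
```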
Why do Trezor One and Trezor Model T generate recovery seeds of different lengths?
This difference comes down to the level of security in the process of recovering the seed. Trezor One produces a 24-word recovery seed because of the established method of writing your recovery seed in your browser while recovering the wallet.
To mitigate any risks of the seed being compromised by malicious key-logging software, the Trezor One device instructs the user to enter the individual words in random order - instead of entering all words in sequence from the first word to the last one. Computing a valid seed out of 24 random seed words is almost impossibly difficult (i.e., this never happens).
To add more strength (randomness) when recovering a 12-word seed on Trezor One, 12 dummy words are introduced by the device and mixed into the pool with the real words. The user inputs the real words mixed with the fake ones, all randomly shuffled, and the device itself sorts them out.
The recovery process using Trezor Model T is limited to the "on-device" input, meaning that the words never touch a potentially compromised environment and always stay safe as you type them in using the touchscreen. In this case, 12 words are sufficient. The 128-bit entropy (randomness) provided by 12 words is widely considered to be plenty secure.
If you wish to achieve the same level of security using Trezor One, take a look at Advanced recovery, which allows you to limit the seed input to the device and never let the seed words touch the browser interface.