User manual:SD card protection

From Trezor Wiki
Jump to: navigation, search
Trezor Wiki/User/User manual/ SD card protection

SD protection provides extra protection against physical attacks on the Trezor Model T. When it is enabled, a randomly generated secret is stored on the microSD card that you can insert into your Trezor Model T.

During every PIN checking and unlocking operation this secret is combined with the entered PIN value to decrypt data stored on the device. Simply put, the device gets bound to the SD card and cannot be unlocked without it until you intentionally disable the feature or factory-reset your Trezor.

If you are concerned about physical attacks, you can remove the SD card whenever the device is not in use and keep the two in separate locations. One without the other is worthless to an attacker, because the SD card secret is an entirely random value which carries no information about the seed or passphrase.

Activating and using the SD protection[edit]

To enable this feature you will need trezorctl version 0.11.6 or later and a FAT32 formatted microSD card.

NoteIf the card is not properly formatted, then Trezor will offer to erase and format the card for you.

There are three commands related to SD protect:

trezorctl device sd-protect enable

trezorctl device sd-protect disable

trezorctl device sd-protect refresh

The refresh command replaces the current SD card secret with a new one. This is useful if you inserted the SD card into a malware-infected computer and are worried that the secret stored on the card may have been compromised.

1. Connect your device and insert the MicroSD card into the card slot[edit]

2. Use the Trezor command-line interface to enable the SD protection[edit]

Use the command trezorctl device sd-protect enable

Congratulations! Your device is now bound to the secret on the microSD card. You will need insert the card into the device to use your PIN.

Like Trezor? Get one here!