Shamir Backup is a method of splitting the seed into multiple unique shares. To recover the wallet, a specified number of shares has to be collected and used. The feature got its name from Adi Shamir, the author of Shamir's Secret Sharing algorithm.
- 1 Important terms
- 1.1 Recovery share
- 1.2 Threshold
- 1.3 Recovery Mode
- 1.4 FAQ
- 1.4.1 How is Shamir Backup different from the single recovery seed backup?
- 1.4.2 How can I move my coins to a wallet using Shamir Backup?
- 1.4.3 What happens if some of the shares get lost or stolen?
- 1.4.4 Can I use a passphrase on a wallet created with Shamir Backup?
- 1.4.5 Is this available for Trezor One?
Create a wallet with Shamir Backup
A step-by-step tutorial for creating a new wallet with Shamir Backup
Recover a wallet with Shamir Backup
A step-by-step tutorial for recovering a wallet with Shamir Backup
Recovery shares bear some similarities to the BIP39 recovery seed generated during the single backup process. A recovery share is a sequence of 20 or 33 English words carrying a part of the cryptographic secret. Combining the necessary number of shares creates the master secret (seed) needed to recover a wallet.
When creating a wallet with Shamir Backup as implemented in Trezor, the user chooses the number of shares to be generated.The number of shares can range from 2 to a maximum of 16.
One complete Shamir Backup consisting of three recovery shares might look something like this:
gesture necklace academic acid deadline width armed render filter bundle failure priest injury endorse volume terminal lunch drift diploma rainbow
gesture necklace academic agency alpha ecology visitor raisin yelp says findings bulge rapids paper branch spelling cubic tactics formal disease
gesture necklace academic always disaster move yoga airline lunar provide desire safari very modern educate decision loyalty silver prune physics
Notice the first three words are the same in all three shares. The first and second words serve as identifiers. In other words, they are the same for every share to help you recognize that these shares belong to the same backup. The third word encodes the group index, which is not yet implemented in the currently available version of Shamir Backup.
The threshold is the predetermined number of shares necessary to recover a wallet. Any of the unique shares can be used to recover a wallet, as long as it fulfills the threshold requirement. The order of shares is not important.
When generating a new wallet, you set the threshold in accordance with your needs. If you create a Shamir backup consisting of three recovery shares and set the threshold to "2/3", you will need any two of the three shares to reconstruct the wallet.
You can also set the threshold to "3/3", which will then enable you to recover the wallet if all three shares are used. It is not possible to set the threshold to just one share.
Recovery mode is a persistent state the device enters once the user initiates the recovery process.
When in recovery mode, the device remembers at which point of the recovery process it was it if the user unplugs their Trezor. Once the recovery mode is initiated, user can disconnect their device, move to collect the shares and complete the recovery process when the device is reconnected to any source of power (e.g., power bank, electric socket, phone).
When the first share is entered, the user can disconnect their device, move geographically, and continue entering the second share once the device is connected the next time.
How is Shamir Backup different from the single recovery seed backup?
- Shamir Backup lets you generate up to 16 recovery shares - sequences of 20 or 33 words. Single backup recovery seeds consist of 12, 18, or 24 words.
- Shamir Backup uses a different wordlist than BIP-39 recovery seeds. In other words, some of the words used in Shamir backup recovery shares are never used in single seed backups and vice-versa.
How can I move my coins to a wallet using Shamir Backup?
At this moment, there is no way to "transform" your original recovery seed to a wallet using Shamir Backup without creating a new wallet.
This means that you will have to move your balances by sending valid transactions. Ultimately, the length and difficulty of this process depends on your own preferences and available options.
See "Moving funds to a wallet with a newly generated_seed" for step-by-step instructions.
- From a practical standpoint:
Losing one or more shares can present some practical issues within the context of your threshold setting. If you generated a wallet with just two shares, losing one is as fatal as losing your only copy of the classic recovery seed. This is because the minimum allowed threshold setting is two shares.
If you lose one share of your 3-of-5 scheme, you can still use any three of the other four available - it does not affect the usability of your backup.
- From the security standpoint:
Shamir Backup offers a significant advantage compared to the single recovery seed. Individual shares do not leak any information about the shared secret, as long the number of compromised shares does not reach the required threshold. In other words, if you use a 7-of-10 scheme and 5 of your shares get compromised, the attacker has no chance to reconstruct your wallet and cause trouble.
Even if the attacker lacks only one share to reach the necessary threshold (e.g., 2 compromised shares in a 3-of-5 scheme), your backup is safe because the attacker would still need to attempt to guess the last share about 2^128 times, which is not computationally feasible.
Can I use a passphrase on a wallet created with Shamir Backup?
Sure. Passphrase protection can be used to further enhance the security of your wallet.
Is this available for Trezor One?
Shamir Backup is currently implemented and available to use only with Trezor Model T.