In cryptocurrencies, a recovery seed, or seed for short, is a list of words in a specific order that stores all the information needed to recover a wallet. Keeping the recovery seed private and safe is key to the long-term safety of the user's cryptocurrency funds. Synonyms: recovery sentence, recovery phrase, mnemonic.
Recovery seed and Trezor
While using Trezor Wallet, Trezor Model T creates a wallet with 12 seed words and Trezor One generates a 24-word seed. Both models are compatible with public standards, and it is possible to recover your wallet with a 12-, 18- or 24-word seed on both devices. In terms of security, a 12-word recovery seed is safe enough (128 bits of entropy).
As mentioned above, it is imperative to store your recovery seed in a safe place. Without the recovery seed, it is impossible to restore your funds in case your Trezor device is lost, stolen, or destroyed.
In addition, anyone with access to your recovery seed can also access and steal all your funds. See Keep your recovery seed safe for some security tips.
Lost or compromised recovery seed
In case you cannot find your recovery seed or you feel that it might have been compromised, the article Emergency situations might be helpful.
See also our Security section.
Recovery seed and master binary seed creation
During Trezor device initialization, the "Create a new wallet" process creates a new wallet with a new recovery seed. This recovery seed consists of a certain number of English words (12, 18 or 24) from which the account private keys, all private keys, public keys, and addresses are mathematically derived. The recovery seed and master binary seed are created as follows.
First, a 256-bit random number is generated in the Trezor device on its microcontroller by the RNG (random number generator). This number consists of 256 zeros or ones, so the number of values it can take is 2 ^ 256. This equals approximately 10 ^ 77. For comparison, it is estimated that there are 10 ^ 78 to 10 ^ 82 atoms in the known universe.
See also How secure is 256-bit security?
A random number of the same length is then generated in the connected computer and sent to the Trezor device. The two numbers are then hashed together by the SHA-256 algorithm. The result, which is again 256 bits long, is the basis for the creation of the recovery seed; let's call it the initial entropy.
See also GitHub code
The implementation of a mnemonic code or mnemonic sentence (a group of easy-to-remember words) for deterministic wallets is described in BIP39, a Bitcoin Improvement Proposal. Before splitting the number (our initial entropy) into recovery seed words, we need to add a checksum. This checksum is created by hashing the initial entropy with the SHA-256 algorithm, taking the first 8 bits of this hash and appending them to the end of the initial entropy, so now we have a 264-bit number. A checksum is a way to let you know if you got the right sequence of numbers.
The 264-bit number is now divided into 24 numbers of 11 bits each. An 11-bit number is a number from 0 to 2047 in the decimal system. That's 24 numbers from 0-2047, e.g., 745, 15, 2012, etc.
These numbers are now mapped to the English words that are part of the standard (you can check the list here), and the recovery seed or mnemonic is created, e.g., fringe, achieve, window, etc.
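The steps above, from mixing the two random numbers to the 11-bit word indices and back, as an added Python example (not code from Trezor or from the BIP39 authors). It generalizes the 24-word case to 12 and 18 words using BIP39's rule of one checksum bit per 32 bits of entropy. The function names and the device-first concatenation order in mix_entropy are assumptions, since the page does not state the order.

```python
import hashlib
import secrets

def mix_entropy(device_rand: bytes, host_rand: bytes) -> bytes:
    """Hash the device and host random numbers into the 256-bit initial entropy.
    Assumption: inputs are concatenated device-first; the page gives no order."""
    return hashlib.sha256(device_rand + host_rand).digest()

def entropy_to_indices(entropy: bytes) -> list:
    """Append the SHA-256 checksum bits, then split into 11-bit word indices."""
    if len(entropy) not in (16, 24, 32):
        raise ValueError("entropy must be 128, 192 or 256 bits")
    cs_bits = len(entropy) * 8 // 32            # 8 checksum bits for 256-bit entropy
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    count = (len(entropy) * 8 + cs_bits) // 11  # 264 / 11 = 24 indices
    return [(value >> (11 * (count - 1 - i))) & 0x7FF for i in range(count)]

def indices_to_entropy(indices: list) -> bytes:
    """Reverse the split; reject the sequence if its checksum does not match."""
    if len(indices) not in (12, 18, 24):
        raise ValueError("expected 12, 18 or 24 word indices")
    if any(not 0 <= i <= 2047 for i in indices):
        raise ValueError("word index outside 0-2047")
    value = 0
    for i in indices:
        value = (value << 11) | i
    cs_bits = len(indices) * 11 // 33
    ent_bytes = (len(indices) * 11 - cs_bits) // 8
    entropy = (value >> cs_bits).to_bytes(ent_bytes, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    if value & ((1 << cs_bits) - 1) != expected:
        raise ValueError("checksum mismatch: wrong or misordered word")
    return entropy

if __name__ == "__main__":
    # Constructed sample: fresh random bytes stand in for the device and host RNGs.
    initial = mix_entropy(secrets.token_bytes(32), secrets.token_bytes(32))
    indices = entropy_to_indices(initial)
    print(len(indices), "indices, each in 0-2047:", indices)
    print("round trip ok:", indices_to_entropy(indices) == initial)
```

With 8 checksum bits, a 24-word sequence containing a random error still passes the check about once in 256 tries, so the checksum catches typing mistakes but is not an integrity guarantee.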
From recovery seed to master binary seed
A user may decide to protect the recovery seed with a Passphrase. If a passphrase is not present, an empty string "" is used instead. A mnemonic sentence is created by concatenating all recovery seed words without spaces.
To create a master binary seed from the recovery seed (which is then used in BIP32), the PBKDF2 function is used. The mnemonic sentence (in UTF-8 NFKD) is used as the password, and the string "mnemonic" + passphrase (again in UTF-8 NFKD) is used as the salt. The iteration count is set to 2048 and HMAC-SHA512 is used as the inner function. The length of the derived key is 512 bits. This derived key, or master binary seed, is then used to create all private keys, public keys, and addresses in your wallet using the BIP32 standard.