Encrypting your PIN with a microSD card

Encrypting your PIN using a microSD card provides extra protection against physical attacks on the Trezor Model T and Trezor Safe 5. When enabled, a randomly generated secret is stored on the microSD card.

When checking your PIN or using your PIN to unlock your Trezor, this secret is combined with the PIN to decrypt data stored on the device. Simply put, the device gets bound to the microSD card and cannot be unlocked without it until you intentionally disable the feature or factory reset your device.

If you need to perform a factory reset, please consult the relevant guide:

If you are concerned about physical attacks, you can remove the SD card whenever the device is not in use and keep the two in separate locations. One without the other is worthless to an attacker because the SD card secret is an entirely random value that carries no information about the seed or passphrase.

Activating and using SD protection

To enable this feature, you will need:

  • trezorctl version 0.11.6 or later
  • A FAT32-formatted microSD card

If the card is not properly formatted, Trezor will offer to erase and format the card for you.

There are three commands related to SD protection:

trezorctl device sd-protect on

trezorctl device sd-protect off

trezorctl device sd-protect refresh

The refresh command replaces the current SD card secret with a new one. This is useful if you inserted the SD card into a malware-infected computer and are worried that the secret stored on the card may have been compromised.

Connect your device and insert the microSD card into the card slot

The microSD card should be inserted with the pins facing you, on the left-hand side.

Using the command line to enable the SD protection

Use the command:

trezorctl device sd-protect on

Follow the on-screen instructions:

Congratulations! Your device is now bound to the secret on the microSD card. You will need to insert the card into the device to use your PIN.

The SD card is required to enable the feature, and then every time you wish to unlock the device.
