
Seedless Setup

Device setup methods


A seed phrase is a 12-, 18- or 24-word phrase that acts as a backup to your Trezor hardware wallet.

A seed phrase backup is generated whenever a key on your Trezor device is created. If the device itself is either lost or damaged, the seed phrase can be used to restore the private keys on a new device.


For individual end users, it makes sense that we offer a way to back up the master recovery seed (from which all child private/public key pairs are generated). However, we realize that for business purposes, key backup may be undesirable. Therefore, we have implemented a second way to initialize and set up a Trezor device.
 

Seedless setup

Seedless mode only works in a multisig setup



If a Trezor is initialized in the so-called "seedless" mode, the device generates the master seed as expected, using entropy from its internal RNG XOR-ed with entropy from the host device. However, instead of offering to create a backup in the form of a recovery seed, the device permanently shows the label "SEEDLESS". This ensures that the user knows for certain which device is backed up and which is not.


Seedless devices are intended for business use cases. One is multisig, which allows safe extraction of the funds if one device is lost or damaged. The other is enterprise-level development, where key management is done by other software in the company's infrastructure, allowing for key rotation upon device loss. These enterprise-level applications do not necessarily need to be related to cryptocurrencies; they can be developed for the company's own custom use, with Trezor acting as the authenticator or authorizer. As there is a central authority (the company), key rotation is possible.
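The loss-tolerance argument above can be checked per wallet before seedless devices are deployed. The following audit is an added example, not Trezor code: `Cosigner`, `WALLETS` and the function names are hypothetical, the fleet inventory is constructed, and it assumes a backed-up device can always be restored from its recovery seed, so only lost seedless devices reduce the number of usable keys.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

@dataclass(frozen=True)
class Cosigner:
    name: str        # constructed device label
    seedless: bool   # True: no recovery seed exists, a lost key is gone for good

def smallest_fatal_loss(threshold: int, cosigners: list) -> Optional[tuple]:
    """Return the smallest set of lost devices that leaves fewer than
    `threshold` usable keys, or None if no loss scenario locks the funds.

    Assumption: backed-up devices are always restorable from their seed,
    so only lost seedless devices reduce the usable key count.
    """
    if not 1 <= threshold <= len(cosigners):
        raise ValueError("threshold must be between 1 and the number of cosigners")
    for k in range(1, len(cosigners) + 1):       # smallest loss sets first
        for lost in combinations(cosigners, k):
            usable = len(cosigners) - sum(c.seedless for c in lost)
            if usable < threshold:
                return tuple(c.name for c in lost)
    return None

def audit(wallets: dict) -> dict:
    """Classify each m-of-n wallet by how it tolerates device loss."""
    report = {}
    for name, (threshold, cosigners) in wallets.items():
        fatal = smallest_fatal_loss(threshold, cosigners)
        if fatal is None:
            report[name] = "ok: every loss scenario is recoverable"
        elif len(fatal) == 1:
            report[name] = f"FAIL: losing {fatal[0]} alone locks the funds"
        else:
            report[name] = f"ok: survives any {len(fatal) - 1} lost device(s)"
    return report

# Constructed sample inventory: wallet name -> (threshold m, cosigner devices)
WALLETS = {
    "treasury-2of3": (2, [Cosigner("cfo", True), Cosigner("ceo", True), Cosigner("vault", True)]),
    "ops-3of3": (3, [Cosigner("a", True), Cosigner("b", False), Cosigner("c", False)]),
    "solo-1of1": (1, [Cosigner("kiosk", True)]),
    "mixed-2of3": (2, [Cosigner("x", True), Cosigner("y", False), Cosigner("z", False)]),
}

if __name__ == "__main__":
    for wallet, verdict in audit(WALLETS).items():
        print(f"{wallet}: {verdict}")
```

The two failing wallets show why a seedless device needs spare quorum: an n-of-n policy or a single-signature wallet has no other key to fall back on once the seedless device is gone.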

 

Devices set up in seedless mode cannot access the Trezor Suite interface. This is to avoid catastrophic coin loss in case an inappropriately set-up device is used for the wrong purpose.


Normal setup

Of course, Trezor also enables businesses to use the standard, backed-up initialization method. (In this case, the seed is also generated from two sources of entropy, as in seedless mode.) If the normal initialization method is chosen, it is highly advised to educate employees and administrators well beforehand about the most important security precautions for handling a recovery seed. The recovery seed is ultimately a master key: if it is compromised, the attacker can bypass the hardware device.


On the other hand, with the advent of Trezor's seed-splitting mechanism, Shamir backup, this normal setup procedure should become attractive for enterprise use as well, as it will be possible to cryptographically divide a master key into multiple pieces.