Shamir backup is a reliable security standard that addresses the two most common risks associated with protecting your recovery seed: theft and loss.
The Trezor Model T was the first hardware wallet in the world to implement the fully functional SLIP-0039 security standard, Shamir Backup.
Read more on the Trezor Blog:
TABLE OF CONTENTS
- Recovery shares
- Recovery Mode
- Comparison with single backup
- How is Shamir backup different from single recovery seed backup?
- What happens if some of the shares get lost or stolen?
- How can I move my coins to a wallet using Shamir Backup?
- Is Shamir backup available for Trezor Model One?
- What happens if I lose so many recovery shares that I can't meet the required threshold?
- Can I use a passphrase on a wallet created with Shamir backup?
Your recovery seed is the key to your digital assets. Losing it can mean losing access to your crypto forever.
To avoid such a disaster, Shamir backup lets you create multiple unique recovery shares to backup your private keys, specifying a set number (referred to as the threshold) needed to recover your wallet.
In a 2-of-3 Shamir backup scheme, you create three unique shares, any two of which can be combined to recover your wallet. If one share is lost or stolen, your wallet remains safe and accessible with the remaining shares.
Shamir backup comprises a few key steps:
- Generate: Decide on the number of shares and how many you need for recovery.
- Distribute: Share them among trusted friends and/or secure locations.
- Relax: Rest easy knowing your private keys are secured, safe from theft or destruction.
This security protocol is based on a cryptographic algorithm created by Adi Shamir, known as Shamir's Secret Sharing
Recovery shares bear some similarities to the BIP39 recovery seed generated during the single backup process. A recovery share is a sequence of 20 or 33 English words carrying a part of the cryptographic secret. Combining the necessary number (threshold) of shares creates the master secret (seed) needed to recover a wallet.
Trezor Suite will automatically initiate a device with Shamir backup using 20-word shares (128-bit strength). It is also possible to initialize the Trezor Model T with 33-word shares by using trezorctl or Electrum wallet.
When creating a wallet with Shamir Backup as implemented in Trezor, the user chooses the number of shares to be generated. The number of shares can range from 1 to a maximum of 16.
One complete Shamir Backup consisting of three recovery shares might look something like this:
gesture necklace academic acid deadline width armed render filter bundle failure priest injury endorse volume terminal lunch drift diploma rainbow
gesture necklace academic agency alpha ecology visitor raisin yelp says findings bulge rapids paper branch spelling cubic tactics formal disease
gesture necklace academic always disaster move yoga airline lunar provide desire safari very modern educate decision loyalty silver prune physics
Notice the first three words are the same in all three shares.
- The first and second words serve as identifiers. They are the same for every share to help you recognize that these shares belong to the same backup.
- The third word encodes the group index used in Super Shamir Backup schemes.
Never make digital copies of your recovery seed or recovery shares. Never upload it online!
The threshold is the predetermined number of shares necessary to recover a wallet. Any of the unique shares can be used to recover a wallet, as long as it fulfills the threshold requirement. The order of shares is not important.
When generating a new wallet, you set the threshold in accordance with your needs. If you create a Shamir backup consisting of three recovery shares and set the threshold to "2/3", you will need any two of the three shares to reconstruct the wallet.
You can also set the threshold to "3/3", which will then enable you to recover the wallet if all three shares are used. It is not possible to set the threshold to just one share.
Recovery mode is a persistent state the device enters once the user initiates the recovery process.
When in recovery mode, the device remembers at which point of the recovery process it was it if the user unplugs their Trezor. Once the recovery mode is initiated, user can disconnect their device, move to collect the shares and complete the recovery process when the device is reconnected to any source of power (e.g., power bank, electric socket, phone).
When the first share is entered, the user can disconnect their device, move geographically, and continue entering the second share once the device is connected the next time. If the user disconnects the device while entering a 12-word classic recovery seed, the device resets the recovery process.
Comparison with single backup
The table below provides a concise overview of the key differences between single and Shamir backup methods:
||Single Seed (BIP39)
||Shamir Backup Seed
||12, 18, or 24 words
||20 or 33 words
|Number of Shares
||1 (Single Seed)
||1 to 16 (Multiple Shares)
||BIP-39 Word List
||Specific Shamir Word List
|Threshold for Recovery
||All words required (1/1)
||User-specified (e.g., 2/3, 3/5)
||None (Single copy)
||Can distribute among trusted parties or locations
||Configurable (e.g., 2/3 allows 1 backup)
|Susceptibility to Loss/Theft
||Complete loss if seed is lost/stolen
||Loss tolerable up to threshold
We also recommend watching the following video, where we explain Shamir Backup and how to use it with your Trezor Model T:
How is Shamir backup different from single recovery seed backup?
- Shamir Backup lets you generate up to 16 recovery shares - sequences of 20 or 33 words.
- Single backup recovery seeds consist of 12, 18, or 24 words.
- Shamir Backup uses a different word list to the BIP-39 recovery seeds, i.e., some of the words used in Shamir backup recovery shares are never used in single seed backups and vice-versa.
Shamir Backup offers a significant advantage compared to the regular single recovery seed method. Individual shares do not leak any information about the shared secret, as long as the number of compromised shares does not reach the required threshold.
What happens if some of the shares get lost or stolen?
For example: if you use a 7-of-10 scheme and 5 of your shares get compromised, the attacker has no chance to reconstruct your wallet and cause trouble.
At this moment, there is no way to "transform" your original recovery seed to a wallet using Shamir Backup without creating a new wallet.
How can I move my coins to a wallet using Shamir Backup?
This means that you will have to move your balances by sending valid transactions. Ultimately, the length and difficulty of this process depends on your own preferences and available options.
See "Moving funds to a wallet with a newly generated seed" for step-by-step instructions.
No, Shamir backup is currently only available on the Trezor Model T (introduced in Firmware v2.1.3)
Is Shamir backup available for Trezor Model One?
If you can’t meet the required threshold, your wallet will become unrecoverable. For example: if you use a 3-of-4 scheme, where 3 is the required threshold to recover the wallet, and you lose 2 or more of the recovery shares, your wallet will be unrecoverable.
What happens if I lose so many recovery shares that I can't meet the required threshold?
If your Trezor is still set up, all is not lost. Move your coins to a new wallet ASAP.
Yes, but make sure to back up your passphrase offline as well. Don’t rely solely on your memory, as the passphrase is an integral part of the backup.
Can I use a passphrase on a wallet created with Shamir backup?