Shamir backup (available on the Trezor Model T) is a new security standard that counteracts the two greatest risks involved in protecting your recovery seed: theft and destruction.
The Trezor Model T was the first hardware wallet in the world to implement the fully functional SLIP-0039 security standard, Shamir Backup.
Read more on the Trezor Blog:
TABLE OF CONTENTS
- Recovery shares
- Recovery Mode
- Comparison with single backup
- How is Shamir backup different from single recovery seed backup?
- What happens if some of the shares get lost or stolen?
- How can I move my coins to a wallet using Shamir Backup?
- Is Shamir backup available for Trezor Model One?
- What happens if I lose so many recovery shares that I can't meet the required threshold?
- Can I use a passphrase on a wallet created with Shamir backup?
Your recovery seed is the key to your digital assets, and if you lose it then your crypto may be irretrievably lost. To avoid such a disaster, you can create multiple unique recovery shares to backup your private keys, and specify a set number (referred to as the threshold) of these unique shares that must be collected and used in order to recover your wallet. This is the basic principle underpinning Shamir backup.
Shamir backup comprises a few key steps:
- Generate: choose the number of shares you want to generate, and decide how many you want to use for recovery.
- Distribute: distribute those shares however you want, spread among trusted friends and/or secure locations.
- Relax: Sleep peacefully knowing that your private keys are secured by Shamir backup, safe from theft or destruction.
This security protocol is based on a cryptographic algorithm created by Adi Shamir, known as Shamir's Secret Sharing
Recovery shares bear some similarities to the BIP39 recovery seed generated during the single backup process. A recovery share is a sequence of 20 or 33 English words carrying a part of the cryptographic secret. Combining the necessary number (threshold) of shares creates the master secret (seed) needed to recover a wallet.
Trezor Suite will automatically initiate a device with Shamir backup using 20-word shares (128-bit strength). It is also possible to initialize the Trezor Model T with 33-word shares by using trezorctl or Electrum wallet.
When creating a wallet with Shamir Backup as implemented in Trezor, the user chooses the number of shares to be generated. The number of shares can range from 1 to a maximum of 16.
One complete Shamir Backup consisting of three recovery shares might look something like this:
gesture necklace academic acid deadline width armed render filter bundle failure priest injury endorse volume terminal lunch drift diploma rainbow
gesture necklace academic agency alpha ecology visitor raisin yelp says findings bulge rapids paper branch spelling cubic tactics formal disease
gesture necklace academic always disaster move yoga airline lunar provide desire safari very modern educate decision loyalty silver prune physics
Notice the first three words are the same in all three shares.
- The first and second words serve as identifiers. They are the same for every share to help you recognize that these shares belong to the same backup.
- The third word encodes the group index used in Super Shamir Backup schemes.
Never make digital copies of your recovery seed or recovery shares. Never upload it online!
The threshold is the predetermined number of shares necessary to recover a wallet. Any of the unique shares can be used to recover a wallet, as long as it fulfills the threshold requirement. The order of shares is not important.
When generating a new wallet, you set the threshold in accordance with your needs. If you create a Shamir backup consisting of three recovery shares and set the threshold to "2/3", you will need any two of the three shares to reconstruct the wallet.
You can also set the threshold to "3/3", which will then enable you to recover the wallet if all three shares are used. It is not possible to set the threshold to just one share.
Recovery mode is a persistent state the device enters once the user initiates the recovery process.
When in recovery mode, the device remembers at which point of the recovery process it was it if the user unplugs their Trezor. Once the recovery mode is initiated, user can disconnect their device, move to collect the shares and complete the recovery process when the device is reconnected to any source of power (e.g., power bank, electric socket, phone).
When the first share is entered, the user can disconnect their device, move geographically, and continue entering the second share once the device is connected the next time. If the user disconnects the device while entering a 12-word classic recovery seed, the device resets the recovery process.
Comparison with single backup
The table below provides a concise overview of the key differences between single and Shamir backup methods:
||A single recovery seed
||Up to 16 recovery shares
||12, 18 or 24 word recovery seed
||20 or 33 words per share
||Easy to manage
||Choose your threshold
||Indepdendent control of recovery seed
||Administrative control of master seed
||Autonomous control of assets
||Autonomous control of assets
||Secure offline backup of private keys
||Secure offline backup of private keys
||Eliminated risk of loss or theft
We also recommend watching the following video, where we explain Shamir Backup and how to use it with your Trezor Model T:
How is Shamir backup different from single recovery seed backup?
Shamir Backup lets you generate up to 16 recovery shares - sequences of 20 or 33 words.
Single backup recovery seeds consist of 12, 18, or 24 words.
Shamir Backup uses a different word list to the BIP-39 recovery seeds, i.e., some of the words used in Shamir backup recovery shares are never used in single seed backups and vice-versa.
Shamir Backup offers a significant advantage compared to the regular single recovery seed method. Individual shares do not leak any information about the shared secret, as long as the number of compromised shares does not reach the required threshold.
What happens if some of the shares get lost or stolen?
For example: if you use a 7-of-10 scheme and 5 of your shares get compromised, the attacker has no chance to reconstruct your wallet and cause trouble.
At this moment, there is no way to "transform" your original recovery seed to a wallet using Shamir Backup without creating a new wallet.
How can I move my coins to a wallet using Shamir Backup?
This means that you will have to move your balances by sending valid transactions. Ultimately, the length and difficulty of this process depends on your own preferences and available options.
See "Moving funds to a wallet with a newly generated seed" for step-by-step instructions.
No, Shamir backup is currently only available on the Trezor Model T (introduced in Firmware v2.1.3)
Is Shamir backup available for Trezor Model One?
If you can’t meet the required threshold, your wallet will become unrecoverable. For example: if you use a 3-of-4 scheme, where 3 is the required threshold to recover the wallet, and you lose 2 or more of the recovery shares, your wallet will be unrecoverable.
What happens if I lose so many recovery shares that I can't meet the required threshold?
Yes. Passphrase protection can be used to further enhanced the security of your wallet.
Can I use a passphrase on a wallet created with Shamir backup?