Shamir backup is a reliable security standard that addresses the two most common risks associated with protecting your wallet backup (recovery seed):
theft and
loss. The Trezor Model T was the first hardware wallet in the world to implement the fully functional
SLIP-0039 security standard,
Shamir Backup.
Overview
Your wallet backup is the key to your digital assets. Losing it can mean losing access to your crypto forever. To avoid such a disaster, Shamir backup lets you create multiple unique recovery shares to backup your private keys, specifying a set number (referred to as the threshold) needed to recover your wallet.
In a 2-of-3 Shamir backup scheme, you create three unique shares, any two of which can be combined to recover your wallet. If one share is lost or stolen, your wallet remains safe and accessible with the remaining shares.
Shamir backup comprises a few key steps:
- Generate: Decide on the number of shares and how many you need for recovery.
- Distribute: Share them among trusted friends and/or secure locations.
- Relax: Rest easy knowing your private keys are secured, safe from theft or destruction.
This security protocol is based on a cryptographic algorithm created by Adi Shamir, known as
Shamir's Secret Sharing.
Recovery shares
Recovery shares bear some similarities to the BIP39 recovery seed generated during the single backup process. A recovery share is a sequence of 20 or 33 English words carrying a part of the cryptographic secret. Combining the necessary number (threshold) of shares creates the master secret (seed) needed to recover a wallet.
Trezor Suite will automatically initiate a device with Shamir backup using 20-word shares (128-bit strength). It is also possible to initialize your Trezor with 33-word shares by using
trezorctl or
Electrum wallet.
When creating a wallet with Shamir Backup as implemented in Trezor, the user chooses the number of shares to be generated. The number of shares can range from 1 to a maximum of 16.
One complete Shamir Backup consisting of three recovery shares might look something like this:
gesture necklace academic acid deadline width armed render filter bundle failure priest injury endorse volume terminal lunch drift diploma rainbow
gesture necklace academic agency alpha ecology visitor raisin yelp says findings bulge rapids paper branch spelling cubic tactics formal disease
gesture necklace academic always disaster move yoga airline lunar provide desire safari very modern educate decision loyalty silver prune physics
Notice the first three words are the same in all three shares.
- The first and second words serve as identifiers. They are the same for every share to help you recognize that these shares belong to the same backup.
- The third word encodes the group index used in Super Shamir Backup schemes.
Never make digital copies of your recovery seed or recovery shares. Never upload them online!
Threshold
The threshold is the
predetermined number of shares necessary to recover a wallet. Any of the unique shares can be used to recover a wallet, as long as it fulfills the threshold requirement. The order of shares is not important.
When generating a new wallet, you set the threshold in accordance with your needs. If you create a Shamir backup consisting of three recovery shares and set the threshold to "2/3", you will need any two of the three shares to reconstruct the wallet.
You can also set the threshold to "3/3", which will then enable you to recover the wallet if all three shares are used. It is not possible to set the threshold to just one share.
Comparison with single backup
The table below provides a concise overview of the key differences between single and Shamir backup methods:
Feature |
Single Seed (BIP39) |
Shamir Backup (SLIP39) |
Word Length |
12, 18, or 24 words |
20 or 33 words |
Number of Shares |
1 (Single Seed) |
1 to 16 (Multiple Shares) |
Word List |
BIP-39 Word List |
Specific Shamir Word List |
Threshold for Recovery |
All words required (1/1) |
User-specified (e.g., 2/3, 3/5) |
Distribution Flexibility |
None (Single copy) |
Can distribute among trusted parties or locations |
Redundancy |
None |
Configurable (e.g., 2/3 allows 1 backup) |
Susceptibility to Loss/Theft |
Complete loss if seed is lost/stolen |
Loss tolerable up to threshold |
FAQs
How is Shamir backup different from single recovery seed backup?
- Shamir Backup lets you generate up to 16 recovery shares - sequences of 20 or 33 words.
- Single backup recovery seeds consist of 12, 18, or 24 words.
- Shamir Backup uses a different word list to the BIP-39 recovery seeds, i.e., some of the words used in Shamir backup recovery shares are never used in single seed backups and vice-versa.
What happens if some of the shares get lost or stolen?
Shamir Backup offers a significant advantage compared to the regular single recovery seed method. Individual shares do not leak any information about the shared secret, as long as the number of compromised shares does not reach the required threshold. For example: if you use a 7-of-10 scheme and 5 of your shares get compromised, the attacker has no chance to reconstruct your wallet and cause trouble.
What happens if I lose so many recovery shares that I can't meet the required threshold?
If you can’t meet the required threshold, your wallet will become unrecoverable. For example: if you use a 3-of-4 scheme, where 3 is the required threshold to recover the wallet, and you lose 2 or more of the recovery shares, your wallet will be unrecoverable.
Can I use a passphrase on a wallet created with Shamir backup?
Yes, but make sure to back up your passphrase offline as well. Don’t rely solely on your memory, as the passphrase is an integral part of the backup.