All articles
What is Shamir backup?
The Trezor Model T was the first hardware wallet in the world to implement the fully functional SLIP-0039 security standard, Shamir Backup.
Read more on the Trezor Blog:
- "Shamir backup - A Better Way to Secure Your Keys"
- "Protecting your Bitcoin inheritance with Shamir backup"
- "Shamir Backup: A New Security Standard"
TABLE OF CONTENTS
- Overview
- Recovery shares
- Threshold
- Recovery Mode
- Comparison with single backup
- FAQs
- How is Shamir backup different from single recovery seed backup?
- What happens if some of the shares get lost or stolen?
- How can I move my coins to a wallet using Shamir Backup?
- Is Shamir backup available for Trezor Model One?
- What happens if I lose so many recovery shares that I can't meet the required threshold?
- Can I use a passphrase on a wallet created with Shamir backup?
Overview
Your recovery seed is the key to your digital assets. Losing it can mean losing access to your crypto forever.
To avoid such a disaster, Shamir backup lets you create multiple unique recovery shares to backup your private keys, specifying a set number (referred to as the threshold) needed to recover your wallet.
In a 2-of-3 Shamir backup scheme, you create three unique shares, any two of which can be combined to recover your wallet. If one share is lost or stolen, your wallet remains safe and accessible with the remaining shares.
Shamir backup comprises a few key steps:
- Generate: Decide on the number of shares and how many you need for recovery.
- Distribute: Share them among trusted friends and/or secure locations.
- Relax: Rest easy knowing your private keys are secured, safe from theft or destruction.
This security protocol is based on a cryptographic algorithm created by Adi Shamir, known as Shamir's Secret Sharing.
Recovery shares
Recovery shares bear some similarities to the BIP39 recovery seed generated during the single backup process. A recovery share is a sequence of 20 or 33 English words carrying a part of the cryptographic secret. Combining the necessary number (threshold) of shares creates the master secret (seed) needed to recover a wallet.Trezor Suite will automatically initiate a device with Shamir backup using 20-word shares (128-bit strength). It is also possible to initialize the Trezor Model T with 33-word shares by using trezorctl or Electrum wallet.
When creating a wallet with Shamir Backup as implemented in Trezor, the user chooses the number of shares to be generated. The number of shares can range from 1 to a maximum of 16.
One complete Shamir Backup consisting of three recovery shares might look something like this:
gesture necklace academic acid deadline width armed render filter bundle failure priest injury endorse volume terminal lunch drift diploma rainbow
gesture necklace academic agency alpha ecology visitor raisin yelp says findings bulge rapids paper branch spelling cubic tactics formal disease
gesture necklace academic always disaster move yoga airline lunar provide desire safari very modern educate decision loyalty silver prune physics
gesture necklace academic agency alpha ecology visitor raisin yelp says findings bulge rapids paper branch spelling cubic tactics formal disease
gesture necklace academic always disaster move yoga airline lunar provide desire safari very modern educate decision loyalty silver prune physics
Notice the first three words are the same in all three shares.
- The first and second words serve as identifiers. They are the same for every share to help you recognize that these shares belong to the same backup.
- The third word encodes the group index used in Super Shamir Backup schemes.
Never make digital copies of your recovery seed or recovery shares. Never upload it online!
Threshold
The threshold is the predetermined number of shares necessary to recover a wallet. Any of the unique shares can be used to recover a wallet, as long as it fulfills the threshold requirement. The order of shares is not important.When generating a new wallet, you set the threshold in accordance with your needs. If you create a Shamir backup consisting of three recovery shares and set the threshold to "2/3", you will need any two of the three shares to reconstruct the wallet.
You can also set the threshold to "3/3", which will then enable you to recover the wallet if all three shares are used. It is not possible to set the threshold to just one share.
Recovery Mode
Recovery mode is a persistent state the device enters once the user initiates the recovery process.
When in recovery mode, the device remembers at which point of the recovery process it was it if the user unplugs their Trezor. Once the recovery mode is initiated, user can disconnect their device, move to collect the shares and complete the recovery process when the device is reconnected to any source of power (e.g., power bank, electric socket, phone).
When the first share is entered, the user can disconnect their device, move geographically, and continue entering the second share once the device is connected the next time. If the user disconnects the device while entering a 12-word classic recovery seed, the device resets the recovery process.
Comparison with single backup
The table below provides a concise overview of the key differences between single and Shamir backup methods:| Feature | Single Seed (BIP39) | Shamir Backup Seed |
|---|---|---|
| Word Length | 12, 18, or 24 words | 20 or 33 words |
| Number of Shares | 1 (Single Seed) | 1 to 16 (Multiple Shares) |
| Word List | BIP-39 Word List | Specific Shamir Word List |
| Threshold for Recovery | All words required (1/1) | User-specified (e.g., 2/3, 3/5) |
| Distribution Flexibility | None (Single copy) | Can distribute among trusted parties or locations |
| Redundancy | None | Configurable (e.g., 2/3 allows 1 backup) |
| Susceptibility to Loss/Theft | Complete loss if seed is lost/stolen | Loss tolerable up to threshold |
We also recommend watching the following video, where we explain Shamir Backup and how to use it with your Trezor Model T:
FAQs
How is Shamir backup different from single recovery seed backup?
- Shamir Backup lets you generate up to 16 recovery shares - sequences of 20 or 33 words.
- Single backup recovery seeds consist of 12, 18, or 24 words.
- Shamir Backup uses a different word list to the BIP-39 recovery seeds, i.e., some of the words used in Shamir backup recovery shares are never used in single seed backups and vice-versa.
What happens if some of the shares get lost or stolen?
Shamir Backup offers a significant advantage compared to the regular single recovery seed method. Individual shares do not leak any information about the shared secret, as long as the number of compromised shares does not reach the required threshold. For example: if you use a 7-of-10 scheme and 5 of your shares get compromised, the attacker has no chance to reconstruct your wallet and cause trouble.
How can I move my coins to a wallet using Shamir Backup?
At this moment, there is no way to "transform" your original recovery seed to a wallet using Shamir Backup without creating a new wallet.This means that you will have to move your balances by sending valid transactions. Ultimately, the length and difficulty of this process depends on your own preferences and available options.
See "Moving funds to a wallet with a newly generated seed" for step-by-step instructions.
Is Shamir backup available for Trezor Model One?
No, Shamir backup is currently only available on the Trezor Model T (introduced in Firmware v2.1.3)
What happens if I lose so many recovery shares that I can't meet the required threshold?
If you can’t meet the required threshold, your wallet will become unrecoverable. For example: if you use a 3-of-4 scheme, where 3 is the required threshold to recover the wallet, and you lose 2 or more of the recovery shares, your wallet will be unrecoverable.If your Trezor is still set up, all is not lost. Move your coins to a new wallet ASAP.