What is entropy and how does Trezor generate your wallet?

Your wallet's security starts with one invisible ingredient: entropy. This is the randomness that generates your private keys. Weak entropy makes keys predictable. Strong entropy makes them secure.

Trezor uses multiple hardware and software entropy sources when creating your wallet. This way, you never need to worry about whether the randomness is strong enough.

This article explains what entropy is and why it matters. You'll learn how Trezor keeps your wallet secure from the ground up.

What is entropy?

Entropy is unpredictability measured in bits. Think of each bit like a coin flip: heads or tails, 1 or 0.

One bit gives you 2 possibilities. Two bits give you 4 possibilities. Eight bits give you 256 possibilities.

When we talk about 128-bit entropy, we mean 2^128 possible combinations.

Why entropy matters for your wallet

Your wallet's security depends entirely on this initial randomness. When you create a wallet, entropy generates your private keys and wallet backup. Everything else—your addresses, your ability to sign transactions, your control over your funds—comes from that starting point.

If the entropy is strong, your private keys are unpredictable. No one can guess them.

If the entropy is weak, attackers can recreate the same "random" numbers your wallet used. They can calculate your private keys and steal your funds. It doesn't matter how carefully you store your backup or how strong your other security measures are—weak entropy at the start compromises everything.

Where entropy matters beyond your wallet

Strong randomness isn't just for crypto wallets. Every secure website connection, banking system, and encrypted messaging app relies on cryptographic entropy. Without good randomness, none of these systems work.

Every time you visit a secure website (the ones with the padlock icon), your browser creates random encryption keys for that session. If those keys are predictable, someone can intercept your connection and see everything you're doing. Banking apps, login systems, and password reset emails all depend on strong randomness to stay secure.

How random number generators work

Random number generators fall into three categories, each with different strengths and use cases:

TRNG (True Random Number Generator) uses physical processes to create randomness. It measures temperature fluctuations or timing variations in circuits. The output is truly non-deterministic: you cannot predict it even with knowledge of the full system.

CSPRNG (Cryptographically Secure Pseudorandom Number Generator) stretches a small amount of true entropy into many random-looking bits. It must be properly seeded with high-quality randomness from a TRNG. Predictable or weak seeds make the entire output predictable.

PRNG (Pseudorandom Number Generator) is fast but unsuitable for cryptography. It prioritizes speed over security. These generators are deterministic and predictable, which is fine for simulations or games, but unsuitable for generating cryptographic keys.

How Trezor generates strong entropy

Trezor never relies on a single entropy source. To create your wallet, your Trezor device combines randomness from its hardware components with randomness from your computer or phone’s operating system.

What entropy Trezor devices use

Trezor Model One and Model T combine two entropy sources: host computer or phone entropy plus a hardware TRNG in the STM32 microcontroller.

Trezor Safe 3 and Safe 5 add a third source: the Optiga secure element. Three independent sources work together. Learn more about secure elements in our article Secure Elements in Trezor Safe devices.

Trezor Safe 7 adds a fourth source: the TROPIC01 chip. Four independent sources combine when generating your wallet. Learn more about Trezor Safe 7's hardware entropy sources: What is the TROPIC01 chip? and Dual Secure Elements in Trezor Safe 7.

Get yours now

• 
• 

Trezor Safe 7

  

• 
• 
• 

Trezor Safe 5

  

• 
• 
• 
• 

Trezor Safe 3

  

From entropy to your wallet

When you create a new wallet, here's what happens:

• Your Trezor generates a random number (the entropy)
• This random number is converted into your wallet backup—those 12 or 20 words
• From that same random number, your wallet derives all your private keys and addresses
• The process is deterministic, so the same wallet backup always produces the same keys

Everything follows from that initial random number. This is why your backup can restore everything—it contains the randomness that generated your entire wallet.

Why you shouldn't choose your own wallet backup

Research consistently shows we follow predictable patterns. We gravitate toward dates, names, and keyboard patterns. We reuse familiar phrases without realizing it, and our choices reveal more about us than we think.

Our brains are pattern-matching machines. We're excellent at finding patterns, which makes us terrible at avoiding them.

User-chosen wallet backups have much less entropy than device-generated ones. When you think you're being creative and random, you're actually choosing from a much smaller set of possibilities than you realize.

Statistical patterns betray you even when you feel random. Attackers know which words people prefer and which combinations feel "random" to humans. They understand the patterns we use when trying to avoid patterns.

When entropy goes wrong: real world example

In July 2023, security researchers discovered a critical flaw in Libbitcoin Explorer, a tool used to create Bitcoin wallets. The vulnerability became known as "Milksad" because the predictable wallet backups it generated always started with the words "milk sad."

The tool's random number generator wasn't actually random. It used a fast algorithm designed for video games and simulations, not cryptography. Worse, it started from the same predictable point every time—based only on what second the computer's clock showed.

This meant attackers could simply try all the possible starting points (there weren't many) and recreate the "random" numbers the tool generated. If they found a match, they had the private key.

Attackers exploited this weakness systematically. Over 2,600 wallets were compromised across multiple blockchains. Confirmed losses reached approximately $900,000, though actual losses were likely much higher.

Weak entropy makes wallets predictable. Multi-source design protects against these failures. Combining multiple independent entropy sources prevents a single weak component from compromising your wallet.

Learn more about this real world entropy failure by visiting milksad.info

Creating secure passwords and passphrases

When creating passwords and passphrases—for email accounts, password managers, or your Trezor passphrase wallet—length matters, but human-created passwords and passphrases are far more predictable than you think.

We follow patterns without realizing it. We choose familiar words, common phrases, and predictable combinations. Attackers know this and test the most common patterns first.

Password managers solve this problem by generating truly random passwords for you. They use cryptographically secure random number generators—the same kind of system your Trezor uses for entropy.

Diceware offers another approach. You roll physical dice to select words from a standardized word list. Each word adds about 12.9 bits of entropy. The dice provide the randomness, not your brain. This method can be used to generate secure passwords and passphrases offline without using a computer. Learn more: Diceware word list.

Key takeaways

Entropy is the randomness that generates your wallet's private keys. Your wallet backup encodes this entropy in human-readable words so you can restore your wallet if needed.

Trezor uses multiple hardware and software entropy sources when creating your wallet. This multi-source approach protects you even if one source has a flaw.

Real incidents like Milksad prove entropy failures cause real losses. Weak randomness led to predictable keys and drained wallets across multiple blockchains.

Protect your wallet backup physically. Trezor handles the entropy generation—your responsibility is protecting the backup.

FAQ

Is my 12-word Trezor backup secure enough?

Yes. Twelve words represents 128 bits of entropy, which means 2^128 possible combinations. Brute-forcing that would take longer than the age of the universe at one trillion guesses per second.

Can I choose my own wallet backup instead of letting Trezor generate it?

Technically yes, through restoring a wallet, but we strongly discourage this, as the wallet will not be secure and you could lose your funds.

Letting Trezor generate your wallet backup is safer. The device uses multiple hardware entropy sources specifically designed for generating cryptographic keys.

How do I know Trezor's entropy isn't backdoored?

Trezor is open-source. The firmware, hardware design, and bootloader are publicly available for anyone to audit. Independent security researchers regularly examine these components and publish their findings.

Trezor combines randomness from your device's hardware and your computer or phone’s operating system. To predict your keys, an attacker would need to compromise all sources at the same time.

What happens if one of Trezor's entropy sources fails?

Trezor combines multiple independent entropy sources when generating your wallet. If one has a flaw, the others still provide strong randomness.

This redundancy is why multi-source design matters. A single point of failure cannot compromise your wallet's entropy.