This is an opinion editorial by Josef Tětek, a Bitcoin analyst at Trezor.
Self-custody is an absolute must for every bitcoiner. After the collapses of FTX, BlockFi, Celsius and many others, the merit of the “not your keys” mantra is beyond obvious. However, self-custody comes in many forms, and the security properties of a single-seed setup are not that great. That is why advanced bitcoiners should consider upgrading to a Shamir backup.
What is Shamir backup?
Shamir backup is a method for securely splitting a recovery seed while adding an element of redundancy. For example, with Shamir backup it is possible to have a 3-of-5 recovery seed, where the user writes down 5 lists of recovery words, and later needs only 3 of those lists to recover the wallet. Compared to a setup based on a single list, this brings some serious benefits.
Fail-safe setup
An ordinary single-list seed is susceptible to catastrophic loss if the user loses the list or if a malicious actor discovers it. Mitigating both of these risks simultaneously is impossible in the single-seed scenario: the risk of loss can be decreased by creating multiple copies, but that increases the risk of theft; the risk of theft can be decreased by keeping a single copy, but that increases the risk of loss. Shamir backup addresses both risks at once: there are multiple lists (decreasing the risk of loss), while a predefined number of lists is required to recover the wallet (decreasing the risk of theft).
| Setup | Number of Lists | Lists Necessary to Recover | Lists That Can Be Lost |
| --- | --- | --- | --- |
| Single-list Seed | 1 | 1 | 0 |
| Shamir 2-of-3 | 3 | 2 | 1 |
| Shamir 3-of-5 | 5 | 3 | 2 |
Geographical distribution
For Shamir to truly improve the security properties of a seed setup, the individual lists must be kept separate in different locations. This provides an additional benefit: elimination of the risk of relying on a single location. When securing larger amounts of bitcoin, this is something to consider, as you don’t want to be reliant on a single physical location that might suddenly become inaccessible. While such a risk might seem far-fetched at first glance, the recent experience of the Russian invasion of Ukraine proves that it may indeed materialize. With sufficient geographical distribution involving locations in multiple countries, Shamir backup brings the peace of mind that comes from knowing that, whatever happens, a user will be able to recover their funds.
Distributed recovery
Shamir backup allows for a distributed recovery - a wallet can be recovered without combining the individual lists in one place. The way to do that is to successively visit all the locations with a Trezor Model T device. The device in recovery mode remembers the progress of the recovery, so the user can plug it in (e.g. to a power bank), enter the Shamir list, unplug it, and proceed to another location. This eliminates the risk of someone observing the full recovery seed during the recovery process - at most, they would observe one Shamir list, which is useless by itself.
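As an added illustration of the mathematics behind the lists described above (the k-of-n split from "What is Shamir backup?" and the one-location-at-a-time recovery from this section), here is a constructed Python implementation of Shamir secret sharing over GF(256). It is educational code written for this page, not SLIP39 and not Trezor firmware: SLIP39 uses the same field arithmetic but adds an identifier, share groups, a digest share, a checksum and the word-list encoding, all of which are left out here. The `DistributedRecovery` class, the `(index, bytes)` share format and the sample secret are assumptions made for the example.

```python
"""Toy Shamir secret sharing over GF(256), applied byte by byte.
Constructed example for this page, not SLIP39 and not Trezor firmware.
Here a "list" is simply (index, share_bytes)."""
import secrets

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the Rijndael reduction polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (a^255 = 1 for every non-zero a)."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result

def _eval_poly(coeffs, x):
    """Horner's rule; coeffs[0] is the constant term, i.e. the secret byte."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc

def _interpolate(points, x):
    """Lagrange interpolation through (x_i, y_i) at x; in GF(2^8) subtraction is XOR."""
    acc = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = gf_mul(num, x ^ xm)   # (x - x_m)
                den = gf_mul(den, xj ^ xm)  # (x_j - x_m)
        acc ^= gf_mul(yj, gf_mul(num, gf_inv(den)))
    return acc

def split_secret(secret: bytes, threshold: int, count: int):
    """Produce `count` lists of which any `threshold` recover `secret`."""
    if not 1 <= threshold <= count <= 255:
        raise ValueError("need 1 <= threshold <= count <= 255")
    # One random polynomial of degree threshold-1 per byte; constant term = that byte.
    polys = [[b] + [secrets.randbelow(256) for _ in range(threshold - 1)] for b in secret]
    return [(x, bytes(_eval_poly(p, x) for p in polys)) for x in range(1, count + 1)]

def recover_secret(shares):
    """Combine any subset of at least `threshold` lists by interpolating at x = 0."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    return bytes(_interpolate([(x, y[i]) for x, y in shares], 0)
                 for i in range(len(shares[0][1])))

def possible_first_bytes(partial_shares, threshold: int, missing_x: int) -> int:
    """Given threshold-1 lists, count the values of the first secret byte still consistent
    with them: for every candidate v some k-th list makes v the answer, so the result is 256."""
    pts = [(x, y[0]) for x, y in partial_shares]
    if len(pts) != threshold - 1:
        raise ValueError("pass exactly threshold-1 lists")
    seen = set()
    for v in range(256):
        fake_y = _interpolate(pts + [(0, v)], missing_x)           # the list that would give v
        seen.add(_interpolate(pts + [(missing_x, fake_y)], 0))     # ...and indeed recovers v
    return len(seen)

class DistributedRecovery:
    """Assumed, simplified model of entering lists one location at a time."""
    def __init__(self, threshold: int):
        self.threshold = threshold
        self.entered = {}
    def enter_share(self, share) -> bool:
        x, y = share
        self.entered[x] = y
        return len(self.entered) >= self.threshold  # True once enough lists are in
    def finish(self) -> bytes:
        if len(self.entered) < self.threshold:
            raise ValueError(f"only {len(self.entered)} of {self.threshold} lists entered")
        return recover_secret(list(self.entered.items()))

if __name__ == "__main__":
    seed = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample secret
    lists = split_secret(seed, 3, 5)                           # a 3-of-5 setup
    assert recover_secret([lists[0], lists[2], lists[4]]) == seed   # any 3 recover it
    assert possible_first_bytes(lists[:2], 3, 5) == 256             # 2 reveal nothing
    device = DistributedRecovery(3)
    for share in (lists[1], lists[3], lists[4]):                    # three locations
        print("list", share[0], "entered; threshold reached:", device.enter_share(share))
    assert device.finish() == seed
```

The `possible_first_bytes` check is the property the article relies on: one list short of the threshold, every one of the 256 values of a secret byte is still consistent with what has been entered, so an observer who sees two lists of a 3-of-5 setup learns nothing about the seed. Real SLIP39 shares also encode the threshold, so a device does not need to be told it separately the way this model does.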
Inheritance planning
Every responsible bitcoiner should have a plan in place to make sure that their loved ones will be able to access the family bitcoin savings in case something happens. On the other hand, no bitcoiner is comfortable with the knowledge that their bitcoin is accessible by others while they are still alive and in control of their faculties. With a single-list seed, inheritance planning is tricky. Yet again, Shamir comes to the rescue.
The way to tackle the problem of inheritance planning with a Shamir backup is to distribute the lists (among family members, safe deposit boxes, an attorney, etc.), and write down a will pointing to a separate document detailing the location of the lists and the process to recover the wallet. I have described this method in greater detail in a feature article on Bitcoin Magazine. The advantage of using Shamir for inheritance planning is that you can make sure that nobody will be able to recover your wallet while you’re alive and well.
Full privacy and user sovereignty
Shamir backup, when done correctly such as with the Trezor Model T device, allows for full user control and privacy. The keys never leave the offline environment and no company or other third party knows about the user's setup. Other seemingly similar solutions such as Ledger Recover or certain assisted multisig plans require full user identification, introducing the risk of a sensitive data leak, which might in turn have serious consequences for users of such services.
How to upgrade to a Shamir backup?
Switching to a Shamir backup entails creating a fresh new wallet, to which the funds then need to be transferred through an on-chain transaction. As with all operations involving private keys, it’s advisable to use a hardware wallet. Shamir backups were standardized for hardware wallet use in 2017 by SatoshiLabs’ SLIP39 standard, and later implemented in Trezor Model T, as well as several other wallets. When setting up a new wallet with Trezor Model T, just choose the “Shamir Share Backup” option when prompted for the backup type, proceed to choose a specific setup (e.g. 2-of-3, 3-of-5, 4-of-6, etc.) and carefully write down the individual lists on paper, or preferably use more durable materials, such as one of the numerous steel backup solutions.
Editor's Note: Trezor devices implement a version of Shamir secret sharing standardized by Trezor. It is not currently implemented by other devices.
This is a guest post by Josef Tětek. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.