Replying to Leo Wandersleb

Bitcoiners are divided over what makes a good hardware wallet.

Some are in the radically open source camp.

Some are convinced that without a so-called "secure element", key extraction is too easy. And as these SEs always require closed source, all-open-source hardware wallets are a lost cause.

But nostr:npub1jg552aulj07skd6e7y2hu0vl5g8nl5jvfw8jhn6jpjk0vjd0waksvl6n8n 's Jade, and nostr:npub1tg779rlap8t4qm8lpgn89k7mr7pkxpaulupp0nq5faywr8h28llsj3cxmt 's BitBox02 and probably soon SatoshiLabs' nostr:npub16lcw8ytugeh3ug3na93yl0tdf0gnjtduljhn2a852atf6jtvkucs7pruje 's Trezor are providing fixes for this.

The Jade is all open source but to my understanding it stores a key encryption key on a server (you can roll your own; it's also open source, but nostr:npub1jg552aulj07skd6e7y2hu0vl5g8nl5jvfw8jhn6jpjk0vjd0waksvl6n8n provides one). And this server won't share the encryption key with the Jade unless provided with the correct PIN. You really need the PIN to get to the bitcoins unless you can get both the Jade and the server under your control. Against your average evil maid with a hacker friend this is certainly as good as, if not better than, a SE. To what extent state actors could get the server to do what they need might depend on your jurisdiction.

The BitBox02 has an SE and, just like the Jade with the server, the SE never gets to see the Bitcoin masterseed. It only stores a key encryption key. Where the Jade talks to a remote server that cannot be audited, the BitBox02 talks to a local chip that cannot be audited either.

If you trust in the unhackability of SEs, BitBox's approach looks better as it doesn't rely on some server being online when you decide to spend your money. If you don't, the Jade approach looks more transparent about how secure it is.

And then there is Trezor. They are working on #TropicSquare, an open source SE which would allow running open source wallet software with the protection of a "secure element".

As unhackability will always be a hard-to-prove property of a chip, I'm intrigued by Jade's approach but would worry about the continuity of the server.

Maybe some manufacturer will come out with a product that features SEs made in China, US and Iran to store shards of the KEK?

Or the next Jade stores Shamir's Secret shards in 5 jurisdictions, of which you would need 3, warning the user if ever fewer than 5 servers replied?
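A simplified model of the server-held key-encryption-key scheme discussed above, as an added example that is not the Jade's actual protocol nor any vendor's code: the device keeps only the encrypted seed, the guardian server keeps only the KEK and a hash of a salted PIN proof, and the KEK is wiped after a constructed limit of three wrong PINs. The XOR one-time pad, the PBKDF2 PIN proof and the attempt limit are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # constructed policy: guardian wipes the KEK after this many wrong PINs


class GuardianServer:
    """Holds only key-encryption keys (KEKs) keyed by an opaque device id.
    It never receives the seed, the encrypted seed, or the raw PIN."""

    def __init__(self):
        self._records = {}  # device_id -> [hash(pin_proof), kek, attempts_left]

    def enroll(self, device_id, pin_proof, kek):
        self._records[device_id] = [hashlib.sha256(pin_proof).digest(), kek, MAX_ATTEMPTS]

    def release_kek(self, device_id, pin_proof):
        rec = self._records.get(device_id)
        if rec is None:
            return None  # unknown device, or KEK already wiped
        if hmac.compare_digest(rec[0], hashlib.sha256(pin_proof).digest()):
            rec[2] = MAX_ATTEMPTS  # correct PIN resets the counter
            return rec[1]
        rec[2] -= 1
        if rec[2] == 0:
            del self._records[device_id]  # a brute force ends with an unrecoverable seed
        return None


def _pin_proof(pin, pin_salt):
    # Slow, salted derivation with a device-side salt, so the guardian
    # cannot brute-force a short PIN offline from what it stores.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), pin_salt, 50_000)


class Device:
    """Stores the seed XOR'd with a fresh 32-byte random KEK (a one-time pad,
    valid because the KEK protects exactly one 32-byte seed) plus the PIN salt."""

    def __init__(self, seed, pin, server):
        assert len(seed) == 32
        kek = secrets.token_bytes(32)
        self.device_id = secrets.token_hex(16)
        self.pin_salt = secrets.token_bytes(16)
        self.encrypted_seed = bytes(s ^ k for s, k in zip(seed, kek))
        server.enroll(self.device_id, _pin_proof(pin, self.pin_salt), kek)
        # kek and seed go out of scope here; only the ciphertext stays on the device

    def unlock(self, pin, server):
        kek = server.release_kek(self.device_id, _pin_proof(pin, self.pin_salt))
        if kek is None:
            return None
        return bytes(c ^ k for c, k in zip(self.encrypted_seed, kek))
```

Without the guardian (offline, or wiped after too many wrong PINs) the device alone holds a ciphertext it cannot decrypt, which is exactly the continuity trade-off the post raises.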

Your post has me concerned: are you talking about allowing your keys to leak onto the Internet? Read the SeedSigner independent custody guide: https://seedsigner.com/seedsigner-independent-custody-guide/

Then think about this: have you looked at multisig and air-gapped hardware wallets?

Another good ref.

https://bitcoin.rocks (self custody)


Discussion

No. The masterseed never leaves the device. Not even encrypted.

The idea is you have a safe deposit box. You put your valuables into the safe deposit box and then give the keys to the box to some guardian who will only give it to people who guess the PIN on the fifth attempt. The guardian doesn't know where exactly you keep the box, let alone what's in it.

Interesting. I like the strategy. Currently I am simply migrating from a Ledger that I no longer trust to a multi-sig air-gap solution built from a Raspberry Pi Zero, with open source Python code.

Multi-vendor multi-sig is probably the most secure you can get, but SeedSigner being one of the signing devices is already a great choice I think. I saw they made advances with reproducibility but are not there yet. But even as a black box, it can do little evil due to the way it works.

As I recall that was mentioned in the SeedSigner document.

But what are you referring to WRT reproducibility on the SeedSigner side?

Thanks for the thread! I can assume you are the Giszmo in those posts. Nice to know I am talking to some knowledgeable folks!