Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Hardware wallets
Merits 1 from 1 user
Re: Bitcoin Threat Model - State Actors and HW Security - Chip Supply Chain Attacks
by
Meuserna
on 12/02/2025, 20:01:37 UTC
⭐ Merited by JayJuanGee (1)
Quote from: Pmalek on Today at 04:31:03 PM
What do you suggest that we as end-users and Bitcoin enthusiasts do about it? Or anyone else for that matter. Is the solution to create and run our own companies to build chips and components that go into hardware wallets?

This is why I use a security model that does NOT include keeping my seed / keys / wallet on a hardware device.

It's actually easy, and it's very safe.

I use Krux to turn my seed phrase into an encrypted QR.  Here's an encrypted QR I made for a test seed:

https://i.imgur.com/c2qtcS0.jpeg

(Gah.  "Embedding imgur links is not supported in new posts"?  There's the link instead)

If you'd like to try to crack it, I'll make it easy for you.  The decryption key is only 4 words, all from the BIP39 wordlist, all typed in lowercase with a space between each word.  For a seed phrase I actually use, I use a much stronger passphrase as a decryption key (not to be confused with a BIP39 passphrase.  I'm just talking about the passphrase to decrypt the encrypted seed QR).

I love using Krux, as I mentioned in a comment above, because it lets me have a hardware wallet that is:

Airgapped - hackers can't reach it over the internet, or even via a hacked computer or phone.

Stateless - my seed & wallet get wiped out every time the device shuts down or reboots.  If the device gets stolen, there's nothing on it.

Encrypted Seed QR - my seed QR is uncrackable, but it's quick & easy to load.  Scan the encrypted seed QR.  Scan the decryption key (or type it on the device).  Easy.

Passphrase QR - it's easy to have really strong passphrases since they're so easy to load.  Just scan a QR.

BIP85 - my seed isn't my wallet.  It's a parent seed.  If a thief found my metal backup, all they found is a wallet that's never been used, or a decoy (I haven't made mine a decoy yet.  I'm still debating that).

Free And Open Source - I'd never use a hardware wallet that isn't.

Etc etc etc.

Krux is really powerful, but it's also really easy to use.  It's a lot like SeedSigner, but it uses text menus and it has more advanced features.  Krux runs on K210 devices.  Right now, the best option for running Krux is the WonderMV, which has a metal enclosure, camera & 2 inch touchscreen, and costs around $55.

Pair it up with Sparrow Wallet for desktop or Nunckuk for mobile, both of which are free and open source (and in this case, used as watch only wallets with an airgapped signer).  That's rock solid.

I'm really surprised more folks here haven't started using Krux.  It's awesome.