Blog

Encrypt Your Seed Phrase

We’re going to look at Encrypting your Wallet Seed Phrase (or anything else you might want) to produce a HARD COPY you can print. We’ll look at using an opensource application called “GPG” which conveniently comes stock on every Linux distribution.

So, what are we going to do? Well, we’re going to change a plain-text file to an encrypted file. We’ll go from the file on the left to the file on the right.

This is a very simple “How-to” guide and it assumes you will run all the commands from an OFFLINE computer. It further assumes that you are using a CLEAN computer where it is either a fresh install of a linux OS or you booted from off a live USB stick.

If you just want to try the process out on a non-secured computer, that’s no problem, just don’t use any real data when you try it out.

Overview

What I want to do is have a copy of my 21-word seed phrase kept in the physical world in a secure enough way where if someone stumbles upon it they won’t be able to use it. This is where some very simple encryption can be used. This encryption will be accomplished via a command-line utility called gpg.

The steps below create a “reasonable” amount of security around your seed phrase. If someone gets their hands on the encrypted data, and your password to decrypt the data is strong enough, it will be nearly impossible for them to find your seed phrase.

I’d say having your seed-phrase encrypted is much better than having it readable and useable by anyone who happens to stumble upon it.

We will take a simple text file and encrypt it using a password of your own choosing. After it has been encrypted you can easily print the encrypted file and store it where ever you deem secure.

The nice part about this solution is you no longer have to trust a third-party with your data. You could, for example, leave it at a bank deposit box, or with friends/family, knowing the data you are storing with them is useless unless they have your decryption password.

When choosing a password for your encryption choose something that is unique and memorable to you. The password should also be “strong”. A typical “strong” password is at least 12 letters (along with numbers and special characters).

Charles Hoskinson did a very good video overview of practical security. It is an hour long video, but well worth the watch if you’re interested.

The steps I put forward below are a little less intense but follow in the same mindset.

LET’S GET STARTED

How-To Steps

  1. Type out and save a text file with your seed phrase
  2. Run GPG to encode the saved text file
  3. Run GPG to do a test decryption
  4. Copy the encrypted text data off to another USB drive for printing

Step 0 – Boot into your Secured Offline Computer

Again, I will be assuming you are running from a Secured Computer that is OFFLINE. This is important as you’ll want to protect yourself from any possible virus or malware. Since you will be typing and saving sensitive files that contain your seed-phrase, it is important to keep everything you do as secure as possible.

If you don’t use Linux as a day-to-day operating system know that GPG can be downloaded for Windows and MacOS : https://gnupg.org/download/index.html

If you’re after an easy to run Linux distro have a look at raspberry-pi-desktop. They have many easy to use utilities that will get you up and running with a USB live boot rather quickly. Otherwise, any flavour of linux will do : https://www.raspberrypi.com/software/raspberry-pi-desktop/

Step 1 – Type out and save a text file

Use any application you’d like to save your seed phrase to a text file.

Below, I’ve done this with some dummy data and added a quick title to the top of the file (in case you decide to store more than one set of phrases).

Save this file out to a location you can find again (for simplicity, let’s save it to the desktop)

Step 2 – Run GPG to encode the saved text file

Load up a terminal and we’ll start working with GPG.

The “phrases.txt” file you created in Step 1 will be encoded using the “TWOFISH” cipher in this example. There are a few different standards with encryption. AES is the default standard, but you can make your own choices as to which algorithm you’d prefer using. I’m a fan of TWOFISH.

The command entered is as follows:

gpg --symmetric --armor --cipher-algo TWOFISH -o enc.txt phrases.txt

What the flags mean:

  • –symmetric – Create a Password Encrypted file
  • –armor – Create ASCII text instead of binary data
  • –cipher-algo – Choose our encryption cipher (TWOFISH)
  • –o – What OUTPUT file are we creating
  • The last item on the command-line is the non-encrypted source text file

Preforming this in a terminal will prompt you for your passphrase during the encryption process. Different linux installations may look different. The screen capture below is what happens with Raspberry Pi Desktop.

When the process is complete, the file “enc.txt” will be on the desktop.

gpg command-line
gpg – Input of your password (passphrase)

Step 3 – Run GPG to do a test Decryption

Let’s make sure we can decrypt the data.

The following command will do this:

gpg -o decoded.txt -d enc.txt

What the flags mean:

  • -o – Where to write the decoded data
  • -d – What is the source file with the encrypted data

You will be asked to enter your passphrase during this process

gpg – Decrypting the enc.txt file

Assuming all goes well, you’ll have a file named “decoded.txt” on your desktop.

It should match 1-to-1 with your original phrases.txt

Step 4 – Copy the Encrypted data to a USB

At this point, you should have a plan-text file and an encrypted file.

Go ahead and open up “enc.txt” to see what it looks like:

Encrypted Data

When you’re ready, save this to a USB drive. You can then head over to your primary computer printer and make a hard copy. Whenever you need to decrypt your data you can either use the copy from the USB drive OR type the print out into a text file.

Before you PRINT and STORE, I’d recommend you do a trial run decrypting the data from a new text file you create and save. You’ll need to make sure you know how to type everything in correctly. 

-----BEGIN PGP MESSAGE-----

jA0ECgMCq9CdHuGqaB330qwBAnsHg1G/g5nX9i9HTl8zyBl+qRt0oaDqHAzdcxIK
UL9BIvna5e9hNPF8y6NPAOfidPN8GaRoU8qZoUPvzpO6YYzivUE/JLKlJ45QiCTj
A4N3VENSLvDT3nbrbmCqUQiNSgVHWefO8r2Ymuhl7df1GUrOHFvbyLr95yCyXGZh
1bGPff+B4RMVW5TuDcjdtEcQIqe34HnJtAepMVNNfow4TlOjWZsBSo+5krra
=SZy2
-----END PGP MESSAGE-----

CONCLUSION

I hope you’ve found this tutorial useful. It should give you some more ideas on how to secure your seed phrase. Although the technique presented above is not fire proof (quiet literally) it should open up many more storage options for you.

I would much rather store an encrypted copy of my seed phrase than a plain-text copy that anyone can find and read.