Encrypted Backups

Background

The Coldcard is unique in that we offer a backup feature to save your wallet seeds to MicroSD card. Settings and other meta is saved as well. The encrypted file can be treated as any other file because we use AES-256 encryption, with a strong pass phrase.

advanced menu

Even using this feature, you should still have a offline-only copy of your 24 seed words, ideally on a SEEDPLATE. Use the encrypted backup feature for convenience and extra duplication.

Creating a Backup

Pick "Backup System" from the menu. Coldcard will pick 12 words as a password. These words have nothing to do with your wallet seed and are chosen randomly.

You have to pass a quiz, proving you've written down the words, although we have made the quiz easier as it does not verify every word.

The new file is written the MicroSD card. If there was already a backup file, and number is appended to the filename. The most recent backup file should have the highest number.

Important

We strongly recommend using real Industrial Grade MicroSD cards for backups: At least 2 cards and write 3 times to each card to mitigate future issues.

You can find them at the Coinkite store.

True SLC design with wear-leveling & block management, and environmentaly tested for bend, torque, salt spray, solar radiation, and harsh temperatures: -40°C to +85°C.

Verify a Backup

This command does a quick CRC32 check over the file. It's useful to check the file was not truncated or damaged in transit. It is not cryptographically secure, meaning the file maybe artificially created or deliberately tampered with. However, it's still a useful feature when you are confident of the chain of custody of your file.

No password is required since the file is not decrypted in this process.

Restore Backup

To restore the backup, you must use a new Coldcard with no wallet defined, or wipe the seed from the Coldcard, which is naturally a dangerous operation.

Clone Coldcard

(new in v4.0.0)

You can copy the seed words and all settings from your Coldcard onto a blank Coldcard to make a "clone" (aka. warm backup). This process uses the same encrypted backup file format (AES-256 in 7z) but the encryption key is chosen automatically using Diffie-Hellman key exchange.

You'll need a blank Coldcard (PIN chosen, but no seed words) and a MicroSD card for the data transfer.

Steps:

  • on blank Coldcard, choose "Import Existing > Clone Coldcard"
  • a small file is written to the MicroSD. (It contains an ephemeral public key.)
  • while keeping power active to the blank Coldcard, take the MicroSD to another Coldcard
  • insert the card and choose "Advanced > Backups > Clone Coldcard"
  • a backup file is written to the card, remove and take card back to the blank Coldcard
  • insert card and press OK. You are done!

The key pairs used in this process are randomly picked at the time of use, and are not related to seed phrase or master secret. Files written to the MicroSD card are deleted as the process is completed. Only the two Coldcards involved can reconstruct the session key, so the complete back-and-forth process must be repeated to clone additional Coldcards.

About the Backup File Contents

The file we create is a standard 7z archive with AES-256 encryption, in CBC mode. The 256-bit key is a SHA256 hash of a passphrase, hashed in a particular way to support 7z compatibility. We know the passphrase has at least 128-bits of entropy because the Coldcard uses it's true random number generator (TRNG) to pick it.

Once decrypted, which is possible using any 7z archive tool, the contents are a simple text file with everything you could need to access your funds, in an emergency, using another wallet system.

Restoring the backup file onto a replacement Coldcard is a simple process that merely requires entering the 12 words.

Your BIP-39 passphrase, if defined, is not stored in the backup, and the backup file contents are not affected by the passphrase.

Is it secure?

We use AES-256 encryption, wrapped in a 7z archive. The passphrase is chosen at random, as 12 words from the BIP-39 word list. This gives effectively 132 bits of security without any key stretching. The 7z file format adds a 16-byte salt and random 16-byte IV (initialization vector), plus a few tens of thousands of rounds of key stretching. We are not relying on that however, because of the long key itself (128-bits).

Proving It Works

Because we are using a standard file format, you can verify the process and that the data is in fact encrypted. Any 7z tool that supports AES256-SHA256 encryption should be able to read the files we make. Take the 12 words and put them together with a single space between each word (all lowercase). The decoded archive will contain a single text file with a random file name, which is easy to read and understand.

Primary vs. Secondary

(Applies to Mk1 and Mk2 only)

The current wallet, along with data for the corresponding duress wallet is recorded during the backup. Details of the other wallet (secondary when using the primary, for example) are not saved. You should backup primary and secondary wallets individually, but they can be stored onto the same MicroSD card.

Limitations

  • The archive file names are not encrypted. You can see there is a single text file word(number).txt in the encrypted file without decrypting it.
  • The device PIN code is not preserved during backup.
  • We produce standards-compliant files, but do not support reading any file except the ones produced by Coldcard.
  • Do not attempt to edit the file and restore it onto a Coldcard.
  • You cannot construct a file for the Coldcard to read because we implement only enough to support reading files that we know that we've produced.
  • There is no plausible deniability here: the 7z file is clearly a Coldcard backup file. But with BIP-39 passphrases in play, even if forced to decrypt your backup, there is still one final secret protecting your wallets.
  • Learn more about backup files in our technical paper.