Split a Seed Phrase

Learning time: ~30 minutes              Execution time: ~60 minutes / 12 words

Introduction

Seed phrases are a convenient way to back up a wallet while maintaining complete ownership. However, they have significant disadvantages. If a seed phrase is lost or stolen, the funds can be irremediably compromised. Furthermore, planning for inheritance requires entrusting the phrase to a third party, which again places the funds at risk.

Penlock's secret-splitting generates 3 (encrypted) shares. Any two of these shares can be used to recover the original seed phrase, but a single compromised share reveals nothing about it. This 2-of-3 backup allows for off-site recovery, as well as trust-minimized inheritance.

Components

In addition to printing and assembling the components linked below, you will need a pencil, an eraser, a pen, scissors, and the seed phrase to split:

Worksheet-12.pdf, Worksheet-18.pdf, Worksheet-24.pdf (double-sided)

The worksheet is divided into 4 sections: one for the seed phrase, and three for the shares. Each section contains the same number of word, and words are composed of 6 characters: two with a gray background (for the Penlock checksum), and 4 with a white background (for the truncated words). An additional sheet is provided to produce copies of shares 2 and 3.

Wheel.pdf (single-sided; thick paper is better)

The wheel is the primary tool for splitting and recovering the seed phrase. To assemble it, proceed with the following steps:

  1. Print and carefully cut out both disks.
  2. On the colored disk, cut out the pointer window. The smaller numbered windows are not needed for this recovery process.
  3. Attach both disks together at their center using a snap button, a brass fastener, or a pin. Ensure the colored wheel is placed on top and can rotate freely.

The wheel has 4 distinct sections that will be referred to as follows: the pointer, the outer (character) ring, the inner (character) ring, and the numbered spiral.

Wordlist.pdf

This file contains the standard wordlist used by most wallets. Each word has been prefixed with a 2-character checksum (the grayed characters). It helps detect and correct mistakes that might occur during the splitting or recovery process.

Tiles.pdf (double-sided)

These tiles are used to generate random numbers. After printing and cutting, ensure the value on the tiles is identical on both sides. A detailed check of every tile is not required; if the document was misprinted, none of the tiles will be correct.

Designing a Backup Strategy

Before generating your shares, it is advised to create a clear plan for how they will be stored. A good backup strategy is one that suits your needs and technical ability. Moreover, the recovery process must be easy to remember, even after years, and — in the case of inheritance — achievable by your heirs. To help you design this strategy, we provide a generic framework that you can tailor to your needs.

Types of Storage

A suggested type of storage is written on each share. The general principle is to force an attacker to execute two different types of attacks to gain access to the seed phrase.

  • Share 1, Digital: Stored on an encrypted device, typically in a password manager. It can optionally be cloud-synced.
  • Share 2, Social: Give copies to 2 or 3 trusted people, and possibly keep one at home.
  • Share 3, Legal (Optional): This share is meant to be stored in a safe deposit box or included as part of a will. If this is not possible, we recommend not generating this share altogether.

For digital and legal shares, we generally recommend keeping it simple by opting for a service provider you already trust and use. If this is not an option, familiarize yourself with the new service first. Most crucially, always ensure the recovery path is properly configured and well understood ahead of time.

Off-site recovery

Off-site recovery is an important feature of any backup system. In practice, this requires the ability to access two different shares from outside your primary residence. The social and legal shares typically provide this capability. If you choose not to use a legal share, cloud-syncing the digital share is a viable alternative.

Trust-Minimized Inheritance

Trust-minimized inheritance is achieved by creating a path that lets your heir access a second, different share in addition to the social share they were already given. There are two ways to do this:

  • Legal Inheritance: A safe deposit box can typically be accessed by a chosen person upon the presentation of a death certificate. Alternatively, the legal share can be included as part of a will.
  • Digital Inheritance: Various online services, including some password managers, offer digital inheritance features. Typically, a chosen person can request access at any time. They will receive the data after a delay period of your choice, unless you personally cancel the request.

Procedure

Doing This Well

  • Prefer a private space where you won't be disturbed
  • Keep cameras and prying eyes away
  • Avoid pronouncing the results out loud

A. Write the Seed Phrase

If you generated your seed phrase with Penlock, directly on the worksheet, then you can skip this section.

Use the wordlist to find your words formatted the Penlock way, and copy the first 6 characters on the worksheet under the 'Seedphrase' section, respecting the gray & white backgrounds coding.

B. Generate the Shares

The shares are generated sequentially, one character at a time. The first character of each share is produced from the first character of the seed phrase, and so on. Use a pencil for now, as corrections might be needed if a mistake occurs:

  1. Move the wheel's pointer to the first character of the seed phrase.
  2. Shuffle the tiles thoroughly and pick one at random.
  3. On the wheel, find the window whose number matches the value on the tile.
  4. If the seed phrase character is '=':
    • On the worksheet, write the character from that window as the first character for all three shares (as indicated by the 'x3' mention).
  5. Otherwise:
    • On the worksheet, write the character from that window as the first character of 'Share 1'.
    • Write the character from the next window (in numbering order) as the first character of 'Share 2'. Note: The numbering loops; the window after 29 is window 1.
    • If you want a third share, write the character from the window after that as the first character of Share 3.
  6. Repeat steps 1 to 5 for each subsequent character until the shares are complete.

C. Verify the Shares

Before disposing of the cleartext seed phrase, it is of utmost importance to verify that all shares are correct. This is done by simulating the recovery process in a way that speeds up the verification. As before, we proceed sequentially, one character at a time:

  1. Move the wheel's pointer to the first character of the seed phrase.
  2. On the wheel's inner character ring, locate the first character of 'Share 1'.
  3. Verify that the character on the outer ring aligned with it is the first character of 'Share 2'.
  4. If they do not match, the characters of all shares for this position are erroneous and must be regenerated using the steps in Section B.
  5. If you produced three shares: locate the first character of 'Share 2' on the inner ring and verify that the character on the outer ring aligned with it is the first character of 'Share 3'.
  6. Once again, if they do not match, the characters of all shares for this position must be regenerated.
  7. Repeat steps 1 to 6 for each subsequent character until the shares are fully verified.

D. Finalize the Shares

Assuming that 'Share 1' is stored digitally, it requires no further processing. 'Share 2' and 'Share 3', however, need to be traced over in pen, cut out, and possibly copied, depending on your backup strategy. Use the worksheet's extra shares for this purpose, ensuring you copy the data accurately and respect the share numbering.

After cutting out these shares, fill out the back of each one by adding the date, the wallet brand and model, and the owner’s name or pseudonym. This prevents shares from different sets from being mixed up and simplifies the recovery process later.

Notes on Storing the Shares

We recommend storing physical shares in waterproof, sealed containers such as opaque poly mailers. When entrusting a share to another person, ensure clear identifying information is written on the container and explain proper storage practices (e.g., keeping it dry, safe, and confidential).

The legal share — if it is part of an inheritance plan — may be accompanied by the printed recovery guide and the required components, as detailed in that guide. This will simplify the recovery process for the beneficiary.

The digital share must be entered with care and stored with the same identifying information as the other shares. Note that no other shares should ever be digitized, as this would weaken the security of the 2-of-3 backup.