[BIP Draft] Bitcoin Encrypted Backup

41 views
Skip to first unread message

pyth

unread,
Sep 4, 2025, 5:27:28 AM (2 days ago) Sep 4
to bitco...@googlegroups.com
Hi all,

At WizardSardine (where we’re building Liana wallet) we have been
discussing an encryption scheme for descriptors for at least two years.

A few months ago Salvatore Ingala published on delvingbitcoin a clear
scheme that matches our requirements.
I have been working on implementing this scheme over the past few weeks
and would like to share a draft implementations & BIP in order to
collect feedback, remarks, and reviews.

Draft BIP: https://github.com/bitcoin/bips/pull/1951
Rust implementation + CLI:
https://github.com/pythcoiner/encrypted_backup
A simple GUI using rust implem: https://github.com/pythcoiner/bed
Salvatore delving post:
https://delvingbitcoin.org/t/a-simple-backup-scheme-for-wallet-accounts

**Open questions**

- **Deterministic nonce:** Currently the nonce is generated randomly.
Is it safe to produce a deterministic nonce, e.g. `hash("NONCE" ||
plaintext || key_1 || … || key_n)`, or are there known security
concerns with this approach?
- **Cipher choice:** I arbitrarily chose AES‑GCM‑256. Is this the best
choice for this use case, or would another construction be preferable?
- **Byte order:** All fields are defined to be encoded in big‑endian.
Is there any reason to consider a different endianness?

Any thoughts, suggestions, or references are welcome.

Thanks,
pyth
Reply all
Reply to author
Forward
0 new messages