[BIP Draft] Bitcoin Encrypted Backup
203 views
Skip to first unread message
pyth
Sep 4, 2025, 5:27:28 AMSep 4
to bitco...@googlegroups.com
Hi all,
At WizardSardine (where we’re building Liana wallet) we have been
discussing an encryption scheme for descriptors for at least two years.
A few months ago Salvatore Ingala published on delvingbitcoin a clear
scheme that matches our requirements.
I have been working on implementing this scheme over the past few weeks
and would like to share a draft implementations & BIP in order to
collect feedback, remarks, and reviews.
Draft BIP: https://github.com/bitcoin/bips/pull/1951
Rust implementation + CLI:
https://github.com/pythcoiner/encrypted_backup
A simple GUI using rust implem: https://github.com/pythcoiner/bed
Salvatore delving post:
https://delvingbitcoin.org/t/a-simple-backup-scheme-for-wallet-accounts
**Open questions**
- **Deterministic nonce:** Currently the nonce is generated randomly.
Is it safe to produce a deterministic nonce, e.g. `hash("NONCE" ||
plaintext || key_1 || … || key_n)`, or are there known security
concerns with this approach?
- **Cipher choice:** I arbitrarily chose AES‑GCM‑256. Is this the best
choice for this use case, or would another construction be preferable?
- **Byte order:** All fields are defined to be encoded in big‑endian.
Is there any reason to consider a different endianness?
Any thoughts, suggestions, or references are welcome.
Thanks,
pyth
At WizardSardine (where we’re building Liana wallet) we have been
discussing an encryption scheme for descriptors for at least two years.
A few months ago Salvatore Ingala published on delvingbitcoin a clear
scheme that matches our requirements.
I have been working on implementing this scheme over the past few weeks
and would like to share a draft implementations & BIP in order to
collect feedback, remarks, and reviews.
Draft BIP: https://github.com/bitcoin/bips/pull/1951
Rust implementation + CLI:
https://github.com/pythcoiner/encrypted_backup
A simple GUI using rust implem: https://github.com/pythcoiner/bed
Salvatore delving post:
https://delvingbitcoin.org/t/a-simple-backup-scheme-for-wallet-accounts
**Open questions**
- **Deterministic nonce:** Currently the nonce is generated randomly.
Is it safe to produce a deterministic nonce, e.g. `hash("NONCE" ||
plaintext || key_1 || … || key_n)`, or are there known security
concerns with this approach?
- **Cipher choice:** I arbitrarily chose AES‑GCM‑256. Is this the best
choice for this use case, or would another construction be preferable?
- **Byte order:** All fields are defined to be encoded in big‑endian.
Is there any reason to consider a different endianness?
Any thoughts, suggestions, or references are welcome.
Thanks,
pyth
Reply all
Reply to author
Forward
0 new messages