Keep you keys and seeds secure with OpenSSL

By iMil | iMil | 16 Oct 2019

So you received your brand new Ledger Nano X or just setup an Exodus wallet filled with the little money you could afford to lose©, and those two put a great responsibility in your hands: "be sure to save those seeds in a secure place!"

A secure place. What would be a secure place. A safe at the bank? The very system we swore to destroy? A piece of paper under my bed? written on a stone buried in some land? no... no, no I can see a scenario where all of these could fail.

Wait a second, we're smarted than this! What about using cryptography to handle our cryptocurrencies?

As we're dealing self to self data sharing, we can rely on a symmetric method, meaning no public / private key pairs will be involved. Instead, we will think strongly about a nice long passphrase you are certain to remember. I don't know... "My shoe size? it's 42. And I like it!"

I will assume here that everybody is capable of using command line tools, specially openssl which comes installed on every Linux distribution and also OSX. Sorry I don't know anything about Windows :/

Let's assume the following 12 words are your seeds:

ghost uncover version space mass admit picture current guard update comic divide

Write them to a file using a simple text editor (vim, emacs, atom, ...).

And now the magic, we will use openssl to encrypt this file with the passphrase you figured out earlier:

openssl enc -aes-256-cbc -a -pbkdf2 -in myseeds.txt -out my_encrypted_seeds.aes⏎

enter aes-256-cbc encryption password: [enter your strong passphrase]⏎

Much magic indeed. Let's see what's going on there:

  • openssl is the actual program to encrypt our data
  • enc specifies the encoding algorithm to use
  • -aes-256-cbc is the actual algorithm, and is one of the strongest one available as of today
  • -a means the encrypted output should be text, not binary form
  • -pbkdf2 to put it simple, this parameter adds difficulty to the encrypting result to be cracked
  • -in myseeds.txt specifies the original file to be encrypted
  • -out my_encrypted_seeds.aes is the resulting encrypted file

Now check the generated file, my_encrypted_seeds.aes, gives the same output as myseeds.txt when it's decrypted:

openssl enc -aes-256-cbc -d -a -pbkdf2 -in my_encrypted_seeds.aes⏎

enter aes-256-cbc decryption password: [enter your strong passphrase]⏎

ghost uncover version space mass admit picture current guard update comic divide

The decryption is specified by the -d parameter and we specify -in my_encrypted_seeds.aes as the input file.

There you go, you can now delete the original file myseeds.txt and save your newly generated encrypted seed words file everywhere without the fear of it being read by anyone but you! Send it to your gmail, save it on dropbox, push it to AWS S3, just do not forget your strong passphrase.

Even sexier, grab a qrcode generator for your platform (on Linux, qrencode works just fine) and create a qrcode from the generated encrypted file:

qrencode my_encrypted_seeds.aes -o my_encrypted_seeds.png⏎

Here's the resulting image:


How cool is that! print it a dozen times and store them everywhere ;)


And remember, dance like nobody's watching, encrypt like everybody does.

How do you rate this article?




Long time Open Source contributor and blockchain enthusiast, I like to share technical knowledge.


Blockchain views from a tech perspective. Long time Open Source contributor and system & network administrator, I really got myself into blockchain technologies and cryptocurrencies in general very late, nevertheless, my passion for this new world has only been growing since 2017 and I'd like to share my discoveries in here, a very adequate platform.

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.