trezor-model-t-tips.com
Login
Independent review. This site is not the official website and is not affiliated with, endorsed by, or operated by the wallet vendor reviewed here. Never enter your seed phrase or private keys on any third-party site.

Shamir Backup (SLIP-39) — How It Works

Luca Ortega Luca Ortega
Try Tangem secure wallet →

Shamir Backup (SLIP-39) — How It Works

What is Shamir backup (SLIP-39)?

Shamir backup refers to using Shamir Secret Sharing (an algorithm) to split a single recovery secret into multiple independent pieces, or "shares." SLIP-39 is the standard that applies that idea to hardware wallet recovery phrases so each share becomes a human-readable phrase. The idea is simple: you don’t keep one master key in one place. Instead, you split it into parts and require only a threshold of those parts to recover your private keys.

Why does this matter for cryptocurrency? Because crypto is non-custodial: if you lose your private keys, you lose access. Shamir backup reduces single points of failure while keeping you in self-custody. In my experience, it’s an elegant middle ground between a single seed phrase and a full multisig setup.

(Short and practical: Shamir is about distribution and resilience.)

How SLIP-39 actually works (plain language)

At a high level, SLIP-39 splits your wallet’s master secret into n shares with a threshold k. You choose both numbers. For example, you might create 5 shares and require any 3 to reconstruct the master secret. Each share is a recovery phrase in its own right and contains metadata to identify the share and the set.

Try Tangem secure wallet →

Think of it like a map that’s been cut into pieces. You don’t need every piece to find the treasure—just enough of them. But note this: each share must be stored securely and separately. If an attacker gets k shares, they can rebuild your private keys.

SLIP-39 also supports different groupings and advanced parameters in some implementations (so you can design redundancy across family members, lawyers, or geographically separate safes). What I’ve found is that the flexibility is powerful—but it adds human operational complexity.

Diagram of Shamir Secret Sharing and SLIP-39 shares

SLIP-39 vs BIP-39 — a quick comparison

Feature SLIP-39 (Shamir backup) BIP-39 (standard seed phrase)
Basic idea Split a master secret into n shares; k needed to recover A single mnemonic encodes the master seed
Compatibility Requires specific SLIP-39 support to restore Widely supported across wallets and tools
Single point of failure Reduced (if shares distributed properly) High (one phrase holds everything)
Complexity Higher — more decisions, more physical storage Lower — single backup to protect
Best for Users who want distributed redundancy without full multisig Users who prefer simplicity or broad compatibility

Which should you pick? It depends on your threat model. Want simplicity and maximum compatibility? BIP-39. Want redundancy without multisig complexity? SLIP-39 is worth evaluating.

Step by step: creating a Shamir backup on a hardware wallet that supports SLIP-39

Note: not every hardware wallet implements SLIP-39. If your device supports it, the flow usually looks like this:

  1. Verify firmware authenticity first (check signatures or compare hashes). See the firmware guide for how to verify on a given model.
  2. Initialize the wallet and choose the option to create a SLIP-39 / Shamir backup.
  3. Select total shares (n) and threshold (k). Example: 5 shares, threshold 3.
  4. The device will generate each share sequentially. Record each share exactly as shown—these are your recovery phrases.
  5. Confirm each recorded share on the device when prompted.
  6. Store shares separately (more on storage below). Test a recovery in a safe environment if possible.

Be careful during step 4. I believe that writing each share on a metal backup plate is worth the extra effort for long-term storage. And yes, write legibly.

Best practices for storing shares and recovery

  • Use metal backup plates or another fire- and water-resistant medium for long-term storage (paper will degrade).
  • Distribute shares geographically to reduce single-location risk. But don’t make them trivial for an attacker to find.
  • Avoid photographing shares or storing them in cloud services.
  • Label shares carefully (or don’t label at all; many prefer anonymous storage and a separate index kept in a different place).
  • Consider using a passphrase (the so-called 25th word) for an extra hidden wallet—only if you understand the risks (losing the passphrase = loss of funds).

What I’ve seen go wrong most often is over-engineering: people make shares too many and forget the threshold. Keep the math simple and document recovery procedures for trusted family or an executor (without exposing secrets).

Shamir backup vs multi-signature (multisig): when to use each

Shamir backup is a backup scheme for one private key. Multi-signature splits signing authority across multiple independent private keys and typically requires co-signers for transactions. Which is right?

  • Use SLIP-39 when you want to keep a single-key workflow but reduce single-point-of-failure risk.
  • Use multi-signature when you want to require multiple independent approvals to move funds (stronger protection against theft). Multisig usually increases cost and operational complexity.

They aren’t mutually exclusive. For instance, you can have multisig wallets where each signer uses Shamir backup for their private key. But that adds more moving parts. In my testing, multisig is the security-first choice; SLIP-39 is the convenience-first enhanced backup.

For a practical primer, see the multisig overview: multi-signature guide.

Common mistakes and recovery scenarios

  • Buying devices or accessories from unofficial sellers. Don’t. (This creates a supply-chain risk.)
  • Exposing shares when you carry them together. Distribute them.
  • Forgetting which shares belong to which set or the threshold number. Keep a secure, separate index if needed.
  • Mixing SLIP-39 shares with BIP-39 tools—remember shares usually need SLIP-39-aware recovery.

Can you recover if the device breaks? Yes, provided you have enough shares (or the original seed phrase if you used one). What if the company behind your wallet goes bankrupt? If you control your private keys (or shares) you still control your crypto—this is the point of self-custody.

If something goes wrong during setup, consult the recovery steps before trying risky workarounds. See the recovery guide here: device recovery.

FAQ

Q: Can SLIP-39 shares be stored together in one safe?
A: Technically yes, but that defeats the purpose. The point is distribution.

Q: Is the passphrase (25th word) required with SLIP-39?
A: No. It’s optional. But adding it increases security and also increases the chance of permanent loss if forgotten.

Q: Is Bluetooth safe for a hardware wallet when setting up SLIP-39?
A: Bluetooth adds attack surface. For backup generation or recovery, prefer a USB connection or a truly air-gapped setup.

Conclusion & next steps

Shamir backup (SLIP-39) is a practical, flexible way to protect a single private-key wallet by splitting the recovery secret into multiple shares. It removes a single point of failure but asks you to manage more physical pieces. In my experience, it’s best for users who want redundancy without moving to full multisig.

Want concrete setup steps or troubleshooting for your model? Read the backups guide and the setup walkthrough. If you’re focused on firmware safety and supply-chain checks, the firmware and security page is a smart next read.

If you’re unsure whether SLIP-39 is right for your situation, ask yourself: do I want convenience or resilience? The answer will point you to the right choice.

CTA: Explore the practical guides and recovery tutorials next: seed phrase basicsfirmware checklistbackup strategies.

Try Tangem secure wallet →