Evaluating this top-tier inheritance plan: https://nunchuk.io/inheritance
All looks great except one thing. Seems that the (encrypted) inheritance key is stored on Nunchuk servers. The website doesn't say this, but it does say:
Currently, a TAPSIGNER must be used as the inheritance key. However, once set up, a Nunchuk inheritance plan does not rely on the TAPSIGNER's electronics working at all. All you need from the TAPSIGNER is the Backup Password that is printed on the back of the card. This password will be used later to recover the inheritance key during the claiming process. You can make as many copies of this password as you see fit.
So presumably you have to trust that Nunchuk does indeed encrypt the inheritance key and doesn't have a back door.
Or am I missing something?
The TAPSIGNER encrypts the XPRV with AES using a 16-byte key printed on the back of the card. The backup file plus the key lets you recover the XPRV.
I think Nunchuk only keeps a backup of the encrypted XPRV provided by the TAPSIGNER at setup time... They have no idea what the decryption key is.
reply
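Added example, not part of the thread and not Nunchuk's or Coinkite's code: a shell sketch of the recovery step described in the comment above, showing that a stored backup is only useful together with the 16-byte key. It assumes AES-128 in CTR mode with an all-zero counter block and a plaintext that begins with `xprv`; the key, the plaintext and the function names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo values: not a real card key and not a real xprv.
DEMO_KEY="000102030405060708090a0b0c0d0e0f"   # 16 bytes as 32 hex digits
ZERO_IV="00000000000000000000000000000000"    # assumption: all-zero counter block
DEMO_LINE="xprvCONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY"

# What the backup holder stores: ciphertext only. Prints the temp file path.
make_demo_backup() {
    out=$(mktemp) || return 1
    printf '%s\nm/84h/0h/0h\n' "$DEMO_LINE" |
        openssl enc -aes-128-ctr -K "$DEMO_KEY" -iv "$ZERO_IV" -out "$out" || return 1
    printf '%s\n' "$out"
}

# decrypt_backup KEY_HEX FILE: plaintext on stdout.
# Rejects anything that is not exactly 32 hex digits, because openssl
# zero-pads a short -K value instead of failing.
decrypt_backup() {
    case "$1" in
        *[!0-9a-fA-F]*) echo "key must be hex" >&2; return 2 ;;
    esac
    [ "${#1}" -eq 32 ] || { echo "key must be 16 bytes (32 hex digits)" >&2; return 2; }
    openssl enc -d -aes-128-ctr -K "$1" -iv "$ZERO_IV" -in "$2"
}

# looks_like_xprv KEY_HEX FILE: exit 0 only if the decryption starts with "xprv".
# CTR has no integrity check, so a wrong key still "decrypts" and yields noise;
# the plaintext prefix is the only signal available here.
looks_like_xprv() {
    prefix=$(decrypt_backup "$1" "$2" 2>/dev/null | head -c 4 | tr -d '\000')
    [ "$prefix" = "xprv" ]
}
```

Whoever holds only the file produced by `make_demo_backup` has ciphertext; `decrypt_backup` needs the key from the back of the card to turn it back into the XPRV.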
this would start to make sense... thank you for explaining (Nunchuk should do the same!)
reply
Hey @03365d6a53, I'm Hugo, Nunchuk founder. @bataroot is correct, the TAPSIGNER's backup is encrypted by default. In fact, the TAPSIGNER card would never give you the backup file in the unencrypted format. Apologies if our website description isn't clear enough.
Hope that answers your question.
reply
We've updated our Inheritance FAQ section to include this as well. https://nunchuk.io/inheritance
reply
amazing, thank you! I read through the CoinKite docs and I get it now. Just waiting for the TapSigner to arrive :-)
reply
Sweet! Feel free to DM me if you have any more questions!
reply
I don't think there is a DM option in SN.. ?
But I do have another question!
Do you have a list of supported hardware devices? Is it correct that Ledger is not supported?
reply
Sorry, I meant to DM me over Twitter (same handle).
You can find the list of supported hardware here (scroll down to Hardware requirements section): https://nunchuk.io/pricing
We do support Ledger/Trezor but it's desktop only at the moment, and certain hardware like the M1 might have issues. Hence we don't list them under the subscription plans yet.
reply
Good question. Why even require a Tapsigner then?
You'd also have to trust them with your privacy as you're sharing a multisig with them.
reply