Plausible deniability on Ledger wallet

A step-by-step guide to enjoy plausible deniability on your Ledger device

Jules Br0gn4
8 min readDec 8, 2020
Featured image

What if someone points a gun to your head and forces you to reveal your Ledger wallet’s seed?!

One term in your mind: plausible deniability

The security topic in the management of crypto is an extremely delicate matter.

It is well known that the protection of crypto-assets is totally referred to the user’s skills. Should some problems arise, you can’t contact a customer service.

On the other hand, people often completely rely on having control of their cryptographic keys. In order to avoid misunderstandings, let me explain this more in-depth.

Encryption protects you from the interference of third parties. This means that cryptocurrencies cannot be moved without your consent, which is always manifested by signing a transaction which is then broadcasted to the network.

But what if that consent is extorted? In other terms, you would be forced to disclose your seed, or to hand over your device along with its unlock pin.

Example of crypto extortion
$5 wrench attack

Extortion can consist of several kind of violence or threats. Anyway, the typical example is that of an attacker who points the gun to your head.

What would happen in such a sad circumstance? A sensible person would have no choice but to hand over the seed to the attacker, or the device along with its unlock pin.

However, even if you are under duress, you may have the opportunity to evade the attack, or at least to minimize the potential damage.

Have you ever heard of “plausible deniability”?

Plausible Deniability

Based on Wikipedia:

“Plausible deniability is the ability of people, typically senior officials in a formal or informal chain of command, to deny knowledge of or responsibility for any damnable actions committed by others in an organizational hierarchy because of a lack or absence of evidence that can confirm their participation, even if they were personally involved in or at least willfully ignorant of the actions…”

This term - plausible deniability - was devised to ensure that senior government officials, including the president of the United States, could assert in good faith to the public that they were not involved in acts committed by government officials, which could have seriously embarrassed the administration.

Later, plausible deniability has been introduced in other fields as well, including cryptography applied to cyber-security.

Cryptographic systems can be used to deny the existence of encrypted files or hidden messages, such that an attacker coming into possession of the archive’s password will be unable to prove the existence of files or messages (“deniable encryption”).

In order to protect cryptocurrencies, Ledger hardware wallets allow you to create “secret accounts”. These accounts cannot be accessed even by an attacker who managed to get hold of the seed.

This means that in the face of violence or a threat, if there is no other way, you could reveal the seed to the attacker, or hand him the device along with the unlock pin.

The attacker cannot have knowledge of the secret accounts.

In this scenario, to make this apparent situation more credible, you may be willing to sacrifice a small portion of your crypto.

Let’s take an example.

Let’s suppose you own 100 ether. You could deposit 99 ether in one or more hidden accounts, while keeping the remaining 1 ether in one of the visible accounts (called primary).

Should someone forces you to reveal the seed, or to give him the device along with the unlock pin, he would only have access to the account that contains 1 ether. He would not know of the existence of protected accounts.

By using that strategy, at the cost of losing a very small part of your assets, you would have managed to safeguard most of your crypto assets, in a state of constraint in which, otherwise, you would have lost everything.

Anyway, how to hide accounts on Ledger hardware wallets?

Create hidden accounts on Ledger hardware wallet

It should be noted first that the level of security depends on the concrete needs of each user. An extra layer of security may be detrimental, especially if you are unable to properly manage and store the required backups.

The instructions I am about to show are for expert users only, who are able to master the procedures described. Do nothing before reading the entire guide carefully.

When you set up your Ledger wallet for the first time, 24 words (seed) were generated. You carefully saved those words on the appropriate “recovery sheet” provided in the device package.

These 24 words are the backup of the private keys you use to access to your accounts.

You can add an extra layer of security by setting a “passphrase”. This passphrase is like a password for your seed, which allows you to have a new set of accounts.

Should your seed be compromised, the passphrase protects your funds: in order to access to the accounts protected by the passphrase, it will not be enough for an attacker to own the seed, but he will also need the passphrase.

Each passphrase unlocks a set of unique accounts based on your seed. You can use multiple passphrases, each associated with a set of accounts.

Set a passphrase

To set a passphrase, follow these instructions:

  • Turn on the Ledger device and unlock it as usual through its pin
  • Go to “Settings
  • Click on “Security
  • Go to “Passphrase”, then select “Attach to a PIN” or “Set temporary” (I’m going to explain the difference between the two options hereinafter)

Link the passphrase to a PIN - “Attach to a PIN”

If you select “Attach to a PIN”, it means that you want to create a new set of accounts based on the passphrase that you are about to set. You will be able to access to the accounts protected by the passphrase by entering the pin (called secondary) that you pick.

The passphrase will be stored on the device until you overwrite it with another one, or until you restore the Ledger device.

To set a passphrase attached to a pin, follow the instructions below:

  • In the “Passphrase” menu, select “Attach to a PIN
  • Create a “secondary PIN
  • Re-enter the “secondary PIN” to confirm it
  • Choose and confirm a secret “passphrase” (maximum 100 characters). WARNING! Before saving the passphrase, you must absolutely have a physical backup of that passphrase. Once you have set it up, the device will no longer be able to show it
  • Enter your “primary PIN” (the one that you set when you originally configured the Ledger device) to confirm

Once you set the passphrase attached to a pin, your device will continue to manage your set of primary accounts (the non-hidden ones). In order to access to the accounts protected by the passphrase, turn off the device, turn it back on and enter your “secondary PIN”.

So now you own two pins.

In the face of an extortion, you have to give to your attacker the primary pin (the one that you set when you originally configured the Ledger device). By using the primary pin, the attacker can access only to the (non-secret) accounts in which no crypto are stored (or only small amounts are stored).

Even if the attacker manages to get hold of the seed, he would not be able to access to the protected accounts. This is because he doesn’t own the required passphrase to unlock those accounts, and won’t even know they exist.

Temporary passphrase - “Set temporary”

In addition to setting a passphrase protected by a pin (as explained in the previous paragraph), it is possible to set a temporary passphrase.

A temporary passphrase gives you access to a new set of accounts, but only for the duration of the current session.

To set a temporary passphrase, follow these steps:

  • In the “Passphrase” menu, select “Set temporary
  • Choose and confirm a secret passphrase (maximum 100 characters). WARNING! Before saving the passphrase, you must absolutely have a physical backup of the passphrase. Once you have set it up, the device will no longer be able to show it
  • Enter your “primary PIN” (the one that you set when you originally configured the Ledger device) to confirm

From now on your device will manage the accounts protected by the passphrase until you restart it. Therefore, if you want to access to your primary accounts again (the non-hidden ones), you will need to restart the device.

When the session is over, if later you want to access again to the protected accounts, you will have to repeat the procedure for setting the passphrase, obviously reusing the same passphrase.

Setting a temporary passphrase is not mainly intended to protect you against extortion, but especially to safeguard a seed or a pin kept in unsafe places.

So that if someone sees the 24 words or manages to find the pin, he will still be unable to access your crypto due to lack of the passphrase.

Retrieve passphrase-protected accounts

In case of loss or reset of the Ledger device, you can still access again to the protected accounts as long as you own both the seed (the 24 words) and the passphrase.

Here are the step by step instructions to retrieve the protected accounts:

  • Get a new Ledger hardware wallet (in case of loss), or the same device (if you have only reset it)
  • Put the seed and the passphrase under your eyes
  • Through the configuration phase of your Ledger, pick to restore the device through your old seed (the 24 words)
  • Follow the instructions of the previous paragraphs, to set either a passphrase attached to a pin or a temporary passphrase

Safer does not mean suitable for everyone!

Setting a passphrase makes your Ledger device more secure.

As you have learned, you can create hidden accounts to be used for storing large amounts of crypto. By doing so, in the undesired hypothesis of extortion or theft of the seed , your attacker would not be able to access to the secret accounts.

However, adding extra security layers is not necessarily the ideal solution.

A user should opt for its own degree of protection, based on his specific needs, as well as on his skills and possibilities for managing the security tools involved.

Setting a passphrase can complicate the user experience, if you are struggling with the funds recovery (for instance due to loss of the Ledger wallet, or because of a reset - even involuntary - of the device).

Those who already own a Ledger device know that if they lose or forget the unlock pin, the funds can be retrieved through the seed (the 24 words generated during the device configuration phase).

However, if you have set a passphrase to protect the seed (according to the guidelines shown earlier), you will also need the passphrase to retrieve the funds, in addition to the seed.

It means that if you lose or forget your passphrase, you will no longer be able to access to the protected accounts.

There is no way to recover a lost passphrase!

Adding an additional layer of security can make harder the funds recovery procedure, if you are unable to properly manage the backup of your seed and that of your passphrase. Carefully consider what degree of protection you need, as well as the security settings that best suit your management skills.

Bear also in mind that the creation of hidden accounts is a useless expedient, if not accompanied by additional behavioral precautions.

If you tell people that you own crypto or, anyway, that you own a ton of crypto, you will not be credible when an attacker finds only small amounts on your device. Also, avoid divulging the crypto protection techniques you usually adopt.

Hopefully this article helps you figure out how to setup a Ledger wallet for plausible deniability. Should you have any doubts or questions, ask me in the comments below.

If you want to get a Ledger device, first read about the differences between Ledger Stax, Ledger Nano S Plus and Ledger Nano X.

--

--

Jules Br0gn4

Belgian researcher and consultant, crypto activist and DeFi expert.