How to send and receive Grin with Ledger Live Desktop

There’s always some trust involved when using Ledger hardware wallets since their firmware is closed source, their hardware is closed source, the secure elements they use are closed source, etc.

Ledger’s new recovery service, Ledger Recover, involves exporting the seed from a hardware wallet and storing it in an encrypted, sharded form at several custodial companies. Ledger if facing criticism for this since they’ve previously stated that a firmware update couldn’t allow the seed to be exported from a hardware wallet.

I personally don’t recommend anyone use Ledger’s recovery service since it appears to use the same key to decrypt everyone’s seeds based on this comment.

It baffles me that a company like Ledger rolls out such a feature without even answering basic questions such as:

1. are the decryption keys unique to your ledger device? (I’ve seen reports elsewhere that the seed could be restored to another Ledger device, which has completely different security implications).
2. are the decryption keys in my device known to Ledger?
3. can any firmware update leak those decryption keys (some reports suggest that the decryption keys are in the firmware update itself, which is the worst of all possible worlds) ?

I want to trust them, but they make it so hard…

If it is a firm, subject to legal laws. Answer is simple. Always.

FwkbdPgXoAEg1lj1146×847 136 KB

Well there you have it @tromp . Shamir shares are not encrypted. An organization which can access the shares can access your funds.

Trying not to put on my tin foil hat, but the whole ledger thing feels like a law enforcement op to at best catch tax evaders or criminals.

How do you know they’re not encrypted?

If they were encrypted, then the funds would not be accessible if the shares were revealed, e.g. in subpoena. The Ledger cofounder cited above says that shares accessed via subpoena would allow access to the funds. This is only possible if the shares are not encrypted.

Are you sure they’re not encrypted by the ledger team and they would decrypt them if government demanded it?

That’s not what the Ledger founder said, but even so would that be any better? If your keys are stored on 3rd party servers and accessible by 3rd parties, the rest doesn’t really matter. At that point you’ve lost the whole reason of using a hardware wallet.

I’ve always said people were foolish for trusting Ledger (or other similar companies), but anyone that continues to use ledger now is just willfully ignorant. They’ve lost the plot.

The only solution here is to build our own HW from open components, I am personally waiting for powerful Arduino GIGA R1 (https://docs.arduino.cc/hardware/giga-r1-wifi) to start experimenting at this field.

It’s better, but yes it’s horrible. I agree that key extraction should be hardware limited otherwise you always need to trust each software update.

Every hardware has firmware still. Don’t trust → verify.

This. And only open source firmware can be verified. Thus, don’t use closed source wallets.