Trezor Model T has open source firmware, passphrase protection based on a passphrase entered on the device and supports U2F, SSH and GPG in addition to being a Bitcoin wallet. Passphrases are dynamically mixed with the main seed protected by the hardware so there's deniability.
I wrote a thread reviewing it and explaining how the security model works here:
twitter.com/DanielMicay/st
It doesn't store keys at all, but rather derives them dynamically from the stored high entropy seed (which has a great recovery mechanism), the passphrase and the identity.
Quote Tweet
Trezor Model T is a great product. I bought it for hardware-based Bitcoin wallets but it's working well for SSH via trezor-agent (ed25519) and U2F. It has per-identity keys for SSH and requires auth to use U2F or an SSH identity via the touchscreen just like Bitcoin payments.
To recover on a new device, you enter the recovery phrase that was written down to restore the same seed and then entering the proper passphrase and requesting the same identity will produce the same key as before. There's never a need to expose it on a general purpose computer.
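As an added illustration of the model the thread describes (not code from Trezor, trezor-agent, or the thread's author), the following Python reproduces the part that is standardized and well known: a BIP39 recovery phrase plus an optional passphrase is stretched with PBKDF2-HMAC-SHA512 (2048 rounds, salt "mnemonic" + passphrase) into the 64-byte seed, so every passphrase yields a different but equally valid seed, which is where the deniability comes from. The per-identity step below is a hypothetical HMAC-based stand-in for the device's real hierarchical derivation path; it keeps the property that matters here (deterministic, keyed on the seed, separated per identity) but is not the actual algorithm. The recovery phrase is a constructed sample, not anyone's wallet.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample phrase (the all-zero-entropy BIP39 vector). Not a real wallet.
SAMPLE_MNEMONIC = (
    "abandon abandon abandon abandon abandon abandon "
    "abandon abandon abandon abandon abandon about"
)


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed stretching: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output.

    The passphrase is mixed in as part of the salt, so there is no stored
    "right" passphrase: any passphrase produces a valid-looking seed.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def derive_identity_key(seed: bytes, identity: str) -> bytes:
    """Hypothetical identity-scoped derivation (stand-in, not the device's real path).

    Returns 32 bytes of key material for e.g. an ed25519 SSH identity such as
    "ssh://user@host". Different identity strings give unrelated keys, and the
    key is recomputed from the seed on demand rather than stored.
    """
    return hmac.new(seed, identity.encode("utf-8"), hashlib.sha512).digest()[:32]


def recover_and_derive(mnemonic: str, passphrase: str, identity: str) -> bytes:
    """Full recovery flow: phrase -> seed -> identity key, with no key stored anywhere."""
    return derive_identity_key(mnemonic_to_seed(mnemonic, passphrase), identity)


def demonstrate() -> dict:
    """Check the properties the thread relies on and return them as booleans."""
    ident = "ssh://alice@example.org"  # constructed identity string
    original = recover_and_derive(SAMPLE_MNEMONIC, "correct horse", ident)
    # Recovery on a new device: same phrase, same passphrase, same identity.
    recovered = recover_and_derive(SAMPLE_MNEMONIC, "correct horse", ident)
    # A different passphrase silently yields a different, equally valid wallet.
    decoy = recover_and_derive(SAMPLE_MNEMONIC, "decoy", ident)
    # A different identity under the same passphrase yields an unrelated key.
    other_identity = recover_and_derive(SAMPLE_MNEMONIC, "correct horse", "ssh://alice@other.example")
    return {
        "recovery_reproduces_key": recovered == original,
        "passphrase_changes_key": decoy != original,
        "identity_changes_key": other_identity != original,
        "key_length_ok": len(original) == 32,
    }


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name}: {ok}")
```

The `mnemonic_to_seed` output can be checked against the published BIP39 reference vector for this phrase with passphrase "TREZOR"; the identity step, being a stand-in, has no reference value.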