Entering a password on device (like you mention) is a big plus for Trezor though, as is their open CPU. (What smart card does Nitrokey use?)
I find the recovery model to be the biggest advantage of the approach based on deterministic wallet design. The hardware wallet generates a high entropy seed, displays it as a recovery phrase and you can write it down, store it and recover without exposing it to the computer.
I need backups for my keys. For a traditional HSM, that means I need to generate them on my computer, back them up onto cold storage and import them onto the HSM. If I ever need to do recovery, I need to expose them to a general purpose computer again too. That's problematic.
Entering a passphrase directly on the device is another nice property of the Trezor Model T, but a traditional HSM can support that for encrypting keys and still wouldn't have the solid approach to recovery or the deniability from all passphrases leading to valid wallets/keys.
I'd really like to see other implementations of the same model they've designed. There are many other cryptocurrency wallets doing it but it's just as applicable to U2F, SSH and GPG which are also provided by a Trezor. I'd like to see alternatives with compatible implementations.
Another advantage is that the Trezor Model T has you confirm actions on the device for U2F, SSH, GPG, etc. It doesn't just have that for sending a Bitcoin transaction or verifying a receive address by showing it as text / QR code on the device. It has you confirm U2F/SSH/GPG use.
The disadvantage of the deterministic wallet approach is you can't use it to import and secure existing keys, so you need a mechanism for key rotation. Similarly, if you decide to change the passphrase, that involves key rotation since keys are derived from seed + passphrase.
Changing passphrase without rekeying is a major risk anyway. Most ppl should not do it.
I've always done this b/c OCD, but didn't know it was an actual security risk. Could you explain this for me?
It's definitely much better to rotate keys, in which case this isn't important and neither is importing keys. It can be painful to rotate some keys though, or impossible in some cases like early boot firmware signing keys where the public key fingerprint was burned into fuses.
Right. But unless you're sure the original encrypted private key was never copied by anyone, changing the passphrase does not preclude the possibility of using the old passphrase to access the key. Rather, in a sense, now it just has two passphrases that can access it.
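
Added example, not part of the thread and not Trezor's code: a sketch of why, in the deterministic model discussed above, every passphrase yields a valid wallet and a passphrase change is a key rotation. It assumes the BIP39 seed derivation and BIP32 master-key step, which the thread does not name; `wallet_fingerprint` is a hypothetical helper and the mnemonic is the public BIP39 test phrase.

```python
import hashlib
import hmac
import unicodedata

# Public BIP39 test-vector phrase, used only as sample input (never for real keys).
SAMPLE_MNEMONIC = "abandon " * 11 + "about"


def _nfkd(text: str) -> bytes:
    """BIP39 requires NFKD normalisation before UTF-8 encoding."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase.

    There is no stored verifier: any passphrase produces a 64-byte seed,
    so a wrong or decoy passphrase opens a different but valid wallet.
    """
    return hashlib.pbkdf2_hmac(
        "sha512", _nfkd(mnemonic), _nfkd("mnemonic" + passphrase), 2048, dklen=64
    )


def bip32_master(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master node: (private key material, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallet_fingerprint(mnemonic: str, passphrase: str) -> str:
    """Hypothetical helper: short hash identifying the derived master key."""
    key, _chain = bip32_master(bip39_seed(mnemonic, passphrase))
    return hashlib.sha256(key).hexdigest()[:16]


if __name__ == "__main__":
    # Same written-down phrase, different passphrases: unrelated key trees.
    for phrase in ["", "old passphrase", "new passphrase", "decoy"]:
        print(f"{phrase!r:18} -> {wallet_fingerprint(SAMPLE_MNEMONIC, phrase)}")
```

Because the passphrase is an input to derivation rather than a wrapper around a stored key, there is no old encrypted blob that an old passphrase could still unlock; the old passphrase simply keeps deriving the old keys.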