Is this the only ledger device that lets you see the receive address for multisig on the device? Nano S Plus/X don’t support this do they?
They actually all support it now, the Ledger Bitcoin app is very powerful
Oh, that’s great to hear! Thanks!
Sure is
Hi, I was bitcoin only for a while but am now dabbling in some eth and erc-20 coins. I was wondering do passphrases work with erc-20 as they do on bitcoin. So a new passphrase = a totally new wallet. Thanks!
Yep, the BIP39 passphrase is applied to all coins/chains/accounts, it's like using an entirely different seed.
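Added example, not part of the original comment thread: a standard-library Python sketch of why a new BIP39 passphrase acts like a new seed on every chain. It uses the public BIP39 test-vector mnemonic (never use it for funds) and assumes the common BIP44 account paths m/44'/0'/0' (Bitcoin) and m/44'/60'/0' (Ethereum, where ERC-20 balances live); the function names are illustrative.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group, used by BIP32 for private-key arithmetic.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000

# Public BIP39 test-vector mnemonic (constructed sample input, not a real wallet).
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic, passphrase=""):
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    password = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def bip32_master(seed):
    """BIP32 master private key and chain code from the 64-byte seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def hardened_child(key, chain, index):
    """BIP32 hardened private child; needs no elliptic-curve math.
    (The spec's negligible-probability invalid-key cases are not handled.)"""
    data = b"\x00" + key.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    return (int.from_bytes(digest[:32], "big") + key) % N, digest[32:]


def account_key(mnemonic, passphrase, coin_type):
    """Private key at m/44'/coin_type'/0' (SLIP-44: 0 = Bitcoin, 60 = Ethereum)."""
    key, chain = bip32_master(bip39_seed(mnemonic, passphrase))
    for index in (44, coin_type, 0):
        key, chain = hardened_child(key, chain, index)
    return key.to_bytes(32, "big").hex()


if __name__ == "__main__":
    # Same words, different passphrase: every chain's account key changes.
    for passphrase in ("", "TREZOR", "trezor"):
        print(repr(passphrase),
              "BTC", account_key(MNEMONIC, passphrase, 0)[:16],
              "ETH", account_key(MNEMONIC, passphrase, 60)[:16])
```

The passphrase is only a salt input, so there is no "wrong" passphrase: a typo silently opens a different, empty wallet on all chains.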
Still need to use a passphrase to be 100% trustless? If you reset the seed, does it also remove all the apps? (Like the Nano)
You *can* use an open source tool here: github.com/darosior/ledger_installer if you really want to (but it's still in alpha), but for most folk the simplest option is to just use Ledger Live to install all of the apps (running on a phone or something, or another PC), then enable a passphrase and use it with third party software like Sparrow, etc.
@CryptoGuide seems odd you cannot replace the seed without resetting the whole device. What do you think?
That's the standard approach that most vendors have used and is probably the safest option for normal folk. (Who will generally only have one seed) The 1:1 relationship between seed and device has been fairly consistent up until fairly recently.
Oh no. Pipedpiper is back with his flute
;)
13:38 wtf ledger demands your location?? Well…that’s safe…
The app needs it for Bluetooth device discovery :( (As do all which offer the same functionality on Android)
I wouldn't say it's completely trustless. You have to trust their closed source firmware which includes an API for key extraction over the internet. That requires a LOT of trust since you have to trust Ledger.
You actually don't need to trust their firmware not to leak stuff if you avoid running their software on your PC at all.
@CryptoGuide I don't know. The device still has key extraction firmware and has to be connected to Ledger Live (which has tons of trackers) to be initially set up. Maybe that means Ledger only has one chance to identify you and snatch your keys, but that's one chance too many. I could never trust closed source firmware. And let's remember, Ledger lied to their users many times (they said "Your keys are always stored on your device and never leave it" while they were writing key extraction firmware). I'd love a fully open source device like this, but I could never trust this thing.
The point of applying a passphrase after you have done the initial setup in Ledger Live is that even if there was a way that they were accessing "undocumented features" in the firmware, they wouldn't have your actual keys. (There are also community written projects that replace the initial Ledger Live app install, but they are still in Alpha stage)
To be fair, what Ledger marketing people were saying to their users would have been true when they wrote it. To be clear, I have a major issue with Ledger Recover generally and the fact that it was rolled out to existing hardware (rather than opt-in) but I think most of the drama was an overreaction. (Pushed by hardware manufacturers and influencers who made significant profits from it all)
Having said all that, I still prefer Specter DIY overall ;)
@CryptoGuide But the firmware isn't open, so how can you prove Ledger has no access to the passphrase or the keys for the passphrase wallet? Don't trust. Verify.
It's actually very similar to the way that the MCUs running in retail devices aren't open either, and that they may contain undocumented features which undermine the physical protection offered by the hardware platform. (Regardless of the firmware running on top)
The thing is that even if such an exploit exists, you need companion software on the PC side to be able to make use of it and exfil the data.
By only using Ledger Live for the initial setup and then adding a passphrase and never touching it again, you are avoiding the mechanism that would need to be used to extract data from the device in the first place. (This is actually a more general principle that applies to all hardware, splitting up functionality like this is exactly how you remove trust and verify that each component is only doing what it should)
stax and flex can't be used in darkness because they have no laminating screen when in darkness
This is true
For that amount of money, I prefer to buy 2 keystone pro devices. Nice review.
Yea it's certainly a major consideration at this price tier. (And also a great reminder on how good of a job that Keystone has done for hitting the price point that they managed)
I would invest some coin
Well yea if price is the main concern then a $10 DIY Jade is the way to go
All ledger devices are compromised. Investor lost huge cash in his ledger.
This stuff is always floating around for every vendor and it's always the user leaking their seed or signing a malicious smart contract.
If the firmware is not open source, the company deserves not to be in business (uhm… looking at you Ledger). You trust ledger? Ok, fine, but by re-introducing trust into the loop, you break the whole idea of your digital property to be trustless and for everything to be transparent and verifiable by anyone. Ledger can go pound tacos.
Sorry, capitalism doesn’t work like that
The thing is that you can actually use it trustlessly due to how they have designed their stack. (As opposed to something like Ellipal or Tangem)
It's not for everyone, but there are plenty of non-open source companies (including coinkite) who make an important contribution to the space.
There is a serious risk that ledger will hand over your keys to authorities on demand. I would never recommend ledger to anyone.
That's only really possible if you are using the Ledger Recover service.
Do other wallet vendors comply with that also?
Any commercial vendor will ultimately comply with requests from law enforcement in their jurisdiction, it's just what companies do, otherwise they cease to exist.
That said, most vendors don't store partial private key material, so may only hand over things like your shipping/sales data and/or wallet information (if you use the vendor supplied wallet software and it logs stuff centrally)
Oh oh, just too much hustle. My Specter Shield Lite is a far better experience and security for a fraction of the price.
Ledger Flex is only a more beautiful device but it is not a beauty contest 😁
Oh I totally agree, but I'm not really the target market for Ledger ;)