How Tangem Hardware Wallet Backs Up Private Keys
Lose your crypto wallet, and you lose access to your cryptocurrency unless you have backed up your private key. People usually rely on a seed phrase for this, but seed phrases are extremely unsafe because anybody who gets hold of one can use it.
Tangem Wallet solves this by securely cloning private keys. You can clone your key to one or two backup Tangem cards, so a lost or stolen card won't lock you out.
How safe is this method? Here is what happens inside the cards during a backup.
Creating a private key
Before activation, a Tangem Wallet holds no private key, the value labeled Kpriv in the diagrams. You receive the card unactivated and keyless, so no copy of your key exists anywhere in the world, and you cannot copy something that does not exist yet.
During activation, the Tangem chip generates a new private key from a number produced by a certified hardware random number generator (TRNG). For the full process, read our article How to create a private key for a crypto wallet with and without a seed phrase.
At this point, only one copy of the private key exists. To back it up, you then create one or two more copies, and that has to be done securely.
Preparing to create a backup
A backup has to move the private key to the other cards without letting anyone steal it. You also retain full control over how many copies exist.
So the backup has two jobs:
- Get the key onto another Tangem card.
- Protect it in transit by encrypting it, so that only the receiving card can decrypt it.
When the card is manufactured, the chip generates its own key pair: the Kcardpriv private key and the Kcardpub public key, both unique to each card and unconnected to the wallet its owner will use. Their only job is to prove the card is genuine and confirm to the app that Tangem made it.
Tangem signs this public key with its manufacturer's private key, KTangempriv. This produces the Cert_Card certificate, which is later used to confirm the card is real.
The manufacturer’s public key, KTangempub, is also written onto the chip. It is the same on every card and forms the starting point of a chain of trust between the source and destination card.

The first challenge: Mutual authentication
During a backup, each card has to confirm that the card on the other end is a genuine Tangem card. It does this by building a cryptographic chain of trust from the cards’ keys and signatures.
During activation, each card creates a single-use key pair for talking to the other cards: Klinkpub and Klinkpriv. It signs the public key from this pair with its Kcardpriv private key, creating the Sign_Attest signature.

The card then sends the Sign_Attest, Klinkpub, and Kcardpub information to the other card.
This process creates the following chain of trust: KTangempub → Kcardpub → Klinkpub.
Every card knows the manufacturer’s public key, KTangempub, and uses it to check the Cert_Card certificate the other card presents. If the certificate validates for the other card’s Kcardpub, the card trusts that Kcardpub and uses it to verify the other card’s Sign_Attest signature.
If the Sign_Attest checks out against the other card’s Klinkpub, the card on the other side was genuinely made by Tangem, and its Klinkpub has not been tampered with. That verified key is then used to derive the shared Ktrans backup key.

The second challenge: obtaining a shared encryption key
Now both cards need a shared symmetric key, Ktrans, that the source card will use to encrypt the user's private key, and the destination card will use to decrypt it. Because the connecting device is untrusted, a card cannot simply create Ktrans and send it across, which is the problem the Diffie–Hellman protocol solves.
The cards have just exchanged verified, trusted Klinkpub keys. Each card now combines its own Klinkpriv with the other card’s Klinkpub to compute the symmetric Ktrans encryption key, and both computations produce the same key. That is what Diffie–Hellman makes possible.
If an attacker takes over your phone and can eavesdrop on the card exchange, they only learn the Klinkpub and Kcardpub public keys, as these are the only things transmitted by the cards. The Klinkpriv keys never leave the cards, so the attacker cannot reproduce Ktrans.

Encrypted key exchange
With the Ktrans key, the first card encrypts a bundle holding the user’s private key, the access code, and the number of backups (2 or 3 cards).
It sends the encrypted ENC message to the second card, which decrypts it with the same Ktrans. Anyone who intercepts ENC learns nothing, because without Ktrans the package cannot be opened.
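As an added simulation (not Tangem's firmware or code), the three steps above run end to end in one script: the chain-of-trust check KTangempub → Kcardpub → Klinkpub, the Diffie–Hellman derivation of Ktrans, and the sealed ENC transfer. It assumes a Schnorr-style signature over a toy modular group in place of the cards' real curve, a keystream-XOR-plus-HMAC construction in place of their real cipher, and a dictionary layout for the exchanged message; the `tamper` hook in `backup` models a compromised phone rewriting what the cards send each other.

```python
import hashlib, hmac, secrets
# Toy group standing in for Tangem's real curve: p = 2^127 - 1 (Mersenne prime),
# base g = 3, exponents reduced mod p - 1. Illustrative parameters only.
P, G = 2**127 - 1, 3
Q = P - 1
def keygen():
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)
def h(*ints):                                    # hash-to-bytes for challenges and Ktrans
    return hashlib.sha256(b"".join(i.to_bytes(16, "big") for i in ints)).digest()
def sign(priv, attested_pub):                    # Schnorr signature over a public key value
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k + int.from_bytes(h(r, attested_pub), "big") * priv) % Q
def verify(pub, attested_pub, sig):
    r, s = sig
    e = int.from_bytes(h(r, attested_pub), "big") % Q
    return pow(G, s, P) == r * pow(pub, e, P) % P
TANGEM_PRIV, TANGEM_PUB = keygen()              # KTangempriv (manufacturer) / KTangempub (every card)

class Card:
    def __init__(self):
        self.card_priv, self.card_pub = keygen()     # Kcardpriv / Kcardpub, set at manufacture
        self.cert = sign(TANGEM_PRIV, self.card_pub) # Cert_Card
    def hello(self):                             # backup start: fresh single-use Klink pair
        self.link_priv, link_pub = keygen()
        return {"card_pub": self.card_pub, "cert": self.cert,
                "link_pub": link_pub, "sign_attest": sign(self.card_priv, link_pub)}
    def ktrans(self, peer):
        """Chain KTangempub -> Kcardpub -> Klinkpub, then Diffie-Hellman for Ktrans."""
        if not verify(TANGEM_PUB, peer["card_pub"], peer["cert"]):
            raise ValueError("Cert_Card invalid: peer was not made by Tangem")
        if not verify(peer["card_pub"], peer["link_pub"], peer["sign_attest"]):
            raise ValueError("Sign_Attest invalid: Klinkpub was replaced in transit")
        return h(pow(peer["link_pub"], self.link_priv, P))  # identical on both cards

def seal(ktrans, data):                          # ENC = keystream-XOR ciphertext || HMAC tag
    ks = hashlib.shake_256(b"enc" + ktrans).digest(len(data))
    ct = bytes(a ^ b for a, b in zip(data, ks))
    return ct + hmac.new(b"mac" + ktrans, ct, "sha256").digest()
def unseal(ktrans, enc):
    ct, tag = enc[:-32], enc[-32:]
    if not hmac.compare_digest(tag, hmac.new(b"mac" + ktrans, ct, "sha256").digest()):
        raise ValueError("ENC tag mismatch")
    return seal(ktrans, ct)[:-32]                # XOR with the same keystream undoes it

def backup(src, dst, bundle, tamper=None):
    """One backup over an untrusted phone; `tamper` may rewrite the exchanged messages."""
    hs, hd = src.hello(), dst.hello()
    if tamper: hs, hd = tamper(hs), tamper(hd)
    enc = seal(src.ktrans(hd), bundle)           # source encrypts the Kpriv bundle
    return unseal(dst.ktrans(hs), enc)           # destination recomputes Ktrans, decrypts
```

A phone that swaps in its own Klinkpub fails the Sign_Attest check on the receiving card, and a card whose certificate was not issued under KTangempub fails the Cert_Card check, so no Ktrans is ever derived with an impostor.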

The third card is backed up in exactly the same way. The one difference is that the cards generate fresh Klink pairs, so its Ktrans differs from the one used for the second card.
The chip firmware permits a backup only once. After a card has given or received a key, it will no longer start the backup procedure, and the key can never be extracted from it again.
If you run a factory reset on your Tangem wallet, the chip forgets the Kpriv key. You can then reactivate it, generate a new key, and run a fresh backup. The old key is destroyed in the reset and cannot be recovered.