Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/satsigner/satsigner/llms.txt

Use this file to discover all available pages before exploring further.

Overview

SatSigner implements a multi-layered backup strategy to protect against data loss while maintaining security. Understanding the difference between what can and cannot be recovered is critical to protecting your Bitcoin.

Critical: What Requires Backup

Mandatory Backups

These items MUST be backed up or your funds will be permanently lost:
  1. Seed Phrases (Mnemonics) - BIP39 word lists for each account
  2. Passphrases - Optional 25th word if used
  3. Multisig Configuration - Descriptor or xpub list for multisig wallets
  4. PIN - Required to access wallet (no recovery mechanism)

Optional Backups

These can be backed up for convenience but are not critical for fund recovery:
  • Transaction labels and notes
  • Account names and metadata
  • Ecash proofs (Cashu tokens)
  • Application settings

Seed Phrase Backup

Physical Backup Methods

Paper Backup

Materials:
  • Archival-quality paper (acid-free)
  • Permanent ink pen (archival quality)
  • Waterproof envelope or lamination
Process:
  1. Write all seed words in order (number each word)
  2. Include word count (12, 18, 24) at top
  3. Note creation date
  4. Add fingerprint for identification (optional)
  5. Store in secure location
Advantages:
  • Low cost
  • Easy to create
  • No technical requirements
Disadvantages:
  • Vulnerable to fire
  • Can be damaged by water
  • Ink may fade over time

Metal Backup

Materials:
  • Stainless steel plates
  • Metal stamping kit or engraving tool
  • Fire-proof safe or burial location
Process:
  1. Stamp or engrave seed words onto metal
  2. Use first 4 letters of each word (sufficient for BIP39)
  3. Number each word position
  4. Store in secure, fire-proof location
Advantages:
  • Fire resistant (up to 1400°C+)
  • Water resistant
  • Very durable
  • Corrosion resistant
Disadvantages:
  • Higher cost
  • More difficult to create
  • May draw attention if discovered
Never store seed phrases digitally:✗ No screenshots or photos ✗ No cloud storage (iCloud, Google Drive, Dropbox) ✗ No password managers ✗ No email or messaging apps ✗ No computer files (even encrypted) ✗ No USB drivesWhy: Digital storage is vulnerable to:
  • Hacking and remote theft
  • Cloud provider breaches
  • Malware and keyloggers
  • Unauthorized backup syncing
  • Forensic recovery after deletion

SeedQR Backup

SatSigner supports encoding seeds as QR codes for certain use cases:

When to Use SeedQR

Appropriate Uses:
  • Transfer between air-gapped devices
  • Import to hardware wallets
  • Temporary transport medium
Inappropriate Uses:
  • Long-term storage
  • Photos in camera roll
  • Printed QR on regular paper

SeedQR Formats

Standard Format (apps/mobile/utils/seedqr.ts:3-15): 
// Each word encoded as 4-digit index (0000-2047)
// 12 words = 48 digits
// 24 words = 96 digits
Compact Format (apps/mobile/utils/seedqr.ts:17-32): 
// Binary encoding (11 bits per word)
// More dense QR code
// Checksum bits removed for 12-word seeds

Passphrase Backup

If using BIP39 passphrase (25th word):
Critical: Seed + Passphrase both required for recovery. Losing either means losing funds.
Backup Strategy:
  1. Separate Storage
    • Never store passphrase with seed
    • Different physical location
    • Different security method
  2. Memorization
    • Consider memorizing passphrase
    • Use memorable but not guessable phrase
    • Regular mental verification
  3. Encrypted Storage
    • If must write down, encrypt with separate key
    • Consider Shamir Secret Sharing
    • Multi-location redundancy

Multisig Backup Requirements

Single-Signature Accounts

Required Backup:
  • Seed phrase (12-24 words)
  • Passphrase (if used)
Recoverable From Seed:
  • Private keys
  • Addresses
  • Transaction history (via blockchain scan)

Multi-Signature Accounts

Required Backup for Each Cosigner:
  • Seed phrase
  • Derivation path
  • Script type (P2WSH, P2SH-P2WSH)
Required Backup for Wallet:
  • Complete output descriptor OR
  • All cosigner xpubs + configuration

Descriptor Backup

Output descriptors contain all information needed to reconstruct multisig wallet: 
wsh(sortedmulti(2,[fingerprint1/path]xpub1...,[fingerprint2/path]xpub2...,[fingerprint3/path]xpub3...))
What Descriptor Contains:
  • Script type (WSH, SH-WSH)
  • Threshold (2-of-3, 3-of-5, etc.)
  • All cosigner extended public keys
  • Derivation paths
  • Key ordering
Descriptor Backup: Write down complete descriptor string. Without it, you need to know exact key order and configuration to recover multisig wallet.

Ecash Backup

Cashu (ecash) tokens require separate backup (apps/mobile/app/(authenticated)/(tabs)/(signer,explorer,converter)/signer/ecash/settings/backup.tsx):

What is Backed Up

Token Proofs:
  • Proof ID
  • Amount
  • Secret
  • Commitment (C)
Mint Information:
  • Mint URL
  • Mint name
  • Balance per mint
  • Keysets
Transaction History:
  • Transaction type
  • Amount
  • Memo
  • Timestamp

Backup Process

  1. Navigate to Ecash → Settings → Backup
  2. Select what to include:
    • ☑ Token proofs (funds)
    • ☑ Mint information
    • ☑ Transaction history
  3. Generate backup (JSON format)
  4. Copy to secure location
Ecash Tokens NOT Recovered from Seed: Unlike Bitcoin, ecash proofs are NOT derived from seed phrase. Must backup separately or lose tokens.

Restore Process

// Backup format:
{
  "version": "1.0",
  "timestamp": "2026-03-04T12:00:00.000Z",
  "proofs": [...],
  "mints": [...],
  "totalBalance": 100000
}
To restore:
  1. Navigate to Ecash → Settings → Restore
  2. Paste backup JSON
  3. Validate format
  4. Reconnect to mints
  5. Verify balances

Recovery Procedures

Full Wallet Recovery

Scenario: Lost device, new installation, or factory reset Requirements:
  • Seed phrase backup
  • Passphrase (if used)
  • Multisig descriptors (if applicable)
Process:
  1. Install SatSigner
    • Download from official source
    • Verify app authenticity
    • Complete initial setup
  2. Set New PIN
    • Choose new 4-digit PIN
    • Does not need to match old PIN
    • This PIN will encrypt recovered data
  3. Import Accounts
    • Select “Import Mnemonic”
    • Enter seed phrase word by word
    • Enter passphrase if applicable
    • Wait for validation
  4. Sync Blockchain
    • Connect to Electrum server
    • Sync account history
    • Verify balances
  5. Restore Multisig (if applicable)
    • Import using descriptor OR
    • Import all cosigner xpubs + configuration
    • Verify receiving addresses match
  6. Restore Ecash (if backed up)
    • Import ecash backup JSON
    • Reconnect to mints
    • Verify token balances

PIN Recovery (NOT POSSIBLE)

No PIN Recovery: There is NO way to recover or reset a forgotten PIN. Options:
  1. Within Attempt Limit: Keep trying if you remember possibilities
  2. Exceeded Attempts: Wallet data is deleted, must recover from seed
  3. Forgotten PIN + No Seed: Funds are permanently lost
Prevention:
  • Write PIN in secure location separate from seed
  • Use memorable PIN you won’t forget
  • Consider PIN manager for multiple wallets
  • Never rely solely on memory

Partial Data Recovery

Lost PIN, Have Seed

Result: Full recovery possible
  1. Let PIN attempts expire (triggers data deletion)
  2. Re-import seed phrases
  3. Set new PIN
  4. Resync blockchain data
  5. Transaction history recovered
  6. Labels/notes lost (unless separately backed up)

Lost Seed, Have PIN

Result: Temporary access only
  1. Access wallet with PIN
  2. IMMEDIATELY export seed phrase
  3. Write seed phrase securely
  4. Verify backup is correct
  5. Test recovery with small amount if possible
Temporary Access: If device fails before backing up seed, funds are permanently lost even with PIN access.

Lost Multisig Descriptor

Result: Depends on information retained Best Case (have all xpubs and configuration):
  1. Manually reconstruct descriptor
  2. Verify receive addresses match
  3. Import reconstructed descriptor
Worst Case (missing information):
  1. Contact other cosigners for their xpubs
  2. Trial-and-error key ordering if unknown
  3. May need professional recovery service

Testing Recovery

Before Storing Large Amounts:
  1. Create Test Wallet
    • Generate new seed
    • Send small test amount
    • Complete full backup
  2. Perform Test Recovery
    • Delete wallet
    • Recover from backup only
    • Verify balances correct
    • Verify addresses match
  3. Test Recovery Timing
    • Practice recovery process
    • Note any difficulties
    • Ensure backup is complete
  4. Verify After Changes
    • Test after app updates
    • Test after OS updates
    • Annual recovery test recommended

Backup Storage Strategies

Problems:
  • Single point of failure
  • Fire/flood destroys backup
  • Theft compromises security
  • No redundancy
Advantages:
  • Disaster resilience
  • Geographic redundancy
  • Reduced single-point risk
Implementation:
  1. Primary Location
    • Home safe or secure location
    • Easily accessible for verification
    • Fire and water resistant container
  2. Secondary Location
    • Different building/location
    • Bank safety deposit box
    • Trusted family member (sealed envelope)
  3. Tertiary Location (optional)
    • Geographic diversity
    • Different climate/disaster risk
    • Ultimate redundancy

Shamir Secret Sharing

For advanced users, consider splitting seed backup: Concept:
  • Split seed into multiple shares
  • Require threshold to reconstruct (e.g., 3-of-5)
  • No single share reveals seed
Use Cases:
  • High-value wallets
  • Inheritance planning
  • Corporate multisig
  • Distributed trust
Note: SatSigner does not natively support Shamir Secret Sharing (SLIP39). Use external tools for this advanced backup method.

Inheritance Planning

Preparation

Documentation Needed:
  • Seed phrase locations
  • Passphrase instructions
  • PIN information
  • Account structure (multisig config)
  • Recovery procedures
  • Contact information (if multisig cosigners)
Legal Considerations:
  • Will or trust provisions
  • Executor instructions
  • Trusted contact designation
  • Legal jurisdiction issues

Time-Lock Mechanisms

Options:
  1. Sealed Envelope
    • Instructions sealed
    • “Open only if…” conditions
    • Stored with attorney or bank
  2. Dead Man’s Switch
    • Third-party service
    • Requires periodic check-in
    • Releases information if check-in missed
  3. Multisig with Timelocks
    • Bitcoin script-level timelocks
    • Backup key becomes valid after time
    • Requires technical setup

Security vs. Redundancy Trade-off

Security Priority

When to Prioritize:
  • Highly adversarial environment
  • Risk of physical attacks
  • High-value holdings
  • Personal threat model requires secrecy
Implementation:
  • Minimal backup copies
  • Memorized passphrase
  • No written records
  • Duress PIN enabled
Risk: Loss due to forgotten passphrase or damaged single backup

Redundancy Priority

When to Prioritize:
  • Disaster-prone locations
  • Legacy planning important
  • Lower personal threat risk
  • Focus on preventing accidental loss
Implementation:
  • Multiple geographic locations
  • Redundant backup methods
  • Clear recovery documentation
  • Trusted person access
Risk: Increased attack surface from multiple backup locations Strategy:
  • 2-3 backup locations
  • Mix of backup media (paper + metal)
  • Passphrase stored separately
  • Clear but secure documentation
  • Regular verification schedule

Backup Verification Schedule

Quarterly Verification

Check:
  • Backups still readable
  • Storage location secure
  • No water/fire damage
  • No deterioration

Annual Full Test

Perform:
  • Test recovery from backup
  • Verify all words readable
  • Confirm balances after recovery
  • Update documentation if needed
  • Replace damaged backups

After Major Changes

Verify When:
  • Adding new accounts
  • Changing multisig configuration
  • Moving large funds
  • After natural disasters
  • After security incidents