Introduction to SafeCards

GridPlus SafeCards were created as a portable and cryptographically secure backup solution for your blockchain wallet's seed - each SafeCard can hold one unique wallet with all its addresses and can be used with any Lattice1 device (and also a USB card reader). SafeCards are the exact same size as a credit card and use the same PUF chips, which have been proven to be a secure and robust solution for protecting private data for decades at this point.

When you buy a Lattice1, you will receive one SafeCard in a bundle with the device.

Why SafeCards

Wallet security

We believe you should take all precautions to protect your funds and prevent someone from getting their hands on your private keys - and one form of an attack that's not talked about often is what we call the "sock drawer" attack, i.e. when someone leaves their written seed phrase in the bottom of their sock drawer and someone else finds it. People inadvertently introduce risk with how they store their seed phrase - cloud storage is a big problem in this area.

This is why we decided to use PIN-protected SafeCards to store and back up your wallets - if someone finds your backup, they still can't use it without the PIN, which adds another layer of security on top of everything else.

The card PIN itself can't be brute-forced as you only have 3 attempts at unlocking the card before it permanently bricks itself and deletes all private data.

You can use SafeCards as your only backup method, but in this case make sure to have multiple copies of each wallet you wish to store this way, distributed across different locations, in case something happens to your cards. Read this if you'd like to learn more!

Managing multiple wallets

Another reason why SafeCards are extremely useful and unparalleled in the hardware wallet space is that they allow you to use an unlimited number of wallets with just one Lattice1 device - all you have to do to work with a wallet other than the one stored on the built-in Lattice wallet chip is insert a SafeCard and unlock it.

And thanks to the way our integration with apps such as MetaMask or Rabby is designed, you don't need to re-connect to the app every time you switch the wallet, you just connect your SafeCard wallet to the app once and then just insert/remove the cards when you wish to approve transactions from different wallets. So, how does this unlimited wallets magic work?

How SafeCards Work

SafeCard PIN safety

SafeCards are standard-size smart cards with a PIN-protected secure chip that holds your blockchain wallet's private info, which is what allows you to sign transaction requests. This info cannot be exported out of the card in any way without unlocking the card with its PIN.

The cards are programmed to allow three PIN unlock attempts - after three consecutive incorrect PIN entries, the card will brick to prevent brute-force attacks and delete all info stored on it (the Lattice1 will show you how many attempts you have left on the screen). Once the card is bricked, it cannot be reinitiated in any way at all - funds are gone.

The PIN entry counter is programmed directly into the SafeCard applet itself, so reinserting the card into the Lattice1 or a card reader will NOT have an impact on how many tries you have left - there's no way to reset the counter, so make sure you remember your PIN!

Never write the PIN down directly on your SafeCards - just like you wouldn't write down your credit card PIN on your credit card.

Signing transactions with SafeCards

When inserted into the Lattice1 and unlocked with its PIN, the SafeCard wallet becomes the active wallet on the device.

Note that this doesn't erase the wallet that's currently stored on the Lattice device itself - this wallet is still there and still 100% safe.

But of course, this means that any signatures generated while the card is inserted are produced with the keys held in the SafeCard - because it is the active wallet at the time. When the card is removed, the device's built-in Lattice1 wallet (the chip of this wallet is exactly the same as a SafeCard chip) becomes the active wallet again and you can then sign transactions with its keys.

What's actually stored on the cards

SafeCards essentially store three things:

  • The GridPlus certificate - this lets the Lattice authenticate the validity of the SafeCard to prevent any possible attacks, more on this below

  • Your seed phrase - the 12/18/24 words that can grant access to your blockchain wallet (you can view this on the device; this feature is, of course, PIN-protected)

  • The seed hash - a hexadecimal string that's directly generated from your seed phrase, which is then used in deriving your wallet's addresses (and the corresponding private keys)

SafeCards purchased prior to 2023 can only store the seed hash, NOT the seed phrase.

Also, please note that if you use a passphrase when creating a wallet on your SafeCard, the seed hash will be different from the seed hash generated from the seed phrase that's also stored on the card - this is because the passphrase acts like a 25th word of the seed phrase.

The passphrase is NOT stored on the SafeCard and only has impact on the seed hash generated during wallet creation, which then IS stored on the card.
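The effect described above can be reproduced off-device. This is an added example, not GridPlus code, and it assumes the "seed hash" is the standard BIP-39 seed (the page does not name the scheme); the function names and the sample mnemonic are illustrative. It shows that a wallet created with a passphrase cannot be reproduced from the stored words alone:

```python
import hashlib
import hmac
import unicodedata

# Constructed sample input: the public BIP-39 test mnemonic. Never use it for real funds.
SAMPLE_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Assumed scheme: BIP-39 seed = PBKDF2-HMAC-SHA512, 2048 rounds, 64 bytes."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    # The passphrase only enters through the salt, which is why it acts like an extra word.
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def stored_hash_matches(stored_hex: str, mnemonic: str, passphrase: str = "") -> bool:
    """Recovery check: do these words (+ passphrase) reproduce the stored seed hash?"""
    candidate = bip39_seed(mnemonic, passphrase)
    return hmac.compare_digest(candidate, bytes.fromhex(stored_hex))


def demo() -> dict:
    # Wallet created WITH a passphrase: the card keeps the words and this seed hash,
    # but not the passphrase itself.
    stored = bip39_seed(SAMPLE_MNEMONIC, "TREZOR").hex()
    return {
        "stored_prefix": stored[:8],
        "words_only_prefix": bip39_seed(SAMPLE_MNEMONIC).hex()[:8],
        "words_only_recovers": stored_hash_matches(stored, SAMPLE_MNEMONIC),
        "with_passphrase_recovers": stored_hash_matches(stored, SAMPLE_MNEMONIC, "TREZOR"),
        "wrong_case_recovers": stored_hash_matches(stored, SAMPLE_MNEMONIC, "trezor"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For backups this means the passphrase has to be recorded separately from the card: the words shown on the device, entered without it, lead to a different wallet.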

Card slot attack vector?

SafeCard security is ensured by an authenticity certificate that only GridPlus can provide - if the cert is not detected on an inserted card, the Lattice1 will simply refuse to communicate with the card and give you a bad read/unsupported card error (feel free to try it with your credit card).

The certificate is a combination of entropy from the card's PUF chip and GridPlus-held private keys, so it can only be created and flashed onto the cards in our factory.

And since only valid SafeCards with a GridPlus certificate can be used with the device, there is no way to attack the device through the card slot.

How to Take Care of Your SafeCards

Working conditions

The card chip should be able to work even when slightly scratched, but of course we recommend you focus on not scratching the card's chip when you have crypto stored on the card.

The chip's working temperature range is from -13°F to +185°F/-25°C to +85°C - don't microwave your SafeCards and you can learn to stop worrying and love the cards.

The card will last for around 2000 inserts - if you know you will be using your SafeCard more often, it's always good to have a backup one.

Storing SafeCards

The best way to store SafeCards is in a card case made to withstand extreme temperatures, such as a house fire, and to provide magnetic and RFID protection - these are quite expensive, so for most users, a standard card case or a card holder with RFID protection will most likely be enough.

Also, if you have multiple backups of the same wallet, consider storing some of the cards in a different location, or ideally locations. Distributed backups are a much more robust solution to seed phrase safety than keeping everything in one place.
