AES encrypted file
All data stored in eSignus Backup Center is encrypted with a 128-bit AES key. This AES key is deterministically generated from the Recovery Seed.
AES (Advanced Encryption Standard) is a symmetric encryption standard approved by NIST (National Institute of Standards and Technology). Attacks have been published that are computationally faster than a full brute-force attack, though none are computationally feasible.
Deterministic calculation
Any calculation that produces the same result when given the same data.
Master Seed
It is the root seed of the deterministic wallet structure. From this seed and the passphrase, every wallet can be derived. This value and the card id are the only values that need to be stored securely inside the Secure Element of an initialized HASHWallet Link card.
Recovery Key
The Recovery Key is calculated from two random values, the Master Seed and the Recovery Seed. This calculation happens only once, in the initialization process. During this initialization process, the HASHWallet Link card encrypts the Recovery Key and stores it in the eSignus Backup Center.
When a user needs to duplicate a HASHWallet Link card, she will need a pre-initialized card (containing the Recovery Seed and the card id) and the Recovery Key (obtained from the eSignus account).
Recovery Seed
This is a random 256-bit number generated in the customizer HSM. This value and the card id are the only values included in a pre-initialized HASHWallet Link card.
When you buy a new card, these values are random, but when you buy a duplicate one, these values are recovered from the Key Management System. Remember that these values have no relation to your wallets if the Recovery Key is not present.
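The relationships described in the AES encrypted file, Recovery Key and Recovery Seed entries can be modelled as follows. This is an added example, not eSignus code: the page does not name the key derivation or combining functions, so HKDF-SHA256, the XOR masking step, the info labels and all function names here are assumptions, and the seeds are constructed sample values.

```python
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it to `length` bytes."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def backup_aes_key(recovery_seed: bytes) -> bytes:
    """Deterministic 128-bit AES key: same Recovery Seed in, same key out."""
    return hkdf_sha256(recovery_seed, b"example/backup-aes-128", 16)  # assumed label


def _mask(recovery_seed: bytes) -> bytes:
    # A separate info label keeps the mask unrelated to the AES key.
    return hkdf_sha256(recovery_seed, b"example/recovery-mask", 32)  # assumed label


def make_recovery_key(master_seed: bytes, recovery_seed: bytes) -> bytes:
    """Assumed combiner: Recovery Key = Master Seed XOR mask(Recovery Seed)."""
    return bytes(a ^ b for a, b in zip(master_seed, _mask(recovery_seed)))


def restore_master_seed(recovery_key: bytes, recovery_seed: bytes) -> bytes:
    """Duplicate-card step: both the Recovery Key and the Recovery Seed are required."""
    return bytes(a ^ b for a, b in zip(recovery_key, _mask(recovery_seed)))


if __name__ == "__main__":
    recovery_seed = secrets.token_bytes(32)  # constructed: 256-bit value from the HSM
    master_seed = secrets.token_bytes(32)    # constructed: root seed of the wallets
    recovery_key = make_recovery_key(master_seed, recovery_seed)

    # Deterministic: deriving twice from the same seed yields the same AES key.
    print("AES key stable:", backup_aes_key(recovery_seed) == backup_aes_key(recovery_seed))
    # Pre-initialized card (Recovery Seed) plus Recovery Key restores the Master Seed.
    print("restored:", restore_master_seed(recovery_key, recovery_seed) == master_seed)
    # A card with a different Recovery Seed cannot restore it from the same Recovery Key.
    other_seed = secrets.token_bytes(32)
    print("wrong seed fails:", restore_master_seed(recovery_key, other_seed) != master_seed)
```

In this model neither the Recovery Seed nor the Recovery Key alone determines the Master Seed, which matches the statement that the card values have no relation to the wallets without the Recovery Key.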
Passphrase
What happens if you lose your HASHWallet Link card and someone finds it (or steals it from you)? That card is useless without the passphrase.
Where is the passphrase? It is stored in the HASHWallet Manager app, never in the HASHWallet Link card.
Do I need to remember the passphrase? No, you do not even need to know the passphrase exists.
What happens if I spawn a new instance of the HASHWallet Manager app? The passphrase is downloaded from the eSignus Backup Center transparently (AES encrypted). It is decrypted within the Secure Element and passed to the HASHWallet Manager application.
Public encryption key
Every communication with the HASHWallet Link card is encrypted. Before this communication starts, a handshake protocol runs and public keys are sent. Both sides of the communication encrypt with their private keys, and the receiver decrypts with the public key.