1.Ballet NEVER has the private key
Ballet’s manufacturing process has been carefully designed so that neither the company nor any employee is able to access the private key of a Ballet product. A private key is what allows the funds stored on a product to be spent. Actual private keys can only be generated by the end customer, who has physical possession of the product, by using the two private key components on the product itself.
It is important to point out that during the whole manufacturing process, the actual private key has never been created or generated. The end customer will become the first person to generate the actual private keys once he/she decodes the private key via BIP38 protocol.
2.Two-Factor Private Keys (2FPK)
Two-Factor Private Keys means the private key is actually made from two separate components. This technique is conceptually similar to a 2-of-2 multi-signature private key, where both private key (components) are needed.
The BIP38 two-factor private key can only be generated when two separate private key components - passphrase entropy and private key entropy - are combined through an open-source industry standard called BIP38. Ballet products implement BIP38 two-factor private keys in an innovative way that provides customers with an ideal balance of security, convenience, and quality.
4.Ballet uses both 2FPK and 2FKG
All Ballet products (except PRO Series) use 2FKG in the production process. During the production process of Ballet products, the private key has never been generated. The moment when the private key is created is when the customer combines the passphrase entropy and the private key entropy, a process which decrypts the private key for the first time ever.
Therefore, Ballet does not have access to the private keys; not during the manufacturing process, and not afterwards. To learn more details, please refer to “6. Ballet 2FKG process”.
6.Ballet 2FKG process
Although a Ballet cold storage itself is a simple product from the perspective of the customer, the manufacturing process is quite elaborate, all for the sake of private key security. Every aspect has been carefully designed and engineered to meet the most rigorous standards of security and quality.
1. A BIP38 passphrase, intermediate code, and Ballet product serial number are generated on an offline, air gapped computer at Ballet’s secure facility in the United States.
2. The cold storage serial number and BIP38 intermediate code are securely transmitted to Ballet’s secure facility in China.
3. At Ballet’s secure facility in China, the BIP38 intermediate code is used to randomly generate a BIP38 private key entropy, which can only be decrypted by the original BIP38 passphrase. These two private key components, though they have never met or come into contact with each other, are cryptographically related, yet neither can be used to deduce the other. With this, we can create a pre-configured cold storage for the customer, without ever decoding the actual private key, and without ever bringing together these critical two pieces of private key components. This is the genius of the BIP38 standard.
a. The EPK is randomly generated using a combination of physical and electronic entropy sources to ensure true, cryptographically-unbreakable randomness.
b. The corresponding public key, deposit address, and BIP38 confirmation code are cryptographically derived during the EPK generation process.
c. A single copy of the EPK data is temporarily stored on a secure hard drive.
4. In Ballet’s secure printing facility, a two-layer QR code sticker is printed with the EPK on the concealed bottom layer and the deposit address on the exposed top layer.
a. Digital EPK data is never exposed to any external computer, network, or the public Internet.
b. Private key entropy is physically transferred on secure hard disk drives.
c. Immediately after the process of printing the two-layer stickers, the private key entropy data is deleted, and the hard drive is overwritten with random data.
5. The two-layer QR code sticker is securely applied to the physical product; the concealed EPK on the bottom layer is never visually exposed during the production process.
6. After the stickers are applied, the partially-assembled products are physically shipped to the United States for the final stage of production.
7. The BIP38 confirmation codes are sent electronically to the United States. The confirmation code provides additional verification that the private key entropy, deposit address, and passphrase entropy match correctly.
8. At Ballet’s secure facility in the United States, the passphrase entropy and serial number are laser-etched onto the physical product.
a. The physical products and QR code stickers are double checked to ensure that all three serial numbers match correctly.
b. A strip of tamper-evident scratch-off material is then applied over the passphrase entropy to conceal it.
c. Immediately after the laser-etching process, the passphrase entropy data is deleted and the hard drive is overwritten with random data.