How should I encrypt a bip39 mnemonic with a password?

2

With no server and only in the browser I'm generating a bip39 key and giving the user the mnemonic to store someplace safe for restoring. I also want the user to be able to log in with a password.

1) Could I encrypt the mnemonic with a password?

2) If I do encrypt the mnemonic, which algorithm should I use?

Will-In-China

Posted 2017-04-10T06:47:24.587

Reputation: 408

Answers

2

Bip39 has an optional "encryption" over PBKDF2 (passphrase-to-key) used as salt (this allows possible deniability). https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#from-mnemonic-to-seed

The weakness there is that BIP39 uses only 2048 rounds during the KDF, which is easy to brute-force.

If you store it in a cloud (or similar), I recommend doing an AES-256-CBC encryption of the mnemonic with a strong password and a strong KDF (maybe use PBKDF2 with at least 30'000 rounds).

Jonas Schnelli

Posted 2017-04-10T06:47:24.587

Reputation: 5 465

Jonas, thank you for your reply. Please can you help me understand the benefits of AES-256-CBC over AES-256-GCM? Specifically in relation to encrypting a mnemonic in the browser.

Will-In-China 2017-04-10T11:55:33.667

1

That's a difficult question with probably multiple answers. GCM has several advantages (HMAC) and some disadvantages (small IV) over CBC. It depends on your use-case. For purely disk encryption, CBC seems to be the most common choice.

Jonas Schnelli 2017-04-10T12:01:03.783