From 7c70b5e44dce18fc46c435be369d7e1dff904808 Mon Sep 17 00:00:00 2001
From: Sjors Provoost <sjors@sprovoost.nl>
Date: Wed, 14 Jan 2026 16:04:48 +0100
Subject: [PATCH 01/12] crypto: add NonceFromBytes/NonceToBytes helpers

Add helper methods to AEADChaCha20Poly1305 for converting between
the internal Nonce96 type ({uint32_t, uint64_t}) and a 12-byte
array representation (big-endian).

RFC8439 defines the nonce as 96 opaque bits, but our implementation
splits it. These helpers make it convenient to work with byte-based
nonce representations.
---
 src/crypto/chacha20poly1305.h | 37 +++++++++++++++++++++++++++++++++++
 src/test/crypto_tests.cpp     | 29 +++++++++++++++++++++++++++
 2 files changed, 66 insertions(+)

diff --git a/src/crypto/chacha20poly1305.h b/src/crypto/chacha20poly1305.h
index 9a863dda97b4..7b21aca54ed9 100644
--- a/src/crypto/chacha20poly1305.h
+++ b/src/crypto/chacha20poly1305.h
@@ -34,6 +34,43 @@ class AEADChaCha20Poly1305
     /** 96-bit nonce type. */
     using Nonce96 = ChaCha20::Nonce96;
 
+    /** Size of the nonce in bytes. */
+    static constexpr unsigned NONCE_SIZE = 12;
+
+    /** Convert a 12-byte array to a Nonce96.
+     *
+     * RFC8439 defines the nonce as 96 opaque bits. This helper converts
+     * a byte array (big-endian) to the internal {uint32_t, uint64_t} representation.
+     */
+    static Nonce96 NonceFromBytes(std::span<const std::byte, NONCE_SIZE> nonce_bytes) noexcept
+    {
+        return {
+            (uint32_t(uint8_t(nonce_bytes[0])) << 24) | (uint32_t(uint8_t(nonce_bytes[1])) << 16) |
+            (uint32_t(uint8_t(nonce_bytes[2])) << 8) | uint32_t(uint8_t(nonce_bytes[3])),
+            (uint64_t(uint8_t(nonce_bytes[4])) << 56) | (uint64_t(uint8_t(nonce_bytes[5])) << 48) |
+            (uint64_t(uint8_t(nonce_bytes[6])) << 40) | (uint64_t(uint8_t(nonce_bytes[7])) << 32) |
+            (uint64_t(uint8_t(nonce_bytes[8])) << 24) | (uint64_t(uint8_t(nonce_bytes[9])) << 16) |
+            (uint64_t(uint8_t(nonce_bytes[10])) << 8) | uint64_t(uint8_t(nonce_bytes[11]))
+        };
+    }
+
+    /** Convert a Nonce96 back to a 12-byte array (big-endian). */
+    static void NonceToBytes(Nonce96 nonce, std::span<std::byte, NONCE_SIZE> nonce_bytes) noexcept
+    {
+        nonce_bytes[0] = std::byte((nonce.first >> 24) & 0xFF);
+        nonce_bytes[1] = std::byte((nonce.first >> 16) & 0xFF);
+        nonce_bytes[2] = std::byte((nonce.first >> 8) & 0xFF);
+        nonce_bytes[3] = std::byte(nonce.first & 0xFF);
+        nonce_bytes[4] = std::byte((nonce.second >> 56) & 0xFF);
+        nonce_bytes[5] = std::byte((nonce.second >> 48) & 0xFF);
+        nonce_bytes[6] = std::byte((nonce.second >> 40) & 0xFF);
+        nonce_bytes[7] = std::byte((nonce.second >> 32) & 0xFF);
+        nonce_bytes[8] = std::byte((nonce.second >> 24) & 0xFF);
+        nonce_bytes[9] = std::byte((nonce.second >> 16) & 0xFF);
+        nonce_bytes[10] = std::byte((nonce.second >> 8) & 0xFF);
+        nonce_bytes[11] = std::byte(nonce.second & 0xFF);
+    }
+
     /** Encrypt a message with a specified 96-bit nonce and aad.
      *
      * Requires cipher.size() = plain.size() + EXPANSION.
diff --git a/src/test/crypto_tests.cpp b/src/test/crypto_tests.cpp
index 5588d4cdbc66..bb984acb703a 100644
--- a/src/test/crypto_tests.cpp
+++ b/src/test/crypto_tests.cpp
@@ -22,6 +22,7 @@
 #include <util/strencodings.h>
 
 #include <algorithm>
+#include <ranges>
 #include <vector>
 
 #include <boost/test/unit_test.hpp>
@@ -1050,6 +1051,34 @@ BOOST_AUTO_TEST_CASE(chacha20poly1305_testvectors)
                            "14b94829deb27f0b1923a2af704ae5d6");
 }
 
+BOOST_AUTO_TEST_CASE(chacha20poly1305_nonce_conversion)
+{
+    // Test NonceFromBytes/NonceToBytes roundtrip
+    auto key = ParseHex<std::byte>("808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f");
+    auto nonce_bytes = ParseHex<std::byte>("000000000001020304050607");
+
+    // Convert bytes to Nonce96
+    auto nonce = AEADChaCha20Poly1305::NonceFromBytes(std::span<const std::byte, 12>{nonce_bytes.data(), 12});
+    // Expected: first 4 bytes = 0x00000000, next 8 bytes = 0x0001020304050607
+    BOOST_CHECK_EQUAL(nonce.first, 0x00000000U);
+    BOOST_CHECK_EQUAL(nonce.second, 0x0001020304050607ULL);
+
+    // Convert back to bytes and check roundtrip
+    std::array<std::byte, 12> roundtrip_bytes;
+    AEADChaCha20Poly1305::NonceToBytes(nonce, roundtrip_bytes);
+    BOOST_CHECK(std::ranges::equal(nonce_bytes, roundtrip_bytes));
+
+    // Test with different values to ensure byte ordering is correct
+    auto nonce_bytes2 = ParseHex<std::byte>("aabbccdd11223344556677ff");
+    auto nonce2 = AEADChaCha20Poly1305::NonceFromBytes(std::span<const std::byte, 12>{nonce_bytes2.data(), 12});
+    BOOST_CHECK_EQUAL(nonce2.first, 0xaabbccddU);
+    BOOST_CHECK_EQUAL(nonce2.second, 0x11223344556677ffULL);
+
+    std::array<std::byte, 12> roundtrip_bytes2;
+    AEADChaCha20Poly1305::NonceToBytes(nonce2, roundtrip_bytes2);
+    BOOST_CHECK(std::ranges::equal(nonce_bytes2, roundtrip_bytes2));
+}
+
 BOOST_AUTO_TEST_CASE(hkdf_hmac_sha256_l32_tests)
 {
     // Use rfc5869 test vectors but truncated to 32 bytes (our implementation only support length 32)

From 755289261773b93fc40ff4b8a05f4de89a75cfc6 Mon Sep 17 00:00:00 2001
From: Sjors Provoost <sjors@sprovoost.nl>
Date: Thu, 15 Jan 2026 09:13:33 +0100
Subject: [PATCH 02/12] util: ParseHDKeypath allow h as hardened indicator

BIP-380 specifies that descriptors can use either ' or h as
the hardened indicator. ParseHDKeypath only supported the former.

This prepares for using ParseHDKeypath with paths extracted
from descriptors which typically use 'h' for shell-escaping convenience.
---
 src/util/bip32.cpp                    | 3 +++
 src/wallet/test/psbt_wallet_tests.cpp | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/src/util/bip32.cpp b/src/util/bip32.cpp
index db40bfb5b9e7..94b1fcc027cd 100644
--- a/src/util/bip32.cpp
+++ b/src/util/bip32.cpp
@@ -26,6 +26,9 @@ bool ParseHDKeypath(const std::string& keypath_str, std::vector<uint32_t>& keypa
         // Finds whether it is hardened
         uint32_t path = 0;
         size_t pos = item.find('\'');
+        if (pos == std::string::npos) {
+            pos = item.find('h');
+        }
         if (pos != std::string::npos) {
             // The hardened tick can only be in the last index of the string
             if (pos != item.size() - 1) {
diff --git a/src/wallet/test/psbt_wallet_tests.cpp b/src/wallet/test/psbt_wallet_tests.cpp
index 91b69b9d624b..5d8955e8c523 100644
--- a/src/wallet/test/psbt_wallet_tests.cpp
+++ b/src/wallet/test/psbt_wallet_tests.cpp
@@ -132,6 +132,9 @@ BOOST_AUTO_TEST_CASE(parse_hd_keypath)
     BOOST_CHECK(ParseHDKeypath("m/0'/0'", keypath));
     BOOST_CHECK(!ParseHDKeypath("m/'0/0'", keypath));
 
+    BOOST_CHECK(ParseHDKeypath("m/0h/0h", keypath));
+    BOOST_CHECK(!ParseHDKeypath("m/h0/0h", keypath));
+
     BOOST_CHECK(ParseHDKeypath("m/0/0", keypath));
     BOOST_CHECK(!ParseHDKeypath("n/0/0", keypath));
 

From 31ec8f203c77ff46c215edea0c74eda345935c89 Mon Sep 17 00:00:00 2001
From: Sjors Provoost <sjors@sprovoost.nl>
Date: Wed, 14 Jan 2026 15:09:32 +0100
Subject: [PATCH 03/12] wallet: add WalletDescriptorInfo helper for descriptor
 serialization

Introduces WalletDescriptorInfo struct and DescriptorInfoToUniValue() helper
to avoid code duplication when serializing descriptor metadata to UniValue.

Refactors listdescriptors RPC to use the new helper.
---
 src/wallet/rpc/backup.cpp | 30 +++---------------------------
 src/wallet/rpc/util.cpp   | 21 +++++++++++++++++++++
 src/wallet/rpc/util.h     | 21 +++++++++++++++++++++
 3 files changed, 45 insertions(+), 27 deletions(-)

diff --git a/src/wallet/rpc/backup.cpp b/src/wallet/rpc/backup.cpp
index 6217358c870f..37a899ca8cbd 100644
--- a/src/wallet/rpc/backup.cpp
+++ b/src/wallet/rpc/backup.cpp
@@ -505,16 +505,7 @@ RPCHelpMan listdescriptors()
 
     const auto active_spk_mans = wallet->GetActiveScriptPubKeyMans();
 
-    struct WalletDescInfo {
-        std::string descriptor;
-        uint64_t creation_time;
-        bool active;
-        std::optional<bool> internal;
-        std::optional<std::pair<int64_t,int64_t>> range;
-        int64_t next_index;
-    };
-
-    std::vector<WalletDescInfo> wallet_descriptors;
+    std::vector<WalletDescriptorInfo> wallet_descriptors;
     for (const auto& spk_man : wallet->GetAllScriptPubKeyMans()) {
         const auto desc_spk_man = dynamic_cast<DescriptorScriptPubKeyMan*>(spk_man);
         if (!desc_spk_man) {
@@ -542,23 +533,8 @@ RPCHelpMan listdescriptors()
     });
 
     UniValue descriptors(UniValue::VARR);
-    for (const WalletDescInfo& info : wallet_descriptors) {
-        UniValue spk(UniValue::VOBJ);
-        spk.pushKV("desc", info.descriptor);
-        spk.pushKV("timestamp", info.creation_time);
-        spk.pushKV("active", info.active);
-        if (info.internal.has_value()) {
-            spk.pushKV("internal", info.internal.value());
-        }
-        if (info.range.has_value()) {
-            UniValue range(UniValue::VARR);
-            range.push_back(info.range->first);
-            range.push_back(info.range->second - 1);
-            spk.pushKV("range", std::move(range));
-            spk.pushKV("next", info.next_index);
-            spk.pushKV("next_index", info.next_index);
-        }
-        descriptors.push_back(std::move(spk));
+    for (const WalletDescriptorInfo& info : wallet_descriptors) {
+        descriptors.push_back(DescriptorInfoToUniValue(info));
     }
 
     UniValue response(UniValue::VOBJ);
diff --git a/src/wallet/rpc/util.cpp b/src/wallet/rpc/util.cpp
index d68e6c652694..6f1fc603ec59 100644
--- a/src/wallet/rpc/util.cpp
+++ b/src/wallet/rpc/util.cpp
@@ -161,4 +161,25 @@ void AppendLastProcessedBlock(UniValue& entry, const CWallet& wallet)
     entry.pushKV("lastprocessedblock", std::move(lastprocessedblock));
 }
 
+UniValue DescriptorInfoToUniValue(const WalletDescriptorInfo& info)
+{
+    UniValue obj(UniValue::VOBJ);
+    obj.pushKV("desc", info.descriptor);
+    obj.pushKV("timestamp", info.creation_time);
+    obj.pushKV("active", info.active);
+    if (info.internal.has_value()) {
+        obj.pushKV("internal", info.internal.value());
+    }
+    if (info.range.has_value()) {
+        UniValue range(UniValue::VARR);
+        range.push_back(info.range->first);
+        // range_end is exclusive internally, display as inclusive (hence -1)
+        range.push_back(info.range->second - 1);
+        obj.pushKV("range", std::move(range));
+        obj.pushKV("next", info.next_index);
+        obj.pushKV("next_index", info.next_index);
+    }
+    return obj;
+}
+
 } // namespace wallet
diff --git a/src/wallet/rpc/util.h b/src/wallet/rpc/util.h
index d649721431a2..89fcb64a639f 100644
--- a/src/wallet/rpc/util.h
+++ b/src/wallet/rpc/util.h
@@ -56,6 +56,27 @@ void PushParentDescriptors(const CWallet& wallet, const CScript& script_pubkey,
 
 void HandleWalletError(const std::shared_ptr<CWallet> wallet, DatabaseStatus& status, bilingual_str& error);
 void AppendLastProcessedBlock(UniValue& entry, const CWallet& wallet) EXCLUSIVE_LOCKS_REQUIRED(wallet.cs_wallet);
+
+/**
+ * Information about a wallet descriptor, used for serialization to JSON.
+ * This struct captures all the metadata needed for listdescriptors output
+ * and importdescriptors input.
+ */
+struct WalletDescriptorInfo {
+    std::string descriptor;
+    uint64_t creation_time;
+    bool active;
+    std::optional<bool> internal;
+    std::optional<std::pair<int64_t, int64_t>> range;
+    int64_t next_index;
+};
+
+/**
+ * Convert a WalletDescriptorInfo to a UniValue object.
+ * The output format is compatible with both listdescriptors output and
+ * importdescriptors input.
+ */
+UniValue DescriptorInfoToUniValue(const WalletDescriptorInfo& info);
 } //  namespace wallet
 
 #endif // BITCOIN_WALLET_RPC_UTIL_H

From c679a83cae6f0d6630bbb630bc7a5d1dc8464aa2 Mon Sep 17 00:00:00 2001
From: Sjors Provoost <sjors@sprovoost.nl>
Date: Wed, 14 Jan 2026 16:24:06 +0100
Subject: [PATCH 04/12] wallet: BIP-xxxx key normalization primitives

Add functions for normalizing public keys to x-only format as specified
in BIP-xxxx (Bitcoin Encrypted Backup). These primitives form the foundation
for the encryption scheme.

Functions added:
- NormalizeToXOnly(): Convert CPubKey or CExtPubKey to 32-byte x-only format
- IsNUMSPoint(): Check if a key is the BIP341 unspendable NUMS point
- ExtractKeysFromDescriptor(): Extract and normalize all keys from a descriptor

Includes test vectors from the BIP specification.
---
 src/test/CMakeLists.txt                       |   1 +
 .../data/bip_encrypted_backup_keys_types.json |  27 +++++
 src/wallet/CMakeLists.txt                     |   1 +
 src/wallet/encryptedbackup.cpp                |  78 ++++++++++++
 src/wallet/encryptedbackup.h                  |  72 ++++++++++++
 src/wallet/test/CMakeLists.txt                |   1 +
 src/wallet/test/encrypted_backup_tests.cpp    | 111 ++++++++++++++++++
 7 files changed, 291 insertions(+)
 create mode 100644 src/test/data/bip_encrypted_backup_keys_types.json
 create mode 100644 src/wallet/encryptedbackup.cpp
 create mode 100644 src/wallet/encryptedbackup.h
 create mode 100644 src/wallet/test/encrypted_backup_tests.cpp

diff --git a/src/test/CMakeLists.txt b/src/test/CMakeLists.txt
index e70eaf5cf89a..9bdf043b73fc 100644
--- a/src/test/CMakeLists.txt
+++ b/src/test/CMakeLists.txt
@@ -138,6 +138,7 @@ include(TargetDataSources)
 target_json_data_sources(test_bitcoin
   data/base58_encode_decode.json
   data/bip341_wallet_vectors.json
+  data/bip_encrypted_backup_keys_types.json
   data/blockfilters.json
   data/key_io_invalid.json
   data/key_io_valid.json
diff --git a/src/test/data/bip_encrypted_backup_keys_types.json b/src/test/data/bip_encrypted_backup_keys_types.json
new file mode 100644
index 000000000000..2f2d1f155590
--- /dev/null
+++ b/src/test/data/bip_encrypted_backup_keys_types.json
@@ -0,0 +1,27 @@
+[
+  {
+    "description": "Xpub with origin and multipath",
+    "key": "[58b7f8dc/48'/1'/0'/2']tpubDEPBvXvhta3pjVaKokqC3eeMQnszj9ehFaA2zD5nSdkaccwGAizu8jVB2NeSpvmP2P52MBoZvNCixqXRJnTyXx51FQzARR63tjxQSyP3Btw/<0;1>/*",
+    "expected": "ebd252ca0877aae09b9d058219682775aa3cbcd049c12f07832f2cf6a3b51708"
+  },
+  {
+    "description": "Xpub with origin and w/o multipath",
+    "key": "[d4ab66f1/48'/1'/1'/2']tpubDFTxBKyUCgkwp5enwZh3t2FJ5AMJqmCWoh1NRT13qNYQb1iKTUrAG6u5gpsDYhG8cZGXouYWuQtzcuSVjPStTc4dwU6JqPMFtgaLGvSQXhi",
+    "expected": "8e886919a6b72579a28bd292505d2afd41c1b5012414c5e24d7b59f4abdfc0ce"
+  },
+  {
+    "description": "Compressed public key",
+    "key": "02ebd252ca0877aae09b9d058219682775aa3cbcd049c12f07832f2cf6a3b51708",
+    "expected": "ebd252ca0877aae09b9d058219682775aa3cbcd049c12f07832f2cf6a3b51708"
+  },
+  {
+    "description": "X only public key",
+    "key": "ebd252ca0877aae09b9d058219682775aa3cbcd049c12f07832f2cf6a3b51708",
+    "expected": "ebd252ca0877aae09b9d058219682775aa3cbcd049c12f07832f2cf6a3b51708"
+  },
+  {
+    "description": "Uncompressed public key",
+    "key": "04ebd252ca0877aae09b9d058219682775aa3cbcd049c12f07832f2cf6a3b517089e956909c4c07e8529f45f3ff8904d28df5a181619e21bdf748a896322530039",
+    "expected": "ebd252ca0877aae09b9d058219682775aa3cbcd049c12f07832f2cf6a3b51708"
+  }
+]
diff --git a/src/wallet/CMakeLists.txt b/src/wallet/CMakeLists.txt
index 8ec381df5a8c..d16413d83e3d 100644
--- a/src/wallet/CMakeLists.txt
+++ b/src/wallet/CMakeLists.txt
@@ -10,6 +10,7 @@ add_library(bitcoin_wallet STATIC EXCLUDE_FROM_ALL
   crypter.cpp
   db.cpp
   dump.cpp
+  encryptedbackup.cpp
   external_signer_scriptpubkeyman.cpp
   feebumper.cpp
   fees.cpp
diff --git a/src/wallet/encryptedbackup.cpp b/src/wallet/encryptedbackup.cpp
new file mode 100644
index 000000000000..3533e6644ddf
--- /dev/null
+++ b/src/wallet/encryptedbackup.cpp
@@ -0,0 +1,78 @@
+// Copyright (c) 2025-present The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <wallet/encryptedbackup.h>
+
+#include <cstring>
+
+#include <key_io.h>
+#include <script/descriptor.h>
+
+namespace wallet {
+
+uint256 NormalizeToXOnly(const CPubKey& pubkey)
+{
+    // CPubKey is either compressed (33 bytes) or uncompressed (65 bytes)
+    // In both cases, bytes 1-32 are the x-coordinate
+    uint256 result;
+    if (pubkey.size() >= 33) {
+        std::memcpy(result.data(), pubkey.data() + 1, 32);
+    }
+    return result;
+}
+
+uint256 NormalizeToXOnly(const CExtPubKey& xpub)
+{
+    return NormalizeToXOnly(xpub.pubkey);
+}
+
+bool IsNUMSPoint(const uint256& key)
+{
+    // BIP341 NUMS point: 50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0
+    // Compare against XOnlyPubKey::NUMS_H
+    XOnlyPubKey xonly{std::span<const unsigned char>{key.data(), 32}};
+    return xonly == XOnlyPubKey::NUMS_H;
+}
+
+util::Result<std::vector<uint256>> ExtractKeysFromDescriptor(const std::string& descriptor)
+{
+    FlatSigningProvider provider;
+    std::string error;
+    auto parsed = Parse(descriptor, provider, error, /*require_checksum=*/false);
+    if (parsed.empty()) {
+        return util::Error{Untranslated(strprintf("Failed to parse descriptor: %s", error))};
+    }
+
+    std::set<CPubKey> pubkeys;
+    std::set<CExtPubKey> xpubs;
+    for (const auto& desc : parsed) {
+        desc->GetPubKeys(pubkeys, xpubs);
+    }
+
+    // Normalize all keys to x-only format
+    std::set<uint256> normalized_keys;
+    for (const auto& pubkey : pubkeys) {
+        uint256 xonly = NormalizeToXOnly(pubkey);
+        // Skip NUMS point
+        if (!IsNUMSPoint(xonly)) {
+            normalized_keys.insert(xonly);
+        }
+    }
+    for (const auto& xpub : xpubs) {
+        uint256 xonly = NormalizeToXOnly(xpub);
+        // Skip NUMS point
+        if (!IsNUMSPoint(xonly)) {
+            normalized_keys.insert(xonly);
+        }
+    }
+
+    if (normalized_keys.empty()) {
+        return util::Error{Untranslated("No valid public keys found in descriptor")};
+    }
+
+    // Convert set to sorted vector (set is already sorted)
+    return std::vector<uint256>(normalized_keys.begin(), normalized_keys.end());
+}
+
+} // namespace wallet
diff --git a/src/wallet/encryptedbackup.h b/src/wallet/encryptedbackup.h
new file mode 100644
index 000000000000..b185a725b79d
--- /dev/null
+++ b/src/wallet/encryptedbackup.h
@@ -0,0 +1,72 @@
+// Copyright (c) 2025-present The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#ifndef BITCOIN_WALLET_ENCRYPTEDBACKUP_H
+#define BITCOIN_WALLET_ENCRYPTEDBACKUP_H
+
+#include <cstdint>
+#include <string>
+#include <vector>
+
+#include <pubkey.h>
+#include <uint256.h>
+#include <util/result.h>
+
+namespace wallet {
+
+/**
+ * Implements the encrypted backup scheme from BIP-XXXX (draft).
+ *
+ * This provides encryption for wallet descriptors, labels, and other metadata
+ * that can be safely stored in untrusted locations. The encryption key is derived
+ * from the public keys in the descriptor, allowing any keyholder to decrypt
+ * without additional secrets.
+ *
+ * IMPORTANT: This format intentionally does NOT backup private key material.
+ * Restoring from an encrypted backup creates a watch-only wallet.
+ */
+
+/**
+ * Normalize a public key to 32-byte x-only format.
+ *
+ * Handles:
+ * - Extended public keys (xpubs): extracts the pubkey and returns x-coordinate
+ * - Compressed public keys (33 bytes): strips the prefix byte
+ * - X-only public keys (32 bytes): returns as-is
+ * - Uncompressed public keys (65 bytes): extracts the x-coordinate
+ *
+ * @param[in] pubkey The public key to normalize
+ * @return The 32-byte x-only representation
+ */
+uint256 NormalizeToXOnly(const CPubKey& pubkey);
+
+/**
+ * Normalize an extended public key to 32-byte x-only format.
+ *
+ * @param[in] xpub The extended public key to normalize
+ * @return The 32-byte x-only representation of the root pubkey
+ */
+uint256 NormalizeToXOnly(const CExtPubKey& xpub);
+
+/**
+ * Check if an x-only key is the BIP341 NUMS point (unspendable).
+ *
+ * @param[in] key The x-only key to check
+ * @return true if this is the NUMS point
+ */
+bool IsNUMSPoint(const uint256& key);
+
+/**
+ * Extract and normalize all public keys from a descriptor string.
+ *
+ * Keys are sorted lexicographically and deduplicated. The NUMS point is excluded.
+ *
+ * @param[in] descriptor The descriptor string
+ * @return Vector of normalized x-only public keys, or error message
+ */
+util::Result<std::vector<uint256>> ExtractKeysFromDescriptor(const std::string& descriptor);
+
+} // namespace wallet
+
+#endif // BITCOIN_WALLET_ENCRYPTEDBACKUP_H
diff --git a/src/wallet/test/CMakeLists.txt b/src/wallet/test/CMakeLists.txt
index 524c7218f4e6..1163fc21dc4d 100644
--- a/src/wallet/test/CMakeLists.txt
+++ b/src/wallet/test/CMakeLists.txt
@@ -11,6 +11,7 @@ target_sources(test_bitcoin
     db_tests.cpp
     coinselector_tests.cpp
     coinselection_tests.cpp
+    encrypted_backup_tests.cpp
     feebumper_tests.cpp
     group_outputs_tests.cpp
     init_tests.cpp
diff --git a/src/wallet/test/encrypted_backup_tests.cpp b/src/wallet/test/encrypted_backup_tests.cpp
new file mode 100644
index 000000000000..45d548a56646
--- /dev/null
+++ b/src/wallet/test/encrypted_backup_tests.cpp
@@ -0,0 +1,111 @@
+// Copyright (c) 2025-present The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <wallet/encryptedbackup.h>
+
+#include <test/data/bip_encrypted_backup_keys_types.json.h>
+
+#include <base58.h>
+#include <key_io.h>
+#include <test/util/json.h>
+#include <test/util/setup_common.h>
+#include <util/strencodings.h>
+
+#include <boost/test/unit_test.hpp>
+#include <univalue.h>
+
+namespace wallet {
+
+// Use RegTest chain type so tpub keys (testnet prefixes) can be parsed
+struct EncryptedBackupTestingSetup : public BasicTestingSetup {
+    EncryptedBackupTestingSetup() : BasicTestingSetup(ChainType::REGTEST) {}
+};
+
+BOOST_FIXTURE_TEST_SUITE(encrypted_backup_tests, EncryptedBackupTestingSetup)
+
+BOOST_AUTO_TEST_CASE(key_normalization_test)
+{
+    // Test key normalization using BIP test vectors
+    UniValue vectors = read_json(json_tests::bip_encrypted_backup_keys_types);
+
+    for (size_t i = 0; i < vectors.size(); ++i) {
+        const UniValue& vec = vectors[i];
+        std::string description = vec["description"].get_str();
+        std::string key_str = vec["key"].get_str();
+        std::string expected_hex = vec["expected"].get_str();
+
+        BOOST_TEST_MESSAGE("Testing: " << description);
+
+        // Parse the expected x-only key
+        auto expected_bytes = ParseHex(expected_hex);
+        BOOST_REQUIRE_EQUAL(expected_bytes.size(), 32u);
+        uint256 expected;
+        std::memcpy(expected.data(), expected_bytes.data(), 32);
+
+        // Determine key type and normalize
+        uint256 result;
+
+        if (key_str.size() == 64) {
+            // X-only public key (32 bytes hex = 64 chars)
+            auto key_bytes = ParseHex(key_str);
+            BOOST_REQUIRE_EQUAL(key_bytes.size(), 32u);
+            std::memcpy(result.data(), key_bytes.data(), 32);
+        } else if (key_str.size() == 66 && (key_str[0] == '0' && (key_str[1] == '2' || key_str[1] == '3'))) {
+            // Compressed public key
+            auto key_bytes = ParseHex(key_str);
+            BOOST_REQUIRE_EQUAL(key_bytes.size(), 33u);
+            CPubKey pubkey(key_bytes.begin(), key_bytes.end());
+            result = NormalizeToXOnly(pubkey);
+        } else if (key_str.size() == 130 && key_str.starts_with("04")) {
+            // Uncompressed public key
+            auto key_bytes = ParseHex(key_str);
+            BOOST_REQUIRE_EQUAL(key_bytes.size(), 65u);
+            CPubKey pubkey(key_bytes.begin(), key_bytes.end());
+            result = NormalizeToXOnly(pubkey);
+        } else if (key_str.find("pub") != std::string::npos || key_str[0] == '[') {
+            // Extended public key (xpub/tpub) potentially with origin info
+            // For these test vectors, we're testing key extraction, not descriptor parsing.
+            // We strip the derivation path suffix and extract just the xpub/tpub key.
+            std::string xpub_only = key_str;
+
+            // Remove origin prefix if present: [fingerprint/path]
+            if (xpub_only[0] == '[') {
+                size_t close = xpub_only.find(']');
+                if (close != std::string::npos) {
+                    xpub_only = xpub_only.substr(close + 1);
+                }
+            }
+
+            // Remove derivation suffix if present: /<0;1>/* or /0/* etc
+            size_t slash = xpub_only.find('/');
+            if (slash != std::string::npos) {
+                xpub_only = xpub_only.substr(0, slash);
+            }
+
+            // Parse the extended public key (uses RegTest chain so tpub prefix works)
+            CExtPubKey ext_pubkey = DecodeExtPubKey(xpub_only);
+            if (ext_pubkey.pubkey.IsValid()) {
+                result = NormalizeToXOnly(ext_pubkey.pubkey);
+            } else {
+                // Fallback to raw base58 decoding for xpub (mainnet) keys
+                std::vector<unsigned char> decoded_data;
+                if (!DecodeBase58Check(xpub_only, decoded_data, 78)) {
+                    BOOST_FAIL("Failed to decode xpub base58: " + xpub_only);
+                }
+                BOOST_REQUIRE_EQUAL(decoded_data.size(), 78u);
+                CPubKey pubkey;
+                pubkey.Set(decoded_data.begin() + 45, decoded_data.end());
+                BOOST_REQUIRE_MESSAGE(pubkey.IsValid(), "Invalid pubkey in xpub");
+                result = NormalizeToXOnly(pubkey);
+            }
+        }
+
+        BOOST_CHECK_MESSAGE(result == expected,
+            description << ": expected " << expected_hex << " got " << HexStr(result));
+    }
+}
+
+BOOST_AUTO_TEST_SUITE_END()
+
+} // namespace wallet

From 77bec868f6d83a12d3292ccfd9bf0b1f8210a001 Mon Sep 17 00:00:00 2001
From: Sjors Provoost <sjors@sprovoost.nl>
Date: Wed, 14 Jan 2026 16:26:03 +0100
Subject: [PATCH 05/12] wallet: BIP-xxxx secret computation

Add functions to compute the decryption secret and individual secrets
as specified in BIP-xxxx. The decryption secret is derived from sorted
public keys, and individual secrets allow any keyholder to decrypt.

Functions added:
- ComputeDecryptionSecret(): Hash sorted keys to derive decryption secret
- ComputeIndividualSecret(): Hash a single key to derive its individual secret
- ComputeAllIndividualSecrets(): Compute XOR'd secrets for all keys

Includes test vectors from the BIP specification.
---
 src/test/CMakeLists.txt                       |  1 +
 ...ip_encrypted_backup_encryption_secret.json | 89 +++++++++++++++++++
 src/wallet/encryptedbackup.cpp                | 42 +++++++++
 src/wallet/encryptedbackup.h                  | 39 ++++++++
 src/wallet/test/encrypted_backup_tests.cpp    | 77 ++++++++++++++++
 5 files changed, 248 insertions(+)
 create mode 100644 src/test/data/bip_encrypted_backup_encryption_secret.json

diff --git a/src/test/CMakeLists.txt b/src/test/CMakeLists.txt
index 9bdf043b73fc..66c3e3c3cb79 100644
--- a/src/test/CMakeLists.txt
+++ b/src/test/CMakeLists.txt
@@ -138,6 +138,7 @@ include(TargetDataSources)
 target_json_data_sources(test_bitcoin
   data/base58_encode_decode.json
   data/bip341_wallet_vectors.json
+  data/bip_encrypted_backup_encryption_secret.json
   data/bip_encrypted_backup_keys_types.json
   data/blockfilters.json
   data/key_io_invalid.json
diff --git a/src/test/data/bip_encrypted_backup_encryption_secret.json b/src/test/data/bip_encrypted_backup_encryption_secret.json
new file mode 100644
index 000000000000..ccee9b70d442
--- /dev/null
+++ b/src/test/data/bip_encrypted_backup_encryption_secret.json
@@ -0,0 +1,89 @@
+[
+  {
+    "description": "Single public key",
+    "keys": [
+      "e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443"
+    ],
+    "decryption_secret": "TBD",
+    "individual_secrets": [
+      "TBD"
+    ]
+  },
+  {
+    "description": "Two public keys",
+    "keys": [
+      "e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443",
+      "84526253c27c7aef56c7b71a5cd25bebb66dddda437826defc5b2568bde81f07"
+    ],
+    "decryption_secret": "TBD",
+    "individual_secrets": [
+      "TBD",
+      "TBD"
+    ]
+  },
+  {
+    "description": "Three public keys",
+    "keys": [
+      "e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443",
+      "84526253c27c7aef56c7b71a5cd25bebb66dddda437826defc5b2568bde81f07",
+      "c6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5"
+    ],
+    "decryption_secret": "TBD",
+    "individual_secrets": [
+      "TBD",
+      "TBD",
+      "TBD"
+    ]
+  },
+  {
+    "description": "Three public keys bis (different sorting)",
+    "keys": [
+      "c6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5",
+      "e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443",
+      "84526253c27c7aef56c7b71a5cd25bebb66dddda437826defc5b2568bde81f07"
+    ],
+    "decryption_secret": "TBD",
+    "individual_secrets": [
+      "TBD",
+      "TBD",
+      "TBD"
+    ]
+  },
+  {
+    "description": "Three public keys ter (different sorting)",
+    "keys": [
+      "84526253c27c7aef56c7b71a5cd25bebb66dddda437826defc5b2568bde81f07",
+      "c6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5",
+      "e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443"
+    ],
+    "decryption_secret": "TBD",
+    "individual_secrets": [
+      "TBD",
+      "TBD",
+      "TBD"
+    ]
+  },
+  {
+    "description": "Keys processed in sorted order",
+    "keys": [
+      "84526253c27c7aef56c7b71a5cd25bebb66dddda437826defc5b2568bde81f07",
+      "e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443"
+    ],
+    "decryption_secret": "TBD",
+    "individual_secrets": [
+      "TBD",
+      "TBD"
+    ]
+  },
+  {
+    "description": "Duplicate keys should be handled",
+    "keys": [
+      "e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443",
+      "e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443"
+    ],
+    "decryption_secret": "TBD",
+    "individual_secrets": [
+      "TBD"
+    ]
+  }
+]
diff --git a/src/wallet/encryptedbackup.cpp b/src/wallet/encryptedbackup.cpp
index 3533e6644ddf..7583fcb0224f 100644
--- a/src/wallet/encryptedbackup.cpp
+++ b/src/wallet/encryptedbackup.cpp
@@ -6,6 +6,7 @@
 
 #include <cstring>
 
+#include <hash.h>
 #include <key_io.h>
 #include <script/descriptor.h>
 
@@ -75,4 +76,45 @@ util::Result<std::vector<uint256>> ExtractKeysFromDescriptor(const std::string&
     return std::vector<uint256>(normalized_keys.begin(), normalized_keys.end());
 }
 
+uint256 ComputeDecryptionSecret(const std::vector<uint256>& keys)
+{
+    // s = sha256("BIP_XXXX_DECRYPTION_SECRET" || p1 || p2 || ... || pn)
+    HashWriter hasher{};
+    hasher << std::span{reinterpret_cast<const uint8_t*>(BIP_DECRYPTION_SECRET_TAG.data()),
+                        BIP_DECRYPTION_SECRET_TAG.size()};
+    for (const auto& key : keys) {
+        hasher << std::span{key.data(), 32};
+    }
+    return hasher.GetSHA256();
+}
+
+uint256 ComputeIndividualSecret(const uint256& key)
+{
+    // si = sha256("BIP_XXXX_INDIVIDUAL_SECRET" || pi)
+    HashWriter hasher{};
+    hasher << std::span{reinterpret_cast<const uint8_t*>(BIP_INDIVIDUAL_SECRET_TAG.data()),
+                        BIP_INDIVIDUAL_SECRET_TAG.size()};
+    hasher << std::span{key.data(), 32};
+    return hasher.GetSHA256();
+}
+
+std::vector<uint256> ComputeAllIndividualSecrets(const uint256& decryption_secret,
+                                                  const std::vector<uint256>& keys)
+{
+    std::vector<uint256> result;
+    result.reserve(keys.size());
+
+    for (const auto& key : keys) {
+        // si = sha256("BIP_XXXX_INDIVIDUAL_SECRET" || pi)
+        uint256 si = ComputeIndividualSecret(key);
+        // ci = s XOR si
+        uint256 ci;
+        for (size_t i = 0; i < 32; ++i) {
+            ci.data()[i] = decryption_secret.data()[i] ^ si.data()[i];
+        }
+        result.push_back(ci);
+    }
+    return result;
+}
+
 } // namespace wallet
diff --git a/src/wallet/encryptedbackup.h b/src/wallet/encryptedbackup.h
index b185a725b79d..294459c656ce 100644
--- a/src/wallet/encryptedbackup.h
+++ b/src/wallet/encryptedbackup.h
@@ -27,6 +27,12 @@ namespace wallet {
  * Restoring from an encrypted backup creates a watch-only wallet.
  */
 
+/** Prefix for deriving the decryption secret */
+static constexpr std::string_view BIP_DECRYPTION_SECRET_TAG = "BIP_XXXX_DECRYPTION_SECRET";
+
+/** Prefix for deriving individual secrets */
+static constexpr std::string_view BIP_INDIVIDUAL_SECRET_TAG = "BIP_XXXX_INDIVIDUAL_SECRET";
+
 /**
  * Normalize a public key to 32-byte x-only format.
  *
@@ -67,6 +73,39 @@ bool IsNUMSPoint(const uint256& key);
  */
 util::Result<std::vector<uint256>> ExtractKeysFromDescriptor(const std::string& descriptor);
 
+/**
+ * Compute the decryption secret from a set of public keys.
+ *
+ * s = sha256("BIP_XXXX_DECRYPTION_SECRET" || p1 || p2 || ... || pn)
+ * where p1...pn are sorted lexicographically.
+ *
+ * @param[in] keys The normalized x-only public keys (must be sorted)
+ * @return The 32-byte decryption secret
+ */
+uint256 ComputeDecryptionSecret(const std::vector<uint256>& keys);
+
+/**
+ * Compute an individual secret for a specific public key.
+ *
+ * si = sha256("BIP_XXXX_INDIVIDUAL_SECRET" || pi)
+ *
+ * @param[in] key The normalized x-only public key
+ * @return The 32-byte individual secret
+ */
+uint256 ComputeIndividualSecret(const uint256& key);
+
+/**
+ * Compute all individual secrets from the decryption secret and keys.
+ *
+ * ci = s XOR si
+ *
+ * @param[in] decryption_secret The decryption secret
+ * @param[in] keys The normalized x-only public keys
+ * @return Vector of individual secrets (ci values)
+ */
+std::vector<uint256> ComputeAllIndividualSecrets(const uint256& decryption_secret,
+                                                  const std::vector<uint256>& keys);
+
 } // namespace wallet
 
 #endif // BITCOIN_WALLET_ENCRYPTEDBACKUP_H
diff --git a/src/wallet/test/encrypted_backup_tests.cpp b/src/wallet/test/encrypted_backup_tests.cpp
index 45d548a56646..2a88893f158f 100644
--- a/src/wallet/test/encrypted_backup_tests.cpp
+++ b/src/wallet/test/encrypted_backup_tests.cpp
@@ -4,10 +4,12 @@
 
 #include <wallet/encryptedbackup.h>
 
+#include <test/data/bip_encrypted_backup_encryption_secret.json.h>
 #include <test/data/bip_encrypted_backup_keys_types.json.h>
 
 #include <base58.h>
 #include <key_io.h>
+#include <random.h>
 #include <test/util/json.h>
 #include <test/util/setup_common.h>
 #include <util/strencodings.h>
@@ -106,6 +108,81 @@ BOOST_AUTO_TEST_CASE(key_normalization_test)
     }
 }
 
+BOOST_AUTO_TEST_CASE(secret_derivation_test)
+{
+    // Test secret derivation using BIP test vectors
+    UniValue vectors = read_json(json_tests::bip_encrypted_backup_encryption_secret);
+
+    for (size_t i = 0; i < vectors.size(); ++i) {
+        const UniValue& vec = vectors[i];
+        std::string description = vec["description"].get_str();
+        const UniValue& keys_arr = vec["keys"];
+
+        BOOST_TEST_MESSAGE("Testing: " << description);
+
+        // Parse keys
+        std::vector<uint256> keys;
+        for (size_t j = 0; j < keys_arr.size(); ++j) {
+            auto key_bytes = ParseHex(keys_arr[j].get_str());
+            BOOST_REQUIRE_EQUAL(key_bytes.size(), 32u);
+            uint256 key;
+            std::memcpy(key.data(), key_bytes.data(), 32);
+            keys.push_back(key);
+        }
+
+        // Compute secrets
+        std::vector<uint256> sorted_keys = keys;
+        std::sort(sorted_keys.begin(), sorted_keys.end());
+        // Remove duplicates
+        sorted_keys.erase(std::unique(sorted_keys.begin(), sorted_keys.end()), sorted_keys.end());
+
+        uint256 decryption_secret = ComputeDecryptionSecret(sorted_keys);
+        BOOST_CHECK(!decryption_secret.IsNull());
+
+        auto individual_secrets = ComputeAllIndividualSecrets(decryption_secret, sorted_keys);
+        BOOST_CHECK_EQUAL(individual_secrets.size(), sorted_keys.size());
+
+        // TODO: When BIP test vectors are updated with actual expected values,
+        // compare decryption_secret and individual_secrets against them.
+        // Currently the BIP has "TBD" placeholders.
+        std::string expected_secret = vec["decryption_secret"].get_str();
+        if (expected_secret != "TBD") {
+            auto expected_bytes = ParseHex(expected_secret);
+            BOOST_REQUIRE_EQUAL(expected_bytes.size(), 32u);
+            uint256 expected;
+            std::memcpy(expected.data(), expected_bytes.data(), 32);
+            BOOST_CHECK_MESSAGE(decryption_secret == expected,
+                description << ": decryption_secret mismatch");
+        }
+
+        // Verify XOR property: for each key, ci XOR si = s
+        for (size_t j = 0; j < sorted_keys.size(); ++j) {
+            uint256 si = ComputeIndividualSecret(sorted_keys[j]);
+            uint256 reconstructed;
+            for (size_t k = 0; k < 32; ++k) {
+                reconstructed.data()[k] = individual_secrets[j].data()[k] ^ si.data()[k];
+            }
+            BOOST_CHECK_MESSAGE(reconstructed == decryption_secret,
+                description << ": XOR reconstruction failed for key " << j);
+        }
+    }
+}
+
+BOOST_AUTO_TEST_CASE(nums_point_test)
+{
+    // Verify NUMS point detection
+    auto nums_bytes = ParseHex("50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0");
+    uint256 nums_key;
+    std::memcpy(nums_key.data(), nums_bytes.data(), 32);
+
+    BOOST_CHECK(IsNUMSPoint(nums_key));
+
+    // Random key should not be NUMS
+    uint256 random_key;
+    GetStrongRandBytes(random_key);
+    BOOST_CHECK(!IsNUMSPoint(random_key));
+}
+
 BOOST_AUTO_TEST_SUITE_END()
 
 } // namespace wallet

From ab7041b687a884f91d1232267355d2a7f678f988 Mon Sep 17 00:00:00 2001
From: Sjors Provoost <sjors@sprovoost.nl>
Date: Wed, 14 Jan 2026 16:30:00 +0100
Subject: [PATCH 06/12] wallet: BIP-xxxx derivation path encoding

Add functions for encoding/decoding derivation paths as specified in BIP-xxxx:
- ParseDerivationPath: parse m/44'/0'/0' style strings
- EncodeDerivationPaths: encode to binary format (count + path lengths + BE child indices)
- DecodeDerivationPaths: decode from binary format

Includes test vectors from the BIP specification.
---
 src/test/CMakeLists.txt                       |   1 +
 .../bip_encrypted_backup_derivation_path.json | 141 ++++++++++++++++++
 src/wallet/encryptedbackup.cpp                |  79 ++++++++++
 src/wallet/encryptedbackup.h                  |  31 ++++
 src/wallet/test/encrypted_backup_tests.cpp    |  53 +++++++
 5 files changed, 305 insertions(+)
 create mode 100644 src/test/data/bip_encrypted_backup_derivation_path.json

diff --git a/src/test/CMakeLists.txt b/src/test/CMakeLists.txt
index 66c3e3c3cb79..5288395c9e23 100644
--- a/src/test/CMakeLists.txt
+++ b/src/test/CMakeLists.txt
@@ -138,6 +138,7 @@ include(TargetDataSources)
 target_json_data_sources(test_bitcoin
   data/base58_encode_decode.json
   data/bip341_wallet_vectors.json
+  data/bip_encrypted_backup_derivation_path.json
   data/bip_encrypted_backup_encryption_secret.json
   data/bip_encrypted_backup_keys_types.json
   data/blockfilters.json
diff --git a/src/test/data/bip_encrypted_backup_derivation_path.json b/src/test/data/bip_encrypted_backup_derivation_path.json
new file mode 100644
index 000000000000..2ce20db446c1
--- /dev/null
+++ b/src/test/data/bip_encrypted_backup_derivation_path.json
@@ -0,0 +1,141 @@
+[
+  {
+    "description": "Empty derivation paths",
+    "paths": [],
+    "expected": "00"
+  },
+  {
+    "description": "Single path with one child: m/0",
+    "paths": ["m/0"],
+    "expected": "010100000000"
+  },
+  {
+    "description": "Single path with hardened child: m/44'",
+    "paths": ["m/44'"],
+    "expected": "01018000002c"
+  },
+  {
+    "description": "Standard BIP-84 path: m/84'/0'/0'",
+    "paths": ["m/84'/0'/0'"],
+    "expected": "0103800000548000000080000000"
+  },
+  {
+    "description": "Mixed hardened and normal: m/0/1'/2/3'",
+    "paths": ["m/0/1'/2/3'"],
+    "expected": "010400000000800000010000000280000003"
+  },
+  {
+    "description": "Multiple paths: m/0/1'/2/3' and m/84'/0'/0'/2'",
+    "paths": ["m/0/1'/2/3'", "m/84'/0'/0'/2'"],
+    "expected": "0204000000008000000100000002800000030480000054800000008000000080000002"
+  },
+  {
+    "description": "Path with large indices: m/2147483647'/2147483646",
+    "paths": ["m/2147483647'/2147483646"],
+    "expected": "0102ffffffff7ffffffe"
+  },
+  {
+    "description": "Single child path: m/1",
+    "paths": ["m/1"],
+    "expected": "010100000001"
+  },
+  {
+    "description": "Path with max normal index: m/2147483647",
+    "paths": ["m/2147483647"],
+    "expected": "01017fffffff"
+  },
+  {
+    "description": "Path with multiple normal indices: m/0/1/2/3/4",
+    "paths": ["m/0/1/2/3/4"],
+    "expected": "01050000000000000001000000020000000300000004"
+  },
+  {
+    "description": "Path with all hardened: m/0'/1'/2'",
+    "paths": ["m/0'/1'/2'"],
+    "expected": "0103800000008000000180000002"
+  },
+  {
+    "description": "Two different single-child paths: m/0 and m/1",
+    "paths": ["m/0", "m/1"],
+    "expected": "0201000000000100000001"
+  },
+  {
+    "description": "BIP-44 account 0: m/44'/0'/0'",
+    "paths": ["m/44'/0'/0'"],
+    "expected": "01038000002c8000000080000000"
+  },
+  {
+    "description": "BIP-49 account 0: m/49'/0'/0'",
+    "paths": ["m/49'/0'/0'"],
+    "expected": "0103800000318000000080000000"
+  },
+  {
+    "description": "256 paths should fail (exceeds u8::MAX)",
+    "paths": [
+      "m/0", "m/1", "m/2", "m/3", "m/4", "m/5", "m/6", "m/7", "m/8", "m/9",
+      "m/10", "m/11", "m/12", "m/13", "m/14", "m/15", "m/16", "m/17", "m/18", "m/19",
+      "m/20", "m/21", "m/22", "m/23", "m/24", "m/25", "m/26", "m/27", "m/28", "m/29",
+      "m/30", "m/31", "m/32", "m/33", "m/34", "m/35", "m/36", "m/37", "m/38", "m/39",
+      "m/40", "m/41", "m/42", "m/43", "m/44", "m/45", "m/46", "m/47", "m/48", "m/49",
+      "m/50", "m/51", "m/52", "m/53", "m/54", "m/55", "m/56", "m/57", "m/58", "m/59",
+      "m/60", "m/61", "m/62", "m/63", "m/64", "m/65", "m/66", "m/67", "m/68", "m/69",
+      "m/70", "m/71", "m/72", "m/73", "m/74", "m/75", "m/76", "m/77", "m/78", "m/79",
+      "m/80", "m/81", "m/82", "m/83", "m/84", "m/85", "m/86", "m/87", "m/88", "m/89",
+      "m/90", "m/91", "m/92", "m/93", "m/94", "m/95", "m/96", "m/97", "m/98", "m/99",
+      "m/100", "m/101", "m/102", "m/103", "m/104", "m/105", "m/106", "m/107", "m/108", "m/109",
+      "m/110", "m/111", "m/112", "m/113", "m/114", "m/115", "m/116", "m/117", "m/118", "m/119",
+      "m/120", "m/121", "m/122", "m/123", "m/124", "m/125", "m/126", "m/127", "m/128", "m/129",
+      "m/130", "m/131", "m/132", "m/133", "m/134", "m/135", "m/136", "m/137", "m/138", "m/139",
+      "m/140", "m/141", "m/142", "m/143", "m/144", "m/145", "m/146", "m/147", "m/148", "m/149",
+      "m/150", "m/151", "m/152", "m/153", "m/154", "m/155", "m/156", "m/157", "m/158", "m/159",
+      "m/160", "m/161", "m/162", "m/163", "m/164", "m/165", "m/166", "m/167", "m/168", "m/169",
+      "m/170", "m/171", "m/172", "m/173", "m/174", "m/175", "m/176", "m/177", "m/178", "m/179",
+      "m/180", "m/181", "m/182", "m/183", "m/184", "m/185", "m/186", "m/187", "m/188", "m/189",
+      "m/190", "m/191", "m/192", "m/193", "m/194", "m/195", "m/196", "m/197", "m/198", "m/199",
+      "m/200", "m/201", "m/202", "m/203", "m/204", "m/205", "m/206", "m/207", "m/208", "m/209",
+      "m/210", "m/211", "m/212", "m/213", "m/214", "m/215", "m/216", "m/217", "m/218", "m/219",
+      "m/220", "m/221", "m/222", "m/223", "m/224", "m/225", "m/226", "m/227", "m/228", "m/229",
+      "m/230", "m/231", "m/232", "m/233", "m/234", "m/235", "m/236", "m/237", "m/238", "m/239",
+      "m/240", "m/241", "m/242", "m/243", "m/244", "m/245", "m/246", "m/247", "m/248", "m/249",
+      "m/250", "m/251", "m/252", "m/253", "m/254", "m/255"
+    ],
+    "expected": null
+  },
+  {
+    "description": "Path with 256 children should fail (exceeds u8::MAX)",
+    "paths": ["m/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0"],
+    "expected": null
+  },
+  {
+    "description": "255 paths should succeed (maximum allowed)",
+    "paths": [
+      "m/0", "m/1", "m/2", "m/3", "m/4", "m/5", "m/6", "m/7", "m/8", "m/9",
+      "m/10", "m/11", "m/12", "m/13", "m/14", "m/15", "m/16", "m/17", "m/18", "m/19",
+      "m/20", "m/21", "m/22", "m/23", "m/24", "m/25", "m/26", "m/27", "m/28", "m/29",
+      "m/30", "m/31", "m/32", "m/33", "m/34", "m/35", "m/36", "m/37", "m/38", "m/39",
+      "m/40", "m/41", "m/42", "m/43", "m/44", "m/45", "m/46", "m/47", "m/48", "m/49",
+      "m/50", "m/51", "m/52", "m/53", "m/54", "m/55", "m/56", "m/57", "m/58", "m/59",
+      "m/60", "m/61", "m/62", "m/63", "m/64", "m/65", "m/66", "m/67", "m/68", "m/69",
+      "m/70", "m/71", "m/72", "m/73", "m/74", "m/75", "m/76", "m/77", "m/78", "m/79",
+      "m/80", "m/81", "m/82", "m/83", "m/84", "m/85", "m/86", "m/87", "m/88", "m/89",
+      "m/90", "m/91", "m/92", "m/93", "m/94", "m/95", "m/96", "m/97", "m/98", "m/99",
+      "m/100", "m/101", "m/102", "m/103", "m/104", "m/105", "m/106", "m/107", "m/108", "m/109",
+      "m/110", "m/111", "m/112", "m/113", "m/114", "m/115", "m/116", "m/117", "m/118", "m/119",
+      "m/120", "m/121", "m/122", "m/123", "m/124", "m/125", "m/126", "m/127", "m/128", "m/129",
+      "m/130", "m/131", "m/132", "m/133", "m/134", "m/135", "m/136", "m/137", "m/138", "m/139",
+      "m/140", "m/141", "m/142", "m/143", "m/144", "m/145", "m/146", "m/147", "m/148", "m/149",
+      "m/150", "m/151", "m/152", "m/153", "m/154", "m/155", "m/156", "m/157", "m/158", "m/159",
+      "m/160", "m/161", "m/162", "m/163", "m/164", "m/165", "m/166", "m/167", "m/168", "m/169",
+      "m/170", "m/171", "m/172", "m/173", "m/174", "m/175", "m/176", "m/177", "m/178", "m/179",
+      "m/180", "m/181", "m/182", "m/183", "m/184", "m/185", "m/186", "m/187", "m/188", "m/189",
+      "m/190", "m/191", "m/192", "m/193", "m/194", "m/195", "m/196", "m/197", "m/198", "m/199",
+      "m/200", "m/201", "m/202", "m/203", "m/204", "m/205", "m/206", "m/207", "m/208", "m/209",
+      "m/210", "m/211", "m/212", "m/213", "m/214", "m/215", "m/216", "m/217", "m/218", "m/219",
+      "m/220", "m/221", "m/222", "m/223", "m/224", "m/225", "m/226", "m/227", "m/228", "m/229",
+      "m/230", "m/231", "m/232", "m/233", "m/234", "m/235", "m/236", "m/237", "m/238", "m/239",
+      "m/240", "m/241", "m/242", "m/243", "m/244", "m/245", "m/246", "m/247", "m/248", "m/249",
+      "m/250", "m/251", "m/252", "m/253", "m/254"
+    ],
+    "expected": "ff0100000000010000000101000000020100000003010000000401000000050100000006010000000701000000080100000009010000000a010000000b010000000c010000000d010000000e010000000f0100000010010000001101000000120100000013010000001401000000150100000016010000001701000000180100000019010000001a010000001b010000001c010000001d010000001e010000001f0100000020010000002101000000220100000023010000002401000000250100000026010000002701000000280100000029010000002a010000002b010000002c010000002d010000002e010000002f0100000030010000003101000000320100000033010000003401000000350100000036010000003701000000380100000039010000003a010000003b010000003c010000003d010000003e010000003f0100000040010000004101000000420100000043010000004401000000450100000046010000004701000000480100000049010000004a010000004b010000004c010000004d010000004e010000004f0100000050010000005101000000520100000053010000005401000000550100000056010000005701000000580100000059010000005a010000005b010000005c010000005d010000005e010000005f0100000060010000006101000000620100000063010000006401000000650100000066010000006701000000680100000069010000006a010000006b010000006c010000006d010000006e010000006f0100000070010000007101000000720100000073010000007401000000750100000076010000007701000000780100000079010000007a010000007b010000007c010000007d010000007e010000007f0100000080010000008101000000820100000083010000008401000000850100000086010000008701000000880100000089010000008a010000008b010000008c010000008d010000008e010000008f0100000090010000009101000000920100000093010000009401000000950100000096010000009701000000980100000099010000009a010000009b010000009c010000009d010000009e010000009f01000000a001000000a101000000a201000000a301000000a401000000a501000000a601000000a701000000a801000000a901000000aa01000000ab01000000ac01000000ad01000000ae01000000af01000000b001000000b101000000b201000000b301000000b401000000b501000000b601000000b701000000b801000000b901000000ba01000000bb01000000bc01000000bd01000000be01000000bf01000000c001000000c101000000c201000000c301000000c401000000c501000000c601000000c701000000c801000000c901000000ca01000000cb01000000cc01000000cd01000000ce01000000cf01000000d001000000d101000000d201000000d301000000d401000000d501000000d601000000d701000000d801000000d901000000da01000000db01000000dc01000000dd01000000de01000000df01000000e001000000e101000000e201000000e301000000e401000000e501000000e601000000e701000000e801000000e901000000ea01000000eb01000000ec01000000ed01000000ee01000000ef01000000f001000000f101000000f201000000f301000000f401000000f501000000f601000000f701000000f801000000f901000000fa01000000fb01000000fc01000000fd01000000fe"
+  }
+]
diff --git a/src/wallet/encryptedbackup.cpp b/src/wallet/encryptedbackup.cpp
index 7583fcb0224f..4c42070a56c4 100644
--- a/src/wallet/encryptedbackup.cpp
+++ b/src/wallet/encryptedbackup.cpp
@@ -9,6 +9,7 @@
 #include <hash.h>
 #include <key_io.h>
 #include <script/descriptor.h>
+#include <util/bip32.h>
 
 namespace wallet {
 
@@ -117,4 +118,82 @@ std::vector<uint256> ComputeAllIndividualSecrets(const uint256& decryption_secre
     return result;
 }
 
+util::Result<DerivationPath> ParseDerivationPath(const std::string& path_str)
+{
+    // Require "m" prefix for BIP-xxxx paths
+    if (path_str.empty() || path_str[0] != 'm') {
+        return util::Error{Untranslated("Derivation path must start with 'm'")};
+    }
+
+    DerivationPath result;
+    if (!ParseHDKeypath(path_str, result)) {
+        return util::Error{Untranslated(strprintf("Invalid derivation path: %s", path_str))};
+    }
+    return result;
+}
+
+util::Result<std::vector<uint8_t>> EncodeDerivationPaths(const std::vector<DerivationPath>& paths)
+{
+    if (paths.size() > 255) {
+        return util::Error{Untranslated("Too many derivation paths (max 255)")};
+    }
+
+    std::vector<uint8_t> result;
+    result.push_back(static_cast<uint8_t>(paths.size()));
+
+    for (const auto& path : paths) {
+        if (path.size() > 255) {
+            return util::Error{Untranslated("Derivation path too long (max 255 components)")};
+        }
+        result.push_back(static_cast<uint8_t>(path.size()));
+        for (uint32_t child : path) {
+            // Big-endian encoding
+            result.push_back((child >> 24) & 0xFF);
+            result.push_back((child >> 16) & 0xFF);
+            result.push_back((child >> 8) & 0xFF);
+            result.push_back(child & 0xFF);
+        }
+    }
+
+    return result;
+}
+
+util::Result<std::vector<DerivationPath>> DecodeDerivationPaths(std::span<const uint8_t> data)
+{
+    if (data.empty()) {
+        return util::Error{Untranslated("Empty derivation paths data")};
+    }
+
+    std::vector<DerivationPath> result;
+    size_t pos = 0;
+
+    uint8_t count = data[pos++];
+    result.reserve(count);
+
+    for (uint8_t i = 0; i < count; ++i) {
+        if (pos >= data.size()) {
+            return util::Error{Untranslated("Truncated derivation path data")};
+        }
+
+        uint8_t child_count = data[pos++];
+        DerivationPath path;
+        path.reserve(child_count);
+
+        for (uint8_t j = 0; j < child_count; ++j) {
+            if (pos + 4 > data.size()) {
+                return util::Error{Untranslated("Truncated child index")};
+            }
+            uint32_t child = (static_cast<uint32_t>(data[pos]) << 24) |
+                            (static_cast<uint32_t>(data[pos + 1]) << 16) |
+                            (static_cast<uint32_t>(data[pos + 2]) << 8) |
+                            static_cast<uint32_t>(data[pos + 3]);
+            pos += 4;
+            path.push_back(child);
+        }
+        result.push_back(std::move(path));
+    }
+
+    return result;
+}
+
 } // namespace wallet
diff --git a/src/wallet/encryptedbackup.h b/src/wallet/encryptedbackup.h
index 294459c656ce..1858b723c34c 100644
--- a/src/wallet/encryptedbackup.h
+++ b/src/wallet/encryptedbackup.h
@@ -6,6 +6,7 @@
 #define BITCOIN_WALLET_ENCRYPTEDBACKUP_H
 
 #include <cstdint>
+#include <span>
 #include <string>
 #include <vector>
 
@@ -33,6 +34,12 @@ static constexpr std::string_view BIP_DECRYPTION_SECRET_TAG = "BIP_XXXX_DECRYPTI
 /** Prefix for deriving individual secrets */
 static constexpr std::string_view BIP_INDIVIDUAL_SECRET_TAG = "BIP_XXXX_INDIVIDUAL_SECRET";
 
+/**
+ * Represents a parsed derivation path (e.g., m/44'/0'/0').
+ * Each element is a 32-bit child index where hardened indices have the high bit set.
+ */
+using DerivationPath = std::vector<uint32_t>;
+
 /**
  * Normalize a public key to 32-byte x-only format.
  *
@@ -106,6 +113,30 @@ uint256 ComputeIndividualSecret(const uint256& key);
 std::vector<uint256> ComputeAllIndividualSecrets(const uint256& decryption_secret,
                                                   const std::vector<uint256>& keys);
 
+/**
+ * Parse a derivation path string (e.g., "m/44'/0'/0'") into a DerivationPath.
+ *
+ * @param[in] path_str The path string to parse
+ * @return The parsed path, or error message
+ */
+util::Result<DerivationPath> ParseDerivationPath(const std::string& path_str);
+
+/**
+ * Encode derivation paths according to the backup format.
+ *
+ * @param[in] paths Vector of derivation paths
+ * @return Encoded bytes, or error if too many paths
+ */
+util::Result<std::vector<uint8_t>> EncodeDerivationPaths(const std::vector<DerivationPath>& paths);
+
+/**
+ * Decode derivation paths from backup format.
+ *
+ * @param[in] data The encoded data
+ * @return Vector of derivation paths, or error message
+ */
+util::Result<std::vector<DerivationPath>> DecodeDerivationPaths(std::span<const uint8_t> data);
+
 } // namespace wallet
 
 #endif // BITCOIN_WALLET_ENCRYPTEDBACKUP_H
diff --git a/src/wallet/test/encrypted_backup_tests.cpp b/src/wallet/test/encrypted_backup_tests.cpp
index 2a88893f158f..9e280d40392f 100644
--- a/src/wallet/test/encrypted_backup_tests.cpp
+++ b/src/wallet/test/encrypted_backup_tests.cpp
@@ -4,6 +4,7 @@
 
 #include <wallet/encryptedbackup.h>
 
+#include <test/data/bip_encrypted_backup_derivation_path.json.h>
 #include <test/data/bip_encrypted_backup_encryption_secret.json.h>
 #include <test/data/bip_encrypted_backup_keys_types.json.h>
 
@@ -183,6 +184,58 @@ BOOST_AUTO_TEST_CASE(nums_point_test)
     BOOST_CHECK(!IsNUMSPoint(random_key));
 }
 
+BOOST_AUTO_TEST_CASE(derivation_path_encoding_test)
+{
+    // Test derivation path encoding using BIP test vectors
+    UniValue vectors = read_json(json_tests::bip_encrypted_backup_derivation_path);
+
+    for (size_t i = 0; i < vectors.size(); ++i) {
+        const UniValue& vec = vectors[i];
+        std::string description = vec["description"].get_str();
+        const UniValue& paths_arr = vec["paths"];
+
+        BOOST_TEST_MESSAGE("Testing: " << description);
+
+        // Parse paths
+        std::vector<DerivationPath> paths;
+        bool parse_failed = false;
+        for (size_t j = 0; j < paths_arr.size(); ++j) {
+            auto path_result = ParseDerivationPath(paths_arr[j].get_str());
+            if (!path_result) {
+                parse_failed = true;
+                break;
+            }
+            paths.push_back(*path_result);
+        }
+
+        // Check if this test vector should fail
+        if (vec["expected"].isNull()) {
+            if (!parse_failed) {
+                auto encoded_result = EncodeDerivationPaths(paths);
+                BOOST_CHECK_MESSAGE(!encoded_result,
+                    description << ": expected failure but got success");
+            }
+            continue;
+        }
+
+        BOOST_REQUIRE_MESSAGE(!parse_failed, description << ": unexpected parse failure");
+        std::string expected_hex = vec["expected"].get_str();
+
+        // Encode
+        auto encoded_result = EncodeDerivationPaths(paths);
+        BOOST_REQUIRE_MESSAGE(encoded_result, util::ErrorString(encoded_result).original);
+
+        std::string result_hex = HexStr(*encoded_result);
+        BOOST_CHECK_MESSAGE(result_hex == expected_hex,
+            description << ": expected " << expected_hex << " got " << result_hex);
+
+        // Test round-trip decode
+        auto decoded_result = DecodeDerivationPaths(*encoded_result);
+        BOOST_REQUIRE_MESSAGE(decoded_result, util::ErrorString(decoded_result).original);
+        BOOST_CHECK_EQUAL(decoded_result->size(), paths.size());
+    }
+}
+
 BOOST_AUTO_TEST_SUITE_END()
 
 } // namespace wallet

From 408e93c44427f5f96538550b01ba680aa1445907 Mon Sep 17 00:00:00 2001
From: Sjors Provoost <sjors@sprovoost.nl>
Date: Wed, 14 Jan 2026 16:31:41 +0100
Subject: [PATCH 07/12] wallet: BIP-xxxx individual secrets encoding

Add functions for encoding/decoding individual secrets as specified in BIP-xxxx:
- EncodeIndividualSecrets: encode sorted secrets to binary format
- DecodeIndividualSecrets: decode from binary format

Individual secrets allow any keyholder to derive the decryption secret using:
decryption_secret = ci XOR sha256("BIP_XXXX_INDIVIDUAL_SECRET" || pi)

Includes test vectors from the BIP specification.
---
 src/test/CMakeLists.txt                       |   1 +
 ...p_encrypted_backup_individual_secrets.json | 554 ++++++++++++++++++
 src/wallet/encryptedbackup.cpp                |  52 ++
 src/wallet/encryptedbackup.h                  |  16 +
 src/wallet/test/encrypted_backup_tests.cpp    |  50 ++
 5 files changed, 673 insertions(+)
 create mode 100644 src/test/data/bip_encrypted_backup_individual_secrets.json

diff --git a/src/test/CMakeLists.txt b/src/test/CMakeLists.txt
index 5288395c9e23..5ddb30f82434 100644
--- a/src/test/CMakeLists.txt
+++ b/src/test/CMakeLists.txt
@@ -140,6 +140,7 @@ target_json_data_sources(test_bitcoin
   data/bip341_wallet_vectors.json
   data/bip_encrypted_backup_derivation_path.json
   data/bip_encrypted_backup_encryption_secret.json
+  data/bip_encrypted_backup_individual_secrets.json
   data/bip_encrypted_backup_keys_types.json
   data/blockfilters.json
   data/key_io_invalid.json
diff --git a/src/test/data/bip_encrypted_backup_individual_secrets.json b/src/test/data/bip_encrypted_backup_individual_secrets.json
new file mode 100644
index 000000000000..c1d1b6433a85
--- /dev/null
+++ b/src/test/data/bip_encrypted_backup_individual_secrets.json
@@ -0,0 +1,554 @@
+[
+  {
+    "description": "Single secret",
+    "secrets": [
+      "0000000000000000000000000000000000000000000000000000000000000000"
+    ],
+    "expected": "010000000000000000000000000000000000000000000000000000000000000000"
+  },
+  {
+    "description": "Two different secrets",
+    "secrets": [
+      "0000000000000000000000000000000000000000000000000000000000000000",
+      "0101010101010101010101010101010101010101010101010101010101010101"
+    ],
+    "expected": "0200000000000000000000000000000000000000000000000000000000000000000101010101010101010101010101010101010101010101010101010101010101"
+  },
+  {
+    "description": "Three secrets with different patterns",
+    "secrets": [
+      "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+      "0000000000000000000000000000000000000000000000000000000000000000",
+      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+    ],
+    "expected": "030000000000000000000000000000000000000000000000000000000000000000aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+  },
+  {
+    "description": "Empty secrets should fail",
+    "secrets": [],
+    "expected": null
+  },
+  {
+    "description": "256 secrets should fail (exceeds u8::MAX)",
+    "secrets": [
+      "0000000000000000000000000000000000000000000000000000000000000000",
+      "0000000000000000000000000000000000000000000000000000000000000001",
+      "0000000000000000000000000000000000000000000000000000000000000002",
+      "0000000000000000000000000000000000000000000000000000000000000003",
+      "0000000000000000000000000000000000000000000000000000000000000004",
+      "0000000000000000000000000000000000000000000000000000000000000005",
+      "0000000000000000000000000000000000000000000000000000000000000006",
+      "0000000000000000000000000000000000000000000000000000000000000007",
+      "0000000000000000000000000000000000000000000000000000000000000008",
+      "0000000000000000000000000000000000000000000000000000000000000009",
+      "000000000000000000000000000000000000000000000000000000000000000a",
+      "000000000000000000000000000000000000000000000000000000000000000b",
+      "000000000000000000000000000000000000000000000000000000000000000c",
+      "000000000000000000000000000000000000000000000000000000000000000d",
+      "000000000000000000000000000000000000000000000000000000000000000e",
+      "000000000000000000000000000000000000000000000000000000000000000f",
+      "0000000000000000000000000000000000000000000000000000000000000010",
+      "0000000000000000000000000000000000000000000000000000000000000011",
+      "0000000000000000000000000000000000000000000000000000000000000012",
+      "0000000000000000000000000000000000000000000000000000000000000013",
+      "0000000000000000000000000000000000000000000000000000000000000014",
+      "0000000000000000000000000000000000000000000000000000000000000015",
+      "0000000000000000000000000000000000000000000000000000000000000016",
+      "0000000000000000000000000000000000000000000000000000000000000017",
+      "0000000000000000000000000000000000000000000000000000000000000018",
+      "0000000000000000000000000000000000000000000000000000000000000019",
+      "000000000000000000000000000000000000000000000000000000000000001a",
+      "000000000000000000000000000000000000000000000000000000000000001b",
+      "000000000000000000000000000000000000000000000000000000000000001c",
+      "000000000000000000000000000000000000000000000000000000000000001d",
+      "000000000000000000000000000000000000000000000000000000000000001e",
+      "000000000000000000000000000000000000000000000000000000000000001f",
+      "0000000000000000000000000000000000000000000000000000000000000020",
+      "0000000000000000000000000000000000000000000000000000000000000021",
+      "0000000000000000000000000000000000000000000000000000000000000022",
+      "0000000000000000000000000000000000000000000000000000000000000023",
+      "0000000000000000000000000000000000000000000000000000000000000024",
+      "0000000000000000000000000000000000000000000000000000000000000025",
+      "0000000000000000000000000000000000000000000000000000000000000026",
+      "0000000000000000000000000000000000000000000000000000000000000027",
+      "0000000000000000000000000000000000000000000000000000000000000028",
+      "0000000000000000000000000000000000000000000000000000000000000029",
+      "000000000000000000000000000000000000000000000000000000000000002a",
+      "000000000000000000000000000000000000000000000000000000000000002b",
+      "000000000000000000000000000000000000000000000000000000000000002c",
+      "000000000000000000000000000000000000000000000000000000000000002d",
+      "000000000000000000000000000000000000000000000000000000000000002e",
+      "000000000000000000000000000000000000000000000000000000000000002f",
+      "0000000000000000000000000000000000000000000000000000000000000030",
+      "0000000000000000000000000000000000000000000000000000000000000031",
+      "0000000000000000000000000000000000000000000000000000000000000032",
+      "0000000000000000000000000000000000000000000000000000000000000033",
+      "0000000000000000000000000000000000000000000000000000000000000034",
+      "0000000000000000000000000000000000000000000000000000000000000035",
+      "0000000000000000000000000000000000000000000000000000000000000036",
+      "0000000000000000000000000000000000000000000000000000000000000037",
+      "0000000000000000000000000000000000000000000000000000000000000038",
+      "0000000000000000000000000000000000000000000000000000000000000039",
+      "000000000000000000000000000000000000000000000000000000000000003a",
+      "000000000000000000000000000000000000000000000000000000000000003b",
+      "000000000000000000000000000000000000000000000000000000000000003c",
+      "000000000000000000000000000000000000000000000000000000000000003d",
+      "000000000000000000000000000000000000000000000000000000000000003e",
+      "000000000000000000000000000000000000000000000000000000000000003f",
+      "0000000000000000000000000000000000000000000000000000000000000040",
+      "0000000000000000000000000000000000000000000000000000000000000041",
+      "0000000000000000000000000000000000000000000000000000000000000042",
+      "0000000000000000000000000000000000000000000000000000000000000043",
+      "0000000000000000000000000000000000000000000000000000000000000044",
+      "0000000000000000000000000000000000000000000000000000000000000045",
+      "0000000000000000000000000000000000000000000000000000000000000046",
+      "0000000000000000000000000000000000000000000000000000000000000047",
+      "0000000000000000000000000000000000000000000000000000000000000048",
+      "0000000000000000000000000000000000000000000000000000000000000049",
+      "000000000000000000000000000000000000000000000000000000000000004a",
+      "000000000000000000000000000000000000000000000000000000000000004b",
+      "000000000000000000000000000000000000000000000000000000000000004c",
+      "000000000000000000000000000000000000000000000000000000000000004d",
+      "000000000000000000000000000000000000000000000000000000000000004e",
+      "000000000000000000000000000000000000000000000000000000000000004f",
+      "0000000000000000000000000000000000000000000000000000000000000050",
+      "0000000000000000000000000000000000000000000000000000000000000051",
+      "0000000000000000000000000000000000000000000000000000000000000052",
+      "0000000000000000000000000000000000000000000000000000000000000053",
+      "0000000000000000000000000000000000000000000000000000000000000054",
+      "0000000000000000000000000000000000000000000000000000000000000055",
+      "0000000000000000000000000000000000000000000000000000000000000056",
+      "0000000000000000000000000000000000000000000000000000000000000057",
+      "0000000000000000000000000000000000000000000000000000000000000058",
+      "0000000000000000000000000000000000000000000000000000000000000059",
+      "000000000000000000000000000000000000000000000000000000000000005a",
+      "000000000000000000000000000000000000000000000000000000000000005b",
+      "000000000000000000000000000000000000000000000000000000000000005c",
+      "000000000000000000000000000000000000000000000000000000000000005d",
+      "000000000000000000000000000000000000000000000000000000000000005e",
+      "000000000000000000000000000000000000000000000000000000000000005f",
+      "0000000000000000000000000000000000000000000000000000000000000060",
+      "0000000000000000000000000000000000000000000000000000000000000061",
+      "0000000000000000000000000000000000000000000000000000000000000062",
+      "0000000000000000000000000000000000000000000000000000000000000063",
+      "0000000000000000000000000000000000000000000000000000000000000064",
+      "0000000000000000000000000000000000000000000000000000000000000065",
+      "0000000000000000000000000000000000000000000000000000000000000066",
+      "0000000000000000000000000000000000000000000000000000000000000067",
+      "0000000000000000000000000000000000000000000000000000000000000068",
+      "0000000000000000000000000000000000000000000000000000000000000069",
+      "000000000000000000000000000000000000000000000000000000000000006a",
+      "000000000000000000000000000000000000000000000000000000000000006b",
+      "000000000000000000000000000000000000000000000000000000000000006c",
+      "000000000000000000000000000000000000000000000000000000000000006d",
+      "000000000000000000000000000000000000000000000000000000000000006e",
+      "000000000000000000000000000000000000000000000000000000000000006f",
+      "0000000000000000000000000000000000000000000000000000000000000070",
+      "0000000000000000000000000000000000000000000000000000000000000071",
+      "0000000000000000000000000000000000000000000000000000000000000072",
+      "0000000000000000000000000000000000000000000000000000000000000073",
+      "0000000000000000000000000000000000000000000000000000000000000074",
+      "0000000000000000000000000000000000000000000000000000000000000075",
+      "0000000000000000000000000000000000000000000000000000000000000076",
+      "0000000000000000000000000000000000000000000000000000000000000077",
+      "0000000000000000000000000000000000000000000000000000000000000078",
+      "0000000000000000000000000000000000000000000000000000000000000079",
+      "000000000000000000000000000000000000000000000000000000000000007a",
+      "000000000000000000000000000000000000000000000000000000000000007b",
+      "000000000000000000000000000000000000000000000000000000000000007c",
+      "000000000000000000000000000000000000000000000000000000000000007d",
+      "000000000000000000000000000000000000000000000000000000000000007e",
+      "000000000000000000000000000000000000000000000000000000000000007f",
+      "0000000000000000000000000000000000000000000000000000000000000080",
+      "0000000000000000000000000000000000000000000000000000000000000081",
+      "0000000000000000000000000000000000000000000000000000000000000082",
+      "0000000000000000000000000000000000000000000000000000000000000083",
+      "0000000000000000000000000000000000000000000000000000000000000084",
+      "0000000000000000000000000000000000000000000000000000000000000085",
+      "0000000000000000000000000000000000000000000000000000000000000086",
+      "0000000000000000000000000000000000000000000000000000000000000087",
+      "0000000000000000000000000000000000000000000000000000000000000088",
+      "0000000000000000000000000000000000000000000000000000000000000089",
+      "000000000000000000000000000000000000000000000000000000000000008a",
+      "000000000000000000000000000000000000000000000000000000000000008b",
+      "000000000000000000000000000000000000000000000000000000000000008c",
+      "000000000000000000000000000000000000000000000000000000000000008d",
+      "000000000000000000000000000000000000000000000000000000000000008e",
+      "000000000000000000000000000000000000000000000000000000000000008f",
+      "0000000000000000000000000000000000000000000000000000000000000090",
+      "0000000000000000000000000000000000000000000000000000000000000091",
+      "0000000000000000000000000000000000000000000000000000000000000092",
+      "0000000000000000000000000000000000000000000000000000000000000093",
+      "0000000000000000000000000000000000000000000000000000000000000094",
+      "0000000000000000000000000000000000000000000000000000000000000095",
+      "0000000000000000000000000000000000000000000000000000000000000096",
+      "0000000000000000000000000000000000000000000000000000000000000097",
+      "0000000000000000000000000000000000000000000000000000000000000098",
+      "0000000000000000000000000000000000000000000000000000000000000099",
+      "000000000000000000000000000000000000000000000000000000000000009a",
+      "000000000000000000000000000000000000000000000000000000000000009b",
+      "000000000000000000000000000000000000000000000000000000000000009c",
+      "000000000000000000000000000000000000000000000000000000000000009d",
+      "000000000000000000000000000000000000000000000000000000000000009e",
+      "000000000000000000000000000000000000000000000000000000000000009f",
+      "00000000000000000000000000000000000000000000000000000000000000a0",
+      "00000000000000000000000000000000000000000000000000000000000000a1",
+      "00000000000000000000000000000000000000000000000000000000000000a2",
+      "00000000000000000000000000000000000000000000000000000000000000a3",
+      "00000000000000000000000000000000000000000000000000000000000000a4",
+      "00000000000000000000000000000000000000000000000000000000000000a5",
+      "00000000000000000000000000000000000000000000000000000000000000a6",
+      "00000000000000000000000000000000000000000000000000000000000000a7",
+      "00000000000000000000000000000000000000000000000000000000000000a8",
+      "00000000000000000000000000000000000000000000000000000000000000a9",
+      "00000000000000000000000000000000000000000000000000000000000000aa",
+      "00000000000000000000000000000000000000000000000000000000000000ab",
+      "00000000000000000000000000000000000000000000000000000000000000ac",
+      "00000000000000000000000000000000000000000000000000000000000000ad",
+      "00000000000000000000000000000000000000000000000000000000000000ae",
+      "00000000000000000000000000000000000000000000000000000000000000af",
+      "00000000000000000000000000000000000000000000000000000000000000b0",
+      "00000000000000000000000000000000000000000000000000000000000000b1",
+      "00000000000000000000000000000000000000000000000000000000000000b2",
+      "00000000000000000000000000000000000000000000000000000000000000b3",
+      "00000000000000000000000000000000000000000000000000000000000000b4",
+      "00000000000000000000000000000000000000000000000000000000000000b5",
+      "00000000000000000000000000000000000000000000000000000000000000b6",
+      "00000000000000000000000000000000000000000000000000000000000000b7",
+      "00000000000000000000000000000000000000000000000000000000000000b8",
+      "00000000000000000000000000000000000000000000000000000000000000b9",
+      "00000000000000000000000000000000000000000000000000000000000000ba",
+      "00000000000000000000000000000000000000000000000000000000000000bb",
+      "00000000000000000000000000000000000000000000000000000000000000bc",
+      "00000000000000000000000000000000000000000000000000000000000000bd",
+      "00000000000000000000000000000000000000000000000000000000000000be",
+      "00000000000000000000000000000000000000000000000000000000000000bf",
+      "00000000000000000000000000000000000000000000000000000000000000c0",
+      "00000000000000000000000000000000000000000000000000000000000000c1",
+      "00000000000000000000000000000000000000000000000000000000000000c2",
+      "00000000000000000000000000000000000000000000000000000000000000c3",
+      "00000000000000000000000000000000000000000000000000000000000000c4",
+      "00000000000000000000000000000000000000000000000000000000000000c5",
+      "00000000000000000000000000000000000000000000000000000000000000c6",
+      "00000000000000000000000000000000000000000000000000000000000000c7",
+      "00000000000000000000000000000000000000000000000000000000000000c8",
+      "00000000000000000000000000000000000000000000000000000000000000c9",
+      "00000000000000000000000000000000000000000000000000000000000000ca",
+      "00000000000000000000000000000000000000000000000000000000000000cb",
+      "00000000000000000000000000000000000000000000000000000000000000cc",
+      "00000000000000000000000000000000000000000000000000000000000000cd",
+      "00000000000000000000000000000000000000000000000000000000000000ce",
+      "00000000000000000000000000000000000000000000000000000000000000cf",
+      "00000000000000000000000000000000000000000000000000000000000000d0",
+      "00000000000000000000000000000000000000000000000000000000000000d1",
+      "00000000000000000000000000000000000000000000000000000000000000d2",
+      "00000000000000000000000000000000000000000000000000000000000000d3",
+      "00000000000000000000000000000000000000000000000000000000000000d4",
+      "00000000000000000000000000000000000000000000000000000000000000d5",
+      "00000000000000000000000000000000000000000000000000000000000000d6",
+      "00000000000000000000000000000000000000000000000000000000000000d7",
+      "00000000000000000000000000000000000000000000000000000000000000d8",
+      "00000000000000000000000000000000000000000000000000000000000000d9",
+      "00000000000000000000000000000000000000000000000000000000000000da",
+      "00000000000000000000000000000000000000000000000000000000000000db",
+      "00000000000000000000000000000000000000000000000000000000000000dc",
+      "00000000000000000000000000000000000000000000000000000000000000dd",
+      "00000000000000000000000000000000000000000000000000000000000000de",
+      "00000000000000000000000000000000000000000000000000000000000000df",
+      "00000000000000000000000000000000000000000000000000000000000000e0",
+      "00000000000000000000000000000000000000000000000000000000000000e1",
+      "00000000000000000000000000000000000000000000000000000000000000e2",
+      "00000000000000000000000000000000000000000000000000000000000000e3",
+      "00000000000000000000000000000000000000000000000000000000000000e4",
+      "00000000000000000000000000000000000000000000000000000000000000e5",
+      "00000000000000000000000000000000000000000000000000000000000000e6",
+      "00000000000000000000000000000000000000000000000000000000000000e7",
+      "00000000000000000000000000000000000000000000000000000000000000e8",
+      "00000000000000000000000000000000000000000000000000000000000000e9",
+      "00000000000000000000000000000000000000000000000000000000000000ea",
+      "00000000000000000000000000000000000000000000000000000000000000eb",
+      "00000000000000000000000000000000000000000000000000000000000000ec",
+      "00000000000000000000000000000000000000000000000000000000000000ed",
+      "00000000000000000000000000000000000000000000000000000000000000ee",
+      "00000000000000000000000000000000000000000000000000000000000000ef",
+      "00000000000000000000000000000000000000000000000000000000000000f0",
+      "00000000000000000000000000000000000000000000000000000000000000f1",
+      "00000000000000000000000000000000000000000000000000000000000000f2",
+      "00000000000000000000000000000000000000000000000000000000000000f3",
+      "00000000000000000000000000000000000000000000000000000000000000f4",
+      "00000000000000000000000000000000000000000000000000000000000000f5",
+      "00000000000000000000000000000000000000000000000000000000000000f6",
+      "00000000000000000000000000000000000000000000000000000000000000f7",
+      "00000000000000000000000000000000000000000000000000000000000000f8",
+      "00000000000000000000000000000000000000000000000000000000000000f9",
+      "00000000000000000000000000000000000000000000000000000000000000fa",
+      "00000000000000000000000000000000000000000000000000000000000000fb",
+      "00000000000000000000000000000000000000000000000000000000000000fc",
+      "00000000000000000000000000000000000000000000000000000000000000fd",
+      "00000000000000000000000000000000000000000000000000000000000000fe",
+      "00000000000000000000000000000000000000000000000000000000000000ff"
+    ],
+    "expected": null
+  },
+  {
+    "description": "255 secrets should pass",
+    "secrets": [
+      "0000000000000000000000000000000000000000000000000000000000000000",
+      "0000000000000000000000000000000000000000000000000000000000000001",
+      "0000000000000000000000000000000000000000000000000000000000000002",
+      "0000000000000000000000000000000000000000000000000000000000000003",
+      "0000000000000000000000000000000000000000000000000000000000000004",
+      "0000000000000000000000000000000000000000000000000000000000000005",
+      "0000000000000000000000000000000000000000000000000000000000000006",
+      "0000000000000000000000000000000000000000000000000000000000000007",
+      "0000000000000000000000000000000000000000000000000000000000000008",
+      "0000000000000000000000000000000000000000000000000000000000000009",
+      "000000000000000000000000000000000000000000000000000000000000000a",
+      "000000000000000000000000000000000000000000000000000000000000000b",
+      "000000000000000000000000000000000000000000000000000000000000000c",
+      "000000000000000000000000000000000000000000000000000000000000000d",
+      "000000000000000000000000000000000000000000000000000000000000000e",
+      "000000000000000000000000000000000000000000000000000000000000000f",
+      "0000000000000000000000000000000000000000000000000000000000000010",
+      "0000000000000000000000000000000000000000000000000000000000000011",
+      "0000000000000000000000000000000000000000000000000000000000000012",
+      "0000000000000000000000000000000000000000000000000000000000000013",
+      "0000000000000000000000000000000000000000000000000000000000000014",
+      "0000000000000000000000000000000000000000000000000000000000000015",
+      "0000000000000000000000000000000000000000000000000000000000000016",
+      "0000000000000000000000000000000000000000000000000000000000000017",
+      "0000000000000000000000000000000000000000000000000000000000000018",
+      "0000000000000000000000000000000000000000000000000000000000000019",
+      "000000000000000000000000000000000000000000000000000000000000001a",
+      "000000000000000000000000000000000000000000000000000000000000001b",
+      "000000000000000000000000000000000000000000000000000000000000001c",
+      "000000000000000000000000000000000000000000000000000000000000001d",
+      "000000000000000000000000000000000000000000000000000000000000001e",
+      "000000000000000000000000000000000000000000000000000000000000001f",
+      "0000000000000000000000000000000000000000000000000000000000000020",
+      "0000000000000000000000000000000000000000000000000000000000000021",
+      "0000000000000000000000000000000000000000000000000000000000000022",
+      "0000000000000000000000000000000000000000000000000000000000000023",
+      "0000000000000000000000000000000000000000000000000000000000000024",
+      "0000000000000000000000000000000000000000000000000000000000000025",
+      "0000000000000000000000000000000000000000000000000000000000000026",
+      "0000000000000000000000000000000000000000000000000000000000000027",
+      "0000000000000000000000000000000000000000000000000000000000000028",
+      "0000000000000000000000000000000000000000000000000000000000000029",
+      "000000000000000000000000000000000000000000000000000000000000002a",
+      "000000000000000000000000000000000000000000000000000000000000002b",
+      "000000000000000000000000000000000000000000000000000000000000002c",
+      "000000000000000000000000000000000000000000000000000000000000002d",
+      "000000000000000000000000000000000000000000000000000000000000002e",
+      "000000000000000000000000000000000000000000000000000000000000002f",
+      "0000000000000000000000000000000000000000000000000000000000000030",
+      "0000000000000000000000000000000000000000000000000000000000000031",
+      "0000000000000000000000000000000000000000000000000000000000000032",
+      "0000000000000000000000000000000000000000000000000000000000000033",
+      "0000000000000000000000000000000000000000000000000000000000000034",
+      "0000000000000000000000000000000000000000000000000000000000000035",
+      "0000000000000000000000000000000000000000000000000000000000000036",
+      "0000000000000000000000000000000000000000000000000000000000000037",
+      "0000000000000000000000000000000000000000000000000000000000000038",
+      "0000000000000000000000000000000000000000000000000000000000000039",
+      "000000000000000000000000000000000000000000000000000000000000003a",
+      "000000000000000000000000000000000000000000000000000000000000003b",
+      "000000000000000000000000000000000000000000000000000000000000003c",
+      "000000000000000000000000000000000000000000000000000000000000003d",
+      "000000000000000000000000000000000000000000000000000000000000003e",
+      "000000000000000000000000000000000000000000000000000000000000003f",
+      "0000000000000000000000000000000000000000000000000000000000000040",
+      "0000000000000000000000000000000000000000000000000000000000000041",
+      "0000000000000000000000000000000000000000000000000000000000000042",
+      "0000000000000000000000000000000000000000000000000000000000000043",
+      "0000000000000000000000000000000000000000000000000000000000000044",
+      "0000000000000000000000000000000000000000000000000000000000000045",
+      "0000000000000000000000000000000000000000000000000000000000000046",
+      "0000000000000000000000000000000000000000000000000000000000000047",
+      "0000000000000000000000000000000000000000000000000000000000000048",
+      "0000000000000000000000000000000000000000000000000000000000000049",
+      "000000000000000000000000000000000000000000000000000000000000004a",
+      "000000000000000000000000000000000000000000000000000000000000004b",
+      "000000000000000000000000000000000000000000000000000000000000004c",
+      "000000000000000000000000000000000000000000000000000000000000004d",
+      "000000000000000000000000000000000000000000000000000000000000004e",
+      "000000000000000000000000000000000000000000000000000000000000004f",
+      "0000000000000000000000000000000000000000000000000000000000000050",
+      "0000000000000000000000000000000000000000000000000000000000000051",
+      "0000000000000000000000000000000000000000000000000000000000000052",
+      "0000000000000000000000000000000000000000000000000000000000000053",
+      "0000000000000000000000000000000000000000000000000000000000000054",
+      "0000000000000000000000000000000000000000000000000000000000000055",
+      "0000000000000000000000000000000000000000000000000000000000000056",
+      "0000000000000000000000000000000000000000000000000000000000000057",
+      "0000000000000000000000000000000000000000000000000000000000000058",
+      "0000000000000000000000000000000000000000000000000000000000000059",
+      "000000000000000000000000000000000000000000000000000000000000005a",
+      "000000000000000000000000000000000000000000000000000000000000005b",
+      "000000000000000000000000000000000000000000000000000000000000005c",
+      "000000000000000000000000000000000000000000000000000000000000005d",
+      "000000000000000000000000000000000000000000000000000000000000005e",
+      "000000000000000000000000000000000000000000000000000000000000005f",
+      "0000000000000000000000000000000000000000000000000000000000000060",
+      "0000000000000000000000000000000000000000000000000000000000000061",
+      "0000000000000000000000000000000000000000000000000000000000000062",
+      "0000000000000000000000000000000000000000000000000000000000000063",
+      "0000000000000000000000000000000000000000000000000000000000000064",
+      "0000000000000000000000000000000000000000000000000000000000000065",
+      "0000000000000000000000000000000000000000000000000000000000000066",
+      "0000000000000000000000000000000000000000000000000000000000000067",
+      "0000000000000000000000000000000000000000000000000000000000000068",
+      "0000000000000000000000000000000000000000000000000000000000000069",
+      "000000000000000000000000000000000000000000000000000000000000006a",
+      "000000000000000000000000000000000000000000000000000000000000006b",
+      "000000000000000000000000000000000000000000000000000000000000006c",
+      "000000000000000000000000000000000000000000000000000000000000006d",
+      "000000000000000000000000000000000000000000000000000000000000006e",
+      "000000000000000000000000000000000000000000000000000000000000006f",
+      "0000000000000000000000000000000000000000000000000000000000000070",
+      "0000000000000000000000000000000000000000000000000000000000000071",
+      "0000000000000000000000000000000000000000000000000000000000000072",
+      "0000000000000000000000000000000000000000000000000000000000000073",
+      "0000000000000000000000000000000000000000000000000000000000000074",
+      "0000000000000000000000000000000000000000000000000000000000000075",
+      "0000000000000000000000000000000000000000000000000000000000000076",
+      "0000000000000000000000000000000000000000000000000000000000000077",
+      "0000000000000000000000000000000000000000000000000000000000000078",
+      "0000000000000000000000000000000000000000000000000000000000000079",
+      "000000000000000000000000000000000000000000000000000000000000007a",
+      "000000000000000000000000000000000000000000000000000000000000007b",
+      "000000000000000000000000000000000000000000000000000000000000007c",
+      "000000000000000000000000000000000000000000000000000000000000007d",
+      "000000000000000000000000000000000000000000000000000000000000007e",
+      "000000000000000000000000000000000000000000000000000000000000007f",
+      "0000000000000000000000000000000000000000000000000000000000000080",
+      "0000000000000000000000000000000000000000000000000000000000000081",
+      "0000000000000000000000000000000000000000000000000000000000000082",
+      "0000000000000000000000000000000000000000000000000000000000000083",
+      "0000000000000000000000000000000000000000000000000000000000000084",
+      "0000000000000000000000000000000000000000000000000000000000000085",
+      "0000000000000000000000000000000000000000000000000000000000000086",
+      "0000000000000000000000000000000000000000000000000000000000000087",
+      "0000000000000000000000000000000000000000000000000000000000000088",
+      "0000000000000000000000000000000000000000000000000000000000000089",
+      "000000000000000000000000000000000000000000000000000000000000008a",
+      "000000000000000000000000000000000000000000000000000000000000008b",
+      "000000000000000000000000000000000000000000000000000000000000008c",
+      "000000000000000000000000000000000000000000000000000000000000008d",
+      "000000000000000000000000000000000000000000000000000000000000008e",
+      "000000000000000000000000000000000000000000000000000000000000008f",
+      "0000000000000000000000000000000000000000000000000000000000000090",
+      "0000000000000000000000000000000000000000000000000000000000000091",
+      "0000000000000000000000000000000000000000000000000000000000000092",
+      "0000000000000000000000000000000000000000000000000000000000000093",
+      "0000000000000000000000000000000000000000000000000000000000000094",
+      "0000000000000000000000000000000000000000000000000000000000000095",
+      "0000000000000000000000000000000000000000000000000000000000000096",
+      "0000000000000000000000000000000000000000000000000000000000000097",
+      "0000000000000000000000000000000000000000000000000000000000000098",
+      "0000000000000000000000000000000000000000000000000000000000000099",
+      "000000000000000000000000000000000000000000000000000000000000009a",
+      "000000000000000000000000000000000000000000000000000000000000009b",
+      "000000000000000000000000000000000000000000000000000000000000009c",
+      "000000000000000000000000000000000000000000000000000000000000009d",
+      "000000000000000000000000000000000000000000000000000000000000009e",
+      "000000000000000000000000000000000000000000000000000000000000009f",
+      "00000000000000000000000000000000000000000000000000000000000000a0",
+      "00000000000000000000000000000000000000000000000000000000000000a1",
+      "00000000000000000000000000000000000000000000000000000000000000a2",
+      "00000000000000000000000000000000000000000000000000000000000000a3",
+      "00000000000000000000000000000000000000000000000000000000000000a4",
+      "00000000000000000000000000000000000000000000000000000000000000a5",
+      "00000000000000000000000000000000000000000000000000000000000000a6",
+      "00000000000000000000000000000000000000000000000000000000000000a7",
+      "00000000000000000000000000000000000000000000000000000000000000a8",
+      "00000000000000000000000000000000000000000000000000000000000000a9",
+      "00000000000000000000000000000000000000000000000000000000000000aa",
+      "00000000000000000000000000000000000000000000000000000000000000ab",
+      "00000000000000000000000000000000000000000000000000000000000000ac",
+      "00000000000000000000000000000000000000000000000000000000000000ad",
+      "00000000000000000000000000000000000000000000000000000000000000ae",
+      "00000000000000000000000000000000000000000000000000000000000000af",
+      "00000000000000000000000000000000000000000000000000000000000000b0",
+      "00000000000000000000000000000000000000000000000000000000000000b1",
+      "00000000000000000000000000000000000000000000000000000000000000b2",
+      "00000000000000000000000000000000000000000000000000000000000000b3",
+      "00000000000000000000000000000000000000000000000000000000000000b4",
+      "00000000000000000000000000000000000000000000000000000000000000b5",
+      "00000000000000000000000000000000000000000000000000000000000000b6",
+      "00000000000000000000000000000000000000000000000000000000000000b7",
+      "00000000000000000000000000000000000000000000000000000000000000b8",
+      "00000000000000000000000000000000000000000000000000000000000000b9",
+      "00000000000000000000000000000000000000000000000000000000000000ba",
+      "00000000000000000000000000000000000000000000000000000000000000bb",
+      "00000000000000000000000000000000000000000000000000000000000000bc",
+      "00000000000000000000000000000000000000000000000000000000000000bd",
+      "00000000000000000000000000000000000000000000000000000000000000be",
+      "00000000000000000000000000000000000000000000000000000000000000bf",
+      "00000000000000000000000000000000000000000000000000000000000000c0",
+      "00000000000000000000000000000000000000000000000000000000000000c1",
+      "00000000000000000000000000000000000000000000000000000000000000c2",
+      "00000000000000000000000000000000000000000000000000000000000000c3",
+      "00000000000000000000000000000000000000000000000000000000000000c4",
+      "00000000000000000000000000000000000000000000000000000000000000c5",
+      "00000000000000000000000000000000000000000000000000000000000000c6",
+      "00000000000000000000000000000000000000000000000000000000000000c7",
+      "00000000000000000000000000000000000000000000000000000000000000c8",
+      "00000000000000000000000000000000000000000000000000000000000000c9",
+      "00000000000000000000000000000000000000000000000000000000000000ca",
+      "00000000000000000000000000000000000000000000000000000000000000cb",
+      "00000000000000000000000000000000000000000000000000000000000000cc",
+      "00000000000000000000000000000000000000000000000000000000000000cd",
+      "00000000000000000000000000000000000000000000000000000000000000ce",
+      "00000000000000000000000000000000000000000000000000000000000000cf",
+      "00000000000000000000000000000000000000000000000000000000000000d0",
+      "00000000000000000000000000000000000000000000000000000000000000d1",
+      "00000000000000000000000000000000000000000000000000000000000000d2",
+      "00000000000000000000000000000000000000000000000000000000000000d3",
+      "00000000000000000000000000000000000000000000000000000000000000d4",
+      "00000000000000000000000000000000000000000000000000000000000000d5",
+      "00000000000000000000000000000000000000000000000000000000000000d6",
+      "00000000000000000000000000000000000000000000000000000000000000d7",
+      "00000000000000000000000000000000000000000000000000000000000000d8",
+      "00000000000000000000000000000000000000000000000000000000000000d9",
+      "00000000000000000000000000000000000000000000000000000000000000da",
+      "00000000000000000000000000000000000000000000000000000000000000db",
+      "00000000000000000000000000000000000000000000000000000000000000dc",
+      "00000000000000000000000000000000000000000000000000000000000000dd",
+      "00000000000000000000000000000000000000000000000000000000000000de",
+      "00000000000000000000000000000000000000000000000000000000000000df",
+      "00000000000000000000000000000000000000000000000000000000000000e0",
+      "00000000000000000000000000000000000000000000000000000000000000e1",
+      "00000000000000000000000000000000000000000000000000000000000000e2",
+      "00000000000000000000000000000000000000000000000000000000000000e3",
+      "00000000000000000000000000000000000000000000000000000000000000e4",
+      "00000000000000000000000000000000000000000000000000000000000000e5",
+      "00000000000000000000000000000000000000000000000000000000000000e6",
+      "00000000000000000000000000000000000000000000000000000000000000e7",
+      "00000000000000000000000000000000000000000000000000000000000000e8",
+      "00000000000000000000000000000000000000000000000000000000000000e9",
+      "00000000000000000000000000000000000000000000000000000000000000ea",
+      "00000000000000000000000000000000000000000000000000000000000000eb",
+      "00000000000000000000000000000000000000000000000000000000000000ec",
+      "00000000000000000000000000000000000000000000000000000000000000ed",
+      "00000000000000000000000000000000000000000000000000000000000000ee",
+      "00000000000000000000000000000000000000000000000000000000000000ef",
+      "00000000000000000000000000000000000000000000000000000000000000f0",
+      "00000000000000000000000000000000000000000000000000000000000000f1",
+      "00000000000000000000000000000000000000000000000000000000000000f2",
+      "00000000000000000000000000000000000000000000000000000000000000f3",
+      "00000000000000000000000000000000000000000000000000000000000000f4",
+      "00000000000000000000000000000000000000000000000000000000000000f5",
+      "00000000000000000000000000000000000000000000000000000000000000f6",
+      "00000000000000000000000000000000000000000000000000000000000000f7",
+      "00000000000000000000000000000000000000000000000000000000000000f8",
+      "00000000000000000000000000000000000000000000000000000000000000f9",
+      "00000000000000000000000000000000000000000000000000000000000000fa",
+      "00000000000000000000000000000000000000000000000000000000000000fb",
+      "00000000000000000000000000000000000000000000000000000000000000fc",
+      "00000000000000000000000000000000000000000000000000000000000000fd",
+      "00000000000000000000000000000000000000000000000000000000000000fe"
+    ],
+    "expected": "ff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000003000000000000000000000000000000000000000000000000000000000000000400000000000000000000000000000000000000000000000000000000000000050000000000000000000000000000000000000000000000000000000000000006000000000000000000000000000000000000000000000000000000000000000700000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000000000000000000000000000000000009000000000000000000000000000000000000000000000000000000000000000a000000000000000000000000000000000000000000000000000000000000000b000000000000000000000000000000000000000000000000000000000000000c000000000000000000000000000000000000000000000000000000000000000d000000000000000000000000000000000000000000000000000000000000000e000000000000000000000000000000000000000000000000000000000000000f0000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000001100000000000000000000000000000000000000000000000000000000000000120000000000000000000000000000000000000000000000000000000000000013000000000000000000000000000000000000000000000000000000000000001400000000000000000000000000000000000000000000000000000000000000150000000000000000000000000000000000000000000000000000000000000016000000000000000000000000000000000000000000000000000000000000001700000000000000000000000000000000000000000000000000000000000000180000000000000000000000000000000000000000000000000000000000000019000000000000000000000000000000000000000000000000000000000000001a000000000000000000000000000000000000000000000000000000000000001b000000000000000000000000000000000000000000000000000000000000001c000000000000000000000000000000000000000000000000000000000000001d000000000000000000000000000000000000000000000000000000000000001e000000000000000000000000000000000000000000000000000000000000001f0000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000002100000000000000000000000000000000000000000000000000000000000000220000000000000000000000000000000000000000000000000000000000000023000000000000000000000000000000000000000000000000000000000000002400000000000000000000000000000000000000000000000000000000000000250000000000000000000000000000000000000000000000000000000000000026000000000000000000000000000000000000000000000000000000000000002700000000000000000000000000000000000000000000000000000000000000280000000000000000000000000000000000000000000000000000000000000029000000000000000000000000000000000000000000000000000000000000002a000000000000000000000000000000000000000000000000000000000000002b000000000000000000000000000000000000000000000000000000000000002c000000000000000000000000000000000000000000000000000000000000002d000000000000000000000000000000000000000000000000000000000000002e000000000000000000000000000000000000000000000000000000000000002f0000000000000000000000000000000000000000000000000000000000000030000000000000000000000000000000000000000000000000000000000000003100000000000000000000000000000000000000000000000000000000000000320000000000000000000000000000000000000000000000000000000000000033000000000000000000000000000000000000000000000000000000000000003400000000000000000000000000000000000000000000000000000000000000350000000000000000000000000000000000000000000000000000000000000036000000000000000000000000000000000000000000000000000000000000003700000000000000000000000000000000000000000000000000000000000000380000000000000000000000000000000000000000000000000000000000000039000000000000000000000000000000000000000000000000000000000000003a000000000000000000000000000000000000000000000000000000000000003b000000000000000000000000000000000000000000000000000000000000003c000000000000000000000000000000000000000000000000000000000000003d000000000000000000000000000000000000000000000000000000000000003e000000000000000000000000000000000000000000000000000000000000003f0000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000004100000000000000000000000000000000000000000000000000000000000000420000000000000000000000000000000000000000000000000000000000000043000000000000000000000000000000000000000000000000000000000000004400000000000000000000000000000000000000000000000000000000000000450000000000000000000000000000000000000000000000000000000000000046000000000000000000000000000000000000000000000000000000000000004700000000000000000000000000000000000000000000000000000000000000480000000000000000000000000000000000000000000000000000000000000049000000000000000000000000000000000000000000000000000000000000004a000000000000000000000000000000000000000000000000000000000000004b000000000000000000000000000000000000000000000000000000000000004c000000000000000000000000000000000000000000000000000000000000004d000000000000000000000000000000000000000000000000000000000000004e000000000000000000000000000000000000000000000000000000000000004f0000000000000000000000000000000000000000000000000000000000000050000000000000000000000000000000000000000000000000000000000000005100000000000000000000000000000000000000000000000000000000000000520000000000000000000000000000000000000000000000000000000000000053000000000000000000000000000000000000000000000000000000000000005400000000000000000000000000000000000000000000000000000000000000550000000000000000000000000000000000000000000000000000000000000056000000000000000000000000000000000000000000000000000000000000005700000000000000000000000000000000000000000000000000000000000000580000000000000000000000000000000000000000000000000000000000000059000000000000000000000000000000000000000000000000000000000000005a000000000000000000000000000000000000000000000000000000000000005b000000000000000000000000000000000000000000000000000000000000005c000000000000000000000000000000000000000000000000000000000000005d000000000000000000000000000000000000000000000000000000000000005e000000000000000000000000000000000000000000000000000000000000005f0000000000000000000000000000000000000000000000000000000000000060000000000000000000000000000000000000000000000000000000000000006100000000000000000000000000000000000000000000000000000000000000620000000000000000000000000000000000000000000000000000000000000063000000000000000000000000000000000000000000000000000000000000006400000000000000000000000000000000000000000000000000000000000000650000000000000000000000000000000000000000000000000000000000000066000000000000000000000000000000000000000000000000000000000000006700000000000000000000000000000000000000000000000000000000000000680000000000000000000000000000000000000000000000000000000000000069000000000000000000000000000000000000000000000000000000000000006a000000000000000000000000000000000000000000000000000000000000006b000000000000000000000000000000000000000000000000000000000000006c000000000000000000000000000000000000000000000000000000000000006d000000000000000000000000000000000000000000000000000000000000006e000000000000000000000000000000000000000000000000000000000000006f0000000000000000000000000000000000000000000000000000000000000070000000000000000000000000000000000000000000000000000000000000007100000000000000000000000000000000000000000000000000000000000000720000000000000000000000000000000000000000000000000000000000000073000000000000000000000000000000000000000000000000000000000000007400000000000000000000000000000000000000000000000000000000000000750000000000000000000000000000000000000000000000000000000000000076000000000000000000000000000000000000000000000000000000000000007700000000000000000000000000000000000000000000000000000000000000780000000000000000000000000000000000000000000000000000000000000079000000000000000000000000000000000000000000000000000000000000007a000000000000000000000000000000000000000000000000000000000000007b000000000000000000000000000000000000000000000000000000000000007c000000000000000000000000000000000000000000000000000000000000007d000000000000000000000000000000000000000000000000000000000000007e000000000000000000000000000000000000000000000000000000000000007f0000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000000000000000000000000000000000008100000000000000000000000000000000000000000000000000000000000000820000000000000000000000000000000000000000000000000000000000000083000000000000000000000000000000000000000000000000000000000000008400000000000000000000000000000000000000000000000000000000000000850000000000000000000000000000000000000000000000000000000000000086000000000000000000000000000000000000000000000000000000000000008700000000000000000000000000000000000000000000000000000000000000880000000000000000000000000000000000000000000000000000000000000089000000000000000000000000000000000000000000000000000000000000008a000000000000000000000000000000000000000000000000000000000000008b000000000000000000000000000000000000000000000000000000000000008c000000000000000000000000000000000000000000000000000000000000008d000000000000000000000000000000000000000000000000000000000000008e000000000000000000000000000000000000000000000000000000000000008f0000000000000000000000000000000000000000000000000000000000000090000000000000000000000000000000000000000000000000000000000000009100000000000000000000000000000000000000000000000000000000000000920000000000000000000000000000000000000000000000000000000000000093000000000000000000000000000000000000000000000000000000000000009400000000000000000000000000000000000000000000000000000000000000950000000000000000000000000000000000000000000000000000000000000096000000000000000000000000000000000000000000000000000000000000009700000000000000000000000000000000000000000000000000000000000000980000000000000000000000000000000000000000000000000000000000000099000000000000000000000000000000000000000000000000000000000000009a000000000000000000000000000000000000000000000000000000000000009b000000000000000000000000000000000000000000000000000000000000009c000000000000000000000000000000000000000000000000000000000000009d000000000000000000000000000000000000000000000000000000000000009e000000000000000000000000000000000000000000000000000000000000009f00000000000000000000000000000000000000000000000000000000000000a000000000000000000000000000000000000000000000000000000000000000a100000000000000000000000000000000000000000000000000000000000000a200000000000000000000000000000000000000000000000000000000000000a300000000000000000000000000000000000000000000000000000000000000a400000000000000000000000000000000000000000000000000000000000000a500000000000000000000000000000000000000000000000000000000000000a600000000000000000000000000000000000000000000000000000000000000a700000000000000000000000000000000000000000000000000000000000000a800000000000000000000000000000000000000000000000000000000000000a900000000000000000000000000000000000000000000000000000000000000aa00000000000000000000000000000000000000000000000000000000000000ab00000000000000000000000000000000000000000000000000000000000000ac00000000000000000000000000000000000000000000000000000000000000ad00000000000000000000000000000000000000000000000000000000000000ae00000000000000000000000000000000000000000000000000000000000000af00000000000000000000000000000000000000000000000000000000000000b000000000000000000000000000000000000000000000000000000000000000b100000000000000000000000000000000000000000000000000000000000000b200000000000000000000000000000000000000000000000000000000000000b300000000000000000000000000000000000000000000000000000000000000b400000000000000000000000000000000000000000000000000000000000000b500000000000000000000000000000000000000000000000000000000000000b600000000000000000000000000000000000000000000000000000000000000b700000000000000000000000000000000000000000000000000000000000000b800000000000000000000000000000000000000000000000000000000000000b900000000000000000000000000000000000000000000000000000000000000ba00000000000000000000000000000000000000000000000000000000000000bb00000000000000000000000000000000000000000000000000000000000000bc00000000000000000000000000000000000000000000000000000000000000bd00000000000000000000000000000000000000000000000000000000000000be00000000000000000000000000000000000000000000000000000000000000bf00000000000000000000000000000000000000000000000000000000000000c000000000000000000000000000000000000000000000000000000000000000c100000000000000000000000000000000000000000000000000000000000000c200000000000000000000000000000000000000000000000000000000000000c300000000000000000000000000000000000000000000000000000000000000c400000000000000000000000000000000000000000000000000000000000000c500000000000000000000000000000000000000000000000000000000000000c600000000000000000000000000000000000000000000000000000000000000c700000000000000000000000000000000000000000000000000000000000000c800000000000000000000000000000000000000000000000000000000000000c900000000000000000000000000000000000000000000000000000000000000ca00000000000000000000000000000000000000000000000000000000000000cb00000000000000000000000000000000000000000000000000000000000000cc00000000000000000000000000000000000000000000000000000000000000cd00000000000000000000000000000000000000000000000000000000000000ce00000000000000000000000000000000000000000000000000000000000000cf00000000000000000000000000000000000000000000000000000000000000d000000000000000000000000000000000000000000000000000000000000000d100000000000000000000000000000000000000000000000000000000000000d200000000000000000000000000000000000000000000000000000000000000d300000000000000000000000000000000000000000000000000000000000000d400000000000000000000000000000000000000000000000000000000000000d500000000000000000000000000000000000000000000000000000000000000d600000000000000000000000000000000000000000000000000000000000000d700000000000000000000000000000000000000000000000000000000000000d800000000000000000000000000000000000000000000000000000000000000d900000000000000000000000000000000000000000000000000000000000000da00000000000000000000000000000000000000000000000000000000000000db00000000000000000000000000000000000000000000000000000000000000dc00000000000000000000000000000000000000000000000000000000000000dd00000000000000000000000000000000000000000000000000000000000000de00000000000000000000000000000000000000000000000000000000000000df00000000000000000000000000000000000000000000000000000000000000e000000000000000000000000000000000000000000000000000000000000000e100000000000000000000000000000000000000000000000000000000000000e200000000000000000000000000000000000000000000000000000000000000e300000000000000000000000000000000000000000000000000000000000000e400000000000000000000000000000000000000000000000000000000000000e500000000000000000000000000000000000000000000000000000000000000e600000000000000000000000000000000000000000000000000000000000000e700000000000000000000000000000000000000000000000000000000000000e800000000000000000000000000000000000000000000000000000000000000e900000000000000000000000000000000000000000000000000000000000000ea00000000000000000000000000000000000000000000000000000000000000eb00000000000000000000000000000000000000000000000000000000000000ec00000000000000000000000000000000000000000000000000000000000000ed00000000000000000000000000000000000000000000000000000000000000ee00000000000000000000000000000000000000000000000000000000000000ef00000000000000000000000000000000000000000000000000000000000000f000000000000000000000000000000000000000000000000000000000000000f100000000000000000000000000000000000000000000000000000000000000f200000000000000000000000000000000000000000000000000000000000000f300000000000000000000000000000000000000000000000000000000000000f400000000000000000000000000000000000000000000000000000000000000f500000000000000000000000000000000000000000000000000000000000000f600000000000000000000000000000000000000000000000000000000000000f700000000000000000000000000000000000000000000000000000000000000f800000000000000000000000000000000000000000000000000000000000000f900000000000000000000000000000000000000000000000000000000000000fa00000000000000000000000000000000000000000000000000000000000000fb00000000000000000000000000000000000000000000000000000000000000fc00000000000000000000000000000000000000000000000000000000000000fd00000000000000000000000000000000000000000000000000000000000000fe"
+  }
+]
diff --git a/src/wallet/encryptedbackup.cpp b/src/wallet/encryptedbackup.cpp
index 4c42070a56c4..bf773d1936e5 100644
--- a/src/wallet/encryptedbackup.cpp
+++ b/src/wallet/encryptedbackup.cpp
@@ -196,4 +196,56 @@ util::Result<std::vector<DerivationPath>> DecodeDerivationPaths(std::span<const
     return result;
 }
 
+util::Result<std::vector<uint8_t>> EncodeIndividualSecrets(const std::vector<uint256>& secrets)
+{
+    if (secrets.empty()) {
+        return util::Error{Untranslated("At least one individual secret is required")};
+    }
+    if (secrets.size() > 255) {
+        return util::Error{Untranslated("Too many individual secrets (max 255)")};
+    }
+
+    // Sort secrets lexicographically for consistent encoding
+    std::vector<uint256> sorted_secrets = secrets;
+    std::sort(sorted_secrets.begin(), sorted_secrets.end());
+
+    std::vector<uint8_t> result;
+    result.reserve(1 + sorted_secrets.size() * 32);
+    result.push_back(static_cast<uint8_t>(sorted_secrets.size()));
+
+    for (const auto& secret : sorted_secrets) {
+        result.insert(result.end(), secret.begin(), secret.end());
+    }
+
+    return result;
+}
+
+util::Result<std::vector<uint256>> DecodeIndividualSecrets(std::span<const uint8_t> data)
+{
+    if (data.empty()) {
+        return util::Error{Untranslated("Empty individual secrets data")};
+    }
+
+    uint8_t count = data[0];
+    if (count == 0) {
+        return util::Error{Untranslated("At least one individual secret is required")};
+    }
+
+    size_t expected_size = 1 + count * 32;
+    if (data.size() < expected_size) {
+        return util::Error{Untranslated("Truncated individual secrets data")};
+    }
+
+    std::vector<uint256> result;
+    result.reserve(count);
+
+    for (size_t i = 0; i < count; ++i) {
+        uint256 secret;
+        std::memcpy(secret.data(), data.data() + 1 + i * 32, 32);
+        result.push_back(secret);
+    }
+
+    return result;
+}
+
 } // namespace wallet
diff --git a/src/wallet/encryptedbackup.h b/src/wallet/encryptedbackup.h
index 1858b723c34c..ab6043bc0d7b 100644
--- a/src/wallet/encryptedbackup.h
+++ b/src/wallet/encryptedbackup.h
@@ -137,6 +137,22 @@ util::Result<std::vector<uint8_t>> EncodeDerivationPaths(const std::vector<Deriv
  */
 util::Result<std::vector<DerivationPath>> DecodeDerivationPaths(std::span<const uint8_t> data);
 
+/**
+ * Encode individual secrets according to the backup format.
+ *
+ * @param[in] secrets Vector of individual secrets
+ * @return Encoded bytes, or error if empty or too many secrets
+ */
+util::Result<std::vector<uint8_t>> EncodeIndividualSecrets(const std::vector<uint256>& secrets);
+
+/**
+ * Decode individual secrets from backup format.
+ *
+ * @param[in] data The encoded data
+ * @return Vector of individual secrets, or error message
+ */
+util::Result<std::vector<uint256>> DecodeIndividualSecrets(std::span<const uint8_t> data);
+
 } // namespace wallet
 
 #endif // BITCOIN_WALLET_ENCRYPTEDBACKUP_H
diff --git a/src/wallet/test/encrypted_backup_tests.cpp b/src/wallet/test/encrypted_backup_tests.cpp
index 9e280d40392f..b29b57efb680 100644
--- a/src/wallet/test/encrypted_backup_tests.cpp
+++ b/src/wallet/test/encrypted_backup_tests.cpp
@@ -6,6 +6,7 @@
 
 #include <test/data/bip_encrypted_backup_derivation_path.json.h>
 #include <test/data/bip_encrypted_backup_encryption_secret.json.h>
+#include <test/data/bip_encrypted_backup_individual_secrets.json.h>
 #include <test/data/bip_encrypted_backup_keys_types.json.h>
 
 #include <base58.h>
@@ -236,6 +237,55 @@ BOOST_AUTO_TEST_CASE(derivation_path_encoding_test)
     }
 }
 
+BOOST_AUTO_TEST_CASE(individual_secrets_encoding_test)
+{
+    // Test individual secrets encoding using BIP test vectors
+    UniValue vectors = read_json(json_tests::bip_encrypted_backup_individual_secrets);
+
+    for (size_t i = 0; i < vectors.size(); ++i) {
+        const UniValue& vec = vectors[i];
+        std::string description = vec["description"].get_str();
+
+        BOOST_TEST_MESSAGE("Testing: " << description);
+
+        const UniValue& secrets_arr = vec["secrets"];
+
+        // Parse secrets
+        std::vector<uint256> secrets;
+        for (size_t j = 0; j < secrets_arr.size(); ++j) {
+            auto secret_bytes = ParseHex(secrets_arr[j].get_str());
+            if (secret_bytes.size() == 32) {
+                uint256 secret;
+                std::memcpy(secret.data(), secret_bytes.data(), 32);
+                secrets.push_back(secret);
+            }
+        }
+
+        // Check if this should fail
+        if (vec["expected"].isNull()) {
+            auto encoded_result = EncodeIndividualSecrets(secrets);
+            BOOST_CHECK_MESSAGE(!encoded_result,
+                description << ": expected failure but got success");
+            continue;
+        }
+
+        std::string expected_hex = vec["expected"].get_str();
+
+        // Encode
+        auto encoded_result = EncodeIndividualSecrets(secrets);
+        BOOST_REQUIRE_MESSAGE(encoded_result, util::ErrorString(encoded_result).original);
+
+        std::string result_hex = HexStr(*encoded_result);
+        BOOST_CHECK_MESSAGE(result_hex == expected_hex,
+            description << ": expected " << expected_hex << " got " << result_hex);
+
+        // Test round-trip decode
+        auto decoded_result = DecodeIndividualSecrets(*encoded_result);
+        BOOST_REQUIRE_MESSAGE(decoded_result, util::ErrorString(decoded_result).original);
+        BOOST_CHECK_EQUAL(decoded_result->size(), secrets.size());
+    }
+}
+
 BOOST_AUTO_TEST_SUITE_END()
 
 } // namespace wallet

From ab66aa7fbc3ff8b68f774d4eb1585635c51a0fde Mon Sep 17 00:00:00 2001
From: Sjors Provoost <sjors@sprovoost.nl>
Date: Wed, 14 Jan 2026 16:33:53 +0100
Subject: [PATCH 08/12] wallet: BIP-xxxx content type encoding

Add functions for encoding/decoding content type metadata as specified in BIP-xxxx:
- EncodeContent: encode BIP_NUMBER or VENDOR_SPECIFIC content types
- DecodeContent: decode content type from binary format

Content types define what kind of data is in the encrypted payload:
- BIP_NUMBER: references a BIP specification (e.g., 380 for descriptors)
- VENDOR_SPECIFIC: application-defined content with length prefix

Includes test vectors from the BIP specification.
---
 src/test/CMakeLists.txt                       |  1 +
 .../bip_encrypted_backup_content_type.json    | 77 +++++++++++++++++
 src/wallet/encryptedbackup.cpp                | 86 +++++++++++++++++++
 src/wallet/encryptedbackup.h                  | 38 ++++++++
 src/wallet/test/encrypted_backup_tests.cpp    | 39 +++++++++
 5 files changed, 241 insertions(+)
 create mode 100644 src/test/data/bip_encrypted_backup_content_type.json

diff --git a/src/test/CMakeLists.txt b/src/test/CMakeLists.txt
index 5ddb30f82434..483daf247de2 100644
--- a/src/test/CMakeLists.txt
+++ b/src/test/CMakeLists.txt
@@ -138,6 +138,7 @@ include(TargetDataSources)
 target_json_data_sources(test_bitcoin
   data/base58_encode_decode.json
   data/bip341_wallet_vectors.json
+  data/bip_encrypted_backup_content_type.json
   data/bip_encrypted_backup_derivation_path.json
   data/bip_encrypted_backup_encryption_secret.json
   data/bip_encrypted_backup_individual_secrets.json
diff --git a/src/test/data/bip_encrypted_backup_content_type.json b/src/test/data/bip_encrypted_backup_content_type.json
new file mode 100644
index 000000000000..deff5eb87df5
--- /dev/null
+++ b/src/test/data/bip_encrypted_backup_content_type.json
@@ -0,0 +1,77 @@
+[
+  {
+    "description": "TYPE 0x00 is reserved",
+    "valid": false,
+    "content": "00"
+  },
+  {
+    "description": "BIP 380",
+    "valid": true,
+    "content": "01017c"
+  },
+  {
+    "description": "BIP 388",
+    "valid": true,
+    "content": "010184"
+  },
+  {
+    "description": "BIP 329",
+    "valid": true,
+    "content": "010149"
+  },
+  {
+    "description": "BIP 999",
+    "valid": true,
+    "content": "0103e7"
+  },
+  {
+    "description": "BIP max (65535)",
+    "valid": true,
+    "content": "01ffff"
+  },
+  {
+    "description": "BIP min (0)",
+    "valid": true,
+    "content": "010000"
+  },
+  {
+    "description": "Vendor-specific 00010203",
+    "valid": true,
+    "content": "020400010203"
+  },
+  {
+    "description": "Vendor-specific empty",
+    "valid": true,
+    "content": "0200"
+  },
+  {
+    "description": "TYPE 0x01 incomplete (missing DATA)",
+    "valid": false,
+    "content": "01"
+  },
+  {
+    "description": "TYPE 0x01 incomplete (only 1 byte of DATA)",
+    "valid": false,
+    "content": "0100"
+  },
+  {
+    "description": "TYPE 0x02 LENGTH exceeds remaining bytes",
+    "valid": false,
+    "content": "0205aabbcc"
+  },
+  {
+    "description": "TYPE >= 0x80 stops parsing",
+    "valid": false,
+    "content": "80"
+  },
+  {
+    "description": "TYPE >= 0x80 stops parsing (0xff)",
+    "valid": false,
+    "content": "ff"
+  },
+  {
+    "description": "Unknown TYPE < 0x80 with valid LENGTH skipped",
+    "valid": true,
+    "content": "0302aabb"
+  }
+]
diff --git a/src/wallet/encryptedbackup.cpp b/src/wallet/encryptedbackup.cpp
index bf773d1936e5..f3405717cab0 100644
--- a/src/wallet/encryptedbackup.cpp
+++ b/src/wallet/encryptedbackup.cpp
@@ -9,6 +9,8 @@
 #include <hash.h>
 #include <key_io.h>
 #include <script/descriptor.h>
+#include <serialize.h>
+#include <streams.h>
 #include <util/bip32.h>
 
 namespace wallet {
@@ -248,4 +250,88 @@ util::Result<std::vector<uint256>> DecodeIndividualSecrets(std::span<const uint8
     return result;
 }
 
+util::Result<std::vector<uint8_t>> EncodeContent(const EncryptedBackupContent& content)
+{
+    std::vector<uint8_t> result;
+
+    switch (content.type) {
+    case ContentType::RESERVED:
+        return util::Error{Untranslated("Reserved content type cannot be encoded")};
+
+    case ContentType::BIP_NUMBER:
+        result.push_back(static_cast<uint8_t>(ContentType::BIP_NUMBER));
+        // BIP number is big-endian uint16, no LENGTH field
+        result.push_back((content.bip_number >> 8) & 0xFF);
+        result.push_back(content.bip_number & 0xFF);
+        break;
+
+    case ContentType::VENDOR_SPECIFIC: {
+        result.push_back(static_cast<uint8_t>(ContentType::VENDOR_SPECIFIC));
+        // CompactSize encoding for length
+        DataStream ss;
+        WriteCompactSize(ss, content.vendor_data.size());
+        result.insert(result.end(), UCharCast(ss.data()), UCharCast(ss.data()) + ss.size());
+        result.insert(result.end(), content.vendor_data.begin(), content.vendor_data.end());
+        break;
+    }
+
+    default:
+        return util::Error{Untranslated("Unknown content type")};
+    }
+
+    return result;
+}
+
+util::Result<std::pair<EncryptedBackupContent, size_t>> DecodeContent(std::span<const uint8_t> data)
+{
+    if (data.empty()) {
+        return util::Error{Untranslated("Empty content data")};
+    }
+
+    EncryptedBackupContent content;
+    SpanReader reader{data};
+    size_t initial_size = reader.size();
+
+    try {
+        uint8_t type_byte;
+        reader >> type_byte;
+
+        if (type_byte == 0x00) {
+            return util::Error{Untranslated("Reserved content type 0x00")};
+        }
+
+        if (type_byte >= 0x80) {
+            return util::Error{Untranslated("Content type >= 0x80 stops parsing")};
+        }
+
+        if (type_byte == static_cast<uint8_t>(ContentType::BIP_NUMBER)) {
+            content.type = ContentType::BIP_NUMBER;
+            // BIP number is big-endian uint16, read manually
+            uint8_t hi, lo;
+            reader >> hi >> lo;
+            content.bip_number = (static_cast<uint16_t>(hi) << 8) | lo;
+        } else if (type_byte == static_cast<uint8_t>(ContentType::VENDOR_SPECIFIC)) {
+            content.type = ContentType::VENDOR_SPECIFIC;
+            uint64_t length = ReadCompactSize(reader);
+            if (length > reader.size()) {
+                return util::Error{Untranslated("Vendor data exceeds remaining bytes")};
+            }
+            content.vendor_data.resize(length);
+            reader.read(MakeWritableByteSpan(content.vendor_data));
+        } else {
+            // Unknown type < 0x80: skip by reading length
+            content.type = static_cast<ContentType>(type_byte);
+            uint64_t length = ReadCompactSize(reader);
+            if (length > reader.size()) {
+                return util::Error{Untranslated("Content data exceeds remaining bytes")};
+            }
+            reader.ignore(length);
+        }
+
+        return std::make_pair(content, initial_size - reader.size());
+    } catch (const std::ios_base::failure& e) {
+        return util::Error{Untranslated(strprintf("Failed to decode content: %s", e.what()))};
+    }
+}
+
 } // namespace wallet
diff --git a/src/wallet/encryptedbackup.h b/src/wallet/encryptedbackup.h
index ab6043bc0d7b..7b7424f83aea 100644
--- a/src/wallet/encryptedbackup.h
+++ b/src/wallet/encryptedbackup.h
@@ -8,6 +8,7 @@
 #include <cstdint>
 #include <span>
 #include <string>
+#include <utility>
 #include <vector>
 
 #include <pubkey.h>
@@ -40,6 +41,27 @@ static constexpr std::string_view BIP_INDIVIDUAL_SECRET_TAG = "BIP_XXXX_INDIVIDU
  */
 using DerivationPath = std::vector<uint32_t>;
 
+/** Content type identifiers */
+enum class ContentType : uint8_t {
+    RESERVED = 0x00,
+    BIP_NUMBER = 0x01,
+    VENDOR_SPECIFIC = 0x02,
+};
+
+/** Well-known BIP numbers for content types */
+static constexpr uint16_t BIP_DESCRIPTORS = 380;
+static constexpr uint16_t BIP_WALLET_POLICIES = 388;
+static constexpr uint16_t BIP_LABELS = 329;
+
+/**
+ * Represents the content metadata in an encrypted backup.
+ */
+struct EncryptedBackupContent {
+    ContentType type{ContentType::RESERVED};
+    uint16_t bip_number{0};                    // Used when type == BIP_NUMBER
+    std::vector<uint8_t> vendor_data;          // Used when type == VENDOR_SPECIFIC
+};
+
 /**
  * Normalize a public key to 32-byte x-only format.
  *
@@ -153,6 +175,22 @@ util::Result<std::vector<uint8_t>> EncodeIndividualSecrets(const std::vector<uin
  */
 util::Result<std::vector<uint256>> DecodeIndividualSecrets(std::span<const uint8_t> data);
 
+/**
+ * Encode content metadata according to the backup format.
+ *
+ * @param[in] content The content metadata
+ * @return Encoded bytes, or error message
+ */
+util::Result<std::vector<uint8_t>> EncodeContent(const EncryptedBackupContent& content);
+
+/**
+ * Decode content metadata from backup format.
+ *
+ * @param[in] data The encoded data
+ * @return Content metadata and bytes consumed, or error message
+ */
+util::Result<std::pair<EncryptedBackupContent, size_t>> DecodeContent(std::span<const uint8_t> data);
+
 } // namespace wallet
 
 #endif // BITCOIN_WALLET_ENCRYPTEDBACKUP_H
diff --git a/src/wallet/test/encrypted_backup_tests.cpp b/src/wallet/test/encrypted_backup_tests.cpp
index b29b57efb680..122095a17127 100644
--- a/src/wallet/test/encrypted_backup_tests.cpp
+++ b/src/wallet/test/encrypted_backup_tests.cpp
@@ -4,6 +4,7 @@
 
 #include <wallet/encryptedbackup.h>
 
+#include <test/data/bip_encrypted_backup_content_type.json.h>
 #include <test/data/bip_encrypted_backup_derivation_path.json.h>
 #include <test/data/bip_encrypted_backup_encryption_secret.json.h>
 #include <test/data/bip_encrypted_backup_individual_secrets.json.h>
@@ -286,6 +287,44 @@ BOOST_AUTO_TEST_CASE(individual_secrets_encoding_test)
     }
 }
 
+BOOST_AUTO_TEST_CASE(content_type_encoding_test)
+{
+    // Test content type encoding using BIP test vectors
+    UniValue vectors = read_json(json_tests::bip_encrypted_backup_content_type);
+
+    for (size_t i = 0; i < vectors.size(); ++i) {
+        const UniValue& vec = vectors[i];
+        std::string description = vec["description"].get_str();
+        bool valid = vec["valid"].get_bool();
+        std::string content_hex = vec["content"].get_str();
+
+        BOOST_TEST_MESSAGE("Testing: " << description);
+
+        auto content_bytes = ParseHex(content_hex);
+
+        // Try to decode
+        auto decoded_result = DecodeContent(content_bytes);
+
+        if (!valid) {
+            BOOST_CHECK_MESSAGE(!decoded_result,
+                description << ": expected decode failure but got success");
+        } else {
+            BOOST_REQUIRE_MESSAGE(decoded_result,
+                description << ": expected decode success but got: " <<
+                (decoded_result ? "" : util::ErrorString(decoded_result).original));
+
+            auto [content, bytes_consumed] = *decoded_result;
+
+            // Only test round-trip for known types
+            if (content.type == ContentType::BIP_NUMBER ||
+                content.type == ContentType::VENDOR_SPECIFIC) {
+                auto reencoded = EncodeContent(content);
+                BOOST_REQUIRE_MESSAGE(reencoded, util::ErrorString(reencoded).original);
+            }
+        }
+    }
+}
+
 BOOST_AUTO_TEST_SUITE_END()
 
 } // namespace wallet

From a6895b7ddc46c987b9455d4b260c57c66cfe3045 Mon Sep 17 00:00:00 2001
From: Sjors Provoost <sjors@sprovoost.nl>
Date: Wed, 14 Jan 2026 16:36:59 +0100
Subject: [PATCH 09/12] wallet: BIP-xxxx full encrypted backup

Add the complete encryption and encoding layer for BIP-xxxx encrypted backups:

Encryption:
- EncryptChaCha20Poly1305: encrypt with ChaCha20-Poly1305 AEAD
- DecryptChaCha20Poly1305: decrypt and verify authentication tag

Backup creation and encoding:
- CreateEncryptedBackup: create backup from descriptor and plaintext
- EncodeEncryptedBackup: encode to binary format
- EncodeEncryptedBackupBase64: encode to base64 string
- DecodeEncryptedBackup: decode from binary format
- DecodeEncryptedBackupBase64: decode from base64 string

Decryption:
- DecryptBackupWithKey: attempt decryption using a single public key
- DecryptBackupWithDescriptor: try all keys from a descriptor

The format uses 6-byte magic "BIPXXX", version byte, derivation paths,
individual secrets (ci values for key recovery), and ChaCha20-Poly1305
encrypted payload containing content type metadata and user data.
---
 src/wallet/encryptedbackup.cpp             | 314 +++++++++++++++++++++
 src/wallet/encryptedbackup.h               | 131 +++++++++
 src/wallet/test/encrypted_backup_tests.cpp | 117 ++++++++
 3 files changed, 562 insertions(+)

diff --git a/src/wallet/encryptedbackup.cpp b/src/wallet/encryptedbackup.cpp
index f3405717cab0..e724cc067f9c 100644
--- a/src/wallet/encryptedbackup.cpp
+++ b/src/wallet/encryptedbackup.cpp
@@ -6,12 +6,15 @@
 
 #include <cstring>
 
+#include <crypto/chacha20poly1305.h>
 #include <hash.h>
 #include <key_io.h>
+#include <random.h>
 #include <script/descriptor.h>
 #include <serialize.h>
 #include <streams.h>
 #include <util/bip32.h>
+#include <util/strencodings.h>
 
 namespace wallet {
 
@@ -334,4 +337,315 @@ util::Result<std::pair<EncryptedBackupContent, size_t>> DecodeContent(std::span<
     }
 }
 
+std::vector<uint8_t> EncryptChaCha20Poly1305(std::span<const uint8_t> plaintext,
+                                              const uint256& secret,
+                                              std::span<const uint8_t, ENCRYPTED_BACKUP_NONCE_SIZE> nonce)
+{
+    // Convert secret to byte span
+    std::array<std::byte, 32> key_bytes;
+    std::memcpy(key_bytes.data(), secret.data(), 32);
+
+    // Initialize AEAD
+    AEADChaCha20Poly1305 aead{key_bytes};
+
+    // Prepare nonce (96-bit = 12 bytes)
+    std::array<std::byte, AEADChaCha20Poly1305::NONCE_SIZE> nonce_bytes;
+    std::memcpy(nonce_bytes.data(), nonce.data(), nonce.size());
+    auto nonce96 = AEADChaCha20Poly1305::NonceFromBytes(nonce_bytes);
+
+    // Convert plaintext to byte span
+    std::vector<std::byte> plain_bytes(plaintext.size());
+    std::memcpy(plain_bytes.data(), plaintext.data(), plaintext.size());
+
+    // Allocate output (plaintext + 16-byte tag)
+    std::vector<std::byte> cipher_bytes(plaintext.size() + AEADChaCha20Poly1305::EXPANSION);
+
+    // Encrypt with empty AAD
+    aead.Encrypt(plain_bytes, {}, nonce96, cipher_bytes);
+
+    // Convert back to uint8_t
+    std::vector<uint8_t> result(cipher_bytes.size());
+    std::memcpy(result.data(), cipher_bytes.data(), cipher_bytes.size());
+
+    return result;
+}
+
+std::optional<std::vector<uint8_t>> DecryptChaCha20Poly1305(std::span<const uint8_t> ciphertext,
+                                                             const uint256& secret,
+                                                             std::span<const uint8_t, ENCRYPTED_BACKUP_NONCE_SIZE> nonce)
+{
+    if (ciphertext.size() < AEADChaCha20Poly1305::EXPANSION) {
+        return std::nullopt;
+    }
+
+    // Convert secret to byte span
+    std::array<std::byte, 32> key_bytes;
+    std::memcpy(key_bytes.data(), secret.data(), 32);
+
+    // Initialize AEAD
+    AEADChaCha20Poly1305 aead{key_bytes};
+
+    // Prepare nonce
+    std::array<std::byte, AEADChaCha20Poly1305::NONCE_SIZE> nonce_bytes;
+    std::memcpy(nonce_bytes.data(), nonce.data(), nonce.size());
+    auto nonce96 = AEADChaCha20Poly1305::NonceFromBytes(nonce_bytes);
+
+    // Convert ciphertext to byte span
+    std::vector<std::byte> cipher_bytes(ciphertext.size());
+    std::memcpy(cipher_bytes.data(), ciphertext.data(), ciphertext.size());
+
+    // Allocate output
+    std::vector<std::byte> plain_bytes(ciphertext.size() - AEADChaCha20Poly1305::EXPANSION);
+
+    // Decrypt with empty AAD
+    if (!aead.Decrypt(cipher_bytes, {}, nonce96, plain_bytes)) {
+        return std::nullopt;
+    }
+
+    // Convert back to uint8_t
+    std::vector<uint8_t> result(plain_bytes.size());
+    std::memcpy(result.data(), plain_bytes.data(), plain_bytes.size());
+
+    return result;
+}
+
+util::Result<EncryptedBackup> CreateEncryptedBackup(
+    const std::string& descriptor,
+    std::span<const uint8_t> plaintext,
+    const EncryptedBackupContent& content,
+    const std::vector<DerivationPath>& derivation_paths)
+{
+    if (plaintext.empty()) {
+        return util::Error{Untranslated("Plaintext cannot be empty")};
+    }
+
+    // Extract keys from descriptor
+    auto keys_result = ExtractKeysFromDescriptor(descriptor);
+    if (!keys_result) {
+        return util::Error{util::ErrorString(keys_result)};
+    }
+    const std::vector<uint256>& keys = *keys_result;
+
+    // Compute secrets
+    uint256 decryption_secret = ComputeDecryptionSecret(keys);
+    std::vector<uint256> individual_secrets = ComputeAllIndividualSecrets(decryption_secret, keys);
+
+    // Encode content prefix
+    auto content_encoded = EncodeContent(content);
+    if (!content_encoded) {
+        return util::Error{util::ErrorString(content_encoded)};
+    }
+
+    // Build payload: CONTENT || PLAINTEXT
+    std::vector<uint8_t> payload;
+    payload.insert(payload.end(), content_encoded->begin(), content_encoded->end());
+    payload.insert(payload.end(), plaintext.begin(), plaintext.end());
+
+    // Generate random nonce
+    std::array<uint8_t, ENCRYPTED_BACKUP_NONCE_SIZE> nonce;
+    GetStrongRandBytes(nonce);
+
+    // Encrypt
+    std::vector<uint8_t> ciphertext = EncryptChaCha20Poly1305(payload, decryption_secret, nonce);
+
+    // Build result
+    EncryptedBackup backup;
+    backup.version = ENCRYPTED_BACKUP_VERSION;
+    backup.derivation_paths = derivation_paths;
+    backup.individual_secrets = std::move(individual_secrets);
+    backup.encryption = EncryptionAlgorithm::CHACHA20_POLY1305;
+    backup.nonce = nonce;
+    backup.ciphertext = std::move(ciphertext);
+
+    return backup;
+}
+
+std::vector<uint8_t> EncodeEncryptedBackup(const EncryptedBackup& backup)
+{
+    std::vector<uint8_t> result;
+
+    // MAGIC (6 bytes)
+    result.insert(result.end(), ENCRYPTED_BACKUP_MAGIC.begin(), ENCRYPTED_BACKUP_MAGIC.end());
+
+    // VERSION (1 byte)
+    result.push_back(backup.version);
+
+    // DERIVATION_PATHS
+    auto paths_encoded = EncodeDerivationPaths(backup.derivation_paths);
+    if (paths_encoded) {
+        result.insert(result.end(), paths_encoded->begin(), paths_encoded->end());
+    } else {
+        // Empty paths on error
+        result.push_back(0);
+    }
+
+    // INDIVIDUAL_SECRETS
+    auto secrets_encoded = EncodeIndividualSecrets(backup.individual_secrets);
+    if (secrets_encoded) {
+        result.insert(result.end(), secrets_encoded->begin(), secrets_encoded->end());
+    }
+
+    // ENCRYPTION (1 byte)
+    result.push_back(static_cast<uint8_t>(backup.encryption));
+
+    // ENCRYPTED_PAYLOAD: NONCE || LENGTH || CIPHERTEXT
+    result.insert(result.end(), backup.nonce.begin(), backup.nonce.end());
+
+    // CompactSize encoding for ciphertext length
+    {
+        DataStream ss;
+        WriteCompactSize(ss, backup.ciphertext.size());
+        result.insert(result.end(), UCharCast(ss.data()), UCharCast(ss.data()) + ss.size());
+    }
+
+    result.insert(result.end(), backup.ciphertext.begin(), backup.ciphertext.end());
+
+    return result;
+}
+
+std::string EncodeEncryptedBackupBase64(const EncryptedBackup& backup)
+{
+    std::vector<uint8_t> binary = EncodeEncryptedBackup(backup);
+    return EncodeBase64(binary);
+}
+
+util::Result<EncryptedBackup> DecodeEncryptedBackup(std::span<const uint8_t> data)
+{
+    if (data.size() < 6 + 1 + 1 + 1 + 1 + 12 + 1) {
+        return util::Error{Untranslated("Data too short for encrypted backup")};
+    }
+
+    size_t pos = 0;
+    EncryptedBackup backup;
+
+    // Check MAGIC
+    if (!std::equal(ENCRYPTED_BACKUP_MAGIC.begin(), ENCRYPTED_BACKUP_MAGIC.end(), data.begin())) {
+        return util::Error{Untranslated("Invalid magic bytes")};
+    }
+    pos += 6;
+
+    // VERSION
+    backup.version = data[pos++];
+    if (backup.version != ENCRYPTED_BACKUP_VERSION) {
+        return util::Error{Untranslated(strprintf("Unsupported version: %d", backup.version))};
+    }
+
+    // DERIVATION_PATHS
+    auto paths_result = DecodeDerivationPaths(data.subspan(pos));
+    if (!paths_result) {
+        return util::Error{util::ErrorString(paths_result)};
+    }
+    backup.derivation_paths = *paths_result;
+
+    // Calculate consumed bytes for derivation paths
+    size_t paths_size = 1; // count byte
+    for (const auto& path : backup.derivation_paths) {
+        paths_size += 1 + path.size() * 4; // child_count + children
+    }
+    pos += paths_size;
+
+    // INDIVIDUAL_SECRETS
+    if (pos >= data.size()) {
+        return util::Error{Untranslated("Missing individual secrets")};
+    }
+    auto secrets_result = DecodeIndividualSecrets(data.subspan(pos));
+    if (!secrets_result) {
+        return util::Error{util::ErrorString(secrets_result)};
+    }
+    backup.individual_secrets = *secrets_result;
+    pos += 1 + backup.individual_secrets.size() * 32;
+
+    // ENCRYPTION
+    if (pos >= data.size()) {
+        return util::Error{Untranslated("Missing encryption algorithm")};
+    }
+    uint8_t enc_byte = data[pos++];
+    if (enc_byte != static_cast<uint8_t>(EncryptionAlgorithm::CHACHA20_POLY1305)) {
+        return util::Error{Untranslated("Unsupported encryption algorithm")};
+    }
+    backup.encryption = EncryptionAlgorithm::CHACHA20_POLY1305;
+
+    // NONCE
+    if (pos + ENCRYPTED_BACKUP_NONCE_SIZE > data.size()) {
+        return util::Error{Untranslated("Missing nonce")};
+    }
+    std::memcpy(backup.nonce.data(), data.data() + pos, ENCRYPTED_BACKUP_NONCE_SIZE);
+    pos += ENCRYPTED_BACKUP_NONCE_SIZE;
+
+    // LENGTH (CompactSize) and CIPHERTEXT
+    try {
+        SpanReader reader{data.subspan(pos)};
+        uint64_t cipher_len = ReadCompactSize(reader);
+        if (cipher_len > reader.size()) {
+            return util::Error{Untranslated("Truncated ciphertext")};
+        }
+        backup.ciphertext.resize(cipher_len);
+        reader.read(MakeWritableByteSpan(backup.ciphertext));
+    } catch (const std::ios_base::failure& e) {
+        return util::Error{Untranslated(strprintf("Invalid ciphertext length: %s", e.what()))};
+    }
+
+    return backup;
+}
+
+util::Result<EncryptedBackup> DecodeEncryptedBackupBase64(const std::string& base64_str)
+{
+    auto decoded = DecodeBase64(base64_str);
+    if (!decoded) {
+        return util::Error{Untranslated("Invalid base64 encoding")};
+    }
+    return DecodeEncryptedBackup(*decoded);
+}
+
+std::optional<std::vector<uint8_t>> DecryptBackupWithKey(const EncryptedBackup& backup,
+                                                          const uint256& key)
+{
+    // Compute individual secret for this key
+    uint256 si = ComputeIndividualSecret(key);
+
+    // Try each individual secret in the backup
+    for (const auto& ci : backup.individual_secrets) {
+        // Reconstruct decryption secret: s = ci XOR si
+        uint256 reconstructed_secret;
+        for (size_t i = 0; i < 32; ++i) {
+            reconstructed_secret.data()[i] = ci.data()[i] ^ si.data()[i];
+        }
+
+        // Try to decrypt
+        auto result = DecryptChaCha20Poly1305(backup.ciphertext, reconstructed_secret, backup.nonce);
+        if (result) {
+            // Decryption succeeded - strip the content prefix and return plaintext
+            auto content_result = DecodeContent(*result);
+            if (content_result) {
+                size_t content_size = content_result->second;
+                if (content_size <= result->size()) {
+                    return std::vector<uint8_t>(result->begin() + content_size, result->end());
+                }
+            }
+            // If content parsing fails, return full payload
+            return result;
+        }
+    }
+
+    return std::nullopt;
+}
+
+util::Result<std::vector<uint8_t>> DecryptBackupWithDescriptor(const EncryptedBackup& backup,
+                                                                const std::string& descriptor)
+{
+    auto keys_result = ExtractKeysFromDescriptor(descriptor);
+    if (!keys_result) {
+        return util::Error{util::ErrorString(keys_result)};
+    }
+
+    for (const auto& key : *keys_result) {
+        auto result = DecryptBackupWithKey(backup, key);
+        if (result) {
+            return *result;
+        }
+    }
+
+    return util::Error{Untranslated("No matching key found for decryption")};
+}
+
 } // namespace wallet
diff --git a/src/wallet/encryptedbackup.h b/src/wallet/encryptedbackup.h
index 7b7424f83aea..8f56c9d25580 100644
--- a/src/wallet/encryptedbackup.h
+++ b/src/wallet/encryptedbackup.h
@@ -5,7 +5,9 @@
 #ifndef BITCOIN_WALLET_ENCRYPTEDBACKUP_H
 #define BITCOIN_WALLET_ENCRYPTEDBACKUP_H
 
+#include <array>
 #include <cstdint>
+#include <optional>
 #include <span>
 #include <string>
 #include <utility>
@@ -29,6 +31,24 @@ namespace wallet {
  * Restoring from an encrypted backup creates a watch-only wallet.
  */
 
+/** Magic bytes for encrypted backup format */
+static constexpr std::array<uint8_t, 6> ENCRYPTED_BACKUP_MAGIC = {'B', 'I', 'P', 'X', 'X', 'X'};
+
+/** Current format version */
+static constexpr uint8_t ENCRYPTED_BACKUP_VERSION = 0x01;
+
+/** Encryption algorithm identifiers */
+enum class EncryptionAlgorithm : uint8_t {
+    RESERVED = 0x00,
+    CHACHA20_POLY1305 = 0x01,
+};
+
+/** Size of the nonce for ChaCha20-Poly1305 */
+static constexpr size_t ENCRYPTED_BACKUP_NONCE_SIZE = 12;
+
+/** Size of the authentication tag */
+static constexpr size_t ENCRYPTED_BACKUP_TAG_SIZE = 16;
+
 /** Prefix for deriving the decryption secret */
 static constexpr std::string_view BIP_DECRYPTION_SECRET_TAG = "BIP_XXXX_DECRYPTION_SECRET";
 
@@ -62,6 +82,23 @@ struct EncryptedBackupContent {
     std::vector<uint8_t> vendor_data;          // Used when type == VENDOR_SPECIFIC
 };
 
+/**
+ * Represents a complete encrypted backup structure.
+ *
+ * This struct represents the parsed/encoded backup format. Note that the content
+ * type metadata is stored inside the encrypted payload, not in this struct.
+ * The content is passed separately to CreateEncryptedBackup() and decoded
+ * separately after decryption.
+ */
+struct EncryptedBackup {
+    uint8_t version{ENCRYPTED_BACKUP_VERSION};
+    std::vector<DerivationPath> derivation_paths;
+    std::vector<uint256> individual_secrets;
+    EncryptionAlgorithm encryption{EncryptionAlgorithm::CHACHA20_POLY1305};
+    std::array<uint8_t, ENCRYPTED_BACKUP_NONCE_SIZE> nonce;
+    std::vector<uint8_t> ciphertext;  // Includes content prefix and authentication tag
+};
+
 /**
  * Normalize a public key to 32-byte x-only format.
  *
@@ -191,6 +228,100 @@ util::Result<std::vector<uint8_t>> EncodeContent(const EncryptedBackupContent& c
  */
 util::Result<std::pair<EncryptedBackupContent, size_t>> DecodeContent(std::span<const uint8_t> data);
 
+/**
+ * Encrypt plaintext using ChaCha20-Poly1305.
+ *
+ * @param[in] plaintext The data to encrypt
+ * @param[in] secret The 32-byte encryption secret
+ * @param[in] nonce The 12-byte nonce
+ * @return Ciphertext with authentication tag appended
+ */
+std::vector<uint8_t> EncryptChaCha20Poly1305(std::span<const uint8_t> plaintext,
+                                              const uint256& secret,
+                                              std::span<const uint8_t, ENCRYPTED_BACKUP_NONCE_SIZE> nonce);
+
+/**
+ * Decrypt ciphertext using ChaCha20-Poly1305.
+ *
+ * @param[in] ciphertext The encrypted data with authentication tag
+ * @param[in] secret The 32-byte decryption secret
+ * @param[in] nonce The 12-byte nonce
+ * @return Plaintext, or nullopt if authentication fails
+ */
+std::optional<std::vector<uint8_t>> DecryptChaCha20Poly1305(std::span<const uint8_t> ciphertext,
+                                                             const uint256& secret,
+                                                             std::span<const uint8_t, ENCRYPTED_BACKUP_NONCE_SIZE> nonce);
+
+/**
+ * Create an encrypted backup from a descriptor and plaintext payload.
+ *
+ * @param[in] descriptor The wallet descriptor (used to derive encryption key)
+ * @param[in] plaintext The data to encrypt (typically the descriptor itself or labels)
+ * @param[in] content Content type metadata
+ * @param[in] derivation_paths Optional derivation paths to include
+ * @return The encrypted backup structure, or error message
+ */
+util::Result<EncryptedBackup> CreateEncryptedBackup(
+    const std::string& descriptor,
+    std::span<const uint8_t> plaintext,
+    const EncryptedBackupContent& content,
+    const std::vector<DerivationPath>& derivation_paths = {});
+
+/**
+ * Encode an encrypted backup to binary format.
+ *
+ * @param[in] backup The backup structure to encode
+ * @return Encoded binary data
+ */
+std::vector<uint8_t> EncodeEncryptedBackup(const EncryptedBackup& backup);
+
+/**
+ * Encode an encrypted backup to base64 string.
+ *
+ * @param[in] backup The backup structure to encode
+ * @return Base64-encoded string
+ */
+std::string EncodeEncryptedBackupBase64(const EncryptedBackup& backup);
+
+/**
+ * Decode an encrypted backup from binary format.
+ *
+ * @param[in] data The encoded binary data
+ * @return The backup structure, or error message
+ */
+util::Result<EncryptedBackup> DecodeEncryptedBackup(std::span<const uint8_t> data);
+
+/**
+ * Decode an encrypted backup from base64 string.
+ *
+ * @param[in] base64_str The base64-encoded string
+ * @return The backup structure, or error message
+ */
+util::Result<EncryptedBackup> DecodeEncryptedBackupBase64(const std::string& base64_str);
+
+/**
+ * Attempt to decrypt an encrypted backup using a single public key.
+ *
+ * Tries to reconstruct the decryption secret using the individual secrets
+ * in the backup and the provided key.
+ *
+ * @param[in] backup The encrypted backup
+ * @param[in] key The normalized x-only public key to try
+ * @return Decrypted plaintext, or nullopt if key doesn't match or decryption fails
+ */
+std::optional<std::vector<uint8_t>> DecryptBackupWithKey(const EncryptedBackup& backup,
+                                                          const uint256& key);
+
+/**
+ * Attempt to decrypt an encrypted backup using any matching key from a descriptor.
+ *
+ * @param[in] backup The encrypted backup
+ * @param[in] descriptor A descriptor containing potential decryption keys
+ * @return Decrypted plaintext, or error message
+ */
+util::Result<std::vector<uint8_t>> DecryptBackupWithDescriptor(const EncryptedBackup& backup,
+                                                                const std::string& descriptor);
+
 } // namespace wallet
 
 #endif // BITCOIN_WALLET_ENCRYPTEDBACKUP_H
diff --git a/src/wallet/test/encrypted_backup_tests.cpp b/src/wallet/test/encrypted_backup_tests.cpp
index 122095a17127..689d4b2bfd5f 100644
--- a/src/wallet/test/encrypted_backup_tests.cpp
+++ b/src/wallet/test/encrypted_backup_tests.cpp
@@ -325,6 +325,123 @@ BOOST_AUTO_TEST_CASE(content_type_encoding_test)
     }
 }
 
+BOOST_AUTO_TEST_CASE(chacha20poly1305_roundtrip_test)
+{
+    // Test basic encryption/decryption roundtrip
+    std::vector<uint8_t> plaintext = {'H', 'e', 'l', 'l', 'o', ' ', 'W', 'o', 'r', 'l', 'd'};
+    uint256 secret;
+    GetStrongRandBytes(secret);
+
+    std::array<uint8_t, ENCRYPTED_BACKUP_NONCE_SIZE> nonce;
+    GetStrongRandBytes(nonce);
+
+    // Encrypt
+    auto ciphertext = EncryptChaCha20Poly1305(plaintext, secret, nonce);
+    BOOST_CHECK_EQUAL(ciphertext.size(), plaintext.size() + ENCRYPTED_BACKUP_TAG_SIZE);
+
+    // Decrypt with correct key
+    auto decrypted = DecryptChaCha20Poly1305(ciphertext, secret, nonce);
+    BOOST_REQUIRE(decrypted.has_value());
+    BOOST_CHECK(decrypted.value() == plaintext);
+
+    // Decrypt with wrong key should fail
+    uint256 wrong_secret;
+    GetStrongRandBytes(wrong_secret);
+    auto decrypted_wrong = DecryptChaCha20Poly1305(ciphertext, wrong_secret, nonce);
+    BOOST_CHECK(!decrypted_wrong.has_value());
+}
+
+BOOST_AUTO_TEST_CASE(full_backup_roundtrip_test)
+{
+    // Test full backup creation and decryption with a real descriptor
+    // Use testnet tpub since we're running on RegTest
+    std::string descriptor = "wpkh([d34db33f/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*)";
+
+    // Create backup
+    EncryptedBackupContent content;
+    content.type = ContentType::BIP_NUMBER;
+    content.bip_number = BIP_DESCRIPTORS;
+
+    std::vector<uint8_t> plaintext(descriptor.begin(), descriptor.end());
+
+    auto backup_result = CreateEncryptedBackup(descriptor, plaintext, content, {});
+    BOOST_REQUIRE_MESSAGE(backup_result, util::ErrorString(backup_result).original);
+
+    // Encode to binary
+    auto encoded = EncodeEncryptedBackup(*backup_result);
+    BOOST_CHECK(!encoded.empty());
+
+    // Check magic bytes
+    BOOST_CHECK_EQUAL(encoded[0], 'B');
+    BOOST_CHECK_EQUAL(encoded[1], 'I');
+    BOOST_CHECK_EQUAL(encoded[2], 'P');
+
+    // Decode back
+    auto decoded_result = DecodeEncryptedBackup(encoded);
+    BOOST_REQUIRE_MESSAGE(decoded_result, util::ErrorString(decoded_result).original);
+
+    // Decrypt using the same descriptor
+    auto decrypted = DecryptBackupWithDescriptor(*decoded_result, descriptor);
+    BOOST_REQUIRE_MESSAGE(decrypted, util::ErrorString(decrypted).original);
+
+    // Verify plaintext matches
+    std::string decrypted_str(decrypted->begin(), decrypted->end());
+    BOOST_CHECK_EQUAL(decrypted_str, descriptor);
+}
+
+BOOST_AUTO_TEST_CASE(base64_encoding_test)
+{
+    // Test base64 encoding roundtrip
+    // Use testnet tpub since we're running on RegTest
+    std::string descriptor = "wpkh([d34db33f/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*)";
+
+    EncryptedBackupContent content;
+    content.type = ContentType::BIP_NUMBER;
+    content.bip_number = BIP_DESCRIPTORS;
+
+    std::vector<uint8_t> plaintext(descriptor.begin(), descriptor.end());
+
+    auto backup_result = CreateEncryptedBackup(descriptor, plaintext, content, {});
+    BOOST_REQUIRE_MESSAGE(backup_result, util::ErrorString(backup_result).original);
+
+    // Encode to base64
+    std::string base64_str = EncodeEncryptedBackupBase64(*backup_result);
+    BOOST_CHECK(!base64_str.empty());
+
+    // Decode from base64
+    auto decoded_result = DecodeEncryptedBackupBase64(base64_str);
+    BOOST_REQUIRE_MESSAGE(decoded_result, util::ErrorString(decoded_result).original);
+
+    // Decrypt
+    auto decrypted = DecryptBackupWithDescriptor(*decoded_result, descriptor);
+    BOOST_REQUIRE_MESSAGE(decrypted, util::ErrorString(decrypted).original);
+
+    std::string decrypted_str(decrypted->begin(), decrypted->end());
+    BOOST_CHECK_EQUAL(decrypted_str, descriptor);
+}
+
+BOOST_AUTO_TEST_CASE(wrong_key_decryption_test)
+{
+    // Test that decryption fails with wrong key
+    // Use testnet tpub keys since we're running on RegTest
+    std::string descriptor1 = "wpkh([11111111/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*)";
+    std::string descriptor2 = "wpkh([22222222/84h/1h/0h]tpubDCBEcmVKbfC9KfdydyLbJ2gfNL88grZu1XcWSW9ytTM6fitvaRmVyr8Ddf7SjZ2ZfMx9RicjYAXhuh3fmLiVLPodPEqnQQURUfrBKiiVZc8/0/*)";
+
+    EncryptedBackupContent content;
+    content.type = ContentType::BIP_NUMBER;
+    content.bip_number = BIP_DESCRIPTORS;
+
+    std::vector<uint8_t> plaintext(descriptor1.begin(), descriptor1.end());
+
+    // Create backup with descriptor1
+    auto backup_result = CreateEncryptedBackup(descriptor1, plaintext, content, {});
+    BOOST_REQUIRE_MESSAGE(backup_result, util::ErrorString(backup_result).original);
+
+    // Try to decrypt with descriptor2 - should fail
+    auto decrypted = DecryptBackupWithDescriptor(*backup_result, descriptor2);
+    BOOST_CHECK_MESSAGE(!decrypted, "Decryption should fail with wrong key");
+}
+
 BOOST_AUTO_TEST_SUITE_END()
 
 } // namespace wallet

From 1a9787806a6c104d4b0710ea289d73669630ea6a Mon Sep 17 00:00:00 2001
From: Sjors Provoost <sjors@sprovoost.nl>
Date: Wed, 14 Jan 2026 15:09:59 +0100
Subject: [PATCH 10/12] wallet-tool: add encryptbackup and decryptbackup
 commands

Adds two new commands to bitcoin-wallet tool:

encryptbackup:
  Creates an encrypted backup of all wallet descriptors.
  Outputs base64-encoded backup to stdout.
  Requires: -wallet=<name>

decryptbackup:
  Decrypts a backup using a provided extended public key (xpub/tpub).
  Reads base64 backup from stdin, outputs JSON to stdout.
  Requires: -pubkey=<xpub>
  The output is compatible with the importdescriptors RPC.

The decryption only requires an xpub that was used in the original
wallet. In a recovery scenario, the user derives this from their
seed phrase at a known derivation path (e.g., m/84'/0'/0').

Includes functional test demonstrating the full roundtrip.
---
 src/CMakeLists.txt             |   1 +
 src/bitcoin-wallet.cpp         |   3 +
 src/wallet/wallettool.cpp      | 138 +++++++++++++++++++++++++++++++++
 test/functional/tool_wallet.py | 115 +++++++++++++++++++++++++++
 4 files changed, 257 insertions(+)

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index a1e0c5f131a5..cbca58f1a9df 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -167,6 +167,7 @@ if(ENABLE_WALLET)
       bitcoin_wallet
       bitcoin_common
       bitcoin_util
+      univalue
       Boost::headers
     )
     install_binary_component(bitcoin-wallet HAS_MANPAGE)
diff --git a/src/bitcoin-wallet.cpp b/src/bitcoin-wallet.cpp
index 6811f8c5ea19..2bfb75defbec 100644
--- a/src/bitcoin-wallet.cpp
+++ b/src/bitcoin-wallet.cpp
@@ -39,11 +39,14 @@ static void SetupWalletToolArgs(ArgsManager& argsman)
     argsman.AddArg("-dumpfile=<file name>", "When used with 'dump', writes out the records to this file. When used with 'createfromdump', loads the records into a new wallet.", ArgsManager::ALLOW_ANY | ArgsManager::DISALLOW_NEGATION, OptionsCategory::OPTIONS);
     argsman.AddArg("-debug=<category>", "Output debugging information (default: 0).", ArgsManager::ALLOW_ANY, OptionsCategory::DEBUG_TEST);
     argsman.AddArg("-printtoconsole", "Send trace/debug info to console (default: 1 when no -debug is true, 0 otherwise).", ArgsManager::ALLOW_ANY, OptionsCategory::DEBUG_TEST);
+    argsman.AddArg("-pubkey=<key>", "Extended public key (xpub/tpub) for decrypting a backup", ArgsManager::ALLOW_ANY | ArgsManager::DISALLOW_NEGATION, OptionsCategory::OPTIONS);
 
     argsman.AddCommand("info", "Get wallet info");
     argsman.AddCommand("create", "Create a new descriptor wallet file");
     argsman.AddCommand("dump", "Print out all of the wallet key-value records");
     argsman.AddCommand("createfromdump", "Create new wallet file from dumped records");
+    argsman.AddCommand("encryptbackup", "Create an encrypted backup of wallet descriptors (outputs base64)");
+    argsman.AddCommand("decryptbackup", "Decrypt an encrypted backup (reads base64 from stdin, requires -pubkey)");
 }
 
 static std::optional<int> WalletAppInit(ArgsManager& args, int argc, char* argv[])
diff --git a/src/wallet/wallettool.cpp b/src/wallet/wallettool.cpp
index 3e335bc36bdb..f51e8660c5f6 100644
--- a/src/wallet/wallettool.cpp
+++ b/src/wallet/wallettool.cpp
@@ -6,11 +6,17 @@
 
 #include <wallet/wallettool.h>
 
+#include <algorithm>
 #include <common/args.h>
+#include <key_io.h>
+#include <script/descriptor.h>
+#include <univalue.h>
 #include <util/check.h>
 #include <util/fs.h>
 #include <util/translation.h>
 #include <wallet/dump.h>
+#include <wallet/encryptedbackup.h>
+#include <wallet/rpc/util.h>
 #include <wallet/wallet.h>
 #include <wallet/walletutil.h>
 
@@ -173,6 +179,138 @@ bool ExecuteWalletToolFunc(const ArgsManager& args, const std::string& command)
             tfm::format(std::cerr, "%s\n", error.original);
         }
         return ret;
+    } else if (command == "encryptbackup") {
+        // Encrypt wallet descriptors using BIP-XXXX encrypted backup format
+        if (!args.IsArgSet("-wallet")) {
+            tfm::format(std::cerr, "Wallet name must be provided for encryptbackup.\n");
+            return false;
+        }
+
+        DatabaseOptions options;
+        ReadDatabaseArgs(args, options);
+        options.require_existing = true;
+        const std::shared_ptr<CWallet> wallet_instance = MakeWallet(name, path, options);
+        if (!wallet_instance) return false;
+
+        LOCK(wallet_instance->cs_wallet);
+
+        // Collect all descriptors from the wallet in listdescriptors format
+        // This format preserves origin info and can be used with importdescriptors
+        std::vector<std::pair<std::string, WalletDescriptorInfo>> all_descriptors;
+
+        const auto active_spk_mans = wallet_instance->GetActiveScriptPubKeyMans();
+
+        for (const auto& spk_man : wallet_instance->GetAllScriptPubKeyMans()) {
+            auto desc_spk_man = dynamic_cast<DescriptorScriptPubKeyMan*>(spk_man);
+            if (desc_spk_man) {
+                LOCK(desc_spk_man->cs_desc_man);
+                std::string desc_str;
+                // Use GetDescriptorString to preserve origin info
+                if (!desc_spk_man->GetDescriptorString(desc_str, /*priv=*/false)) {
+                    tfm::format(std::cerr, "Failed to get descriptor string.\n");
+                    wallet_instance->Close();
+                    return false;
+                }
+
+                const auto& wallet_desc = desc_spk_man->GetWalletDescriptor();
+                const bool is_range = wallet_desc.descriptor->IsRange();
+
+                // Build descriptor info
+                WalletDescriptorInfo info{
+                    desc_str,
+                    wallet_desc.creation_time,
+                    active_spk_mans.contains(desc_spk_man),
+                    wallet_instance->IsInternalScriptPubKeyMan(desc_spk_man),
+                    is_range ? std::optional(std::make_pair(wallet_desc.range_start, wallet_desc.range_end)) : std::nullopt,
+                    wallet_desc.next_index
+                };
+                all_descriptors.emplace_back(desc_str, std::move(info));
+            }
+        }
+
+        if (all_descriptors.empty()) {
+            tfm::format(std::cerr, "No descriptors found in wallet.\n");
+            wallet_instance->Close();
+            return false;
+        }
+
+        // Sort by descriptor string for deterministic ordering
+        std::sort(all_descriptors.begin(), all_descriptors.end(),
+                  [](const auto& a, const auto& b) { return a.first < b.first; });
+
+        // Build the output array and select primary descriptor (first when sorted)
+        UniValue descriptors_arr(UniValue::VARR);
+        std::string primary_descriptor = all_descriptors[0].first;
+        for (const auto& [desc_str, info] : all_descriptors) {
+            descriptors_arr.push_back(DescriptorInfoToUniValue(info));
+        }
+
+        // Build plaintext as JSON array (importdescriptors format)
+        std::string plaintext_str = descriptors_arr.write();
+        std::vector<uint8_t> plaintext(plaintext_str.begin(), plaintext_str.end());
+
+        // Create backup content metadata
+        EncryptedBackupContent content;
+        content.type = ContentType::BIP_NUMBER;
+        content.bip_number = BIP_DESCRIPTORS;
+
+        // Create the encrypted backup
+        auto backup_result = CreateEncryptedBackup(primary_descriptor, plaintext, content, {});
+        if (!backup_result) {
+            tfm::format(std::cerr, "Failed to create encrypted backup: %s\n",
+                        util::ErrorString(backup_result).original);
+            wallet_instance->Close();
+            return false;
+        }
+
+        // Output as base64
+        std::string base64_backup = EncodeEncryptedBackupBase64(*backup_result);
+        tfm::format(std::cout, "%s\n", base64_backup);
+
+        wallet_instance->Close();
+    } else if (command == "decryptbackup") {
+        // Decrypt an encrypted backup using a provided extended public key
+        if (!args.IsArgSet("-pubkey")) {
+            tfm::format(std::cerr, "Extended public key must be provided via -pubkey for decryptbackup.\n");
+            return false;
+        }
+
+        std::string pubkey_str = args.GetArg("-pubkey", "");
+        CExtPubKey ext_pubkey = DecodeExtPubKey(pubkey_str);
+        if (!ext_pubkey.pubkey.IsValid()) {
+            tfm::format(std::cerr, "Invalid extended public key: %s\n", pubkey_str);
+            return false;
+        }
+
+        // Read base64 backup from stdin
+        std::string base64_input;
+        std::getline(std::cin, base64_input);
+        if (base64_input.empty()) {
+            tfm::format(std::cerr, "No backup data provided on stdin.\n");
+            return false;
+        }
+
+        // Decode the backup
+        auto backup_result = DecodeEncryptedBackupBase64(base64_input);
+        if (!backup_result) {
+            tfm::format(std::cerr, "Failed to decode backup: %s\n",
+                        util::ErrorString(backup_result).original);
+            return false;
+        }
+
+        // Normalize xpub to x-only pubkey for decryption
+        uint256 xonly_key = NormalizeToXOnly(ext_pubkey);
+
+        // Try to decrypt using this key
+        auto decrypted = DecryptBackupWithKey(*backup_result, xonly_key);
+        if (!decrypted) {
+            tfm::format(std::cerr, "Failed to decrypt backup: provided key does not match any recipient.\n");
+            return false;
+        }
+
+        // Output the decrypted content as JSON (importdescriptors-compatible format)
+        std::string plaintext(decrypted->begin(), decrypted->end());
+        tfm::format(std::cout, "%s\n", plaintext);
     } else {
         tfm::format(std::cerr, "Invalid command: %s\n", command);
         return false;
diff --git a/test/functional/tool_wallet.py b/test/functional/tool_wallet.py
index 44ac1da96fa9..be716e41c875 100755
--- a/test/functional/tool_wallet.py
+++ b/test/functional/tool_wallet.py
@@ -427,6 +427,120 @@ def test_no_create_legacy(self):
         self.assert_raises_tool_error("Invalid parameter -descriptors", "-wallet=legacy", "-descriptors=false", "create")
         assert not (self.nodes[0].wallets_path / "legacy").exists()
 
+    def test_encrypted_backup(self):
+        """Test encryptbackup and decryptbackup commands."""
+        self.log.info("Test encrypted backup roundtrip")
+
+        # Create a test wallet
+        self.start_node(0)
+        wallet_name = "backup_test_wallet"
+        self.nodes[0].createwallet(wallet_name)
+        wallet = self.nodes[0].get_wallet_rpc(wallet_name)
+
+        # Get the descriptors for comparison later (from listdescriptors RPC)
+        original_descriptors = wallet.listdescriptors()["descriptors"]
+        # Sort by descriptor string for consistent comparison
+        original_descriptors = sorted(original_descriptors, key=lambda d: d["desc"])
+        original_desc_strs = [d["desc"] for d in original_descriptors]
+
+        self.nodes[0].unloadwallet(wallet_name)
+        self.stop_node(0)
+
+        # Create encrypted backup
+        self.log.info("Creating encrypted backup...")
+        p = self.bitcoin_wallet_process(f"-wallet={wallet_name}", "encryptbackup")
+        backup_output, stderr = p.communicate()
+        if p.poll() != 0:
+            self.log.error(f"encryptbackup failed with exit code {p.poll()}")
+            self.log.error(f"stderr: {stderr}")
+            self.log.error(f"stdout: {backup_output}")
+        assert_equal(p.poll(), 0)
+        assert_equal(stderr, "")
+        backup_base64 = backup_output.strip()
+
+        # Verify it's base64 and starts with expected magic when decoded
+        import base64
+        backup_bytes = base64.b64decode(backup_base64)
+        # Magic bytes are "BIPXXX" (BIP number is still TBD)
+        assert backup_bytes[:3] == b"BIP", f"Expected magic 'BIP', got: {backup_bytes[:3]}"
+
+        # Extract an xpub from the original descriptors to use for decryption
+        # In a real recovery scenario, the user would derive this from their seed
+        import re
+        xpub_match = re.search(r'tpub[A-Za-z0-9]+', original_desc_strs[0])
+        assert xpub_match, "Could not find tpub in descriptor"
+        xpub_for_decrypt = xpub_match.group(0)
+        self.log.info(f"Using xpub for decryption: {xpub_for_decrypt[:20]}...")
+
+        # Decrypt the backup using just the xpub (no wallet needed)
+        self.log.info("Decrypting backup using xpub...")
+        p = self.bitcoin_wallet_process(f"-pubkey={xpub_for_decrypt}", "decryptbackup")
+        decrypted_output, stderr = p.communicate(input=backup_base64)
+        if p.poll() != 0:
+            self.log.error(f"decryptbackup failed with exit code {p.poll()}")
+            self.log.error(f"stderr: {stderr}")
+            self.log.error(f"stdout: {decrypted_output}")
+        assert_equal(p.poll(), 0)
+
+        # Parse decrypted JSON (importdescriptors format)
+        import json
+        self.log.info("Verifying decrypted descriptors match originals...")
+
+        # The first line of output is the JSON, stderr has the import message
+        decrypted_content = decrypted_output.strip()
+        decrypted_descriptors = json.loads(decrypted_content)
+
+        # Sort by descriptor string for consistent comparison
+        decrypted_descriptors = sorted(decrypted_descriptors, key=lambda d: d["desc"])
+        decrypted_desc_strs = [d["desc"] for d in decrypted_descriptors]
+
+        # Debug output: one descriptor per line for easy visual comparison
+        self.log.debug("Original descriptors:")
+        for desc in original_desc_strs:
+            self.log.debug(f"  {desc}")
+        self.log.debug("Decrypted descriptors:")
+        for desc in decrypted_desc_strs:
+            self.log.debug(f"  {desc}")
+
+        # Compare each descriptor individually for clear error messages
+        assert_equal(len(original_desc_strs), len(decrypted_desc_strs))
+        for i, (orig, decrypted) in enumerate(zip(original_desc_strs, decrypted_desc_strs)):
+            assert_equal(orig, decrypted)
+
+        # Verify the decrypted format is compatible with importdescriptors
+        # by actually importing into a blank watch-only wallet
+        self.log.info("Creating blank watch-only wallet for import test...")
+        self.start_node(0)
+        import_wallet_name = "imported_backup_wallet"
+        self.nodes[0].createwallet(import_wallet_name, disable_private_keys=True, blank=True)
+        imported_wallet = self.nodes[0].get_wallet_rpc(import_wallet_name)
+
+        self.log.info("Importing decrypted descriptors into blank watch-only wallet...")
+        # Import the descriptors (set timestamp to now to avoid rescan)
+        for desc_obj in decrypted_descriptors:
+            desc_obj["timestamp"] = "now"
+        result = imported_wallet.importdescriptors(decrypted_descriptors)
+        for r in result:
+            assert r["success"], f"Import failed: {r}"
+
+        # Verify the imported wallet has the same descriptors
+        imported_descriptors = imported_wallet.listdescriptors()["descriptors"]
+        imported_descriptors = sorted(imported_descriptors, key=lambda d: d["desc"])
+        imported_desc_strs = [d["desc"] for d in imported_descriptors]
+
+        self.log.debug("Imported wallet descriptors:")
+        for desc in imported_desc_strs:
+            self.log.debug(f"  {desc}")
+
+        assert_equal(len(original_desc_strs), len(imported_desc_strs))
+        for i, (orig, imported) in enumerate(zip(original_desc_strs, imported_desc_strs)):
+            assert_equal(orig, imported)
+
+        self.nodes[0].unloadwallet(import_wallet_name)
+        self.stop_node(0)
+
+        self.log.info("Encrypted backup roundtrip test passed!")
+
     def run_test(self):
         self.wallet_path = self.nodes[0].wallets_path / self.default_wallet_name / self.wallet_data_filename
         self.test_invalid_tool_commands_and_args()
@@ -439,6 +553,7 @@ def run_test(self):
         self.test_chainless_conflicts()
         self.test_dump_very_large_records()
         self.test_no_create_legacy()
+        self.test_encrypted_backup()
 
 
 if __name__ == '__main__':

From 5cdd12a0f05f19d65592f2edc289aff326350d5f Mon Sep 17 00:00:00 2001
From: Sjors Provoost <sjors@sprovoost.nl>
Date: Wed, 14 Jan 2026 15:36:16 +0100
Subject: [PATCH 11/12] wallet-tool: add inspectbackup command

Display unencrypted metadata from a BIP-xxxx encrypted backup:
- Format version
- Number of recipients
- Encryption algorithm
- Derivation paths (if present)
---
 src/bitcoin-wallet.cpp         |  1 +
 src/wallet/wallettool.cpp      | 42 ++++++++++++++++++++++++++++++++++
 test/functional/tool_wallet.py | 13 +++++++++++
 3 files changed, 56 insertions(+)

diff --git a/src/bitcoin-wallet.cpp b/src/bitcoin-wallet.cpp
index 2bfb75defbec..10ccf35acc16 100644
--- a/src/bitcoin-wallet.cpp
+++ b/src/bitcoin-wallet.cpp
@@ -47,6 +47,7 @@ static void SetupWalletToolArgs(ArgsManager& argsman)
     argsman.AddCommand("createfromdump", "Create new wallet file from dumped records");
     argsman.AddCommand("encryptbackup", "Create an encrypted backup of wallet descriptors (outputs base64)");
     argsman.AddCommand("decryptbackup", "Decrypt an encrypted backup (reads base64 from stdin, requires -pubkey)");
+    argsman.AddCommand("inspectbackup", "Show unencrypted metadata from a backup (reads base64 from stdin)");
 }
 
 static std::optional<int> WalletAppInit(ArgsManager& args, int argc, char* argv[])
diff --git a/src/wallet/wallettool.cpp b/src/wallet/wallettool.cpp
index f51e8660c5f6..1f1b477bbd94 100644
--- a/src/wallet/wallettool.cpp
+++ b/src/wallet/wallettool.cpp
@@ -11,6 +11,7 @@
 #include <key_io.h>
 #include <script/descriptor.h>
 #include <univalue.h>
+#include <util/bip32.h>
 #include <util/check.h>
 #include <util/fs.h>
 #include <util/translation.h>
@@ -311,6 +312,47 @@ bool ExecuteWalletToolFunc(const ArgsManager& args, const std::string& command)
         // Output the decrypted content as JSON (importdescriptors-compatible format)
         std::string plaintext(decrypted->begin(), decrypted->end());
         tfm::format(std::cout, "%s\n", plaintext);
+    } else if (command == "inspectbackup") {
+        // Show unencrypted metadata from a backup
+        // Read base64 backup from stdin
+        std::string base64_input;
+        std::getline(std::cin, base64_input);
+        if (base64_input.empty()) {
+            tfm::format(std::cerr, "No backup data provided on stdin.\n");
+            return false;
+        }
+
+        // Decode the backup
+        auto backup_result = DecodeEncryptedBackupBase64(base64_input);
+        if (!backup_result) {
+            tfm::format(std::cerr, "Failed to decode backup: %s\n",
+                        util::ErrorString(backup_result).original);
+            return false;
+        }
+
+        const EncryptedBackup& backup = *backup_result;
+
+        // Output metadata as JSON (only unencrypted header fields)
+        UniValue result(UniValue::VOBJ);
+        result.pushKV("version", backup.version);
+        result.pushKV("recipients", static_cast<int>(backup.individual_secrets.size()));
+
+        // Encryption algorithm
+        std::string enc_str;
+        switch (backup.encryption) {
+            case EncryptionAlgorithm::CHACHA20_POLY1305: enc_str = "ChaCha20-Poly1305"; break;
+            default: enc_str = "unknown"; break;
+        }
+        result.pushKV("encryption", enc_str);
+
+        // Derivation paths
+        UniValue paths_arr(UniValue::VARR);
+        for (const auto& path : backup.derivation_paths) {
+            paths_arr.push_back(WriteHDKeypath(path, /*apostrophe=*/true));
+        }
+        result.pushKV("derivation_paths", paths_arr);
+
+        tfm::format(std::cout, "%s\n", result.write(2));
     } else {
         tfm::format(std::cerr, "Invalid command: %s\n", command);
         return false;
diff --git a/test/functional/tool_wallet.py b/test/functional/tool_wallet.py
index be716e41c875..9cae4b6a0e03 100755
--- a/test/functional/tool_wallet.py
+++ b/test/functional/tool_wallet.py
@@ -472,6 +472,19 @@ def test_encrypted_backup(self):
         xpub_for_decrypt = xpub_match.group(0)
         self.log.info(f"Using xpub for decryption: {xpub_for_decrypt[:20]}...")
 
+        # Test inspectbackup command to view unencrypted metadata
+        self.log.info("Testing inspectbackup command...")
+        p = self.bitcoin_wallet_process("inspectbackup")
+        inspect_output, stderr = p.communicate(input=backup_base64)
+        assert_equal(p.poll(), 0)
+        import json
+        metadata = json.loads(inspect_output)
+        assert_equal(metadata["version"], 1)
+        assert_equal(metadata["encryption"], "ChaCha20-Poly1305")
+        assert metadata["recipients"] >= 1
+        # Content type is encrypted, not visible in header
+        self.log.debug(f"Backup metadata: {json.dumps(metadata, indent=2)}")
+
         # Decrypt the backup using just the xpub (no wallet needed)
         self.log.info("Decrypting backup using xpub...")
         p = self.bitcoin_wallet_process(f"-pubkey={xpub_for_decrypt}", "decryptbackup")

From 90fe3c7c7954a3d36d552b1de0b74c0d3dba31ff Mon Sep 17 00:00:00 2001
From: Sjors Provoost <sjors@sprovoost.nl>
Date: Wed, 14 Jan 2026 15:37:16 +0100
Subject: [PATCH 12/12] add -xpub option to encryptbackup

To include derivation path in backup header.
---
 src/bitcoin-wallet.cpp         |  1 +
 src/wallet/wallettool.cpp      | 57 +++++++++++++++++++++++++++++++++-
 test/functional/tool_wallet.py | 28 ++++++++++++++++-
 3 files changed, 84 insertions(+), 2 deletions(-)

diff --git a/src/bitcoin-wallet.cpp b/src/bitcoin-wallet.cpp
index 10ccf35acc16..40a76790ce4e 100644
--- a/src/bitcoin-wallet.cpp
+++ b/src/bitcoin-wallet.cpp
@@ -40,6 +40,7 @@ static void SetupWalletToolArgs(ArgsManager& argsman)
     argsman.AddArg("-debug=<category>", "Output debugging information (default: 0).", ArgsManager::ALLOW_ANY, OptionsCategory::DEBUG_TEST);
     argsman.AddArg("-printtoconsole", "Send trace/debug info to console (default: 1 when no -debug is true, 0 otherwise).", ArgsManager::ALLOW_ANY, OptionsCategory::DEBUG_TEST);
     argsman.AddArg("-pubkey=<key>", "Extended public key (xpub/tpub) for decrypting a backup", ArgsManager::ALLOW_ANY | ArgsManager::DISALLOW_NEGATION, OptionsCategory::OPTIONS);
+    argsman.AddArg("-xpub=<key>", "Extended public key (xpub/tpub) whose derivation path to include in backup header", ArgsManager::ALLOW_ANY | ArgsManager::DISALLOW_NEGATION, OptionsCategory::OPTIONS);
 
     argsman.AddCommand("info", "Get wallet info");
     argsman.AddCommand("create", "Create a new descriptor wallet file");
diff --git a/src/wallet/wallettool.cpp b/src/wallet/wallettool.cpp
index 1f1b477bbd94..e64e83bf563b 100644
--- a/src/wallet/wallettool.cpp
+++ b/src/wallet/wallettool.cpp
@@ -195,9 +195,24 @@ bool ExecuteWalletToolFunc(const ArgsManager& args, const std::string& command)
 
         LOCK(wallet_instance->cs_wallet);
 
+        // If -xpub is provided, validate it
+        std::optional<std::string> target_xpub;
+        if (args.IsArgSet("-xpub")) {
+            std::string xpub_str = args.GetArg("-xpub", "");
+            CExtPubKey ext_pubkey = DecodeExtPubKey(xpub_str);
+            if (!ext_pubkey.pubkey.IsValid()) {
+                tfm::format(std::cerr, "Invalid extended public key: %s\n", xpub_str);
+                wallet_instance->Close();
+                return false;
+            }
+            target_xpub = xpub_str;
+        }
+
         // Collect all descriptors from the wallet in listdescriptors format
         // This format preserves origin info and can be used with importdescriptors
         std::vector<std::pair<std::string, WalletDescriptorInfo>> all_descriptors;
+        std::vector<DerivationPath> derivation_paths;
+        bool found_target_xpub = false;
 
         const auto active_spk_mans = wallet_instance->GetActiveScriptPubKeyMans();
 
@@ -226,6 +241,34 @@ bool ExecuteWalletToolFunc(const ArgsManager& args, const std::string& command)
                     wallet_desc.next_index
                 };
                 all_descriptors.emplace_back(desc_str, std::move(info));
+
+                // Check if this descriptor contains the target xpub (if specified)
+                // and extract its derivation path from the origin info
+                if (target_xpub) {
+                    // Look for the xpub in the descriptor string and check for origin info
+                    // Format: [fingerprint/path]xpub...
+                    size_t xpub_pos = desc_str.find(*target_xpub);
+                    if (xpub_pos != std::string::npos) {
+                        found_target_xpub = true;
+                        // Look for origin info before the xpub: [fingerprint/path]
+                        if (xpub_pos > 0 && desc_str[xpub_pos - 1] == ']') {
+                            size_t bracket_start = desc_str.rfind('[', xpub_pos - 1);
+                            if (bracket_start != std::string::npos) {
+                                std::string origin = desc_str.substr(bracket_start + 1, xpub_pos - bracket_start - 2);
+                                // origin is "fingerprint/path" - find the first /
+                                size_t slash_pos = origin.find('/');
+                                if (slash_pos != std::string::npos) {
+                                    std::string path_str = "m" + origin.substr(slash_pos);
+
+                                    auto parsed_path = ParseDerivationPath(path_str);
+                                    if (parsed_path && derivation_paths.empty()) {
+                                        derivation_paths.push_back(*parsed_path);
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
             }
         }
 
@@ -235,6 +278,18 @@ bool ExecuteWalletToolFunc(const ArgsManager& args, const std::string& command)
             return false;
         }
 
+        if (target_xpub && !found_target_xpub) {
+            tfm::format(std::cerr, "Specified xpub not found in any wallet descriptor: %s\n", *target_xpub);
+            wallet_instance->Close();
+            return false;
+        }
+
+        if (target_xpub && derivation_paths.empty()) {
+            tfm::format(std::cerr, "Specified xpub has no origin info (derivation path) in descriptor.\n");
+            wallet_instance->Close();
+            return false;
+        }
+
         // Sort by descriptor string for deterministic ordering
         std::sort(all_descriptors.begin(), all_descriptors.end(),
                   [](const auto& a, const auto& b) { return a.first < b.first; });
@@ -256,7 +311,7 @@ bool ExecuteWalletToolFunc(const ArgsManager& args, const std::string& command)
         content.bip_number = BIP_DESCRIPTORS;
 
         // Create the encrypted backup
-        auto backup_result = CreateEncryptedBackup(primary_descriptor, plaintext, content, {});
+        auto backup_result = CreateEncryptedBackup(primary_descriptor, plaintext, content, derivation_paths);
         if (!backup_result) {
             tfm::format(std::cerr, "Failed to create encrypted backup: %s\n",
                         util::ErrorString(backup_result).original);
diff --git a/test/functional/tool_wallet.py b/test/functional/tool_wallet.py
index 9cae4b6a0e03..dbf8487d6957 100755
--- a/test/functional/tool_wallet.py
+++ b/test/functional/tool_wallet.py
@@ -482,9 +482,35 @@ def test_encrypted_backup(self):
         assert_equal(metadata["version"], 1)
         assert_equal(metadata["encryption"], "ChaCha20-Poly1305")
         assert metadata["recipients"] >= 1
-        # Content type is encrypted, not visible in header
+        # Without -xpub, there should be no derivation paths
+        assert_equal(metadata["derivation_paths"], [])
         self.log.debug(f"Backup metadata: {json.dumps(metadata, indent=2)}")
 
+        # Test that -xpub with an xpub not in the wallet gets rejected
+        self.log.info("Testing that unknown xpub is rejected...")
+        # Use a valid but unrelated testnet xpub
+        unknown_xpub = "tpubD6NzVbkrYhZ4XgiXtGrdW5XDAPFCL9h7we1vwNCpn8tGbBcgfVYjXyhWo4E1xkh56hjod1RhGjxbaTLV3X4FyWuejifB9jusQ46QzG87VKp"
+        p = self.bitcoin_wallet_process(f"-wallet={wallet_name}", f"-xpub={unknown_xpub}", "encryptbackup")
+        backup_output, stderr = p.communicate()
+        assert_equal(p.poll(), 1)
+        assert "not found in any wallet descriptor" in stderr
+
+        # Test encryptbackup with -xpub to include derivation path
+        self.log.info("Creating encrypted backup with -xpub for derivation path...")
+        p = self.bitcoin_wallet_process(f"-wallet={wallet_name}", f"-xpub={xpub_for_decrypt}", "encryptbackup")
+        backup_with_path_output, stderr = p.communicate()
+        assert_equal(p.poll(), 0)
+        backup_with_path_base64 = backup_with_path_output.strip()
+
+        # Inspect the backup with derivation path
+        p = self.bitcoin_wallet_process("inspectbackup")
+        inspect_output, stderr = p.communicate(input=backup_with_path_base64)
+        assert_equal(p.poll(), 0)
+        metadata_with_path = json.loads(inspect_output)
+        # BIP44 testnet path: m/44'/1'/0'
+        assert_equal(metadata_with_path["derivation_paths"], ["m/44'/1'/0'"])
+        self.log.info(f"Derivation paths in backup: {metadata_with_path['derivation_paths']}")
+
         # Decrypt the backup using just the xpub (no wallet needed)
         self.log.info("Decrypting backup using xpub...")
         p = self.bitcoin_wallet_process(f"-pubkey={xpub_for_decrypt}", "decryptbackup")