Research . Wallet forensics

Armory encryption & the ROMIX KDF

Armory was built for security-conscious Bitcoiners, and its deliberately slow, memory-hard key derivation is exactly why recovering an Armory password takes the right approach rather than raw brute force.

Actualizado en julio de 2026 · KeychainX — Recuperación de carteras desde 2017

Armory was one of the most respected early Bitcoin wallets, favoured for cold storage. Part of that reputation came from its encryption: a deliberately expensive, memory-hard key-derivation function based on ROMIX. This page documents what that means for someone trying to recover an Armory wallet password.

What a key-derivation function does

When you encrypt a wallet with a password, the software doesn’t use the password directly — it runs it through a key-derivation function (KDF) to produce the actual encryption key. A good KDF is deliberately slow, so that testing each guess costs real time and money, which is what makes brute-forcing impractical. The KDF’s cost is the wall an attacker — or a recovery service — has to climb for every candidate password.

Armory’s ROMIX / memory-hard design

Armory used a memory-hard KDF built on ROMIX (the core construction also used in scrypt). Memory-hard means each guess requires not just time but a large chunk of RAM, which deliberately frustrates the massively parallel hardware attackers use — you can’t cheaply run millions of guesses in parallel if each one needs significant memory. Armory even calibrated the KDF to the machine it was created on, so the cost per guess reflects that hardware.

What this means for recovery

The practical consequence is that Armory recovery is guess-limited, not instant. Each password candidate is expensive to test, so a blind, unstructured brute force of a long password is simply infeasible — you would never finish. Recovery therefore lives or dies on the quality of the candidate list: the closer the search is shaped to what the owner actually remembers, the fewer expensive guesses are needed. Good hints matter far more here than raw hardware.

Why the KDF parameters matter

To test guesses correctly you must reproduce Armory’s exact KDF parameters — the memory and iteration cost it was configured with — because the derived key depends on them. Those parameters are stored with the wallet, so part of the forensic work is reading them out and rebuilding the same derivation faithfully. Get the parameters wrong and every guess fails even when the password is right, the same trap that catches people on other format-specific wallets.

A realistic recovery approach

The workable approach is to treat it as a precision search rather than a sweep: extract the KDF parameters, reproduce the memory-hard derivation, and drive it with a candidate list built from everything the owner remembers — length, structure, fragments, habits — on hardware with enough memory to run the KDF efficiently. It is slower per guess than a lightweight wallet, but for a well-shaped list it remains entirely feasible, and Armory wallets often protect substantial long-term holdings that justify the effort.

When Armory wallets get stuck

Armory itself became difficult to run as it fell out of active maintenance, so many owners are locked out not only by a forgotten password but by an application that no longer launches cleanly on modern systems. Recovery often involves working directly with the wallet file and reproducing its cryptography outside the original software, which sidesteps the dead-application problem while still honouring the KDF the wallet was encrypted with.

If you hold an old Armory wallet

If you have an Armory wallet with funds and a password you’re unsure of, the encouraging news is that the memory-hard KDF that makes recovery slow also meant your wallet was genuinely well protected — and with a decent memory of the password, recovery is realistic. Once recovered, exporting the keys to a maintained modern wallet avoids the ongoing problem of running abandoned software.

How Armory compares to other wallets

It helps to place Armory on the spectrum of recovery difficulty. A lightweight wallet with a fast KDF can be searched at enormous speed, so even a hazy password memory often succeeds. Armory sits at the opposite end: its memory-hard derivation makes each guess costly, so the search must be lean and well-informed. That doesn’t make it harder to recover a well-remembered password — a strong hint finishes quickly either way — but it does mean a vague, sprawling guess space that might work on a fast wallet becomes infeasible on Armory. In short, Armory rewards precision: the better the owner can describe the password, the more decisively the KDF stops being an obstacle.

Our documentation

KeychainX documents Armory’s KDF here as part of our wallet-format forensics, because reproducing a memory-hard derivation faithfully — and shaping the search to the owner’s memory — is what separates a feasible Armory recovery from an impossible one. It sits alongside our other format research in this section. If you’re locked out of an Armory wallet, the KDF is a wall, not a dead end.

Preguntas frecuentes

What do you need to start an Armory recovery?

The Armory wallet file (which stores the KDF parameters) and your best memory of the password — length, structure, fragments, habits. The better the hint, the more feasible the memory-hard search.

Why is Armory password recovery slow?

Armory uses a memory-hard ROMIX key-derivation function that makes each password guess deliberately expensive in time and RAM. That defeats blind brute force, so recovery depends on a well-shaped candidate list.

Can an Armory wallet still be recovered?

Yes, if you remember enough about the password. We reproduce Armory’s exact KDF parameters and drive a memory-shaped search from your hints, on hardware with enough RAM to run the KDF.

Do I need the Armory software to work?

Not necessarily. Recovery often works directly from the wallet file, reproducing its cryptography outside the original application — which also sidesteps Armory no longer running cleanly on modern systems.

Why does my correct password fail?

If the KDF parameters aren’t reproduced exactly, the derived key is wrong and even the correct password fails. Reading the stored parameters and rebuilding the derivation faithfully is part of the work.

¿Cuánto cuesta la recuperación?

Basado en los resultados: un porcentaje del valor recuperado solo si conseguimos el dinero, y nada por adelantado.

Locked out of an Armory wallet?

The memory-hard KDF is a wall, not a dead end — with a decent password memory it’s recoverable. Tell us what you have, honest assessment within 24 hours.

Contactar con KeychainX →