keyring: remove hardcoded default passphrase on NewMnemonic (#8662)

* keyring: remove hardcoded default passphrase on NewMnemonic * minor changes * changelog * address @alessio's comment * Update CHANGELOG.md * test fixes * update comment and test Co-authored-by: Alessio Treglia <alessio@tendermint.com> Co-authored-by: Jonathan Gimeno <jgimeno@gmail.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
2021-02-23 13:49:09 -03:00 · 2021-02-23 13:49:09 -03:00 · cc70749b07
commit cc70749b07
parent 8dd6c325ba
15 changed files with 89 additions and 73 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -43,6 +43,7 @@ Ref: https://keepachangelog.com/en/1.0.0/

 ### API Breaking Changes

+* (keyring) [#\8662](https://github.com/cosmos/cosmos-sdk/pull/8662) `NewMnemonic` now receives an additional `passphrase` argument to secure the key generated by the bip39 mnemonic.
 * (x/bank) [\#8473](https://github.com/cosmos/cosmos-sdk/pull/8473) Bank keeper does not expose unsafe balance changing methods such as `SetBalance`, `SetSupply` etc.
 * (x/staking) [\#8473](https://github.com/cosmos/cosmos-sdk/pull/8473) On genesis init, if non bonded pool and bonded pool balance, coming from the bank module, does not match what is saved in the staking state, the initialization will panic.
 * (x/gov) [\#8473](https://github.com/cosmos/cosmos-sdk/pull/8473) On genesis init, if the gov module account balance, coming from bank module state, does not match the one in gov module state, the initialization will panic.
@ -66,6 +67,7 @@ Ref: https://keepachangelog.com/en/1.0.0/

 ### Bug Fixes

+* (keyring) [#\8635](https://github.com/cosmos/cosmos-sdk/issues/8635) Remove hardcoded default passphrase value on `NewMnemonic`
 * (x/evidence) [#8461](https://github.com/cosmos/cosmos-sdk/pull/8461) Fix bech32 prefix in evidence validator address conversion
 * (x/slashing) [\#8427](https://github.com/cosmos/cosmos-sdk/pull/8427) Fix query signing infos command
 * (server) [\#8399](https://github.com/cosmos/cosmos-sdk/pull/8399) fix gRPC-web flag default value
--- a/client/keys/delete_test.go
+++ b/client/keys/delete_test.go
@ -39,7 +39,7 @@ func Test_runDeleteCmd(t *testing.T) {
 	_, err = kb.NewAccount(fakeKeyName1, testutil.TestMnemonic, "", path, hd.Secp256k1)
 	require.NoError(t, err)

-	_, _, err = kb.NewMnemonic(fakeKeyName2, keyring.English, sdk.FullFundraiserPath, hd.Secp256k1)
+	_, _, err = kb.NewMnemonic(fakeKeyName2, keyring.English, sdk.FullFundraiserPath, keyring.DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)

 	cmd.SetArgs([]string{"blah", fmt.Sprintf("--%s=%s", flags.FlagHome, kbHome)})
--- a/client/tx/tx_test.go
+++ b/client/tx/tx_test.go
@ -132,10 +132,10 @@ func TestSign(t *testing.T) {
 	var from2 = "test_key2"

 	// create a new key using a mnemonic generator and test if we can reuse seed to recreate that account
-	_, seed, err := kr.NewMnemonic(from1, keyring.English, path, hd.Secp256k1)
+	_, seed, err := kr.NewMnemonic(from1, keyring.English, path, keyring.DefaultBIP39Passphrase, hd.Secp256k1)
 	requireT.NoError(err)
 	requireT.NoError(kr.Delete(from1))
-	info1, _, err := kr.NewMnemonic(from1, keyring.English, path, hd.Secp256k1)
+	info1, _, err := kr.NewMnemonic(from1, keyring.English, path, keyring.DefaultBIP39Passphrase, hd.Secp256k1)
 	requireT.NoError(err)

 	info2, err := kr.NewAccount(from2, seed, "", path, hd.Secp256k1)
--- a/crypto/armor_test.go
+++ b/crypto/armor_test.go
@ -73,7 +73,7 @@ func TestArmorUnarmorPubKey(t *testing.T) {
 	cstore := keyring.NewInMemory()

 	// Add keys and see they return in alphabetical order
-	info, _, err := cstore.NewMnemonic("Bob", keyring.English, types.FullFundraiserPath, hd.Secp256k1)
+	info, _, err := cstore.NewMnemonic("Bob", keyring.English, types.FullFundraiserPath, keyring.DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)
 	armored := crypto.ArmorPubKeyBytes(legacy.Cdc.Amino.MustMarshalBinaryBare(info.GetPubKey()), "")
 	pubBytes, algo, err := crypto.UnarmorPubKeyBytes(armored)
--- a/crypto/keyring/keyring.go
+++ b/crypto/keyring/keyring.go
@ -64,14 +64,17 @@ type Keyring interface {
 	Delete(uid string) error
 	DeleteByAddress(address sdk.Address) error

-	// NewMnemonic generates a new mnemonic, derives a hierarchical deterministic
-	// key from that, and persists it to the storage. Returns the generated mnemonic and the key
-	// Info. It returns an error if it fails to generate a key for the given algo type, or if
-	// another key is already stored under the same name.
-	NewMnemonic(uid string, language Language, hdPath string, algo SignatureAlgo) (Info, string, error)
+	// NewMnemonic generates a new mnemonic, derives a hierarchical deterministic key from it, and
+	// persists the key to storage. Returns the generated mnemonic and the key Info.
+	// It returns an error if it fails to generate a key for the given algo type, or if
+	// another key is already stored under the same name or address.
+	//
+	// A passphrase set to the empty string will set the passphrase to the DefaultBIP39Passphrase value.
+	NewMnemonic(uid string, language Language, hdPath, bip39Passphrase string, algo SignatureAlgo) (Info, string, error)

 	// NewAccount converts a mnemonic to a private key and BIP-39 HD Path and persists it.
-	NewAccount(uid, mnemonic, bip39Passwd, hdPath string, algo SignatureAlgo) (Info, error)
+	// It fails if there is an existing key Info with the same address.
+	NewAccount(uid, mnemonic, bip39Passphrase, hdPath string, algo SignatureAlgo) (Info, error)

 	// SaveLedgerKey retrieves a public key reference from a Ledger device and persists it.
 	SaveLedgerKey(uid string, algo SignatureAlgo, hrp string, coinType, account, index uint32) (Info, error)
@ -477,7 +480,7 @@ func (ks keystore) List() ([]Info, error) {
 	return res, nil
 }

-func (ks keystore) NewMnemonic(uid string, language Language, hdPath string, algo SignatureAlgo) (Info, string, error) {
+func (ks keystore) NewMnemonic(uid string, language Language, hdPath, bip39Passphrase string, algo SignatureAlgo) (Info, string, error) {
 	if language != English {
 		return nil, "", ErrUnsupportedLanguage
 	}
@ -498,12 +501,16 @@ func (ks keystore) NewMnemonic(uid string, language Language, hdPath string, alg
 		return nil, "", err
 	}

-	info, err := ks.NewAccount(uid, mnemonic, DefaultBIP39Passphrase, hdPath, algo)
+	if bip39Passphrase == "" {
+		bip39Passphrase = DefaultBIP39Passphrase
+	}
+
+	info, err := ks.NewAccount(uid, mnemonic, bip39Passphrase, hdPath, algo)
 	if err != nil {
 		return nil, "", err
 	}

-	return info, mnemonic, err
+	return info, mnemonic, nil
 }

 func (ks keystore) NewAccount(uid string, mnemonic string, bip39Passphrase string, hdPath string, algo SignatureAlgo) (Info, error) {
@ -519,6 +526,13 @@ func (ks keystore) NewAccount(uid string, mnemonic string, bip39Passphrase strin

 	privKey := algo.Generate()(derivedPriv)

+	// check if the a key already exists with the same address and return an error
+	// if found
+	address := sdk.AccAddress(privKey.PubKey().Address())
+	if _, err := ks.KeyByAddress(address); err == nil {
+		return nil, fmt.Errorf("account with address %s already exists in keyring, delete the key first if you want to recreate it", address)
+	}
+
 	return ks.writeLocalKey(uid, privKey, algo.Name())
 }

--- a/crypto/keyring/keyring_ledger_test.go
+++ b/crypto/keyring/keyring_ledger_test.go
@ -80,7 +80,7 @@ func TestSignVerifyKeyRingWithLedger(t *testing.T) {
 	require.True(t, i1.GetPubKey().VerifySignature(d1, s1))
 	require.True(t, bytes.Equal(s1, s2))

-	localInfo, _, err := kb.NewMnemonic("test", English, types.FullFundraiserPath, hd.Secp256k1)
+	localInfo, _, err := kb.NewMnemonic("test", English, types.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)
 	_, _, err = SignWithLedger(localInfo, d1)
 	require.Error(t, err)
--- a/crypto/keyring/keyring_test.go
+++ b/crypto/keyring/keyring_test.go
@ -42,7 +42,7 @@ func TestNewKeyring(t *testing.T) {
 	require.Equal(t, "unknown keyring backend fuzzy", err.Error())

 	mockIn.Reset("password\npassword\n")
-	info, _, err := kr.NewMnemonic("foo", English, sdk.FullFundraiserPath, hd.Secp256k1)
+	info, _, err := kr.NewMnemonic("foo", English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)
 	require.Equal(t, "foo", info.GetName())
 }
@ -59,17 +59,17 @@ func TestKeyManagementKeyRing(t *testing.T) {
 	require.Nil(t, err)
 	require.Empty(t, l)

-	_, _, err = kb.NewMnemonic(n1, English, sdk.FullFundraiserPath, notSupportedAlgo{})
+	_, _, err = kb.NewMnemonic(n1, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, notSupportedAlgo{})
 	require.Error(t, err, "ed25519 keys are currently not supported by keybase")

 	// create some keys
 	_, err = kb.Key(n1)
 	require.Error(t, err)
-	i, _, err := kb.NewMnemonic(n1, English, sdk.FullFundraiserPath, algo)
+	i, _, err := kb.NewMnemonic(n1, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, algo)

 	require.NoError(t, err)
 	require.Equal(t, n1, i.GetName())
-	_, _, err = kb.NewMnemonic(n2, English, sdk.FullFundraiserPath, algo)
+	_, _, err = kb.NewMnemonic(n2, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, algo)
 	require.NoError(t, err)

 	// we can get these keys
@ -137,10 +137,10 @@ func TestSignVerifyKeyRing(t *testing.T) {
 	n1, n2, n3 := "some dude", "a dudette", "dude-ish"

 	// create two users and get their info
-	i1, _, err := kb.NewMnemonic(n1, English, sdk.FullFundraiserPath, algo)
+	i1, _, err := kb.NewMnemonic(n1, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, algo)
 	require.Nil(t, err)

-	i2, _, err := kb.NewMnemonic(n2, English, sdk.FullFundraiserPath, algo)
+	i2, _, err := kb.NewMnemonic(n2, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, algo)
 	require.Nil(t, err)

 	// let's try to sign some messages
@ -209,7 +209,7 @@ func TestExportImportKeyRing(t *testing.T) {
 	kb, err := New("keybasename", "test", t.TempDir(), nil)
 	require.NoError(t, err)

-	info, _, err := kb.NewMnemonic("john", English, sdk.FullFundraiserPath, hd.Secp256k1)
+	info, _, err := kb.NewMnemonic("john", English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)
 	require.Equal(t, info.GetName(), "john")

@ -243,7 +243,7 @@ func TestExportImportPubKeyKeyRing(t *testing.T) {
 	algo := hd.Secp256k1

 	// CreateMnemonic a private-public key pair and ensure consistency
-	info, _, err := kb.NewMnemonic("john", English, sdk.FullFundraiserPath, algo)
+	info, _, err := kb.NewMnemonic("john", English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, algo)
 	require.Nil(t, err)
 	require.NotEqual(t, info, "")
 	require.Equal(t, info.GetName(), "john")
@ -285,7 +285,7 @@ func TestAdvancedKeyManagementKeyRing(t *testing.T) {
 	n1, n2 := "old-name", "new name"

 	// make sure key works with initial password
-	_, _, err = kb.NewMnemonic(n1, English, sdk.FullFundraiserPath, algo)
+	_, _, err = kb.NewMnemonic(n1, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, algo)
 	require.Nil(t, err, "%+v", err)

 	_, err = kb.ExportPubKeyArmor(n1 + ".notreal")
@ -320,7 +320,7 @@ func TestSeedPhraseKeyRing(t *testing.T) {
 	n1, n2 := "lost-key", "found-again"

 	// make sure key works with initial password
-	info, mnemonic, err := kb.NewMnemonic(n1, English, sdk.FullFundraiserPath, algo)
+	info, mnemonic, err := kb.NewMnemonic(n1, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, algo)
 	require.Nil(t, err, "%+v", err)
 	require.Equal(t, n1, info.GetName())
 	require.NotEmpty(t, mnemonic)
@ -345,7 +345,7 @@ func TestKeyringKeybaseExportImportPrivKey(t *testing.T) {
 	kb, err := New("keybasename", "test", t.TempDir(), nil)
 	require.NoError(t, err)

-	_, _, err = kb.NewMnemonic("john", English, sdk.FullFundraiserPath, hd.Secp256k1)
+	_, _, err = kb.NewMnemonic("john", English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)

 	keystr, err := kb.ExportPrivKeyArmor("john", "somepassword")
@ -372,7 +372,7 @@ func TestKeyringKeybaseExportImportPrivKey(t *testing.T) {

 func TestInMemoryLanguage(t *testing.T) {
 	kb := NewInMemory()
-	_, _, err := kb.NewMnemonic("something", Japanese, sdk.FullFundraiserPath, hd.Secp256k1)
+	_, _, err := kb.NewMnemonic("something", Japanese, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.Error(t, err)
 	require.Equal(t, "unsupported language: only english is supported", err.Error())
 }
@ -412,17 +412,17 @@ func TestInMemoryKeyManagement(t *testing.T) {
 	require.Nil(t, err)
 	require.Empty(t, l)

-	_, _, err = cstore.NewMnemonic(n1, English, sdk.FullFundraiserPath, notSupportedAlgo{})
+	_, _, err = cstore.NewMnemonic(n1, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, notSupportedAlgo{})
 	require.Error(t, err, "ed25519 keys are currently not supported by keybase")

 	// create some keys
 	_, err = cstore.Key(n1)
 	require.Error(t, err)
-	i, _, err := cstore.NewMnemonic(n1, English, sdk.FullFundraiserPath, algo)
+	i, _, err := cstore.NewMnemonic(n1, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, algo)

 	require.NoError(t, err)
 	require.Equal(t, n1, i.GetName())
-	_, _, err = cstore.NewMnemonic(n2, English, sdk.FullFundraiserPath, algo)
+	_, _, err = cstore.NewMnemonic(n2, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, algo)
 	require.NoError(t, err)

 	// we can get these keys
@ -492,10 +492,10 @@ func TestInMemorySignVerify(t *testing.T) {
 	n1, n2, n3 := "some dude", "a dudette", "dude-ish"

 	// create two users and get their info
-	i1, _, err := cstore.NewMnemonic(n1, English, sdk.FullFundraiserPath, algo)
+	i1, _, err := cstore.NewMnemonic(n1, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, algo)
 	require.Nil(t, err)

-	i2, _, err := cstore.NewMnemonic(n2, English, sdk.FullFundraiserPath, algo)
+	i2, _, err := cstore.NewMnemonic(n2, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, algo)
 	require.Nil(t, err)

 	// let's try to sign some messages
@ -566,7 +566,7 @@ func TestInMemoryExportImport(t *testing.T) {
 	// make the storage with reasonable defaults
 	cstore := NewInMemory()

-	info, _, err := cstore.NewMnemonic("john", English, sdk.FullFundraiserPath, hd.Secp256k1)
+	info, _, err := cstore.NewMnemonic("john", English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)
 	require.Equal(t, info.GetName(), "john")

@ -596,7 +596,7 @@ func TestInMemoryExportImport(t *testing.T) {
 func TestInMemoryExportImportPrivKey(t *testing.T) {
 	kb := NewInMemory()

-	info, _, err := kb.NewMnemonic("john", English, sdk.FullFundraiserPath, hd.Secp256k1)
+	info, _, err := kb.NewMnemonic("john", English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)
 	require.Equal(t, info.GetName(), "john")
 	priv1, err := kb.Key("john")
@ -624,7 +624,7 @@ func TestInMemoryExportImportPubKey(t *testing.T) {
 	cstore := NewInMemory()

 	// CreateMnemonic a private-public key pair and ensure consistency
-	info, _, err := cstore.NewMnemonic("john", English, sdk.FullFundraiserPath, hd.Secp256k1)
+	info, _, err := cstore.NewMnemonic("john", English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.Nil(t, err)
 	require.NotEqual(t, info, "")
 	require.Equal(t, info.GetName(), "john")
@ -663,7 +663,7 @@ func TestInMemoryAdvancedKeyManagement(t *testing.T) {
 	n1, n2 := "old-name", "new name"

 	// make sure key works with initial password
-	_, _, err := cstore.NewMnemonic(n1, English, sdk.FullFundraiserPath, algo)
+	_, _, err := cstore.NewMnemonic(n1, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, algo)
 	require.Nil(t, err, "%+v", err)

 	// exporting requires the proper name and passphrase
@ -698,7 +698,7 @@ func TestInMemorySeedPhrase(t *testing.T) {
 	n1, n2 := "lost-key", "found-again"

 	// make sure key works with initial password
-	info, mnemonic, err := cstore.NewMnemonic(n1, English, sdk.FullFundraiserPath, algo)
+	info, mnemonic, err := cstore.NewMnemonic(n1, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, algo)
 	require.Nil(t, err, "%+v", err)
 	require.Equal(t, n1, info.GetName())
 	require.NotEmpty(t, mnemonic)
@ -724,7 +724,7 @@ func TestKeyChain_ShouldFailWhenAddingSameGeneratedAccount(t *testing.T) {
 	require.NoError(t, err)

 	// Given we create a mnemonic
-	_, seed, err := kr.NewMnemonic("test", English, "", hd.Secp256k1)
+	_, seed, err := kr.NewMnemonic("test", English, "", DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)

 	require.NoError(t, kr.Delete("test"))
@ -745,7 +745,7 @@ func ExampleNew() {
 	sec := hd.Secp256k1

 	// Add keys and see they return in alphabetical order
-	bob, _, err := cstore.NewMnemonic("Bob", English, sdk.FullFundraiserPath, sec)
+	bob, _, err := cstore.NewMnemonic("Bob", English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, sec)
 	if err != nil {
 		// this should never happen
 		fmt.Println(err)
@ -753,8 +753,8 @@ func ExampleNew() {
 		// return info here just like in List
 		fmt.Println(bob.GetName())
 	}
-	_, _, _ = cstore.NewMnemonic("Alice", English, sdk.FullFundraiserPath, sec)
-	_, _, _ = cstore.NewMnemonic("Carl", English, sdk.FullFundraiserPath, sec)
+	_, _, _ = cstore.NewMnemonic("Alice", English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, sec)
+	_, _, _ = cstore.NewMnemonic("Carl", English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, sec)
 	info, _ := cstore.List()
 	for _, i := range info {
 		fmt.Println(i.GetName())
@ -799,16 +799,16 @@ func TestAltKeyring_List(t *testing.T) {
 	require.Empty(t, list)

 	// Fails on creating unsupported pubKeyType
-	_, _, err = keyring.NewMnemonic("failing", English, sdk.FullFundraiserPath, notSupportedAlgo{})
+	_, _, err = keyring.NewMnemonic("failing", English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, notSupportedAlgo{})
 	require.EqualError(t, err, ErrUnsupportedSigningAlgo.Error())

 	// Create 3 keys
 	uid1, uid2, uid3 := "Zkey", "Bkey", "Rkey"
-	_, _, err = keyring.NewMnemonic(uid1, English, sdk.FullFundraiserPath, hd.Secp256k1)
+	_, _, err = keyring.NewMnemonic(uid1, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)
-	_, _, err = keyring.NewMnemonic(uid2, English, sdk.FullFundraiserPath, hd.Secp256k1)
+	_, _, err = keyring.NewMnemonic(uid2, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)
-	_, _, err = keyring.NewMnemonic(uid3, English, sdk.FullFundraiserPath, hd.Secp256k1)
+	_, _, err = keyring.NewMnemonic(uid3, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)

 	list, err = keyring.List()
@ -852,7 +852,7 @@ func TestAltKeyring_Get(t *testing.T) {
 	require.NoError(t, err)

 	uid := someKey
-	mnemonic, _, err := keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, hd.Secp256k1)
+	mnemonic, _, err := keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)

 	key, err := keyring.Key(uid)
@ -865,7 +865,7 @@ func TestAltKeyring_KeyByAddress(t *testing.T) {
 	require.NoError(t, err)

 	uid := someKey
-	mnemonic, _, err := keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, hd.Secp256k1)
+	mnemonic, _, err := keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)

 	key, err := keyring.KeyByAddress(mnemonic.GetAddress())
@ -878,7 +878,7 @@ func TestAltKeyring_Delete(t *testing.T) {
 	require.NoError(t, err)

 	uid := someKey
-	_, _, err = keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, hd.Secp256k1)
+	_, _, err = keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)

 	list, err := keyring.List()
@ -898,7 +898,7 @@ func TestAltKeyring_DeleteByAddress(t *testing.T) {
 	require.NoError(t, err)

 	uid := someKey
-	mnemonic, _, err := keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, hd.Secp256k1)
+	mnemonic, _, err := keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)

 	list, err := keyring.List()
@ -940,9 +940,9 @@ func TestAltKeyring_SaveMultisig(t *testing.T) {
 	keyring, err := New(t.Name(), BackendTest, t.TempDir(), nil)
 	require.NoError(t, err)

-	mnemonic1, _, err := keyring.NewMnemonic("key1", English, sdk.FullFundraiserPath, hd.Secp256k1)
+	mnemonic1, _, err := keyring.NewMnemonic("key1", English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)
-	mnemonic2, _, err := keyring.NewMnemonic("key2", English, sdk.FullFundraiserPath, hd.Secp256k1)
+	mnemonic2, _, err := keyring.NewMnemonic("key2", English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)

 	key := "multi"
@ -969,7 +969,7 @@ func TestAltKeyring_Sign(t *testing.T) {
 	require.NoError(t, err)

 	uid := "jack"
-	_, _, err = keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, hd.Secp256k1)
+	_, _, err = keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)

 	msg := []byte("some message")
@ -985,7 +985,7 @@ func TestAltKeyring_SignByAddress(t *testing.T) {
 	require.NoError(t, err)

 	uid := "jack"
-	mnemonic, _, err := keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, hd.Secp256k1)
+	mnemonic, _, err := keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)

 	msg := []byte("some message")
@ -1001,7 +1001,7 @@ func TestAltKeyring_ImportExportPrivKey(t *testing.T) {
 	require.NoError(t, err)

 	uid := theID
-	_, _, err = keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, hd.Secp256k1)
+	_, _, err = keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)

 	passphrase := "somePass"
@ -1027,7 +1027,7 @@ func TestAltKeyring_ImportExportPrivKey_ByAddress(t *testing.T) {
 	require.NoError(t, err)

 	uid := theID
-	mnemonic, _, err := keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, hd.Secp256k1)
+	mnemonic, _, err := keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)

 	passphrase := "somePass"
@ -1054,7 +1054,7 @@ func TestAltKeyring_ImportExportPubKey(t *testing.T) {
 	require.NoError(t, err)

 	uid := theID
-	_, _, err = keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, hd.Secp256k1)
+	_, _, err = keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)

 	armor, err := keyring.ExportPubKeyArmor(uid)
@ -1076,7 +1076,7 @@ func TestAltKeyring_ImportExportPubKey_ByAddress(t *testing.T) {
 	require.NoError(t, err)

 	uid := theID
-	mnemonic, _, err := keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, hd.Secp256k1)
+	mnemonic, _, err := keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)

 	armor, err := keyring.ExportPubKeyArmorByAddress(mnemonic.GetAddress())
@ -1099,7 +1099,7 @@ func TestAltKeyring_UnsafeExportPrivKeyHex(t *testing.T) {

 	uid := theID

-	_, _, err = keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, hd.Secp256k1)
+	_, _, err = keyring.NewMnemonic(uid, English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)

 	unsafeKeyring := NewUnsafe(keyring)
@ -1121,11 +1121,11 @@ func TestAltKeyring_ConstructorSupportedAlgos(t *testing.T) {
 	require.NoError(t, err)

 	// should fail when using unsupported signing algorythm.
-	_, _, err = keyring.NewMnemonic("test", English, sdk.FullFundraiserPath, notSupportedAlgo{})
+	_, _, err = keyring.NewMnemonic("test", English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, notSupportedAlgo{})
 	require.EqualError(t, err, "unsupported signing algo")

 	// but works with default signing algo.
-	_, _, err = keyring.NewMnemonic("test", English, sdk.FullFundraiserPath, hd.Secp256k1)
+	_, _, err = keyring.NewMnemonic("test", English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(t, err)

 	// but we can create a new keybase with our provided algos.
@ -1137,7 +1137,7 @@ func TestAltKeyring_ConstructorSupportedAlgos(t *testing.T) {
 	require.NoError(t, err)

 	// now this new keyring does not fail when signing with provided algo
-	_, _, err = keyring2.NewMnemonic("test", English, sdk.FullFundraiserPath, notSupportedAlgo{})
+	_, _, err = keyring2.NewMnemonic("test", English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, notSupportedAlgo{})
 	require.NoError(t, err)
 }

--- a/server/init.go
+++ b/server/init.go
@ -12,7 +12,7 @@ import (
 // phrase to recover the private key.
 func GenerateCoinKey(algo keyring.SignatureAlgo) (sdk.AccAddress, string, error) {
 	// generate a private key, with recovery phrase
-	info, secret, err := keyring.NewInMemory().NewMnemonic("name", keyring.English, sdk.FullFundraiserPath, algo)
+	info, secret, err := keyring.NewInMemory().NewMnemonic("name", keyring.English, sdk.FullFundraiserPath, keyring.DefaultBIP39Passphrase, algo)
 	if err != nil {
 		return sdk.AccAddress([]byte{}), "", err
 	}
@ -43,7 +43,7 @@ func GenerateSaveCoinKey(keybase keyring.Keyring, keyName string, overwrite bool
 		}
 	}

-	info, secret, err := keybase.NewMnemonic(keyName, keyring.English, sdk.FullFundraiserPath, algo)
+	info, secret, err := keybase.NewMnemonic(keyName, keyring.English, sdk.FullFundraiserPath, keyring.DefaultBIP39Passphrase, algo)
 	if err != nil {
 		return sdk.AccAddress([]byte{}), "", err
 	}
--- a/x/auth/client/cli/cli_test.go
+++ b/x/auth/client/cli/cli_test.go
@ -52,13 +52,13 @@ func (s *IntegrationTestSuite) SetupSuite() {
 	s.network = network.New(s.T(), cfg)

 	kb := s.network.Validators[0].ClientCtx.Keyring
-	_, _, err := kb.NewMnemonic("newAccount", keyring.English, sdk.FullFundraiserPath, hd.Secp256k1)
+	_, _, err := kb.NewMnemonic("newAccount", keyring.English, sdk.FullFundraiserPath, keyring.DefaultBIP39Passphrase, hd.Secp256k1)
 	s.Require().NoError(err)

-	account1, _, err := kb.NewMnemonic("newAccount1", keyring.English, sdk.FullFundraiserPath, hd.Secp256k1)
+	account1, _, err := kb.NewMnemonic("newAccount1", keyring.English, sdk.FullFundraiserPath, keyring.DefaultBIP39Passphrase, hd.Secp256k1)
 	s.Require().NoError(err)

-	account2, _, err := kb.NewMnemonic("newAccount2", keyring.English, sdk.FullFundraiserPath, hd.Secp256k1)
+	account2, _, err := kb.NewMnemonic("newAccount2", keyring.English, sdk.FullFundraiserPath, keyring.DefaultBIP39Passphrase, hd.Secp256k1)
 	s.Require().NoError(err)

 	multi := kmultisig.NewLegacyAminoPubKey(2, []cryptotypes.PubKey{account1.GetPubKey(), account2.GetPubKey()})
--- a/x/auth/client/rest/rest_test.go
+++ b/x/auth/client/rest/rest_test.go
@ -49,7 +49,7 @@ func (s *IntegrationTestSuite) SetupSuite() {
 	s.network = network.New(s.T(), cfg)

 	kb := s.network.Validators[0].ClientCtx.Keyring
-	_, _, err := kb.NewMnemonic("newAccount", keyring.English, sdk.FullFundraiserPath, hd.Secp256k1)
+	_, _, err := kb.NewMnemonic("newAccount", keyring.English, sdk.FullFundraiserPath, keyring.DefaultBIP39Passphrase, hd.Secp256k1)
 	s.Require().NoError(err)

 	_, err = s.network.WaitForHeight(1)
--- a/x/authz/client/cli/tx_test.go
+++ b/x/authz/client/cli/tx_test.go
@ -49,7 +49,7 @@ func (s *IntegrationTestSuite) SetupSuite() {
 	val := s.network.Validators[0]

 	// Create new account in the keyring.
-	info, _, err := val.ClientCtx.Keyring.NewMnemonic("grantee", keyring.English, sdk.FullFundraiserPath, hd.Secp256k1)
+	info, _, err := val.ClientCtx.Keyring.NewMnemonic("grantee", keyring.English, sdk.FullFundraiserPath, keyring.DefaultBIP39Passphrase, hd.Secp256k1)
 	s.Require().NoError(err)
 	newAddr := sdk.AccAddress(info.GetPubKey().Address())

--- a/x/authz/client/rest/grpc_query_test.go
+++ b/x/authz/client/rest/grpc_query_test.go
@ -41,7 +41,7 @@ func (s *IntegrationTestSuite) SetupSuite() {

 	val := s.network.Validators[0]
 	// Create new account in the keyring.
-	info, _, err := val.ClientCtx.Keyring.NewMnemonic("grantee", keyring.English, sdk.FullFundraiserPath, hd.Secp256k1)
+	info, _, err := val.ClientCtx.Keyring.NewMnemonic("grantee", keyring.English, sdk.FullFundraiserPath, keyring.DefaultBIP39Passphrase, hd.Secp256k1)
 	s.Require().NoError(err)
 	newAddr := sdk.AccAddress(info.GetPubKey().Address())

--- a/x/feegrant/client/cli/cli_test.go
+++ b/x/feegrant/client/cli/cli_test.go
@ -573,7 +573,7 @@ func (s *IntegrationTestSuite) TestTxWithFeeGrant() {
 	granter := val.Address

 	// creating an account manually (This account won't be exist in state)
-	info, _, err := val.ClientCtx.Keyring.NewMnemonic("grantee", keyring.English, sdk.FullFundraiserPath, hd.Secp256k1)
+	info, _, err := val.ClientCtx.Keyring.NewMnemonic("grantee", keyring.English, sdk.FullFundraiserPath, keyring.DefaultBIP39Passphrase, hd.Secp256k1)
 	s.Require().NoError(err)
 	grantee := sdk.AccAddress(info.GetPubKey().Address())

--- a/x/feegrant/client/rest/grpc_query_test.go
+++ b/x/feegrant/client/rest/grpc_query_test.go
@ -36,7 +36,7 @@ func (s *IntegrationTestSuite) SetupSuite() {

 	val := s.network.Validators[0]
 	// Create new account in the keyring.
-	info, _, err := val.ClientCtx.Keyring.NewMnemonic("grantee", keyring.English, sdk.FullFundraiserPath, hd.Secp256k1)
+	info, _, err := val.ClientCtx.Keyring.NewMnemonic("grantee", keyring.English, sdk.FullFundraiserPath, keyring.DefaultBIP39Passphrase, hd.Secp256k1)
 	s.Require().NoError(err)
 	newAddr := sdk.AccAddress(info.GetPubKey().Address())

--- a/x/staking/client/cli/cli_test.go
+++ b/x/staking/client/cli/cli_test.go
@ -82,7 +82,7 @@ func (s *IntegrationTestSuite) TestNewCreateValidatorCmd() {
 	consPubKey, err := sdk.Bech32ifyPubKey(sdk.Bech32PubKeyTypeConsPub, consPrivKey.PubKey())
 	s.Require().NoError(err)

-	info, _, err := val.ClientCtx.Keyring.NewMnemonic("NewValidator", keyring.English, sdk.FullFundraiserPath, hd.Secp256k1)
+	info, _, err := val.ClientCtx.Keyring.NewMnemonic("NewValidator", keyring.English, sdk.FullFundraiserPath, keyring.DefaultBIP39Passphrase, hd.Secp256k1)
 	s.Require().NoError(err)

 	newAddr := sdk.AccAddress(info.GetPubKey().Address())
@ -1037,7 +1037,7 @@ func (s *IntegrationTestSuite) TestNewCmdEditValidator() {
 func (s *IntegrationTestSuite) TestNewCmdDelegate() {
 	val := s.network.Validators[0]

-	info, _, err := val.ClientCtx.Keyring.NewMnemonic("NewAccount", keyring.English, sdk.FullFundraiserPath, hd.Secp256k1)
+	info, _, err := val.ClientCtx.Keyring.NewMnemonic("NewAccount", keyring.English, sdk.FullFundraiserPath, keyring.DefaultBIP39Passphrase, hd.Secp256k1)
 	s.Require().NoError(err)

 	newAddr := sdk.AccAddress(info.GetPubKey().Address())
@ -1277,7 +1277,7 @@ func (s *IntegrationTestSuite) TestBlockResults() {
 	val := s.network.Validators[0]

 	// Create new account in the keyring.
-	info, _, err := val.ClientCtx.Keyring.NewMnemonic("NewDelegator", keyring.English, sdk.FullFundraiserPath, hd.Secp256k1)
+	info, _, err := val.ClientCtx.Keyring.NewMnemonic("NewDelegator", keyring.English, sdk.FullFundraiserPath, keyring.DefaultBIP39Passphrase, hd.Secp256k1)
 	require.NoError(err)
 	newAddr := sdk.AccAddress(info.GetPubKey().Address())