From b3295ab4608aba2341590f15947e364326716720 Mon Sep 17 00:00:00 2001
From: pythcoiner <pythcoiner@proton.me>
Date: Tue, 14 Apr 2026 03:02:34 -0400
Subject: [PATCH 01/21] refactor: define BIP32_HARDENED and BIP32_UNHARDENED
 constants

Replace magic 0x80000000 literals with named constants for BIP32
hardened/unhardened child derivation.
---
 src/script/descriptor.cpp |  6 +++---
 src/test/bip32_tests.cpp  | 13 +++++++------
 src/util/bip32.cpp        |  2 +-
 src/util/bip32.h          |  5 +++++
 4 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/src/script/descriptor.cpp b/src/script/descriptor.cpp
index 19315dd6a30f..d22209cb3d49 100644
--- a/src/script/descriptor.cpp
+++ b/src/script/descriptor.cpp
@@ -429,7 +429,7 @@ class BIP32PubkeyProvider final : public PubkeyProvider
         std::copy(keyid.begin(), keyid.begin() + sizeof(info.fingerprint), info.fingerprint);
         info.path = m_path;
         if (m_derive == DeriveType::UNHARDENED_RANGED) info.path.push_back((uint32_t)pos);
-        if (m_derive == DeriveType::HARDENED_RANGED) info.path.push_back(((uint32_t)pos) | 0x80000000L);
+        if (m_derive == DeriveType::HARDENED_RANGED) info.path.push_back(((uint32_t)pos) | BIP32_HARDENED);
 
         // Derive keys or fetch them from cache
         CExtPubKey final_extkey = m_root_extkey;
@@ -450,7 +450,7 @@ class BIP32PubkeyProvider final : public PubkeyProvider
             if (!GetDerivedExtKey(arg, xprv, lh_xprv)) return std::nullopt;
             parent_extkey = xprv.Neuter();
             if (m_derive == DeriveType::UNHARDENED_RANGED) der = xprv.Derive(xprv, pos);
-            if (m_derive == DeriveType::HARDENED_RANGED) der = xprv.Derive(xprv, pos | 0x80000000UL);
+            if (m_derive == DeriveType::HARDENED_RANGED) der = xprv.Derive(xprv, pos | BIP32_HARDENED);
             final_extkey = xprv.Neuter();
             if (lh_xprv.key.IsValid()) {
                 last_hardened_extkey = lh_xprv.Neuter();
@@ -576,7 +576,7 @@ class BIP32PubkeyProvider final : public PubkeyProvider
         CExtKey dummy;
         if (!GetDerivedExtKey(arg, extkey, dummy)) return;
         if (m_derive == DeriveType::UNHARDENED_RANGED && !extkey.Derive(extkey, pos)) return;
-        if (m_derive == DeriveType::HARDENED_RANGED && !extkey.Derive(extkey, pos | 0x80000000UL)) return;
+        if (m_derive == DeriveType::HARDENED_RANGED && !extkey.Derive(extkey, pos | BIP32_HARDENED)) return;
         out.keys.emplace(extkey.key.GetPubKey().GetID(), extkey.key);
     }
     std::optional<CPubKey> GetRootPubKey() const override
diff --git a/src/test/bip32_tests.cpp b/src/test/bip32_tests.cpp
index 1df368ade744..dbbe5d15a015 100644
--- a/src/test/bip32_tests.cpp
+++ b/src/test/bip32_tests.cpp
@@ -9,6 +9,7 @@
 #include <key_io.h>
 #include <streams.h>
 #include <test/util/setup_common.h>
+#include <util/bip32.h>
 #include <util/strencodings.h>
 
 #include <string>
@@ -42,13 +43,13 @@ TestVector test1 =
   TestVector("000102030405060708090a0b0c0d0e0f")
     ("xpub661MyMwAqRbcFtXgS5sYJABqqG9YLmC4Q1Rdap9gSE8NqtwybGhePY2gZ29ESFjqJoCu1Rupje8YtGqsefD265TMg7usUDFdp6W1EGMcet8",
      "xprv9s21ZrQH143K3QTDL4LXw2F7HEK3wJUD2nW2nRk4stbPy6cq3jPPqjiChkVvvNKmPGJxWUtg6LnF5kejMRNNU3TGtRBeJgk33yuGBxrMPHi",
-     0x80000000)
+     BIP32_HARDENED)
     ("xpub68Gmy5EdvgibQVfPdqkBBCHxA5htiqg55crXYuXoQRKfDBFA1WEjWgP6LHhwBZeNK1VTsfTFUHCdrfp1bgwQ9xv5ski8PX9rL2dZXvgGDnw",
      "xprv9uHRZZhk6KAJC1avXpDAp4MDc3sQKNxDiPvvkX8Br5ngLNv1TxvUxt4cV1rGL5hj6KCesnDYUhd7oWgT11eZG7XnxHrnYeSvkzY7d2bhkJ7",
      1)
     ("xpub6ASuArnXKPbfEwhqN6e3mwBcDTgzisQN1wXN9BJcM47sSikHjJf3UFHKkNAWbWMiGj7Wf5uMash7SyYq527Hqck2AxYysAA7xmALppuCkwQ",
      "xprv9wTYmMFdV23N2TdNG573QoEsfRrWKQgWeibmLntzniatZvR9BmLnvSxqu53Kw1UmYPxLgboyZQaXwTCg8MSY3H2EU4pWcQDnRnrVA1xe8fs",
-     0x80000002)
+     BIP32_HARDENED | 2)
     ("xpub6D4BDPcP2GT577Vvch3R8wDkScZWzQzMMUm3PWbmWvVJrZwQY4VUNgqFJPMM3No2dFDFGTsxxpG5uJh7n7epu4trkrX7x7DogT5Uv6fcLW5",
      "xprv9z4pot5VBttmtdRTWfWQmoH1taj2axGVzFqSb8C9xaxKymcFzXBDptWmT7FwuEzG3ryjH4ktypQSAewRiNMjANTtpgP4mLTj34bhnZX7UiM",
      2)
@@ -84,7 +85,7 @@ TestVector test3 =
   TestVector("4b381541583be4423346c643850da4b320e46a87ae3d2a4e6da11eba819cd4acba45d239319ac14f863b8d5ab5a0d0c64d2e8a1e7d1457df2e5a3c51c73235be")
     ("xpub661MyMwAqRbcEZVB4dScxMAdx6d4nFc9nvyvH3v4gJL378CSRZiYmhRoP7mBy6gSPSCYk6SzXPTf3ND1cZAceL7SfJ1Z3GC8vBgp2epUt13",
      "xprv9s21ZrQH143K25QhxbucbDDuQ4naNntJRi4KUfWT7xo4EKsHt2QJDu7KXp1A3u7Bi1j8ph3EGsZ9Xvz9dGuVrtHHs7pXeTzjuxBrCmmhgC6",
-      0x80000000)
+      BIP32_HARDENED)
     ("xpub68NZiKmJWnxxS6aaHmn81bvJeTESw724CRDs6HbuccFQN9Ku14VQrADWgqbhhTHBaohPX4CjNLf9fq9MYo6oDaPPLPxSb7gwQN3ih19Zm4Y",
      "xprv9uPDJpEQgRQfDcW7BkF7eTya6RPxXeJCqCJGHuCJ4GiRVLzkTXBAJMu2qaMWPrS7AANYqdq6vcBcBUdJCVVFceUvJFjaPdGZ2y9WACViL4L",
       0);
@@ -93,10 +94,10 @@ TestVector test4 =
   TestVector("3ddd5602285899a946114506157c7997e5444528f3003f6134712147db19b678")
     ("xpub661MyMwAqRbcGczjuMoRm6dXaLDEhW1u34gKenbeYqAix21mdUKJyuyu5F1rzYGVxyL6tmgBUAEPrEz92mBXjByMRiJdba9wpnN37RLLAXa",
      "xprv9s21ZrQH143K48vGoLGRPxgo2JNkJ3J3fqkirQC2zVdk5Dgd5w14S7fRDyHH4dWNHUgkvsvNDCkvAwcSHNAQwhwgNMgZhLtQC63zxwhQmRv",
-     0x80000000)
+     BIP32_HARDENED)
     ("xpub69AUMk3qDBi3uW1sXgjCmVjJ2G6WQoYSnNHyzkmdCHEhSZ4tBok37xfFEqHd2AddP56Tqp4o56AePAgCjYdvpW2PU2jbUPFKsav5ut6Ch1m",
      "xprv9vB7xEWwNp9kh1wQRfCCQMnZUEG21LpbR9NPCNN1dwhiZkjjeGRnaALmPXCX7SgjFTiCTT6bXes17boXtjq3xLpcDjzEuGLQBM5ohqkao9G",
-     0x80000001)
+     BIP32_HARDENED | 1)
     ("xpub6BJA1jSqiukeaesWfxe6sNK9CCGaujFFSJLomWHprUL9DePQ4JDkM5d88n49sMGJxrhpjazuXYWdMf17C9T5XnxkopaeS7jGk1GyyVziaMt",
      "xprv9xJocDuwtYCMNAo3Zw76WENQeAS6WGXQ55RCy7tDJ8oALr4FWkuVoHJeHVAcAqiZLE7Je3vZJHxspZdFHfnBEjHqU5hG1Jaj32dVoS6XLT1",
      0);
@@ -144,7 +145,7 @@ void RunTest(const TestVector& test)
         CExtKey keyNew;
         BOOST_CHECK(key.Derive(keyNew, derive.nChild));
         CExtPubKey pubkeyNew = keyNew.Neuter();
-        if (!(derive.nChild & 0x80000000)) {
+        if (!(derive.nChild & BIP32_HARDENED)) {
             // Compare with public derivation
             CExtPubKey pubkeyNew2;
             BOOST_CHECK(pubkey.Derive(pubkeyNew2, derive.nChild));
diff --git a/src/util/bip32.cpp b/src/util/bip32.cpp
index 2488eacf5156..77d7cf868ef2 100644
--- a/src/util/bip32.cpp
+++ b/src/util/bip32.cpp
@@ -33,7 +33,7 @@ bool ParseHDKeypath(const std::string& keypath_str, std::vector<uint32_t>& keypa
             if (pos != item.size() - 1) {
                 return false;
             }
-            path |= 0x80000000;
+            path |= BIP32_HARDENED;
             item = item.substr(0, item.size() - 1); // Drop the last character which is the hardened tick
         }
 
diff --git a/src/util/bip32.h b/src/util/bip32.h
index af48147aa808..265b02ce4641 100644
--- a/src/util/bip32.h
+++ b/src/util/bip32.h
@@ -9,6 +9,11 @@
 #include <string>
 #include <vector>
 
+/** BIP32 unhardened child index (no high bit set) */
+static constexpr uint32_t BIP32_UNHARDENED = 0x0;
+/** BIP32 hardened derivation flag (2^31) */
+static constexpr uint32_t BIP32_HARDENED = 0x80000000;
+
 /** Parse an HD keypaths like "m/7/0'/2000". */
 [[nodiscard]] bool ParseHDKeypath(const std::string& keypath_str, std::vector<uint32_t>& keypath);
 

From 4e2e42c732ceb8ddfd1b474520d712aaf8b1885d Mon Sep 17 00:00:00 2001
From: pythcoiner <pythcoiner@proton.me>
Date: Tue, 14 Apr 2026 03:24:52 -0400
Subject: [PATCH 02/21] refactor: deduplicate keypath element parsing

Extract ParseKeyPathElement() as a shared helper in util/bip32 that
parses a single BIP32 key path element (e.g. "0", "0'", "0h").
Both ParseHDKeypath() and the descriptor parser's ParseKeyPathNum()
now delegate to it, eliminating duplicated parsing logic.
---
 src/script/descriptor.cpp             | 24 +++---------
 src/util/bip32.cpp                    | 53 +++++++++++++++++----------
 src/util/bip32.h                      |  7 ++++
 src/wallet/test/psbt_wallet_tests.cpp | 27 +++++++++++---
 4 files changed, 67 insertions(+), 44 deletions(-)

diff --git a/src/script/descriptor.cpp b/src/script/descriptor.cpp
index d22209cb3d49..6a5aafb0bd65 100644
--- a/src/script/descriptor.cpp
+++ b/src/script/descriptor.cpp
@@ -1754,25 +1754,13 @@ enum class ParseScriptContext {
 std::optional<uint32_t> ParseKeyPathNum(std::span<const char> elem, bool& apostrophe, std::string& error, bool& has_hardened)
 {
     bool hardened = false;
-    if (elem.size() > 0) {
-        const char last = elem[elem.size() - 1];
-        if (last == '\'' || last == 'h') {
-            elem = elem.first(elem.size() - 1);
-            hardened = true;
-            apostrophe = last == '\'';
-        }
+    const auto index{ParseKeyPathElement(elem, hardened, error)};
+    if (!index.has_value()) return std::nullopt;
+    if (hardened) {
+        has_hardened = true;
+        apostrophe = elem.back() == '\'';
     }
-    const auto p{ToIntegral<uint32_t>(std::string_view{elem.begin(), elem.end()})};
-    if (!p) {
-        error = strprintf("Key path value '%s' is not a valid uint32", std::string_view{elem.begin(), elem.end()});
-        return std::nullopt;
-    } else if (*p > 0x7FFFFFFFUL) {
-        error = strprintf("Key path value %u is out of range", *p);
-        return std::nullopt;
-    }
-    has_hardened = has_hardened || hardened;
-
-    return std::make_optional<uint32_t>(*p | (((uint32_t)hardened) << 31));
+    return *index | (hardened ? BIP32_HARDENED : BIP32_UNHARDENED);
 }
 
 /**
diff --git a/src/util/bip32.cpp b/src/util/bip32.cpp
index 77d7cf868ef2..a27ddc288fec 100644
--- a/src/util/bip32.cpp
+++ b/src/util/bip32.cpp
@@ -11,6 +11,34 @@
 #include <cstdio>
 #include <optional>
 #include <sstream>
+#include <string_view>
+
+std::optional<uint32_t> ParseKeyPathElement(std::span<const char> elem, bool& is_hardened, std::string& error)
+{
+    is_hardened = false;
+    const std::string_view raw{elem.begin(), elem.end()};
+    if (elem.empty()) {
+        error = strprintf("Key path value '%s' is not a valid uint32", raw);
+        return std::nullopt;
+    }
+
+    const char last = elem.back();
+    if (last == '\'' || last == 'h') {
+        elem = elem.first(elem.size() - 1);
+        is_hardened = true;
+    }
+
+    const auto number{ToIntegral<uint32_t>(std::string_view{elem.begin(), elem.end()})};
+    if (!number) {
+        error = strprintf("Key path value '%s' is not a valid uint32", raw);
+        return std::nullopt;
+    }
+    if (*number >= BIP32_HARDENED) {
+        error = strprintf("Key path value %u is out of range", *number);
+        return std::nullopt;
+    }
+    return *number;
+}
 
 bool ParseHDKeypath(const std::string& keypath_str, std::vector<uint32_t>& keypath)
 {
@@ -25,26 +53,11 @@ bool ParseHDKeypath(const std::string& keypath_str, std::vector<uint32_t>& keypa
             }
             return false;
         }
-        // Finds whether it is hardened
-        uint32_t path = 0;
-        size_t pos = item.find('\'');
-        if (pos != std::string::npos) {
-            // The hardened tick can only be in the last index of the string
-            if (pos != item.size() - 1) {
-                return false;
-            }
-            path |= BIP32_HARDENED;
-            item = item.substr(0, item.size() - 1); // Drop the last character which is the hardened tick
-        }
-
-        // Ensure this is only numbers
-        const auto number{ToIntegral<uint32_t>(item)};
-        if (!number) {
-            return false;
-        }
-        path |= *number;
-
-        keypath.push_back(path);
+        bool hardened = false;
+        std::string error;
+        const auto index{ParseKeyPathElement(std::span<const char>{item.data(), item.size()}, hardened, error)};
+        if (!index.has_value()) return false;
+        keypath.push_back(*index | (hardened ? BIP32_HARDENED : BIP32_UNHARDENED));
         first = false;
     }
     return true;
diff --git a/src/util/bip32.h b/src/util/bip32.h
index 265b02ce4641..9ecc5c052bee 100644
--- a/src/util/bip32.h
+++ b/src/util/bip32.h
@@ -6,6 +6,8 @@
 #define BITCOIN_UTIL_BIP32_H
 
 #include <cstdint>
+#include <optional>
+#include <span>
 #include <string>
 #include <vector>
 
@@ -14,6 +16,11 @@ static constexpr uint32_t BIP32_UNHARDENED = 0x0;
 /** BIP32 hardened derivation flag (2^31) */
 static constexpr uint32_t BIP32_HARDENED = 0x80000000;
 
+/** Parse a single key path element like "0", "0'", or "0h".
+ *  Returns the child index and sets is_hardened, or nullopt on failure
+ *  (in which case `error` is populated with a human-readable message). */
+std::optional<uint32_t> ParseKeyPathElement(std::span<const char> elem, bool& is_hardened, std::string& error);
+
 /** Parse an HD keypaths like "m/7/0'/2000". */
 [[nodiscard]] bool ParseHDKeypath(const std::string& keypath_str, std::vector<uint32_t>& keypath);
 
diff --git a/src/wallet/test/psbt_wallet_tests.cpp b/src/wallet/test/psbt_wallet_tests.cpp
index 91b69b9d624b..5ea7ec08bcc2 100644
--- a/src/wallet/test/psbt_wallet_tests.cpp
+++ b/src/wallet/test/psbt_wallet_tests.cpp
@@ -114,8 +114,10 @@ BOOST_AUTO_TEST_CASE(parse_hd_keypath)
     BOOST_CHECK(ParseHDKeypath("42", keypath));
     BOOST_CHECK(!ParseHDKeypath("m42", keypath));
 
-    BOOST_CHECK(ParseHDKeypath("4294967295", keypath)); // 4294967295 == 0xFFFFFFFF (uint32_t max)
-    BOOST_CHECK(!ParseHDKeypath("4294967296", keypath)); // 4294967296 == 0xFFFFFFFF (uint32_t max) + 1
+    BOOST_CHECK(ParseHDKeypath("2147483647", keypath)); // 2147483647 == 0x7FFFFFFF (max non-hardened)
+    BOOST_CHECK(!ParseHDKeypath("2147483648", keypath)); // 2147483648 == 0x80000000 (would collide with hardened bit)
+    BOOST_CHECK(!ParseHDKeypath("4294967295", keypath)); // 4294967295 == 0xFFFFFFFF (uint32_t max)
+    BOOST_CHECK(!ParseHDKeypath("4294967296", keypath)); // 4294967296 > uint32_t max
 
     BOOST_CHECK(ParseHDKeypath("m", keypath));
     BOOST_CHECK(!ParseHDKeypath("n", keypath));
@@ -129,8 +131,17 @@ BOOST_AUTO_TEST_CASE(parse_hd_keypath)
     BOOST_CHECK(ParseHDKeypath("m/0'", keypath));
     BOOST_CHECK(!ParseHDKeypath("m/0''", keypath));
 
+    BOOST_CHECK(ParseHDKeypath("m/0h", keypath));
+    BOOST_CHECK(!ParseHDKeypath("m/0hh", keypath));
+    BOOST_CHECK(!ParseHDKeypath("m/0x", keypath));
+    BOOST_CHECK(!ParseHDKeypath("m/0a", keypath));
+    BOOST_CHECK(!ParseHDKeypath("m/0G", keypath));
+
     BOOST_CHECK(ParseHDKeypath("m/0'/0'", keypath));
+    BOOST_CHECK(ParseHDKeypath("m/0h/0h", keypath));
+    BOOST_CHECK(ParseHDKeypath("m/0'/0h", keypath));
     BOOST_CHECK(!ParseHDKeypath("m/'0/0'", keypath));
+    BOOST_CHECK(!ParseHDKeypath("m/h0/0'", keypath));
 
     BOOST_CHECK(ParseHDKeypath("m/0/0", keypath));
     BOOST_CHECK(!ParseHDKeypath("n/0/0", keypath));
@@ -147,11 +158,15 @@ BOOST_AUTO_TEST_CASE(parse_hd_keypath)
     BOOST_CHECK(ParseHDKeypath("m/1/", keypath));
     BOOST_CHECK(!ParseHDKeypath("m/1//", keypath));
 
-    BOOST_CHECK(ParseHDKeypath("m/0/4294967295", keypath)); // 4294967295 == 0xFFFFFFFF (uint32_t max)
-    BOOST_CHECK(!ParseHDKeypath("m/0/4294967296", keypath)); // 4294967296 == 0xFFFFFFFF (uint32_t max) + 1
+    BOOST_CHECK(ParseHDKeypath("m/0/2147483647", keypath)); // 2147483647 == 0x7FFFFFFF (max non-hardened)
+    BOOST_CHECK(!ParseHDKeypath("m/0/2147483648", keypath)); // 2147483648 == 0x80000000 (would collide with hardened bit)
+    BOOST_CHECK(!ParseHDKeypath("m/0/4294967295", keypath)); // 4294967295 == 0xFFFFFFFF (uint32_t max)
+    BOOST_CHECK(!ParseHDKeypath("m/0/4294967296", keypath)); // 4294967296 > uint32_t max
 
-    BOOST_CHECK(ParseHDKeypath("m/4294967295", keypath)); // 4294967295 == 0xFFFFFFFF (uint32_t max)
-    BOOST_CHECK(!ParseHDKeypath("m/4294967296", keypath)); // 4294967296 == 0xFFFFFFFF (uint32_t max) + 1
+    BOOST_CHECK(ParseHDKeypath("m/2147483647", keypath)); // 2147483647 == 0x7FFFFFFF (max non-hardened)
+    BOOST_CHECK(!ParseHDKeypath("m/2147483648", keypath)); // 2147483648 == 0x80000000 (would collide with hardened bit)
+    BOOST_CHECK(!ParseHDKeypath("m/4294967295", keypath)); // 4294967295 == 0xFFFFFFFF (uint32_t max)
+    BOOST_CHECK(!ParseHDKeypath("m/4294967296", keypath)); // 4294967296 > uint32_t max
 }
 
 BOOST_AUTO_TEST_SUITE_END()

From 57a1f309c3d423f8385c36035bea63bf55a1ef94 Mon Sep 17 00:00:00 2001
From: Sjors Provoost <sjors@sprovoost.nl>
Date: Wed, 14 Jan 2026 16:04:48 +0100
Subject: [PATCH 03/21] crypto: add NonceFromBytes/NonceToBytes helpers

Add helper methods to AEADChaCha20Poly1305 for converting between
the internal Nonce96 type ({uint32_t, uint64_t}) and a 12-byte
array representation (big-endian).

RFC8439 defines the nonce as 96 opaque bits, but our implementation
splits it. These helpers make it convenient to work with byte-based
nonce representations.
---
 src/crypto/chacha20poly1305.h | 37 +++++++++++++++++++++++++++++++++++
 src/test/crypto_tests.cpp     | 29 +++++++++++++++++++++++++++
 2 files changed, 66 insertions(+)

diff --git a/src/crypto/chacha20poly1305.h b/src/crypto/chacha20poly1305.h
index 9a863dda97b4..7b21aca54ed9 100644
--- a/src/crypto/chacha20poly1305.h
+++ b/src/crypto/chacha20poly1305.h
@@ -34,6 +34,43 @@ class AEADChaCha20Poly1305
     /** 96-bit nonce type. */
     using Nonce96 = ChaCha20::Nonce96;
 
+    /** Size of the nonce in bytes. */
+    static constexpr unsigned NONCE_SIZE = 12;
+
+    /** Convert a 12-byte array to a Nonce96.
+     *
+     * RFC8439 defines the nonce as 96 opaque bits. This helper converts
+     * a byte array (big-endian) to the internal {uint32_t, uint64_t} representation.
+     */
+    static Nonce96 NonceFromBytes(std::span<const std::byte, NONCE_SIZE> nonce_bytes) noexcept
+    {
+        return {
+            (uint32_t(uint8_t(nonce_bytes[0])) << 24) | (uint32_t(uint8_t(nonce_bytes[1])) << 16) |
+            (uint32_t(uint8_t(nonce_bytes[2])) << 8) | uint32_t(uint8_t(nonce_bytes[3])),
+            (uint64_t(uint8_t(nonce_bytes[4])) << 56) | (uint64_t(uint8_t(nonce_bytes[5])) << 48) |
+            (uint64_t(uint8_t(nonce_bytes[6])) << 40) | (uint64_t(uint8_t(nonce_bytes[7])) << 32) |
+            (uint64_t(uint8_t(nonce_bytes[8])) << 24) | (uint64_t(uint8_t(nonce_bytes[9])) << 16) |
+            (uint64_t(uint8_t(nonce_bytes[10])) << 8) | uint64_t(uint8_t(nonce_bytes[11]))
+        };
+    }
+
+    /** Convert a Nonce96 back to a 12-byte array (big-endian). */
+    static void NonceToBytes(Nonce96 nonce, std::span<std::byte, NONCE_SIZE> nonce_bytes) noexcept
+    {
+        nonce_bytes[0] = std::byte((nonce.first >> 24) & 0xFF);
+        nonce_bytes[1] = std::byte((nonce.first >> 16) & 0xFF);
+        nonce_bytes[2] = std::byte((nonce.first >> 8) & 0xFF);
+        nonce_bytes[3] = std::byte(nonce.first & 0xFF);
+        nonce_bytes[4] = std::byte((nonce.second >> 56) & 0xFF);
+        nonce_bytes[5] = std::byte((nonce.second >> 48) & 0xFF);
+        nonce_bytes[6] = std::byte((nonce.second >> 40) & 0xFF);
+        nonce_bytes[7] = std::byte((nonce.second >> 32) & 0xFF);
+        nonce_bytes[8] = std::byte((nonce.second >> 24) & 0xFF);
+        nonce_bytes[9] = std::byte((nonce.second >> 16) & 0xFF);
+        nonce_bytes[10] = std::byte((nonce.second >> 8) & 0xFF);
+        nonce_bytes[11] = std::byte(nonce.second & 0xFF);
+    }
+
     /** Encrypt a message with a specified 96-bit nonce and aad.
      *
      * Requires cipher.size() = plain.size() + EXPANSION.
diff --git a/src/test/crypto_tests.cpp b/src/test/crypto_tests.cpp
index b348793bfb63..d128eafd978e 100644
--- a/src/test/crypto_tests.cpp
+++ b/src/test/crypto_tests.cpp
@@ -23,6 +23,7 @@
 #include <util/strencodings.h>
 
 #include <algorithm>
+#include <ranges>
 #include <vector>
 
 #include <boost/test/unit_test.hpp>
@@ -1051,6 +1052,34 @@ BOOST_AUTO_TEST_CASE(chacha20poly1305_testvectors)
                            "14b94829deb27f0b1923a2af704ae5d6");
 }
 
+BOOST_AUTO_TEST_CASE(chacha20poly1305_nonce_conversion)
+{
+    // Test NonceFromBytes/NonceToBytes roundtrip
+    auto key = ParseHex<std::byte>("808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f");
+    auto nonce_bytes = ParseHex<std::byte>("000000000001020304050607");
+
+    // Convert bytes to Nonce96
+    auto nonce = AEADChaCha20Poly1305::NonceFromBytes(std::span<const std::byte, 12>{nonce_bytes.data(), 12});
+    // Expected: first 4 bytes = 0x00000000, next 8 bytes = 0x0001020304050607
+    BOOST_CHECK_EQUAL(nonce.first, 0x00000000U);
+    BOOST_CHECK_EQUAL(nonce.second, 0x0001020304050607ULL);
+
+    // Convert back to bytes and check roundtrip
+    std::array<std::byte, 12> roundtrip_bytes;
+    AEADChaCha20Poly1305::NonceToBytes(nonce, roundtrip_bytes);
+    BOOST_CHECK(std::ranges::equal(nonce_bytes, roundtrip_bytes));
+
+    // Test with different values to ensure byte ordering is correct
+    auto nonce_bytes2 = ParseHex<std::byte>("aabbccdd11223344556677ff");
+    auto nonce2 = AEADChaCha20Poly1305::NonceFromBytes(std::span<const std::byte, 12>{nonce_bytes2.data(), 12});
+    BOOST_CHECK_EQUAL(nonce2.first, 0xaabbccddU);
+    BOOST_CHECK_EQUAL(nonce2.second, 0x11223344556677ffULL);
+
+    std::array<std::byte, 12> roundtrip_bytes2;
+    AEADChaCha20Poly1305::NonceToBytes(nonce2, roundtrip_bytes2);
+    BOOST_CHECK(std::ranges::equal(nonce_bytes2, roundtrip_bytes2));
+}
+
 BOOST_AUTO_TEST_CASE(hkdf_hmac_sha256_l32_tests)
 {
     // Use rfc5869 test vectors but truncated to 32 bytes (our implementation only support length 32)

From 349877e36f3ce2c9c2e680091e7febdfed7df8f8 Mon Sep 17 00:00:00 2001
From: pythcoiner <pythcoiner@proton.me>
Date: Thu, 15 Jan 2026 09:13:33 +0100
Subject: [PATCH 04/21] util: ParseHDKeypath allow h as hardened indicator

BIP-380 specifies that descriptors can use either ' or h as
the hardened indicator. ParseHDKeypath only supported the former.

This prepares for using ParseHDKeypath with paths extracted
from descriptors which typically use 'h' for shell-escaping convenience.

Co-authored-by: Sjors Provoost <sjors@sprovoost.nl>
---
 src/wallet/test/psbt_wallet_tests.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/wallet/test/psbt_wallet_tests.cpp b/src/wallet/test/psbt_wallet_tests.cpp
index 5ea7ec08bcc2..9d13bb20fed7 100644
--- a/src/wallet/test/psbt_wallet_tests.cpp
+++ b/src/wallet/test/psbt_wallet_tests.cpp
@@ -143,6 +143,9 @@ BOOST_AUTO_TEST_CASE(parse_hd_keypath)
     BOOST_CHECK(!ParseHDKeypath("m/'0/0'", keypath));
     BOOST_CHECK(!ParseHDKeypath("m/h0/0'", keypath));
 
+    BOOST_CHECK(ParseHDKeypath("m/0h/0h", keypath));
+    BOOST_CHECK(!ParseHDKeypath("m/h0/0h", keypath));
+
     BOOST_CHECK(ParseHDKeypath("m/0/0", keypath));
     BOOST_CHECK(!ParseHDKeypath("n/0/0", keypath));
 

From 4eb416f28f92fcb6cff6786f6f8fb7ec14f16fb6 Mon Sep 17 00:00:00 2001
From: pythcoiner <pythcoiner@proton.me>
Date: Wed, 14 Jan 2026 15:09:32 +0100
Subject: [PATCH 05/21] wallet: add WalletDescriptorInfo helper for descriptor
 serialization

Introduces WalletDescriptorInfo struct and DescriptorInfoToUniValue() helper
to avoid code duplication when serializing descriptor metadata to UniValue.

Refactors listdescriptors RPC to use the new helper.

Co-authored-by: Sjors Provoost <sjors@sprovoost.nl>
---
 src/wallet/rpc/backup.cpp | 30 +++---------------------------
 src/wallet/rpc/util.cpp   | 21 +++++++++++++++++++++
 src/wallet/rpc/util.h     | 21 +++++++++++++++++++++
 3 files changed, 45 insertions(+), 27 deletions(-)

diff --git a/src/wallet/rpc/backup.cpp b/src/wallet/rpc/backup.cpp
index 4b87ba232385..a65bde083ab0 100644
--- a/src/wallet/rpc/backup.cpp
+++ b/src/wallet/rpc/backup.cpp
@@ -509,16 +509,7 @@ RPCMethod listdescriptors()
 
     const auto active_spk_mans = wallet->GetActiveScriptPubKeyMans();
 
-    struct WalletDescInfo {
-        std::string descriptor;
-        uint64_t creation_time;
-        bool active;
-        std::optional<bool> internal;
-        std::optional<std::pair<int64_t,int64_t>> range;
-        int64_t next_index;
-    };
-
-    std::vector<WalletDescInfo> wallet_descriptors;
+    std::vector<WalletDescriptorInfo> wallet_descriptors;
     for (const auto& spk_man : wallet->GetAllScriptPubKeyMans()) {
         const auto desc_spk_man = dynamic_cast<DescriptorScriptPubKeyMan*>(spk_man);
         if (!desc_spk_man) {
@@ -544,23 +535,8 @@ RPCMethod listdescriptors()
     });
 
     UniValue descriptors(UniValue::VARR);
-    for (const WalletDescInfo& info : wallet_descriptors) {
-        UniValue spk(UniValue::VOBJ);
-        spk.pushKV("desc", info.descriptor);
-        spk.pushKV("timestamp", info.creation_time);
-        spk.pushKV("active", info.active);
-        if (info.internal.has_value()) {
-            spk.pushKV("internal", info.internal.value());
-        }
-        if (info.range.has_value()) {
-            UniValue range(UniValue::VARR);
-            range.push_back(info.range->first);
-            range.push_back(info.range->second - 1);
-            spk.pushKV("range", std::move(range));
-            spk.pushKV("next", info.next_index);
-            spk.pushKV("next_index", info.next_index);
-        }
-        descriptors.push_back(std::move(spk));
+    for (const WalletDescriptorInfo& info : wallet_descriptors) {
+        descriptors.push_back(DescriptorInfoToUniValue(info));
     }
 
     UniValue response(UniValue::VOBJ);
diff --git a/src/wallet/rpc/util.cpp b/src/wallet/rpc/util.cpp
index 77a8745ced7e..07bbe9318805 100644
--- a/src/wallet/rpc/util.cpp
+++ b/src/wallet/rpc/util.cpp
@@ -162,4 +162,25 @@ void AppendLastProcessedBlock(UniValue& entry, const CWallet& wallet)
     entry.pushKV("lastprocessedblock", std::move(lastprocessedblock));
 }
 
+UniValue DescriptorInfoToUniValue(const WalletDescriptorInfo& info)
+{
+    UniValue obj(UniValue::VOBJ);
+    obj.pushKV("desc", info.descriptor);
+    obj.pushKV("timestamp", info.creation_time);
+    obj.pushKV("active", info.active);
+    if (info.internal.has_value()) {
+        obj.pushKV("internal", info.internal.value());
+    }
+    if (info.range.has_value()) {
+        UniValue range(UniValue::VARR);
+        range.push_back(info.range->first);
+        // range_end is exclusive internally, display as inclusive (hence -1)
+        range.push_back(info.range->second - 1);
+        obj.pushKV("range", std::move(range));
+        obj.pushKV("next", info.next_index);
+        obj.pushKV("next_index", info.next_index);
+    }
+    return obj;
+}
+
 } // namespace wallet
diff --git a/src/wallet/rpc/util.h b/src/wallet/rpc/util.h
index 88fdc6639f41..6a111b6a32aa 100644
--- a/src/wallet/rpc/util.h
+++ b/src/wallet/rpc/util.h
@@ -56,6 +56,27 @@ void PushParentDescriptors(const CWallet& wallet, const CScript& script_pubkey,
 
 void HandleWalletError(const std::shared_ptr<CWallet>& wallet, DatabaseStatus& status, bilingual_str& error);
 void AppendLastProcessedBlock(UniValue& entry, const CWallet& wallet) EXCLUSIVE_LOCKS_REQUIRED(wallet.cs_wallet);
+
+/**
+ * Information about a wallet descriptor, used for serialization to JSON.
+ * This struct captures all the metadata needed for listdescriptors output
+ * and importdescriptors input.
+ */
+struct WalletDescriptorInfo {
+    std::string descriptor;
+    uint64_t creation_time;
+    bool active;
+    std::optional<bool> internal;
+    std::optional<std::pair<int64_t, int64_t>> range;
+    int64_t next_index;
+};
+
+/**
+ * Convert a WalletDescriptorInfo to a UniValue object.
+ * The output format is compatible with both listdescriptors output and
+ * importdescriptors input.
+ */
+UniValue DescriptorInfoToUniValue(const WalletDescriptorInfo& info);
 } //  namespace wallet
 
 #endif // BITCOIN_WALLET_RPC_UTIL_H

From 5741144f2e0be5cdaa973ad1e233e03febbedb0d Mon Sep 17 00:00:00 2001
From: pythcoiner <pythcoiner@proton.me>
Date: Wed, 14 Jan 2026 16:24:06 +0100
Subject: [PATCH 06/21] wallet: BIP-xxxx key normalization primitives

Add functions for normalizing public keys to x-only format as specified
in BIP-xxxx (Bitcoin Encrypted Backup). These primitives form the foundation
for the encryption scheme.

Functions added:
- NormalizeToXOnly(): Convert CPubKey or CExtPubKey to 32-byte x-only format
- IsNUMSPoint(): Check if a key is the BIP341 unspendable NUMS point
- ExtractKeysFromDescriptor(): Extract and normalize all keys from a descriptor

Includes test vectors from the BIP specification.

Co-authored-by: Sjors Provoost <sjors@sprovoost.nl>
---
 src/test/CMakeLists.txt                       |   1 +
 .../data/bip_encrypted_backup_keys_types.json |  27 +++++
 src/wallet/CMakeLists.txt                     |   1 +
 src/wallet/encryptedbackup.cpp                |  92 ++++++++++++++
 src/wallet/encryptedbackup.h                  |  73 +++++++++++
 src/wallet/test/CMakeLists.txt                |   1 +
 src/wallet/test/encrypted_backup_tests.cpp    | 113 ++++++++++++++++++
 7 files changed, 308 insertions(+)
 create mode 100644 src/test/data/bip_encrypted_backup_keys_types.json
 create mode 100644 src/wallet/encryptedbackup.cpp
 create mode 100644 src/wallet/encryptedbackup.h
 create mode 100644 src/wallet/test/encrypted_backup_tests.cpp

diff --git a/src/test/CMakeLists.txt b/src/test/CMakeLists.txt
index 1365d6c147a6..505d10a02947 100644
--- a/src/test/CMakeLists.txt
+++ b/src/test/CMakeLists.txt
@@ -144,6 +144,7 @@ include(TargetDataSources)
 target_json_data_sources(test_bitcoin
   data/base58_encode_decode.json
   data/bip341_wallet_vectors.json
+  data/bip_encrypted_backup_keys_types.json
   data/blockfilters.json
   data/key_io_invalid.json
   data/key_io_valid.json
diff --git a/src/test/data/bip_encrypted_backup_keys_types.json b/src/test/data/bip_encrypted_backup_keys_types.json
new file mode 100644
index 000000000000..ce91762d9865
--- /dev/null
+++ b/src/test/data/bip_encrypted_backup_keys_types.json
@@ -0,0 +1,27 @@
+[
+  {
+    "description": "Xpub with origin and multipath",
+    "key": "[58b7f8dc/48'/1'/0'/2']tpubDEPBvXvhta3pjVaKokqC3eeMQnszj9ehFaA2zD5nSdkaccwGAizu8jVB2NeSpvmP2P52MBoZvNCixqXRJnTyXx51FQzARR63tjxQSyP3Btw/<0;1>/*",
+    "expected": "ebd252ca0877aae09b9d058219682775aa3cbcd049c12f07832f2cf6a3b51708"
+  },
+  {
+    "description": "Xpub with origin and w/o multipath",
+    "key": "[d4ab66f1/48'/1'/1'/2']tpubDFTxBKyUCgkwp5enwZh3t2FJ5AMJqmCWoh1NRT13qNYQb1iKTUrAG6u5gpsDYhG8cZGXouYWuQtzcuSVjPStTc4dwU6JqPMFtgaLGvSQXhi",
+    "expected": "8e886919a6b72579a28bd292505d2afd41c1b5012414c5e24d7b59f4abdfc0ce"
+  },
+  {
+    "description": "Compressed public key",
+    "key": "02ebd252ca0877aae09b9d058219682775aa3cbcd049c12f07832f2cf6a3b51708",
+    "expected": "ebd252ca0877aae09b9d058219682775aa3cbcd049c12f07832f2cf6a3b51708"
+  },
+  {
+    "description": "X only public key",
+    "key": "ebd252ca0877aae09b9d058219682775aa3cbcd049c12f07832f2cf6a3b51708",
+    "expected": "ebd252ca0877aae09b9d058219682775aa3cbcd049c12f07832f2cf6a3b51708"
+  },
+  {
+    "description": "Uncompressed public key",
+    "key": "04ebd252ca0877aae09b9d058219682775aa3cbcd049c12f07832f2cf6a3b517089e956909c4c07e8529f45f3ff8904d28df5a181619e21bdf748a896322530039",
+    "expected": "ebd252ca0877aae09b9d058219682775aa3cbcd049c12f07832f2cf6a3b51708"
+  }
+]
\ No newline at end of file
diff --git a/src/wallet/CMakeLists.txt b/src/wallet/CMakeLists.txt
index 36fd3ef95aec..9b0ed984ece4 100644
--- a/src/wallet/CMakeLists.txt
+++ b/src/wallet/CMakeLists.txt
@@ -10,6 +10,7 @@ add_library(bitcoin_wallet STATIC EXCLUDE_FROM_ALL
   crypter.cpp
   db.cpp
   dump.cpp
+  encryptedbackup.cpp
   external_signer_scriptpubkeyman.cpp
   feebumper.cpp
   fees.cpp
diff --git a/src/wallet/encryptedbackup.cpp b/src/wallet/encryptedbackup.cpp
new file mode 100644
index 000000000000..a3801b0a7c92
--- /dev/null
+++ b/src/wallet/encryptedbackup.cpp
@@ -0,0 +1,92 @@
+// Copyright (c) 2025-present The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <wallet/encryptedbackup.h>
+
+#include <cstring>
+
+#include <key_io.h>
+#include <script/descriptor.h>
+
+namespace wallet {
+
+uint256 NormalizeToXOnly(const CPubKey& pubkey)
+{
+    // CPubKey is either compressed (33 bytes) or uncompressed (65 bytes)
+    // In both cases, bytes 1-32 are the x-coordinate
+    uint256 result;
+    if (pubkey.size() >= 33) {
+        std::memcpy(result.data(), pubkey.data() + 1, 32);
+    }
+    return result;
+}
+
+uint256 NormalizeToXOnly(const CExtPubKey& xpub)
+{
+    return NormalizeToXOnly(xpub.pubkey);
+}
+
+bool IsNUMSPoint(const uint256& key)
+{
+    // BIP341 NUMS point: 50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0
+    // Compare against XOnlyPubKey::NUMS_H
+    XOnlyPubKey xonly{std::span<const unsigned char>{key.data(), 32}};
+    return xonly == XOnlyPubKey::NUMS_H;
+}
+
+util::Result<std::pair<std::vector<uint256>, std::vector<DerivationPath>>> ExtractKeysFromDescriptor(const std::string& descriptor)
+{
+    FlatSigningProvider provider;
+    std::string error;
+    auto parsed = Parse(descriptor, provider, error, /*require_checksum=*/false);
+    if (parsed.empty()) {
+        return util::Error{Untranslated(strprintf("Failed to parse descriptor: %s", error))};
+    }
+
+    std::set<CPubKey> pubkeys;
+    std::set<CExtPubKey> xpubs;
+    for (const auto& desc : parsed) {
+        desc->GetPubKeys(pubkeys, xpubs);
+    }
+
+    // Normalize all keys to x-only format
+    std::set<uint256> normalized_keys;
+    for (const auto& pubkey : pubkeys) {
+        uint256 xonly = NormalizeToXOnly(pubkey);
+        // Skip NUMS point
+        if (!IsNUMSPoint(xonly)) {
+            normalized_keys.insert(xonly);
+        }
+    }
+    for (const auto& xpub : xpubs) {
+        uint256 xonly = NormalizeToXOnly(xpub);
+        // Skip NUMS point
+        if (!IsNUMSPoint(xonly)) {
+            normalized_keys.insert(xonly);
+        }
+    }
+
+    if (normalized_keys.empty()) {
+        return util::Error{Untranslated("No valid public keys found in descriptor")};
+    }
+
+    // Expand the descriptor to populate key origins with derivation paths
+    std::set<DerivationPath> unique_paths;
+    for (const auto& desc : parsed) {
+        FlatSigningProvider expanded;
+        std::vector<CScript> scripts;
+        desc->Expand(0, provider, scripts, expanded);
+        for (const auto& [_, origin] : expanded.origins) {
+            if (!origin.second.path.empty()) {
+                unique_paths.insert(origin.second.path);
+            }
+        }
+    }
+
+    return std::make_pair(
+        std::vector<uint256>(normalized_keys.begin(), normalized_keys.end()),
+        std::vector<DerivationPath>(unique_paths.begin(), unique_paths.end()));
+}
+
+} // namespace wallet
diff --git a/src/wallet/encryptedbackup.h b/src/wallet/encryptedbackup.h
new file mode 100644
index 000000000000..a5ca77386f3c
--- /dev/null
+++ b/src/wallet/encryptedbackup.h
@@ -0,0 +1,73 @@
+// Copyright (c) 2025-present The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#ifndef BITCOIN_WALLET_ENCRYPTEDBACKUP_H
+#define BITCOIN_WALLET_ENCRYPTEDBACKUP_H
+
+#include <cstdint>
+#include <string>
+#include <vector>
+
+#include <pubkey.h>
+#include <uint256.h>
+#include <util/result.h>
+
+namespace wallet {
+
+/**
+ * Implements the encrypted backup scheme from BIP-XXXX (draft).
+ *
+ * This provides encryption for wallet descriptors, labels, and other metadata
+ * that can be safely stored in untrusted locations. The encryption key is derived
+ * from the public keys in the descriptor, allowing any keyholder to decrypt
+ * without additional secrets.
+ *
+ * IMPORTANT: This format intentionally does NOT backup private key material.
+ * Restoring from an encrypted backup creates a watch-only wallet.
+ */
+
+/**
+ * Normalize a public key to 32-byte x-only format.
+ *
+ * Handles:
+ * - Extended public keys (xpubs): extracts the pubkey and returns x-coordinate
+ * - Compressed public keys (33 bytes): strips the prefix byte
+ * - X-only public keys (32 bytes): returns as-is
+ * - Uncompressed public keys (65 bytes): extracts the x-coordinate
+ *
+ * @param[in] pubkey The public key to normalize
+ * @return The 32-byte x-only representation
+ */
+uint256 NormalizeToXOnly(const CPubKey& pubkey);
+
+/**
+ * Normalize an extended public key to 32-byte x-only format.
+ *
+ * @param[in] xpub The extended public key to normalize
+ * @return The 32-byte x-only representation of the root pubkey
+ */
+uint256 NormalizeToXOnly(const CExtPubKey& xpub);
+
+/**
+ * Check if an x-only key is the BIP341 NUMS point (unspendable).
+ *
+ * @param[in] key The x-only key to check
+ * @return true if this is the NUMS point
+ */
+bool IsNUMSPoint(const uint256& key);
+
+/**
+ * Extract and normalize all public keys and derivation paths from a descriptor string.
+ *
+ * Keys are sorted lexicographically and deduplicated. The NUMS point is excluded.
+ * Derivation paths are extracted from key origins, deduplicated and sorted.
+ *
+ * @param[in] descriptor The descriptor string
+ * @return Pair of (normalized x-only public keys, derivation paths), or error message
+ */
+util::Result<std::pair<std::vector<uint256>, std::vector<DerivationPath>>> ExtractKeysFromDescriptor(const std::string& descriptor);
+
+} // namespace wallet
+
+#endif // BITCOIN_WALLET_ENCRYPTEDBACKUP_H
diff --git a/src/wallet/test/CMakeLists.txt b/src/wallet/test/CMakeLists.txt
index 524c7218f4e6..1163fc21dc4d 100644
--- a/src/wallet/test/CMakeLists.txt
+++ b/src/wallet/test/CMakeLists.txt
@@ -11,6 +11,7 @@ target_sources(test_bitcoin
     db_tests.cpp
     coinselector_tests.cpp
     coinselection_tests.cpp
+    encrypted_backup_tests.cpp
     feebumper_tests.cpp
     group_outputs_tests.cpp
     init_tests.cpp
diff --git a/src/wallet/test/encrypted_backup_tests.cpp b/src/wallet/test/encrypted_backup_tests.cpp
new file mode 100644
index 000000000000..42480d305c46
--- /dev/null
+++ b/src/wallet/test/encrypted_backup_tests.cpp
@@ -0,0 +1,113 @@
+// Copyright (c) 2025-present The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <wallet/encryptedbackup.h>
+
+#include <test/data/bip_encrypted_backup_keys_types.json.h>
+
+#include <base58.h>
+#include <key_io.h>
+#include <test/util/json.h>
+#include <test/util/setup_common.h>
+#include <util/strencodings.h>
+
+#include <boost/test/unit_test.hpp>
+#include <univalue.h>
+
+namespace wallet {
+
+// Use RegTest chain type so tpub keys (testnet prefixes) can be parsed
+struct EncryptedBackupTestingSetup : public BasicTestingSetup {
+    EncryptedBackupTestingSetup() : BasicTestingSetup(ChainType::REGTEST) {}
+};
+
+BOOST_FIXTURE_TEST_SUITE(encrypted_backup_tests, EncryptedBackupTestingSetup)
+
+BOOST_AUTO_TEST_CASE(key_normalization_test)
+{
+    // Test key normalization using BIP test vectors
+    UniValue vectors = read_json(json_tests::bip_encrypted_backup_keys_types);
+
+    for (size_t i = 0; i < vectors.size(); ++i) {
+        const UniValue& vec = vectors[i];
+        std::string description = vec["description"].get_str();
+        std::string key_str = vec["key"].get_str();
+        std::string expected_hex = vec["expected"].get_str();
+
+        BOOST_TEST_MESSAGE("Testing: " << description);
+
+        // Parse the expected x-only key
+        auto expected_bytes = ParseHex(expected_hex);
+        BOOST_REQUIRE_EQUAL(expected_bytes.size(), 32u);
+        uint256 expected;
+        std::memcpy(expected.data(), expected_bytes.data(), 32);
+
+        // Determine key type and normalize
+        uint256 result;
+
+        if (key_str.size() == 64) {
+            // X-only public key (32 bytes hex = 64 chars)
+            auto key_bytes = ParseHex(key_str);
+            BOOST_REQUIRE_EQUAL(key_bytes.size(), 32u);
+            std::memcpy(result.data(), key_bytes.data(), 32);
+        } else if (key_str.size() == 66 && (key_str[0] == '0' && (key_str[1] == '2' || key_str[1] == '3'))) {
+            // Compressed public key
+            auto key_bytes = ParseHex(key_str);
+            BOOST_REQUIRE_EQUAL(key_bytes.size(), 33u);
+            CPubKey pubkey(key_bytes.begin(), key_bytes.end());
+            result = NormalizeToXOnly(pubkey);
+        } else if (key_str.size() == 130 && key_str.starts_with("04")) {
+            // Uncompressed public key
+            auto key_bytes = ParseHex(key_str);
+            BOOST_REQUIRE_EQUAL(key_bytes.size(), 65u);
+            CPubKey pubkey(key_bytes.begin(), key_bytes.end());
+            result = NormalizeToXOnly(pubkey);
+        } else if (key_str.find("pub") != std::string::npos || key_str[0] == '[') {
+            // Extended public key (xpub/tpub) potentially with origin info
+            // For these test vectors, we're testing key extraction, not descriptor parsing.
+            // We strip the derivation path suffix and extract just the xpub/tpub key.
+            std::string xpub_only = key_str;
+
+            // Remove origin prefix if present: [fingerprint/path]
+            if (xpub_only[0] == '[') {
+                size_t close = xpub_only.find(']');
+                if (close != std::string::npos) {
+                    xpub_only = xpub_only.substr(close + 1);
+                }
+            }
+
+            // Remove derivation suffix if present: /<0;1>/* or /0/* etc
+            size_t slash = xpub_only.find('/');
+            if (slash != std::string::npos) {
+                xpub_only = xpub_only.substr(0, slash);
+            }
+
+            // Parse the extended public key (uses RegTest chain so tpub prefix works)
+            CExtPubKey ext_pubkey = DecodeExtPubKey(xpub_only);
+            if (ext_pubkey.pubkey.IsValid()) {
+                result = NormalizeToXOnly(ext_pubkey.pubkey);
+            } else {
+                // Fallback to raw base58 decoding for xpub (mainnet) keys
+                std::vector<unsigned char> decoded_data;
+                if (!DecodeBase58Check(xpub_only, decoded_data, 78)) {
+                    BOOST_FAIL("Failed to decode xpub base58: " + xpub_only);
+                }
+                BOOST_REQUIRE_EQUAL(decoded_data.size(), 78u);
+                CPubKey pubkey;
+                pubkey.Set(decoded_data.begin() + 45, decoded_data.end());
+                BOOST_REQUIRE_MESSAGE(pubkey.IsValid(), "Invalid pubkey in xpub");
+                result = NormalizeToXOnly(pubkey);
+            }
+        } else {
+            BOOST_FAIL("Unrecognized key format: " + key_str);
+        }
+
+        BOOST_CHECK_MESSAGE(result == expected,
+            description << ": expected " << expected_hex << " got " << HexStr(result));
+    }
+}
+
+BOOST_AUTO_TEST_SUITE_END()
+
+} // namespace wallet

From def48523da380b6993a45710cf74be4cc129a1e6 Mon Sep 17 00:00:00 2001
From: pythcoiner <pythcoiner@proton.me>
Date: Wed, 14 Jan 2026 16:26:03 +0100
Subject: [PATCH 07/21] wallet: BIP-xxxx secret computation

Add functions to compute the decryption secret and individual secrets
as specified in BIP-xxxx. The decryption secret is derived from sorted
public keys, and individual secrets allow any keyholder to decrypt.

Functions added:
- ComputeDecryptionSecret(): Hash sorted keys to derive decryption secret
- ComputeIndividualSecret(): Hash a single key to derive its individual secret
- ComputeAllIndividualSecrets(): Compute XOR'd secrets for all keys

Includes test vectors from the BIP specification.

Co-authored-by: Sjors Provoost <sjors@sprovoost.nl>
---
 src/test/CMakeLists.txt                       |  1 +
 ...ip_encrypted_backup_encryption_secret.json | 89 +++++++++++++++++++
 src/wallet/encryptedbackup.cpp                | 37 ++++++++
 src/wallet/encryptedbackup.h                  | 40 +++++++++
 src/wallet/test/encrypted_backup_tests.cpp    | 75 ++++++++++++++++
 5 files changed, 242 insertions(+)
 create mode 100644 src/test/data/bip_encrypted_backup_encryption_secret.json

diff --git a/src/test/CMakeLists.txt b/src/test/CMakeLists.txt
index 505d10a02947..1b693050b84e 100644
--- a/src/test/CMakeLists.txt
+++ b/src/test/CMakeLists.txt
@@ -144,6 +144,7 @@ include(TargetDataSources)
 target_json_data_sources(test_bitcoin
   data/base58_encode_decode.json
   data/bip341_wallet_vectors.json
+  data/bip_encrypted_backup_encryption_secret.json
   data/bip_encrypted_backup_keys_types.json
   data/blockfilters.json
   data/key_io_invalid.json
diff --git a/src/test/data/bip_encrypted_backup_encryption_secret.json b/src/test/data/bip_encrypted_backup_encryption_secret.json
new file mode 100644
index 000000000000..a04b37af9355
--- /dev/null
+++ b/src/test/data/bip_encrypted_backup_encryption_secret.json
@@ -0,0 +1,89 @@
+[
+  {
+    "description": "Single public key",
+    "keys": [
+      "02e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443"
+    ],
+    "decryption_secret": "a37acb446622cf11ffe44e1f17892d7b330b721b992513f680a52b128fb181b1",
+    "individual_secrets": [
+      "ff34b3411f78127b71ca2e3cc60d0fd71350ee557c37d71f4d81fb913461ae00"
+    ]
+  },
+  {
+    "description": "Two public keys",
+    "keys": [
+      "02e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443",
+      "0384526253c27c7aef56c7b71a5cd25bebb66dddda437826defc5b2568bde81f07"
+    ],
+    "decryption_secret": "154eaceae97b166f15a1d37fbc6d9477b1cf067c60352909a97f32b432412f0c",
+    "individual_secrets": [
+      "5e3eb8a36f7bf32e02810c14666476f2b28a15cd499c30f8f98e926639a0765c",
+      "4900d4ef9021cb059b8fb35c6de9b6db91949a328527ede0645be237899100bd"
+    ]
+  },
+  {
+    "description": "Three public keys",
+    "keys": [
+      "02e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443",
+      "0384526253c27c7aef56c7b71a5cd25bebb66dddda437826defc5b2568bde81f07",
+      "03c6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5"
+    ],
+    "decryption_secret": "6f54d3b9bc4bfb8464d6985318aff845aa0d14e1df0f580edd204888c4bad958",
+    "individual_secrets": [
+      "2424c7f03a4b1ec573f64738c2a61ac0a9480750f6a641ff8dd1e85acf5b8008",
+      "6e5f3aab8b6dfe2f8c09da023a29f797d8333736fb7b7c64958d0ff4109ba93a",
+      "331aabbcc51126eeeaf8f870c92bdae98a5688af3a1d9ce71004980b7f6af6e9"
+    ]
+  },
+  {
+    "description": "Three public keys bis (different sorting)",
+    "keys": [
+      "03c6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5",
+      "02e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443",
+      "0384526253c27c7aef56c7b71a5cd25bebb66dddda437826defc5b2568bde81f07"
+    ],
+    "decryption_secret": "6f54d3b9bc4bfb8464d6985318aff845aa0d14e1df0f580edd204888c4bad958",
+    "individual_secrets": [
+      "2424c7f03a4b1ec573f64738c2a61ac0a9480750f6a641ff8dd1e85acf5b8008",
+      "6e5f3aab8b6dfe2f8c09da023a29f797d8333736fb7b7c64958d0ff4109ba93a",
+      "331aabbcc51126eeeaf8f870c92bdae98a5688af3a1d9ce71004980b7f6af6e9"
+    ]
+  },
+  {
+    "description": "Three public keys ter (different sorting)",
+    "keys": [
+      "0384526253c27c7aef56c7b71a5cd25bebb66dddda437826defc5b2568bde81f07",
+      "03c6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5",
+      "02e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443"
+    ],
+    "decryption_secret": "6f54d3b9bc4bfb8464d6985318aff845aa0d14e1df0f580edd204888c4bad958",
+    "individual_secrets": [
+      "2424c7f03a4b1ec573f64738c2a61ac0a9480750f6a641ff8dd1e85acf5b8008",
+      "6e5f3aab8b6dfe2f8c09da023a29f797d8333736fb7b7c64958d0ff4109ba93a",
+      "331aabbcc51126eeeaf8f870c92bdae98a5688af3a1d9ce71004980b7f6af6e9"
+    ]
+  },
+  {
+    "description": "Keys processed in sorted order",
+    "keys": [
+      "0384526253c27c7aef56c7b71a5cd25bebb66dddda437826defc5b2568bde81f07",
+      "02e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443"
+    ],
+    "decryption_secret": "154eaceae97b166f15a1d37fbc6d9477b1cf067c60352909a97f32b432412f0c",
+    "individual_secrets": [
+      "5e3eb8a36f7bf32e02810c14666476f2b28a15cd499c30f8f98e926639a0765c",
+      "4900d4ef9021cb059b8fb35c6de9b6db91949a328527ede0645be237899100bd"
+    ]
+  },
+  {
+    "description": "Duplicate keys should be handled",
+    "keys": [
+      "02e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443",
+      "02e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443"
+    ],
+    "decryption_secret": "a37acb446622cf11ffe44e1f17892d7b330b721b992513f680a52b128fb181b1",
+    "individual_secrets": [
+      "ff34b3411f78127b71ca2e3cc60d0fd71350ee557c37d71f4d81fb913461ae00"
+    ]
+  }
+]
\ No newline at end of file
diff --git a/src/wallet/encryptedbackup.cpp b/src/wallet/encryptedbackup.cpp
index a3801b0a7c92..206c47d2d667 100644
--- a/src/wallet/encryptedbackup.cpp
+++ b/src/wallet/encryptedbackup.cpp
@@ -6,6 +6,7 @@
 
 #include <cstring>
 
+#include <hash.h>
 #include <key_io.h>
 #include <script/descriptor.h>
 
@@ -89,4 +90,40 @@ util::Result<std::pair<std::vector<uint256>, std::vector<DerivationPath>>> Extra
         std::vector<DerivationPath>(unique_paths.begin(), unique_paths.end()));
 }
 
+uint256 ComputeDecryptionSecret(const std::vector<uint256>& keys)
+{
+    // BIP340-style tagged hash: sha256(sha256(tag) || sha256(tag) || p1 || ... || pn)
+    HashWriter hasher{TaggedHash(std::string{BIP_DECRYPTION_SECRET_TAG})};
+    for (const auto& key : keys) {
+        hasher << std::span{key.data(), 32};
+    }
+    return hasher.GetSHA256();
+}
+
+uint256 ComputeIndividualSecret(const uint256& key)
+{
+    // BIP340-style tagged hash: sha256(sha256(tag) || sha256(tag) || pi)
+    HashWriter hasher{TaggedHash(std::string{BIP_INDIVIDUAL_SECRET_TAG})};
+    hasher << std::span{key.data(), 32};
+    return hasher.GetSHA256();
+}
+
+std::vector<uint256> ComputeAllIndividualSecrets(const uint256& decryption_secret,
+                                                  const std::vector<uint256>& keys)
+{
+    std::vector<uint256> result;
+    result.reserve(keys.size());
+
+    for (const auto& key : keys) {
+        uint256 si = ComputeIndividualSecret(key);
+        // ci = s XOR si
+        uint256 ci;
+        for (size_t i = 0; i < 32; ++i) {
+            ci.data()[i] = decryption_secret.data()[i] ^ si.data()[i];
+        }
+        result.push_back(ci);
+    }
+    return result;
+}
+
 } // namespace wallet
diff --git a/src/wallet/encryptedbackup.h b/src/wallet/encryptedbackup.h
index a5ca77386f3c..77020d4e2d6a 100644
--- a/src/wallet/encryptedbackup.h
+++ b/src/wallet/encryptedbackup.h
@@ -27,6 +27,12 @@ namespace wallet {
  * Restoring from an encrypted backup creates a watch-only wallet.
  */
 
+/** Prefix for deriving the decryption secret */
+static constexpr std::string_view BIP_DECRYPTION_SECRET_TAG = "BIPXXX_DECRYPTION_SECRET";
+
+/** Prefix for deriving individual secrets */
+static constexpr std::string_view BIP_INDIVIDUAL_SECRET_TAG = "BIPXXX_INDIVIDUAL_SECRET";
+
 /**
  * Normalize a public key to 32-byte x-only format.
  *
@@ -68,6 +74,40 @@ bool IsNUMSPoint(const uint256& key);
  */
 util::Result<std::pair<std::vector<uint256>, std::vector<DerivationPath>>> ExtractKeysFromDescriptor(const std::string& descriptor);
 
+/**
+ * Compute the decryption secret from a set of public keys.
+ *
+ * s = tagged_hash("BIPXXX_DECRYPTION_SECRET", p1 || p2 || ... || pn)
+ * where tagged_hash is BIP340-style (sha256(sha256(tag) || sha256(tag) || data))
+ * and p1...pn are sorted lexicographically.
+ *
+ * @param[in] keys The normalized x-only public keys (must be sorted)
+ * @return The 32-byte decryption secret
+ */
+uint256 ComputeDecryptionSecret(const std::vector<uint256>& keys);
+
+/**
+ * Compute an individual secret for a specific public key.
+ *
+ * si = tagged_hash("BIPXXX_INDIVIDUAL_SECRET", pi) (BIP340-style)
+ *
+ * @param[in] key The normalized x-only public key
+ * @return The 32-byte individual secret
+ */
+uint256 ComputeIndividualSecret(const uint256& key);
+
+/**
+ * Compute all individual secrets from the decryption secret and keys.
+ *
+ * ci = s XOR si
+ *
+ * @param[in] decryption_secret The decryption secret
+ * @param[in] keys The normalized x-only public keys
+ * @return Vector of individual secrets (ci values)
+ */
+std::vector<uint256> ComputeAllIndividualSecrets(const uint256& decryption_secret,
+                                                  const std::vector<uint256>& keys);
+
 } // namespace wallet
 
 #endif // BITCOIN_WALLET_ENCRYPTEDBACKUP_H
diff --git a/src/wallet/test/encrypted_backup_tests.cpp b/src/wallet/test/encrypted_backup_tests.cpp
index 42480d305c46..dc91462841fc 100644
--- a/src/wallet/test/encrypted_backup_tests.cpp
+++ b/src/wallet/test/encrypted_backup_tests.cpp
@@ -4,10 +4,12 @@
 
 #include <wallet/encryptedbackup.h>
 
+#include <test/data/bip_encrypted_backup_encryption_secret.json.h>
 #include <test/data/bip_encrypted_backup_keys_types.json.h>
 
 #include <base58.h>
 #include <key_io.h>
+#include <random.h>
 #include <test/util/json.h>
 #include <test/util/setup_common.h>
 #include <util/strencodings.h>
@@ -108,6 +110,79 @@ BOOST_AUTO_TEST_CASE(key_normalization_test)
     }
 }
 
+BOOST_AUTO_TEST_CASE(secret_derivation_test)
+{
+    // Test secret derivation using BIP test vectors. Keys in the vectors are
+    // 33-byte compressed pubkeys; normalize to 32-byte x-only before sorting.
+    UniValue vectors = read_json(json_tests::bip_encrypted_backup_encryption_secret);
+
+    for (size_t i = 0; i < vectors.size(); ++i) {
+        const UniValue& vec = vectors[i];
+        std::string description = vec["description"].get_str();
+        const UniValue& keys_arr = vec["keys"];
+
+        BOOST_TEST_MESSAGE("Testing: " << description);
+
+        // Parse and normalize keys (compressed -> x-only).
+        std::vector<uint256> keys;
+        for (size_t j = 0; j < keys_arr.size(); ++j) {
+            auto key_bytes = ParseHex(keys_arr[j].get_str());
+            uint256 key;
+            if (key_bytes.size() == 33) {
+                std::memcpy(key.data(), key_bytes.data() + 1, 32);
+            } else if (key_bytes.size() == 32) {
+                std::memcpy(key.data(), key_bytes.data(), 32);
+            } else {
+                BOOST_FAIL("Unexpected key size in vector");
+            }
+            keys.push_back(key);
+        }
+
+        // Sort + dedupe (per spec: sorted lexicographically).
+        std::sort(keys.begin(), keys.end());
+        keys.erase(std::unique(keys.begin(), keys.end()), keys.end());
+
+        uint256 decryption_secret = ComputeDecryptionSecret(keys);
+        auto individual_secrets = ComputeAllIndividualSecrets(decryption_secret, keys);
+
+        // Compare decryption_secret to expected.
+        auto expected_bytes = ParseHex(vec["decryption_secret"].get_str());
+        BOOST_REQUIRE_EQUAL(expected_bytes.size(), 32u);
+        uint256 expected;
+        std::memcpy(expected.data(), expected_bytes.data(), 32);
+        BOOST_CHECK_MESSAGE(decryption_secret == expected,
+            description << ": decryption_secret mismatch, got " << HexStr(decryption_secret));
+
+        // Compare individual_secrets to expected (order matches sorted keys).
+        const UniValue& expected_ind = vec["individual_secrets"];
+        BOOST_REQUIRE_EQUAL(expected_ind.size(), individual_secrets.size());
+        for (size_t j = 0; j < individual_secrets.size(); ++j) {
+            auto exp_bytes = ParseHex(expected_ind[j].get_str());
+            BOOST_REQUIRE_EQUAL(exp_bytes.size(), 32u);
+            uint256 exp_ci;
+            std::memcpy(exp_ci.data(), exp_bytes.data(), 32);
+            BOOST_CHECK_MESSAGE(individual_secrets[j] == exp_ci,
+                description << ": individual_secrets[" << j << "] mismatch, got "
+                << HexStr(individual_secrets[j]));
+        }
+    }
+}
+
+BOOST_AUTO_TEST_CASE(nums_point_test)
+{
+    // Verify NUMS point detection
+    auto nums_bytes = ParseHex("50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0");
+    uint256 nums_key;
+    std::memcpy(nums_key.data(), nums_bytes.data(), 32);
+
+    BOOST_CHECK(IsNUMSPoint(nums_key));
+
+    // Random key should not be NUMS
+    uint256 random_key;
+    GetStrongRandBytes(random_key);
+    BOOST_CHECK(!IsNUMSPoint(random_key));
+}
+
 BOOST_AUTO_TEST_SUITE_END()
 
 } // namespace wallet

From b1b417e43a2887e194358a3927c12c86268a2847 Mon Sep 17 00:00:00 2001
From: pythcoiner <pythcoiner@proton.me>
Date: Wed, 14 Jan 2026 16:30:00 +0100
Subject: [PATCH 08/21] wallet: BIP-xxxx derivation path encoding

Add functions for encoding/decoding derivation paths as specified in BIP-xxxx:
- ParseDerivationPath: parse m/44'/0'/0' style strings
- EncodeDerivationPaths: encode to binary format (count + path lengths + BE child indices)
- DecodeDerivationPaths: decode from binary format

Includes test vectors from the BIP specification.

Co-authored-by: Sjors Provoost <sjors@sprovoost.nl>
---
 src/test/CMakeLists.txt                       |   1 +
 .../bip_encrypted_backup_derivation_path.json | 146 ++++++++++++++++++
 src/wallet/encryptedbackup.cpp                |  82 ++++++++++
 src/wallet/encryptedbackup.h                  |  31 ++++
 src/wallet/test/encrypted_backup_tests.cpp    | 124 +++++++++++++++
 5 files changed, 384 insertions(+)
 create mode 100644 src/test/data/bip_encrypted_backup_derivation_path.json

diff --git a/src/test/CMakeLists.txt b/src/test/CMakeLists.txt
index 1b693050b84e..12b57ac554dd 100644
--- a/src/test/CMakeLists.txt
+++ b/src/test/CMakeLists.txt
@@ -144,6 +144,7 @@ include(TargetDataSources)
 target_json_data_sources(test_bitcoin
   data/base58_encode_decode.json
   data/bip341_wallet_vectors.json
+  data/bip_encrypted_backup_derivation_path.json
   data/bip_encrypted_backup_encryption_secret.json
   data/bip_encrypted_backup_keys_types.json
   data/blockfilters.json
diff --git a/src/test/data/bip_encrypted_backup_derivation_path.json b/src/test/data/bip_encrypted_backup_derivation_path.json
new file mode 100644
index 000000000000..05402f1d7981
--- /dev/null
+++ b/src/test/data/bip_encrypted_backup_derivation_path.json
@@ -0,0 +1,146 @@
+[
+  {
+    "description": "Empty derivation paths",
+    "paths": [],
+    "expected": "00"
+  },
+  {
+    "description": "Single path with one child: m/0",
+    "paths": ["m/0"],
+    "expected": "010100000000"
+  },
+  {
+    "description": "Single path with hardened child: m/44'",
+    "paths": ["m/44'"],
+    "expected": "01018000002c"
+  },
+  {
+    "description": "Standard BIP-84 path: m/84'/0'/0'",
+    "paths": ["m/84'/0'/0'"],
+    "expected": "0103800000548000000080000000"
+  },
+  {
+    "description": "Mixed hardened and normal: m/0/1'/2/3'",
+    "paths": ["m/0/1'/2/3'"],
+    "expected": "010400000000800000010000000280000003"
+  },
+  {
+    "description": "Multiple paths: m/0/1'/2/3' and m/84'/0'/0'/2'",
+    "paths": ["m/0/1'/2/3'", "m/84'/0'/0'/2'"],
+    "expected": "0204000000008000000100000002800000030480000054800000008000000080000002"
+  },
+  {
+    "description": "Path with large indices: m/2147483647'/2147483646",
+    "paths": ["m/2147483647'/2147483646"],
+    "expected": "0102ffffffff7ffffffe"
+  },
+  {
+    "description": "Single child path: m/1",
+    "paths": ["m/1"],
+    "expected": "010100000001"
+  },
+  {
+    "description": "Path with max normal index: m/2147483647",
+    "paths": ["m/2147483647"],
+    "expected": "01017fffffff"
+  },
+  {
+    "description": "Path with multiple normal indices: m/0/1/2/3/4",
+    "paths": ["m/0/1/2/3/4"],
+    "expected": "01050000000000000001000000020000000300000004"
+  },
+  {
+    "description": "Path with all hardened: m/0'/1'/2'",
+    "paths": ["m/0'/1'/2'"],
+    "expected": "0103800000008000000180000002"
+  },
+  {
+    "description": "Two different single-child paths: m/0 and m/1",
+    "paths": ["m/0", "m/1"],
+    "expected": "0201000000000100000001"
+  },
+  {
+    "description": "BIP-44 account 0: m/44'/0'/0'",
+    "paths": ["m/44'/0'/0'"],
+    "expected": "01038000002c8000000080000000"
+  },
+  {
+    "description": "BIP-49 account 0: m/49'/0'/0'",
+    "paths": ["m/49'/0'/0'"],
+    "expected": "0103800000318000000080000000"
+  },
+  {
+    "description": "Single path with 255 children (maximum depth, success)",
+    "paths": ["m/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0"],
+    "expected": "01ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
+  },
+  {
+    "description": "256 paths should fail (exceeds u8::MAX)",
+    "paths": [
+      "m/0", "m/1", "m/2", "m/3", "m/4", "m/5", "m/6", "m/7", "m/8", "m/9",
+      "m/10", "m/11", "m/12", "m/13", "m/14", "m/15", "m/16", "m/17", "m/18", "m/19",
+      "m/20", "m/21", "m/22", "m/23", "m/24", "m/25", "m/26", "m/27", "m/28", "m/29",
+      "m/30", "m/31", "m/32", "m/33", "m/34", "m/35", "m/36", "m/37", "m/38", "m/39",
+      "m/40", "m/41", "m/42", "m/43", "m/44", "m/45", "m/46", "m/47", "m/48", "m/49",
+      "m/50", "m/51", "m/52", "m/53", "m/54", "m/55", "m/56", "m/57", "m/58", "m/59",
+      "m/60", "m/61", "m/62", "m/63", "m/64", "m/65", "m/66", "m/67", "m/68", "m/69",
+      "m/70", "m/71", "m/72", "m/73", "m/74", "m/75", "m/76", "m/77", "m/78", "m/79",
+      "m/80", "m/81", "m/82", "m/83", "m/84", "m/85", "m/86", "m/87", "m/88", "m/89",
+      "m/90", "m/91", "m/92", "m/93", "m/94", "m/95", "m/96", "m/97", "m/98", "m/99",
+      "m/100", "m/101", "m/102", "m/103", "m/104", "m/105", "m/106", "m/107", "m/108", "m/109",
+      "m/110", "m/111", "m/112", "m/113", "m/114", "m/115", "m/116", "m/117", "m/118", "m/119",
+      "m/120", "m/121", "m/122", "m/123", "m/124", "m/125", "m/126", "m/127", "m/128", "m/129",
+      "m/130", "m/131", "m/132", "m/133", "m/134", "m/135", "m/136", "m/137", "m/138", "m/139",
+      "m/140", "m/141", "m/142", "m/143", "m/144", "m/145", "m/146", "m/147", "m/148", "m/149",
+      "m/150", "m/151", "m/152", "m/153", "m/154", "m/155", "m/156", "m/157", "m/158", "m/159",
+      "m/160", "m/161", "m/162", "m/163", "m/164", "m/165", "m/166", "m/167", "m/168", "m/169",
+      "m/170", "m/171", "m/172", "m/173", "m/174", "m/175", "m/176", "m/177", "m/178", "m/179",
+      "m/180", "m/181", "m/182", "m/183", "m/184", "m/185", "m/186", "m/187", "m/188", "m/189",
+      "m/190", "m/191", "m/192", "m/193", "m/194", "m/195", "m/196", "m/197", "m/198", "m/199",
+      "m/200", "m/201", "m/202", "m/203", "m/204", "m/205", "m/206", "m/207", "m/208", "m/209",
+      "m/210", "m/211", "m/212", "m/213", "m/214", "m/215", "m/216", "m/217", "m/218", "m/219",
+      "m/220", "m/221", "m/222", "m/223", "m/224", "m/225", "m/226", "m/227", "m/228", "m/229",
+      "m/230", "m/231", "m/232", "m/233", "m/234", "m/235", "m/236", "m/237", "m/238", "m/239",
+      "m/240", "m/241", "m/242", "m/243", "m/244", "m/245", "m/246", "m/247", "m/248", "m/249",
+      "m/250", "m/251", "m/252", "m/253", "m/254", "m/255"
+    ],
+    "expected": null
+  },
+  {
+    "description": "Path with 256 children should fail (exceeds u8::MAX)",
+    "paths": ["m/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0/0"],
+    "expected": null
+  },
+  {
+    "description": "255 paths should succeed (maximum allowed)",
+    "paths": [
+      "m/0", "m/1", "m/2", "m/3", "m/4", "m/5", "m/6", "m/7", "m/8", "m/9",
+      "m/10", "m/11", "m/12", "m/13", "m/14", "m/15", "m/16", "m/17", "m/18", "m/19",
+      "m/20", "m/21", "m/22", "m/23", "m/24", "m/25", "m/26", "m/27", "m/28", "m/29",
+      "m/30", "m/31", "m/32", "m/33", "m/34", "m/35", "m/36", "m/37", "m/38", "m/39",
+      "m/40", "m/41", "m/42", "m/43", "m/44", "m/45", "m/46", "m/47", "m/48", "m/49",
+      "m/50", "m/51", "m/52", "m/53", "m/54", "m/55", "m/56", "m/57", "m/58", "m/59",
+      "m/60", "m/61", "m/62", "m/63", "m/64", "m/65", "m/66", "m/67", "m/68", "m/69",
+      "m/70", "m/71", "m/72", "m/73", "m/74", "m/75", "m/76", "m/77", "m/78", "m/79",
+      "m/80", "m/81", "m/82", "m/83", "m/84", "m/85", "m/86", "m/87", "m/88", "m/89",
+      "m/90", "m/91", "m/92", "m/93", "m/94", "m/95", "m/96", "m/97", "m/98", "m/99",
+      "m/100", "m/101", "m/102", "m/103", "m/104", "m/105", "m/106", "m/107", "m/108", "m/109",
+      "m/110", "m/111", "m/112", "m/113", "m/114", "m/115", "m/116", "m/117", "m/118", "m/119",
+      "m/120", "m/121", "m/122", "m/123", "m/124", "m/125", "m/126", "m/127", "m/128", "m/129",
+      "m/130", "m/131", "m/132", "m/133", "m/134", "m/135", "m/136", "m/137", "m/138", "m/139",
+      "m/140", "m/141", "m/142", "m/143", "m/144", "m/145", "m/146", "m/147", "m/148", "m/149",
+      "m/150", "m/151", "m/152", "m/153", "m/154", "m/155", "m/156", "m/157", "m/158", "m/159",
+      "m/160", "m/161", "m/162", "m/163", "m/164", "m/165", "m/166", "m/167", "m/168", "m/169",
+      "m/170", "m/171", "m/172", "m/173", "m/174", "m/175", "m/176", "m/177", "m/178", "m/179",
+      "m/180", "m/181", "m/182", "m/183", "m/184", "m/185", "m/186", "m/187", "m/188", "m/189",
+      "m/190", "m/191", "m/192", "m/193", "m/194", "m/195", "m/196", "m/197", "m/198", "m/199",
+      "m/200", "m/201", "m/202", "m/203", "m/204", "m/205", "m/206", "m/207", "m/208", "m/209",
+      "m/210", "m/211", "m/212", "m/213", "m/214", "m/215", "m/216", "m/217", "m/218", "m/219",
+      "m/220", "m/221", "m/222", "m/223", "m/224", "m/225", "m/226", "m/227", "m/228", "m/229",
+      "m/230", "m/231", "m/232", "m/233", "m/234", "m/235", "m/236", "m/237", "m/238", "m/239",
+      "m/240", "m/241", "m/242", "m/243", "m/244", "m/245", "m/246", "m/247", "m/248", "m/249",
+      "m/250", "m/251", "m/252", "m/253", "m/254"
+    ],
+    "expected": "ff0100000000010000000101000000020100000003010000000401000000050100000006010000000701000000080100000009010000000a010000000b010000000c010000000d010000000e010000000f0100000010010000001101000000120100000013010000001401000000150100000016010000001701000000180100000019010000001a010000001b010000001c010000001d010000001e010000001f0100000020010000002101000000220100000023010000002401000000250100000026010000002701000000280100000029010000002a010000002b010000002c010000002d010000002e010000002f0100000030010000003101000000320100000033010000003401000000350100000036010000003701000000380100000039010000003a010000003b010000003c010000003d010000003e010000003f0100000040010000004101000000420100000043010000004401000000450100000046010000004701000000480100000049010000004a010000004b010000004c010000004d010000004e010000004f0100000050010000005101000000520100000053010000005401000000550100000056010000005701000000580100000059010000005a010000005b010000005c010000005d010000005e010000005f0100000060010000006101000000620100000063010000006401000000650100000066010000006701000000680100000069010000006a010000006b010000006c010000006d010000006e010000006f0100000070010000007101000000720100000073010000007401000000750100000076010000007701000000780100000079010000007a010000007b010000007c010000007d010000007e010000007f0100000080010000008101000000820100000083010000008401000000850100000086010000008701000000880100000089010000008a010000008b010000008c010000008d010000008e010000008f0100000090010000009101000000920100000093010000009401000000950100000096010000009701000000980100000099010000009a010000009b010000009c010000009d010000009e010000009f01000000a001000000a101000000a201000000a301000000a401000000a501000000a601000000a701000000a801000000a901000000aa01000000ab01000000ac01000000ad01000000ae01000000af01000000b001000000b101000000b201000000b301000000b401000000b501000000b601000000b701000000b801000000b901000000ba01000000bb01000000bc01000000bd01000000be01000000bf01000000c001000000c101000000c201000000c301000000c401000000c501000000c601000000c701000000c801000000c901000000ca01000000cb01000000cc01000000cd01000000ce01000000cf01000000d001000000d101000000d201000000d301000000d401000000d501000000d601000000d701000000d801000000d901000000da01000000db01000000dc01000000dd01000000de01000000df01000000e001000000e101000000e201000000e301000000e401000000e501000000e601000000e701000000e801000000e901000000ea01000000eb01000000ec01000000ed01000000ee01000000ef01000000f001000000f101000000f201000000f301000000f401000000f501000000f601000000f701000000f801000000f901000000fa01000000fb01000000fc01000000fd01000000fe"
+  }
+]
diff --git a/src/wallet/encryptedbackup.cpp b/src/wallet/encryptedbackup.cpp
index 206c47d2d667..a7c4a76242d0 100644
--- a/src/wallet/encryptedbackup.cpp
+++ b/src/wallet/encryptedbackup.cpp
@@ -9,6 +9,7 @@
 #include <hash.h>
 #include <key_io.h>
 #include <script/descriptor.h>
+#include <util/bip32.h>
 
 namespace wallet {
 
@@ -126,4 +127,85 @@ std::vector<uint256> ComputeAllIndividualSecrets(const uint256& decryption_secre
     return result;
 }
 
+util::Result<DerivationPath> ParseDerivationPath(const std::string& path_str)
+{
+    DerivationPath result;
+    if (path_str.empty() || !ParseHDKeypath(path_str, result)) {
+        return util::Error{Untranslated(strprintf("Invalid derivation path: %s", path_str))};
+    }
+    return result;
+}
+
+// <COUNT><CHILD_COUNT><CHILD>...<CHILD><CHILD_COUNT><CHILD>...<CHILD>
+util::Result<std::vector<uint8_t>> EncodeDerivationPaths(const std::vector<DerivationPath>& paths)
+{
+    if (paths.size() > 255) {
+        return util::Error{Untranslated("Too many derivation paths (max 255)")};
+    }
+
+    std::vector<uint8_t> result;
+    // <COUNT>
+    result.push_back(static_cast<uint8_t>(paths.size()));
+
+    for (const auto& path : paths) {
+        if (path.size() > 255) {
+            return util::Error{Untranslated("Derivation path too long (max 255 child)")};
+        }
+        // <CHILD_COUNT>
+        result.push_back(static_cast<uint8_t>(path.size()));
+        for (uint32_t child : path) {
+            // <CHILD> (Big Endian)
+            result.push_back((child >> 24) & 0xFF);
+            result.push_back((child >> 16) & 0xFF);
+            result.push_back((child >> 8) & 0xFF);
+            result.push_back(child & 0xFF);
+        }
+    }
+
+    return result;
+}
+
+util::Result<std::pair<std::vector<DerivationPath>, size_t>> DecodeDerivationPaths(std::span<const uint8_t> data)
+{
+    if (data.empty()) {
+        return util::Error{Untranslated("Empty derivation paths data")};
+    }
+
+    // Parsed paths are deduplicated and sorted on decode, matching the
+    // reference implementation's BTreeSet behavior.
+    std::set<DerivationPath> unique_paths;
+    size_t pos = 0;
+
+    uint8_t count = data[pos++];
+
+    for (uint8_t i = 0; i < count; ++i) {
+        if (pos >= data.size()) {
+            return util::Error{Untranslated("Truncated derivation path data")};
+        }
+
+        uint8_t child_count = data[pos++];
+        if (child_count == 0) {
+            return util::Error{Untranslated("Child count must be > 0")};
+        }
+
+        DerivationPath path;
+        path.reserve(child_count);
+
+        for (uint8_t j = 0; j < child_count; ++j) {
+            if (pos + 4 > data.size()) {
+                return util::Error{Untranslated("Truncated child index")};
+            }
+            uint32_t child = (static_cast<uint32_t>(data[pos]) << 24) |
+                            (static_cast<uint32_t>(data[pos + 1]) << 16) |
+                            (static_cast<uint32_t>(data[pos + 2]) << 8) |
+                            static_cast<uint32_t>(data[pos + 3]);
+            pos += 4;
+            path.push_back(child);
+        }
+        unique_paths.insert(std::move(path));
+    }
+
+    return std::make_pair(std::vector<DerivationPath>(unique_paths.begin(), unique_paths.end()), pos);
+}
+
 } // namespace wallet
diff --git a/src/wallet/encryptedbackup.h b/src/wallet/encryptedbackup.h
index 77020d4e2d6a..b57ce92f2f25 100644
--- a/src/wallet/encryptedbackup.h
+++ b/src/wallet/encryptedbackup.h
@@ -6,6 +6,7 @@
 #define BITCOIN_WALLET_ENCRYPTEDBACKUP_H
 
 #include <cstdint>
+#include <span>
 #include <string>
 #include <vector>
 
@@ -33,6 +34,12 @@ static constexpr std::string_view BIP_DECRYPTION_SECRET_TAG = "BIPXXX_DECRYPTION
 /** Prefix for deriving individual secrets */
 static constexpr std::string_view BIP_INDIVIDUAL_SECRET_TAG = "BIPXXX_INDIVIDUAL_SECRET";
 
+/**
+ * Represents a parsed derivation path (e.g., m/44'/0'/0').
+ * Each element is a 32-bit child index where hardened indices have the high bit set.
+ */
+using DerivationPath = std::vector<uint32_t>;
+
 /**
  * Normalize a public key to 32-byte x-only format.
  *
@@ -108,6 +115,30 @@ uint256 ComputeIndividualSecret(const uint256& key);
 std::vector<uint256> ComputeAllIndividualSecrets(const uint256& decryption_secret,
                                                   const std::vector<uint256>& keys);
 
+/**
+ * Parse a derivation path string (e.g., "m/44'/0'/0'") into a DerivationPath.
+ *
+ * @param[in] path_str The path string to parse
+ * @return The parsed path, or error message
+ */
+util::Result<DerivationPath> ParseDerivationPath(const std::string& path_str);
+
+/**
+ * Encode derivation paths according to the backup format.
+ *
+ * @param[in] paths Vector of derivation paths
+ * @return Encoded bytes, or error if too many paths
+ */
+util::Result<std::vector<uint8_t>> EncodeDerivationPaths(const std::vector<DerivationPath>& paths);
+
+/**
+ * Decode derivation paths from backup format.
+ *
+ * @param[in] data The encoded data
+ * @return Pair of (derivation paths, bytes consumed), or error message
+ */
+util::Result<std::pair<std::vector<DerivationPath>, size_t>> DecodeDerivationPaths(std::span<const uint8_t> data);
+
 } // namespace wallet
 
 #endif // BITCOIN_WALLET_ENCRYPTEDBACKUP_H
diff --git a/src/wallet/test/encrypted_backup_tests.cpp b/src/wallet/test/encrypted_backup_tests.cpp
index dc91462841fc..8f489893a09a 100644
--- a/src/wallet/test/encrypted_backup_tests.cpp
+++ b/src/wallet/test/encrypted_backup_tests.cpp
@@ -4,6 +4,7 @@
 
 #include <wallet/encryptedbackup.h>
 
+#include <test/data/bip_encrypted_backup_derivation_path.json.h>
 #include <test/data/bip_encrypted_backup_encryption_secret.json.h>
 #include <test/data/bip_encrypted_backup_keys_types.json.h>
 
@@ -183,6 +184,129 @@ BOOST_AUTO_TEST_CASE(nums_point_test)
     BOOST_CHECK(!IsNUMSPoint(random_key));
 }
 
+BOOST_AUTO_TEST_CASE(derivation_path_encoding_test)
+{
+    // Test derivation path encoding using BIP test vectors
+    UniValue vectors = read_json(json_tests::bip_encrypted_backup_derivation_path);
+
+    for (size_t i = 0; i < vectors.size(); ++i) {
+        const UniValue& vec = vectors[i];
+        std::string description = vec["description"].get_str();
+        const UniValue& paths_arr = vec["paths"];
+
+        BOOST_TEST_MESSAGE("Testing: " << description);
+
+        // Parse paths
+        std::vector<DerivationPath> paths;
+        bool parse_failed = false;
+        for (size_t j = 0; j < paths_arr.size(); ++j) {
+            auto path_result = ParseDerivationPath(paths_arr[j].get_str());
+            if (!path_result) {
+                parse_failed = true;
+                break;
+            }
+            paths.push_back(*path_result);
+        }
+
+        // Check if this test vector should fail
+        if (vec["expected"].isNull()) {
+            if (!parse_failed) {
+                auto encoded_result = EncodeDerivationPaths(paths);
+                BOOST_CHECK_MESSAGE(!encoded_result,
+                    description << ": expected failure but got success");
+            }
+            continue;
+        }
+
+        BOOST_REQUIRE_MESSAGE(!parse_failed, description << ": unexpected parse failure");
+        std::string expected_hex = vec["expected"].get_str();
+
+        // Encode
+        auto encoded_result = EncodeDerivationPaths(paths);
+        BOOST_REQUIRE_MESSAGE(encoded_result, util::ErrorString(encoded_result).original);
+
+        std::string result_hex = HexStr(*encoded_result);
+        BOOST_CHECK_MESSAGE(result_hex == expected_hex,
+            description << ": expected " << expected_hex << " got " << result_hex);
+
+        // Test round-trip decode
+        auto decoded_result = DecodeDerivationPaths(*encoded_result);
+        BOOST_REQUIRE_MESSAGE(decoded_result, util::ErrorString(decoded_result).original);
+        BOOST_CHECK_EQUAL(decoded_result->first.size(), paths.size());
+        BOOST_CHECK_EQUAL(decoded_result->second, encoded_result->size());
+    }
+}
+
+// ---------- Derivation path edge cases ----------
+
+BOOST_AUTO_TEST_CASE(derivation_path_parse_corrupt_test)
+{
+    // child count = 1 but 0/1/2/3 trailing bytes => truncated (need 4)
+    BOOST_CHECK(!DecodeDerivationPaths(std::vector<uint8_t>{0x01, 0x01, 0x00}));
+    BOOST_CHECK(!DecodeDerivationPaths(std::vector<uint8_t>{0x01, 0x01, 0x00, 0x00}));
+    BOOST_CHECK(!DecodeDerivationPaths(std::vector<uint8_t>{0x01, 0x01, 0x00, 0x00, 0x00}));
+    // child count = 0 is invalid
+    BOOST_CHECK(!DecodeDerivationPaths(std::vector<uint8_t>{0x01, 0x00}));
+    // single valid path m/1
+    auto ok = DecodeDerivationPaths(std::vector<uint8_t>{0x01, 0x01, 0x00, 0x00, 0x00, 0x01});
+    BOOST_REQUIRE(ok);
+    BOOST_CHECK_EQUAL(ok->first.size(), 1u);
+}
+
+BOOST_AUTO_TEST_CASE(derivation_path_empty_test)
+{
+    auto bytes = EncodeDerivationPaths({});
+    BOOST_REQUIRE(bytes);
+    BOOST_CHECK_EQUAL(HexStr(*bytes), "00");
+    auto decoded = DecodeDerivationPaths(*bytes);
+    BOOST_REQUIRE(decoded);
+    BOOST_CHECK(decoded->first.empty());
+}
+
+BOOST_AUTO_TEST_CASE(derivation_path_too_many_test)
+{
+    std::vector<DerivationPath> paths;
+    DerivationPath p{0, 1, 2, 3};
+    for (size_t i = 0; i < 256; ++i) {
+        DerivationPath tmp = p;
+        tmp[0] = static_cast<uint32_t>(i);
+        paths.push_back(tmp);
+    }
+    BOOST_CHECK(!EncodeDerivationPaths(paths));
+}
+
+BOOST_AUTO_TEST_CASE(derivation_path_too_long_test)
+{
+    DerivationPath path(256, 0u);
+    BOOST_CHECK(!EncodeDerivationPaths({path}));
+}
+
+BOOST_AUTO_TEST_CASE(derivation_path_decode_dedup_test)
+{
+    // Hand-craft a byte stream with two identical paths; decoder must collapse.
+    std::vector<uint8_t> bytes{0x02,
+        0x01, 0x00, 0x00, 0x00, 0x01,
+        0x01, 0x00, 0x00, 0x00, 0x01};
+    auto decoded = DecodeDerivationPaths(bytes);
+    BOOST_REQUIRE(decoded);
+    BOOST_CHECK_EQUAL(decoded->first.size(), 1u);
+}
+
+BOOST_AUTO_TEST_CASE(derivation_path_decode_sorted_test)
+{
+    // Encode two paths in unsorted order, decode must return them sorted.
+    auto bytes = EncodeDerivationPaths({
+        DerivationPath{0x80000054u, 0x80000000u, 0x80000000u, 0x80000002u},
+        DerivationPath{0u, 0x80000001u, 2u, 0x80000003u},
+    });
+    BOOST_REQUIRE(bytes);
+    auto decoded = DecodeDerivationPaths(*bytes);
+    BOOST_REQUIRE(decoded);
+    BOOST_REQUIRE_EQUAL(decoded->first.size(), 2u);
+    BOOST_CHECK_EQUAL(decoded->first[0][0], 0u);
+    BOOST_CHECK_EQUAL(decoded->first[1][0], 0x80000054u);
+}
+
 BOOST_AUTO_TEST_SUITE_END()
 
 } // namespace wallet

From f49aec699932e9140d28b87a3802cd465cc95ee1 Mon Sep 17 00:00:00 2001
From: pythcoiner <pythcoiner@proton.me>
Date: Wed, 14 Jan 2026 16:31:41 +0100
Subject: [PATCH 09/21] wallet: BIP-xxxx individual secrets encoding

Add functions for encoding/decoding individual secrets as specified in BIP-xxxx:
- EncodeIndividualSecrets: encode sorted secrets to binary format
- DecodeIndividualSecrets: decode from binary format

Individual secrets allow any keyholder to derive the decryption secret using:
decryption_secret = ci XOR sha256("BIP_XXXX_INDIVIDUAL_SECRET" || pi)

Includes test vectors from the BIP specification.

Co-authored-by: Sjors Provoost <sjors@sprovoost.nl>
---
 src/test/CMakeLists.txt                       |   1 +
 ...p_encrypted_backup_individual_secrets.json | 554 ++++++++++++++++++
 src/wallet/encryptedbackup.cpp                |  66 ++-
 src/wallet/encryptedbackup.h                  |  19 +
 src/wallet/test/encrypted_backup_tests.cpp    |  97 +++
 5 files changed, 732 insertions(+), 5 deletions(-)
 create mode 100644 src/test/data/bip_encrypted_backup_individual_secrets.json

diff --git a/src/test/CMakeLists.txt b/src/test/CMakeLists.txt
index 12b57ac554dd..3e85a9175a46 100644
--- a/src/test/CMakeLists.txt
+++ b/src/test/CMakeLists.txt
@@ -146,6 +146,7 @@ target_json_data_sources(test_bitcoin
   data/bip341_wallet_vectors.json
   data/bip_encrypted_backup_derivation_path.json
   data/bip_encrypted_backup_encryption_secret.json
+  data/bip_encrypted_backup_individual_secrets.json
   data/bip_encrypted_backup_keys_types.json
   data/blockfilters.json
   data/key_io_invalid.json
diff --git a/src/test/data/bip_encrypted_backup_individual_secrets.json b/src/test/data/bip_encrypted_backup_individual_secrets.json
new file mode 100644
index 000000000000..8e4f1a4812a8
--- /dev/null
+++ b/src/test/data/bip_encrypted_backup_individual_secrets.json
@@ -0,0 +1,554 @@
+[
+  {
+    "description": "Single secret",
+    "secrets": [
+      "0000000000000000000000000000000000000000000000000000000000000000"
+    ],
+    "expected": "010000000000000000000000000000000000000000000000000000000000000000"
+  },
+  {
+    "description": "Two different secrets",
+    "secrets": [
+      "0000000000000000000000000000000000000000000000000000000000000000",
+      "0101010101010101010101010101010101010101010101010101010101010101"
+    ],
+    "expected": "0200000000000000000000000000000000000000000000000000000000000000000101010101010101010101010101010101010101010101010101010101010101"
+  },
+  {
+    "description": "Three secrets with different patterns",
+    "secrets": [
+      "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+      "0000000000000000000000000000000000000000000000000000000000000000",
+      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+    ],
+    "expected": "030000000000000000000000000000000000000000000000000000000000000000aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+  },
+  {
+    "description": "Empty secrets should fail",
+    "secrets": [],
+    "expected": null
+  },
+  {
+    "description": "256 secrets should fail (exceeds u8::MAX)",
+    "secrets": [
+      "0000000000000000000000000000000000000000000000000000000000000000",
+      "0000000000000000000000000000000000000000000000000000000000000001",
+      "0000000000000000000000000000000000000000000000000000000000000002",
+      "0000000000000000000000000000000000000000000000000000000000000003",
+      "0000000000000000000000000000000000000000000000000000000000000004",
+      "0000000000000000000000000000000000000000000000000000000000000005",
+      "0000000000000000000000000000000000000000000000000000000000000006",
+      "0000000000000000000000000000000000000000000000000000000000000007",
+      "0000000000000000000000000000000000000000000000000000000000000008",
+      "0000000000000000000000000000000000000000000000000000000000000009",
+      "000000000000000000000000000000000000000000000000000000000000000a",
+      "000000000000000000000000000000000000000000000000000000000000000b",
+      "000000000000000000000000000000000000000000000000000000000000000c",
+      "000000000000000000000000000000000000000000000000000000000000000d",
+      "000000000000000000000000000000000000000000000000000000000000000e",
+      "000000000000000000000000000000000000000000000000000000000000000f",
+      "0000000000000000000000000000000000000000000000000000000000000010",
+      "0000000000000000000000000000000000000000000000000000000000000011",
+      "0000000000000000000000000000000000000000000000000000000000000012",
+      "0000000000000000000000000000000000000000000000000000000000000013",
+      "0000000000000000000000000000000000000000000000000000000000000014",
+      "0000000000000000000000000000000000000000000000000000000000000015",
+      "0000000000000000000000000000000000000000000000000000000000000016",
+      "0000000000000000000000000000000000000000000000000000000000000017",
+      "0000000000000000000000000000000000000000000000000000000000000018",
+      "0000000000000000000000000000000000000000000000000000000000000019",
+      "000000000000000000000000000000000000000000000000000000000000001a",
+      "000000000000000000000000000000000000000000000000000000000000001b",
+      "000000000000000000000000000000000000000000000000000000000000001c",
+      "000000000000000000000000000000000000000000000000000000000000001d",
+      "000000000000000000000000000000000000000000000000000000000000001e",
+      "000000000000000000000000000000000000000000000000000000000000001f",
+      "0000000000000000000000000000000000000000000000000000000000000020",
+      "0000000000000000000000000000000000000000000000000000000000000021",
+      "0000000000000000000000000000000000000000000000000000000000000022",
+      "0000000000000000000000000000000000000000000000000000000000000023",
+      "0000000000000000000000000000000000000000000000000000000000000024",
+      "0000000000000000000000000000000000000000000000000000000000000025",
+      "0000000000000000000000000000000000000000000000000000000000000026",
+      "0000000000000000000000000000000000000000000000000000000000000027",
+      "0000000000000000000000000000000000000000000000000000000000000028",
+      "0000000000000000000000000000000000000000000000000000000000000029",
+      "000000000000000000000000000000000000000000000000000000000000002a",
+      "000000000000000000000000000000000000000000000000000000000000002b",
+      "000000000000000000000000000000000000000000000000000000000000002c",
+      "000000000000000000000000000000000000000000000000000000000000002d",
+      "000000000000000000000000000000000000000000000000000000000000002e",
+      "000000000000000000000000000000000000000000000000000000000000002f",
+      "0000000000000000000000000000000000000000000000000000000000000030",
+      "0000000000000000000000000000000000000000000000000000000000000031",
+      "0000000000000000000000000000000000000000000000000000000000000032",
+      "0000000000000000000000000000000000000000000000000000000000000033",
+      "0000000000000000000000000000000000000000000000000000000000000034",
+      "0000000000000000000000000000000000000000000000000000000000000035",
+      "0000000000000000000000000000000000000000000000000000000000000036",
+      "0000000000000000000000000000000000000000000000000000000000000037",
+      "0000000000000000000000000000000000000000000000000000000000000038",
+      "0000000000000000000000000000000000000000000000000000000000000039",
+      "000000000000000000000000000000000000000000000000000000000000003a",
+      "000000000000000000000000000000000000000000000000000000000000003b",
+      "000000000000000000000000000000000000000000000000000000000000003c",
+      "000000000000000000000000000000000000000000000000000000000000003d",
+      "000000000000000000000000000000000000000000000000000000000000003e",
+      "000000000000000000000000000000000000000000000000000000000000003f",
+      "0000000000000000000000000000000000000000000000000000000000000040",
+      "0000000000000000000000000000000000000000000000000000000000000041",
+      "0000000000000000000000000000000000000000000000000000000000000042",
+      "0000000000000000000000000000000000000000000000000000000000000043",
+      "0000000000000000000000000000000000000000000000000000000000000044",
+      "0000000000000000000000000000000000000000000000000000000000000045",
+      "0000000000000000000000000000000000000000000000000000000000000046",
+      "0000000000000000000000000000000000000000000000000000000000000047",
+      "0000000000000000000000000000000000000000000000000000000000000048",
+      "0000000000000000000000000000000000000000000000000000000000000049",
+      "000000000000000000000000000000000000000000000000000000000000004a",
+      "000000000000000000000000000000000000000000000000000000000000004b",
+      "000000000000000000000000000000000000000000000000000000000000004c",
+      "000000000000000000000000000000000000000000000000000000000000004d",
+      "000000000000000000000000000000000000000000000000000000000000004e",
+      "000000000000000000000000000000000000000000000000000000000000004f",
+      "0000000000000000000000000000000000000000000000000000000000000050",
+      "0000000000000000000000000000000000000000000000000000000000000051",
+      "0000000000000000000000000000000000000000000000000000000000000052",
+      "0000000000000000000000000000000000000000000000000000000000000053",
+      "0000000000000000000000000000000000000000000000000000000000000054",
+      "0000000000000000000000000000000000000000000000000000000000000055",
+      "0000000000000000000000000000000000000000000000000000000000000056",
+      "0000000000000000000000000000000000000000000000000000000000000057",
+      "0000000000000000000000000000000000000000000000000000000000000058",
+      "0000000000000000000000000000000000000000000000000000000000000059",
+      "000000000000000000000000000000000000000000000000000000000000005a",
+      "000000000000000000000000000000000000000000000000000000000000005b",
+      "000000000000000000000000000000000000000000000000000000000000005c",
+      "000000000000000000000000000000000000000000000000000000000000005d",
+      "000000000000000000000000000000000000000000000000000000000000005e",
+      "000000000000000000000000000000000000000000000000000000000000005f",
+      "0000000000000000000000000000000000000000000000000000000000000060",
+      "0000000000000000000000000000000000000000000000000000000000000061",
+      "0000000000000000000000000000000000000000000000000000000000000062",
+      "0000000000000000000000000000000000000000000000000000000000000063",
+      "0000000000000000000000000000000000000000000000000000000000000064",
+      "0000000000000000000000000000000000000000000000000000000000000065",
+      "0000000000000000000000000000000000000000000000000000000000000066",
+      "0000000000000000000000000000000000000000000000000000000000000067",
+      "0000000000000000000000000000000000000000000000000000000000000068",
+      "0000000000000000000000000000000000000000000000000000000000000069",
+      "000000000000000000000000000000000000000000000000000000000000006a",
+      "000000000000000000000000000000000000000000000000000000000000006b",
+      "000000000000000000000000000000000000000000000000000000000000006c",
+      "000000000000000000000000000000000000000000000000000000000000006d",
+      "000000000000000000000000000000000000000000000000000000000000006e",
+      "000000000000000000000000000000000000000000000000000000000000006f",
+      "0000000000000000000000000000000000000000000000000000000000000070",
+      "0000000000000000000000000000000000000000000000000000000000000071",
+      "0000000000000000000000000000000000000000000000000000000000000072",
+      "0000000000000000000000000000000000000000000000000000000000000073",
+      "0000000000000000000000000000000000000000000000000000000000000074",
+      "0000000000000000000000000000000000000000000000000000000000000075",
+      "0000000000000000000000000000000000000000000000000000000000000076",
+      "0000000000000000000000000000000000000000000000000000000000000077",
+      "0000000000000000000000000000000000000000000000000000000000000078",
+      "0000000000000000000000000000000000000000000000000000000000000079",
+      "000000000000000000000000000000000000000000000000000000000000007a",
+      "000000000000000000000000000000000000000000000000000000000000007b",
+      "000000000000000000000000000000000000000000000000000000000000007c",
+      "000000000000000000000000000000000000000000000000000000000000007d",
+      "000000000000000000000000000000000000000000000000000000000000007e",
+      "000000000000000000000000000000000000000000000000000000000000007f",
+      "0000000000000000000000000000000000000000000000000000000000000080",
+      "0000000000000000000000000000000000000000000000000000000000000081",
+      "0000000000000000000000000000000000000000000000000000000000000082",
+      "0000000000000000000000000000000000000000000000000000000000000083",
+      "0000000000000000000000000000000000000000000000000000000000000084",
+      "0000000000000000000000000000000000000000000000000000000000000085",
+      "0000000000000000000000000000000000000000000000000000000000000086",
+      "0000000000000000000000000000000000000000000000000000000000000087",
+      "0000000000000000000000000000000000000000000000000000000000000088",
+      "0000000000000000000000000000000000000000000000000000000000000089",
+      "000000000000000000000000000000000000000000000000000000000000008a",
+      "000000000000000000000000000000000000000000000000000000000000008b",
+      "000000000000000000000000000000000000000000000000000000000000008c",
+      "000000000000000000000000000000000000000000000000000000000000008d",
+      "000000000000000000000000000000000000000000000000000000000000008e",
+      "000000000000000000000000000000000000000000000000000000000000008f",
+      "0000000000000000000000000000000000000000000000000000000000000090",
+      "0000000000000000000000000000000000000000000000000000000000000091",
+      "0000000000000000000000000000000000000000000000000000000000000092",
+      "0000000000000000000000000000000000000000000000000000000000000093",
+      "0000000000000000000000000000000000000000000000000000000000000094",
+      "0000000000000000000000000000000000000000000000000000000000000095",
+      "0000000000000000000000000000000000000000000000000000000000000096",
+      "0000000000000000000000000000000000000000000000000000000000000097",
+      "0000000000000000000000000000000000000000000000000000000000000098",
+      "0000000000000000000000000000000000000000000000000000000000000099",
+      "000000000000000000000000000000000000000000000000000000000000009a",
+      "000000000000000000000000000000000000000000000000000000000000009b",
+      "000000000000000000000000000000000000000000000000000000000000009c",
+      "000000000000000000000000000000000000000000000000000000000000009d",
+      "000000000000000000000000000000000000000000000000000000000000009e",
+      "000000000000000000000000000000000000000000000000000000000000009f",
+      "00000000000000000000000000000000000000000000000000000000000000a0",
+      "00000000000000000000000000000000000000000000000000000000000000a1",
+      "00000000000000000000000000000000000000000000000000000000000000a2",
+      "00000000000000000000000000000000000000000000000000000000000000a3",
+      "00000000000000000000000000000000000000000000000000000000000000a4",
+      "00000000000000000000000000000000000000000000000000000000000000a5",
+      "00000000000000000000000000000000000000000000000000000000000000a6",
+      "00000000000000000000000000000000000000000000000000000000000000a7",
+      "00000000000000000000000000000000000000000000000000000000000000a8",
+      "00000000000000000000000000000000000000000000000000000000000000a9",
+      "00000000000000000000000000000000000000000000000000000000000000aa",
+      "00000000000000000000000000000000000000000000000000000000000000ab",
+      "00000000000000000000000000000000000000000000000000000000000000ac",
+      "00000000000000000000000000000000000000000000000000000000000000ad",
+      "00000000000000000000000000000000000000000000000000000000000000ae",
+      "00000000000000000000000000000000000000000000000000000000000000af",
+      "00000000000000000000000000000000000000000000000000000000000000b0",
+      "00000000000000000000000000000000000000000000000000000000000000b1",
+      "00000000000000000000000000000000000000000000000000000000000000b2",
+      "00000000000000000000000000000000000000000000000000000000000000b3",
+      "00000000000000000000000000000000000000000000000000000000000000b4",
+      "00000000000000000000000000000000000000000000000000000000000000b5",
+      "00000000000000000000000000000000000000000000000000000000000000b6",
+      "00000000000000000000000000000000000000000000000000000000000000b7",
+      "00000000000000000000000000000000000000000000000000000000000000b8",
+      "00000000000000000000000000000000000000000000000000000000000000b9",
+      "00000000000000000000000000000000000000000000000000000000000000ba",
+      "00000000000000000000000000000000000000000000000000000000000000bb",
+      "00000000000000000000000000000000000000000000000000000000000000bc",
+      "00000000000000000000000000000000000000000000000000000000000000bd",
+      "00000000000000000000000000000000000000000000000000000000000000be",
+      "00000000000000000000000000000000000000000000000000000000000000bf",
+      "00000000000000000000000000000000000000000000000000000000000000c0",
+      "00000000000000000000000000000000000000000000000000000000000000c1",
+      "00000000000000000000000000000000000000000000000000000000000000c2",
+      "00000000000000000000000000000000000000000000000000000000000000c3",
+      "00000000000000000000000000000000000000000000000000000000000000c4",
+      "00000000000000000000000000000000000000000000000000000000000000c5",
+      "00000000000000000000000000000000000000000000000000000000000000c6",
+      "00000000000000000000000000000000000000000000000000000000000000c7",
+      "00000000000000000000000000000000000000000000000000000000000000c8",
+      "00000000000000000000000000000000000000000000000000000000000000c9",
+      "00000000000000000000000000000000000000000000000000000000000000ca",
+      "00000000000000000000000000000000000000000000000000000000000000cb",
+      "00000000000000000000000000000000000000000000000000000000000000cc",
+      "00000000000000000000000000000000000000000000000000000000000000cd",
+      "00000000000000000000000000000000000000000000000000000000000000ce",
+      "00000000000000000000000000000000000000000000000000000000000000cf",
+      "00000000000000000000000000000000000000000000000000000000000000d0",
+      "00000000000000000000000000000000000000000000000000000000000000d1",
+      "00000000000000000000000000000000000000000000000000000000000000d2",
+      "00000000000000000000000000000000000000000000000000000000000000d3",
+      "00000000000000000000000000000000000000000000000000000000000000d4",
+      "00000000000000000000000000000000000000000000000000000000000000d5",
+      "00000000000000000000000000000000000000000000000000000000000000d6",
+      "00000000000000000000000000000000000000000000000000000000000000d7",
+      "00000000000000000000000000000000000000000000000000000000000000d8",
+      "00000000000000000000000000000000000000000000000000000000000000d9",
+      "00000000000000000000000000000000000000000000000000000000000000da",
+      "00000000000000000000000000000000000000000000000000000000000000db",
+      "00000000000000000000000000000000000000000000000000000000000000dc",
+      "00000000000000000000000000000000000000000000000000000000000000dd",
+      "00000000000000000000000000000000000000000000000000000000000000de",
+      "00000000000000000000000000000000000000000000000000000000000000df",
+      "00000000000000000000000000000000000000000000000000000000000000e0",
+      "00000000000000000000000000000000000000000000000000000000000000e1",
+      "00000000000000000000000000000000000000000000000000000000000000e2",
+      "00000000000000000000000000000000000000000000000000000000000000e3",
+      "00000000000000000000000000000000000000000000000000000000000000e4",
+      "00000000000000000000000000000000000000000000000000000000000000e5",
+      "00000000000000000000000000000000000000000000000000000000000000e6",
+      "00000000000000000000000000000000000000000000000000000000000000e7",
+      "00000000000000000000000000000000000000000000000000000000000000e8",
+      "00000000000000000000000000000000000000000000000000000000000000e9",
+      "00000000000000000000000000000000000000000000000000000000000000ea",
+      "00000000000000000000000000000000000000000000000000000000000000eb",
+      "00000000000000000000000000000000000000000000000000000000000000ec",
+      "00000000000000000000000000000000000000000000000000000000000000ed",
+      "00000000000000000000000000000000000000000000000000000000000000ee",
+      "00000000000000000000000000000000000000000000000000000000000000ef",
+      "00000000000000000000000000000000000000000000000000000000000000f0",
+      "00000000000000000000000000000000000000000000000000000000000000f1",
+      "00000000000000000000000000000000000000000000000000000000000000f2",
+      "00000000000000000000000000000000000000000000000000000000000000f3",
+      "00000000000000000000000000000000000000000000000000000000000000f4",
+      "00000000000000000000000000000000000000000000000000000000000000f5",
+      "00000000000000000000000000000000000000000000000000000000000000f6",
+      "00000000000000000000000000000000000000000000000000000000000000f7",
+      "00000000000000000000000000000000000000000000000000000000000000f8",
+      "00000000000000000000000000000000000000000000000000000000000000f9",
+      "00000000000000000000000000000000000000000000000000000000000000fa",
+      "00000000000000000000000000000000000000000000000000000000000000fb",
+      "00000000000000000000000000000000000000000000000000000000000000fc",
+      "00000000000000000000000000000000000000000000000000000000000000fd",
+      "00000000000000000000000000000000000000000000000000000000000000fe",
+      "00000000000000000000000000000000000000000000000000000000000000ff"
+    ],
+    "expected": null
+  },
+  {
+    "description": "256 secrets should pass)",
+    "secrets": [
+      "0000000000000000000000000000000000000000000000000000000000000000",
+      "0000000000000000000000000000000000000000000000000000000000000001",
+      "0000000000000000000000000000000000000000000000000000000000000002",
+      "0000000000000000000000000000000000000000000000000000000000000003",
+      "0000000000000000000000000000000000000000000000000000000000000004",
+      "0000000000000000000000000000000000000000000000000000000000000005",
+      "0000000000000000000000000000000000000000000000000000000000000006",
+      "0000000000000000000000000000000000000000000000000000000000000007",
+      "0000000000000000000000000000000000000000000000000000000000000008",
+      "0000000000000000000000000000000000000000000000000000000000000009",
+      "000000000000000000000000000000000000000000000000000000000000000a",
+      "000000000000000000000000000000000000000000000000000000000000000b",
+      "000000000000000000000000000000000000000000000000000000000000000c",
+      "000000000000000000000000000000000000000000000000000000000000000d",
+      "000000000000000000000000000000000000000000000000000000000000000e",
+      "000000000000000000000000000000000000000000000000000000000000000f",
+      "0000000000000000000000000000000000000000000000000000000000000010",
+      "0000000000000000000000000000000000000000000000000000000000000011",
+      "0000000000000000000000000000000000000000000000000000000000000012",
+      "0000000000000000000000000000000000000000000000000000000000000013",
+      "0000000000000000000000000000000000000000000000000000000000000014",
+      "0000000000000000000000000000000000000000000000000000000000000015",
+      "0000000000000000000000000000000000000000000000000000000000000016",
+      "0000000000000000000000000000000000000000000000000000000000000017",
+      "0000000000000000000000000000000000000000000000000000000000000018",
+      "0000000000000000000000000000000000000000000000000000000000000019",
+      "000000000000000000000000000000000000000000000000000000000000001a",
+      "000000000000000000000000000000000000000000000000000000000000001b",
+      "000000000000000000000000000000000000000000000000000000000000001c",
+      "000000000000000000000000000000000000000000000000000000000000001d",
+      "000000000000000000000000000000000000000000000000000000000000001e",
+      "000000000000000000000000000000000000000000000000000000000000001f",
+      "0000000000000000000000000000000000000000000000000000000000000020",
+      "0000000000000000000000000000000000000000000000000000000000000021",
+      "0000000000000000000000000000000000000000000000000000000000000022",
+      "0000000000000000000000000000000000000000000000000000000000000023",
+      "0000000000000000000000000000000000000000000000000000000000000024",
+      "0000000000000000000000000000000000000000000000000000000000000025",
+      "0000000000000000000000000000000000000000000000000000000000000026",
+      "0000000000000000000000000000000000000000000000000000000000000027",
+      "0000000000000000000000000000000000000000000000000000000000000028",
+      "0000000000000000000000000000000000000000000000000000000000000029",
+      "000000000000000000000000000000000000000000000000000000000000002a",
+      "000000000000000000000000000000000000000000000000000000000000002b",
+      "000000000000000000000000000000000000000000000000000000000000002c",
+      "000000000000000000000000000000000000000000000000000000000000002d",
+      "000000000000000000000000000000000000000000000000000000000000002e",
+      "000000000000000000000000000000000000000000000000000000000000002f",
+      "0000000000000000000000000000000000000000000000000000000000000030",
+      "0000000000000000000000000000000000000000000000000000000000000031",
+      "0000000000000000000000000000000000000000000000000000000000000032",
+      "0000000000000000000000000000000000000000000000000000000000000033",
+      "0000000000000000000000000000000000000000000000000000000000000034",
+      "0000000000000000000000000000000000000000000000000000000000000035",
+      "0000000000000000000000000000000000000000000000000000000000000036",
+      "0000000000000000000000000000000000000000000000000000000000000037",
+      "0000000000000000000000000000000000000000000000000000000000000038",
+      "0000000000000000000000000000000000000000000000000000000000000039",
+      "000000000000000000000000000000000000000000000000000000000000003a",
+      "000000000000000000000000000000000000000000000000000000000000003b",
+      "000000000000000000000000000000000000000000000000000000000000003c",
+      "000000000000000000000000000000000000000000000000000000000000003d",
+      "000000000000000000000000000000000000000000000000000000000000003e",
+      "000000000000000000000000000000000000000000000000000000000000003f",
+      "0000000000000000000000000000000000000000000000000000000000000040",
+      "0000000000000000000000000000000000000000000000000000000000000041",
+      "0000000000000000000000000000000000000000000000000000000000000042",
+      "0000000000000000000000000000000000000000000000000000000000000043",
+      "0000000000000000000000000000000000000000000000000000000000000044",
+      "0000000000000000000000000000000000000000000000000000000000000045",
+      "0000000000000000000000000000000000000000000000000000000000000046",
+      "0000000000000000000000000000000000000000000000000000000000000047",
+      "0000000000000000000000000000000000000000000000000000000000000048",
+      "0000000000000000000000000000000000000000000000000000000000000049",
+      "000000000000000000000000000000000000000000000000000000000000004a",
+      "000000000000000000000000000000000000000000000000000000000000004b",
+      "000000000000000000000000000000000000000000000000000000000000004c",
+      "000000000000000000000000000000000000000000000000000000000000004d",
+      "000000000000000000000000000000000000000000000000000000000000004e",
+      "000000000000000000000000000000000000000000000000000000000000004f",
+      "0000000000000000000000000000000000000000000000000000000000000050",
+      "0000000000000000000000000000000000000000000000000000000000000051",
+      "0000000000000000000000000000000000000000000000000000000000000052",
+      "0000000000000000000000000000000000000000000000000000000000000053",
+      "0000000000000000000000000000000000000000000000000000000000000054",
+      "0000000000000000000000000000000000000000000000000000000000000055",
+      "0000000000000000000000000000000000000000000000000000000000000056",
+      "0000000000000000000000000000000000000000000000000000000000000057",
+      "0000000000000000000000000000000000000000000000000000000000000058",
+      "0000000000000000000000000000000000000000000000000000000000000059",
+      "000000000000000000000000000000000000000000000000000000000000005a",
+      "000000000000000000000000000000000000000000000000000000000000005b",
+      "000000000000000000000000000000000000000000000000000000000000005c",
+      "000000000000000000000000000000000000000000000000000000000000005d",
+      "000000000000000000000000000000000000000000000000000000000000005e",
+      "000000000000000000000000000000000000000000000000000000000000005f",
+      "0000000000000000000000000000000000000000000000000000000000000060",
+      "0000000000000000000000000000000000000000000000000000000000000061",
+      "0000000000000000000000000000000000000000000000000000000000000062",
+      "0000000000000000000000000000000000000000000000000000000000000063",
+      "0000000000000000000000000000000000000000000000000000000000000064",
+      "0000000000000000000000000000000000000000000000000000000000000065",
+      "0000000000000000000000000000000000000000000000000000000000000066",
+      "0000000000000000000000000000000000000000000000000000000000000067",
+      "0000000000000000000000000000000000000000000000000000000000000068",
+      "0000000000000000000000000000000000000000000000000000000000000069",
+      "000000000000000000000000000000000000000000000000000000000000006a",
+      "000000000000000000000000000000000000000000000000000000000000006b",
+      "000000000000000000000000000000000000000000000000000000000000006c",
+      "000000000000000000000000000000000000000000000000000000000000006d",
+      "000000000000000000000000000000000000000000000000000000000000006e",
+      "000000000000000000000000000000000000000000000000000000000000006f",
+      "0000000000000000000000000000000000000000000000000000000000000070",
+      "0000000000000000000000000000000000000000000000000000000000000071",
+      "0000000000000000000000000000000000000000000000000000000000000072",
+      "0000000000000000000000000000000000000000000000000000000000000073",
+      "0000000000000000000000000000000000000000000000000000000000000074",
+      "0000000000000000000000000000000000000000000000000000000000000075",
+      "0000000000000000000000000000000000000000000000000000000000000076",
+      "0000000000000000000000000000000000000000000000000000000000000077",
+      "0000000000000000000000000000000000000000000000000000000000000078",
+      "0000000000000000000000000000000000000000000000000000000000000079",
+      "000000000000000000000000000000000000000000000000000000000000007a",
+      "000000000000000000000000000000000000000000000000000000000000007b",
+      "000000000000000000000000000000000000000000000000000000000000007c",
+      "000000000000000000000000000000000000000000000000000000000000007d",
+      "000000000000000000000000000000000000000000000000000000000000007e",
+      "000000000000000000000000000000000000000000000000000000000000007f",
+      "0000000000000000000000000000000000000000000000000000000000000080",
+      "0000000000000000000000000000000000000000000000000000000000000081",
+      "0000000000000000000000000000000000000000000000000000000000000082",
+      "0000000000000000000000000000000000000000000000000000000000000083",
+      "0000000000000000000000000000000000000000000000000000000000000084",
+      "0000000000000000000000000000000000000000000000000000000000000085",
+      "0000000000000000000000000000000000000000000000000000000000000086",
+      "0000000000000000000000000000000000000000000000000000000000000087",
+      "0000000000000000000000000000000000000000000000000000000000000088",
+      "0000000000000000000000000000000000000000000000000000000000000089",
+      "000000000000000000000000000000000000000000000000000000000000008a",
+      "000000000000000000000000000000000000000000000000000000000000008b",
+      "000000000000000000000000000000000000000000000000000000000000008c",
+      "000000000000000000000000000000000000000000000000000000000000008d",
+      "000000000000000000000000000000000000000000000000000000000000008e",
+      "000000000000000000000000000000000000000000000000000000000000008f",
+      "0000000000000000000000000000000000000000000000000000000000000090",
+      "0000000000000000000000000000000000000000000000000000000000000091",
+      "0000000000000000000000000000000000000000000000000000000000000092",
+      "0000000000000000000000000000000000000000000000000000000000000093",
+      "0000000000000000000000000000000000000000000000000000000000000094",
+      "0000000000000000000000000000000000000000000000000000000000000095",
+      "0000000000000000000000000000000000000000000000000000000000000096",
+      "0000000000000000000000000000000000000000000000000000000000000097",
+      "0000000000000000000000000000000000000000000000000000000000000098",
+      "0000000000000000000000000000000000000000000000000000000000000099",
+      "000000000000000000000000000000000000000000000000000000000000009a",
+      "000000000000000000000000000000000000000000000000000000000000009b",
+      "000000000000000000000000000000000000000000000000000000000000009c",
+      "000000000000000000000000000000000000000000000000000000000000009d",
+      "000000000000000000000000000000000000000000000000000000000000009e",
+      "000000000000000000000000000000000000000000000000000000000000009f",
+      "00000000000000000000000000000000000000000000000000000000000000a0",
+      "00000000000000000000000000000000000000000000000000000000000000a1",
+      "00000000000000000000000000000000000000000000000000000000000000a2",
+      "00000000000000000000000000000000000000000000000000000000000000a3",
+      "00000000000000000000000000000000000000000000000000000000000000a4",
+      "00000000000000000000000000000000000000000000000000000000000000a5",
+      "00000000000000000000000000000000000000000000000000000000000000a6",
+      "00000000000000000000000000000000000000000000000000000000000000a7",
+      "00000000000000000000000000000000000000000000000000000000000000a8",
+      "00000000000000000000000000000000000000000000000000000000000000a9",
+      "00000000000000000000000000000000000000000000000000000000000000aa",
+      "00000000000000000000000000000000000000000000000000000000000000ab",
+      "00000000000000000000000000000000000000000000000000000000000000ac",
+      "00000000000000000000000000000000000000000000000000000000000000ad",
+      "00000000000000000000000000000000000000000000000000000000000000ae",
+      "00000000000000000000000000000000000000000000000000000000000000af",
+      "00000000000000000000000000000000000000000000000000000000000000b0",
+      "00000000000000000000000000000000000000000000000000000000000000b1",
+      "00000000000000000000000000000000000000000000000000000000000000b2",
+      "00000000000000000000000000000000000000000000000000000000000000b3",
+      "00000000000000000000000000000000000000000000000000000000000000b4",
+      "00000000000000000000000000000000000000000000000000000000000000b5",
+      "00000000000000000000000000000000000000000000000000000000000000b6",
+      "00000000000000000000000000000000000000000000000000000000000000b7",
+      "00000000000000000000000000000000000000000000000000000000000000b8",
+      "00000000000000000000000000000000000000000000000000000000000000b9",
+      "00000000000000000000000000000000000000000000000000000000000000ba",
+      "00000000000000000000000000000000000000000000000000000000000000bb",
+      "00000000000000000000000000000000000000000000000000000000000000bc",
+      "00000000000000000000000000000000000000000000000000000000000000bd",
+      "00000000000000000000000000000000000000000000000000000000000000be",
+      "00000000000000000000000000000000000000000000000000000000000000bf",
+      "00000000000000000000000000000000000000000000000000000000000000c0",
+      "00000000000000000000000000000000000000000000000000000000000000c1",
+      "00000000000000000000000000000000000000000000000000000000000000c2",
+      "00000000000000000000000000000000000000000000000000000000000000c3",
+      "00000000000000000000000000000000000000000000000000000000000000c4",
+      "00000000000000000000000000000000000000000000000000000000000000c5",
+      "00000000000000000000000000000000000000000000000000000000000000c6",
+      "00000000000000000000000000000000000000000000000000000000000000c7",
+      "00000000000000000000000000000000000000000000000000000000000000c8",
+      "00000000000000000000000000000000000000000000000000000000000000c9",
+      "00000000000000000000000000000000000000000000000000000000000000ca",
+      "00000000000000000000000000000000000000000000000000000000000000cb",
+      "00000000000000000000000000000000000000000000000000000000000000cc",
+      "00000000000000000000000000000000000000000000000000000000000000cd",
+      "00000000000000000000000000000000000000000000000000000000000000ce",
+      "00000000000000000000000000000000000000000000000000000000000000cf",
+      "00000000000000000000000000000000000000000000000000000000000000d0",
+      "00000000000000000000000000000000000000000000000000000000000000d1",
+      "00000000000000000000000000000000000000000000000000000000000000d2",
+      "00000000000000000000000000000000000000000000000000000000000000d3",
+      "00000000000000000000000000000000000000000000000000000000000000d4",
+      "00000000000000000000000000000000000000000000000000000000000000d5",
+      "00000000000000000000000000000000000000000000000000000000000000d6",
+      "00000000000000000000000000000000000000000000000000000000000000d7",
+      "00000000000000000000000000000000000000000000000000000000000000d8",
+      "00000000000000000000000000000000000000000000000000000000000000d9",
+      "00000000000000000000000000000000000000000000000000000000000000da",
+      "00000000000000000000000000000000000000000000000000000000000000db",
+      "00000000000000000000000000000000000000000000000000000000000000dc",
+      "00000000000000000000000000000000000000000000000000000000000000dd",
+      "00000000000000000000000000000000000000000000000000000000000000de",
+      "00000000000000000000000000000000000000000000000000000000000000df",
+      "00000000000000000000000000000000000000000000000000000000000000e0",
+      "00000000000000000000000000000000000000000000000000000000000000e1",
+      "00000000000000000000000000000000000000000000000000000000000000e2",
+      "00000000000000000000000000000000000000000000000000000000000000e3",
+      "00000000000000000000000000000000000000000000000000000000000000e4",
+      "00000000000000000000000000000000000000000000000000000000000000e5",
+      "00000000000000000000000000000000000000000000000000000000000000e6",
+      "00000000000000000000000000000000000000000000000000000000000000e7",
+      "00000000000000000000000000000000000000000000000000000000000000e8",
+      "00000000000000000000000000000000000000000000000000000000000000e9",
+      "00000000000000000000000000000000000000000000000000000000000000ea",
+      "00000000000000000000000000000000000000000000000000000000000000eb",
+      "00000000000000000000000000000000000000000000000000000000000000ec",
+      "00000000000000000000000000000000000000000000000000000000000000ed",
+      "00000000000000000000000000000000000000000000000000000000000000ee",
+      "00000000000000000000000000000000000000000000000000000000000000ef",
+      "00000000000000000000000000000000000000000000000000000000000000f0",
+      "00000000000000000000000000000000000000000000000000000000000000f1",
+      "00000000000000000000000000000000000000000000000000000000000000f2",
+      "00000000000000000000000000000000000000000000000000000000000000f3",
+      "00000000000000000000000000000000000000000000000000000000000000f4",
+      "00000000000000000000000000000000000000000000000000000000000000f5",
+      "00000000000000000000000000000000000000000000000000000000000000f6",
+      "00000000000000000000000000000000000000000000000000000000000000f7",
+      "00000000000000000000000000000000000000000000000000000000000000f8",
+      "00000000000000000000000000000000000000000000000000000000000000f9",
+      "00000000000000000000000000000000000000000000000000000000000000fa",
+      "00000000000000000000000000000000000000000000000000000000000000fb",
+      "00000000000000000000000000000000000000000000000000000000000000fc",
+      "00000000000000000000000000000000000000000000000000000000000000fd",
+      "00000000000000000000000000000000000000000000000000000000000000fe"
+    ],
+    "expected": "ff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000003000000000000000000000000000000000000000000000000000000000000000400000000000000000000000000000000000000000000000000000000000000050000000000000000000000000000000000000000000000000000000000000006000000000000000000000000000000000000000000000000000000000000000700000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000000000000000000000000000000000009000000000000000000000000000000000000000000000000000000000000000a000000000000000000000000000000000000000000000000000000000000000b000000000000000000000000000000000000000000000000000000000000000c000000000000000000000000000000000000000000000000000000000000000d000000000000000000000000000000000000000000000000000000000000000e000000000000000000000000000000000000000000000000000000000000000f0000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000001100000000000000000000000000000000000000000000000000000000000000120000000000000000000000000000000000000000000000000000000000000013000000000000000000000000000000000000000000000000000000000000001400000000000000000000000000000000000000000000000000000000000000150000000000000000000000000000000000000000000000000000000000000016000000000000000000000000000000000000000000000000000000000000001700000000000000000000000000000000000000000000000000000000000000180000000000000000000000000000000000000000000000000000000000000019000000000000000000000000000000000000000000000000000000000000001a000000000000000000000000000000000000000000000000000000000000001b000000000000000000000000000000000000000000000000000000000000001c000000000000000000000000000000000000000000000000000000000000001d000000000000000000000000000000000000000000000000000000000000001e000000000000000000000000000000000000000000000000000000000000001f0000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000002100000000000000000000000000000000000000000000000000000000000000220000000000000000000000000000000000000000000000000000000000000023000000000000000000000000000000000000000000000000000000000000002400000000000000000000000000000000000000000000000000000000000000250000000000000000000000000000000000000000000000000000000000000026000000000000000000000000000000000000000000000000000000000000002700000000000000000000000000000000000000000000000000000000000000280000000000000000000000000000000000000000000000000000000000000029000000000000000000000000000000000000000000000000000000000000002a000000000000000000000000000000000000000000000000000000000000002b000000000000000000000000000000000000000000000000000000000000002c000000000000000000000000000000000000000000000000000000000000002d000000000000000000000000000000000000000000000000000000000000002e000000000000000000000000000000000000000000000000000000000000002f0000000000000000000000000000000000000000000000000000000000000030000000000000000000000000000000000000000000000000000000000000003100000000000000000000000000000000000000000000000000000000000000320000000000000000000000000000000000000000000000000000000000000033000000000000000000000000000000000000000000000000000000000000003400000000000000000000000000000000000000000000000000000000000000350000000000000000000000000000000000000000000000000000000000000036000000000000000000000000000000000000000000000000000000000000003700000000000000000000000000000000000000000000000000000000000000380000000000000000000000000000000000000000000000000000000000000039000000000000000000000000000000000000000000000000000000000000003a000000000000000000000000000000000000000000000000000000000000003b000000000000000000000000000000000000000000000000000000000000003c000000000000000000000000000000000000000000000000000000000000003d000000000000000000000000000000000000000000000000000000000000003e000000000000000000000000000000000000000000000000000000000000003f0000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000004100000000000000000000000000000000000000000000000000000000000000420000000000000000000000000000000000000000000000000000000000000043000000000000000000000000000000000000000000000000000000000000004400000000000000000000000000000000000000000000000000000000000000450000000000000000000000000000000000000000000000000000000000000046000000000000000000000000000000000000000000000000000000000000004700000000000000000000000000000000000000000000000000000000000000480000000000000000000000000000000000000000000000000000000000000049000000000000000000000000000000000000000000000000000000000000004a000000000000000000000000000000000000000000000000000000000000004b000000000000000000000000000000000000000000000000000000000000004c000000000000000000000000000000000000000000000000000000000000004d000000000000000000000000000000000000000000000000000000000000004e000000000000000000000000000000000000000000000000000000000000004f0000000000000000000000000000000000000000000000000000000000000050000000000000000000000000000000000000000000000000000000000000005100000000000000000000000000000000000000000000000000000000000000520000000000000000000000000000000000000000000000000000000000000053000000000000000000000000000000000000000000000000000000000000005400000000000000000000000000000000000000000000000000000000000000550000000000000000000000000000000000000000000000000000000000000056000000000000000000000000000000000000000000000000000000000000005700000000000000000000000000000000000000000000000000000000000000580000000000000000000000000000000000000000000000000000000000000059000000000000000000000000000000000000000000000000000000000000005a000000000000000000000000000000000000000000000000000000000000005b000000000000000000000000000000000000000000000000000000000000005c000000000000000000000000000000000000000000000000000000000000005d000000000000000000000000000000000000000000000000000000000000005e000000000000000000000000000000000000000000000000000000000000005f0000000000000000000000000000000000000000000000000000000000000060000000000000000000000000000000000000000000000000000000000000006100000000000000000000000000000000000000000000000000000000000000620000000000000000000000000000000000000000000000000000000000000063000000000000000000000000000000000000000000000000000000000000006400000000000000000000000000000000000000000000000000000000000000650000000000000000000000000000000000000000000000000000000000000066000000000000000000000000000000000000000000000000000000000000006700000000000000000000000000000000000000000000000000000000000000680000000000000000000000000000000000000000000000000000000000000069000000000000000000000000000000000000000000000000000000000000006a000000000000000000000000000000000000000000000000000000000000006b000000000000000000000000000000000000000000000000000000000000006c000000000000000000000000000000000000000000000000000000000000006d000000000000000000000000000000000000000000000000000000000000006e000000000000000000000000000000000000000000000000000000000000006f0000000000000000000000000000000000000000000000000000000000000070000000000000000000000000000000000000000000000000000000000000007100000000000000000000000000000000000000000000000000000000000000720000000000000000000000000000000000000000000000000000000000000073000000000000000000000000000000000000000000000000000000000000007400000000000000000000000000000000000000000000000000000000000000750000000000000000000000000000000000000000000000000000000000000076000000000000000000000000000000000000000000000000000000000000007700000000000000000000000000000000000000000000000000000000000000780000000000000000000000000000000000000000000000000000000000000079000000000000000000000000000000000000000000000000000000000000007a000000000000000000000000000000000000000000000000000000000000007b000000000000000000000000000000000000000000000000000000000000007c000000000000000000000000000000000000000000000000000000000000007d000000000000000000000000000000000000000000000000000000000000007e000000000000000000000000000000000000000000000000000000000000007f0000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000000000000000000000000000000000008100000000000000000000000000000000000000000000000000000000000000820000000000000000000000000000000000000000000000000000000000000083000000000000000000000000000000000000000000000000000000000000008400000000000000000000000000000000000000000000000000000000000000850000000000000000000000000000000000000000000000000000000000000086000000000000000000000000000000000000000000000000000000000000008700000000000000000000000000000000000000000000000000000000000000880000000000000000000000000000000000000000000000000000000000000089000000000000000000000000000000000000000000000000000000000000008a000000000000000000000000000000000000000000000000000000000000008b000000000000000000000000000000000000000000000000000000000000008c000000000000000000000000000000000000000000000000000000000000008d000000000000000000000000000000000000000000000000000000000000008e000000000000000000000000000000000000000000000000000000000000008f0000000000000000000000000000000000000000000000000000000000000090000000000000000000000000000000000000000000000000000000000000009100000000000000000000000000000000000000000000000000000000000000920000000000000000000000000000000000000000000000000000000000000093000000000000000000000000000000000000000000000000000000000000009400000000000000000000000000000000000000000000000000000000000000950000000000000000000000000000000000000000000000000000000000000096000000000000000000000000000000000000000000000000000000000000009700000000000000000000000000000000000000000000000000000000000000980000000000000000000000000000000000000000000000000000000000000099000000000000000000000000000000000000000000000000000000000000009a000000000000000000000000000000000000000000000000000000000000009b000000000000000000000000000000000000000000000000000000000000009c000000000000000000000000000000000000000000000000000000000000009d000000000000000000000000000000000000000000000000000000000000009e000000000000000000000000000000000000000000000000000000000000009f00000000000000000000000000000000000000000000000000000000000000a000000000000000000000000000000000000000000000000000000000000000a100000000000000000000000000000000000000000000000000000000000000a200000000000000000000000000000000000000000000000000000000000000a300000000000000000000000000000000000000000000000000000000000000a400000000000000000000000000000000000000000000000000000000000000a500000000000000000000000000000000000000000000000000000000000000a600000000000000000000000000000000000000000000000000000000000000a700000000000000000000000000000000000000000000000000000000000000a800000000000000000000000000000000000000000000000000000000000000a900000000000000000000000000000000000000000000000000000000000000aa00000000000000000000000000000000000000000000000000000000000000ab00000000000000000000000000000000000000000000000000000000000000ac00000000000000000000000000000000000000000000000000000000000000ad00000000000000000000000000000000000000000000000000000000000000ae00000000000000000000000000000000000000000000000000000000000000af00000000000000000000000000000000000000000000000000000000000000b000000000000000000000000000000000000000000000000000000000000000b100000000000000000000000000000000000000000000000000000000000000b200000000000000000000000000000000000000000000000000000000000000b300000000000000000000000000000000000000000000000000000000000000b400000000000000000000000000000000000000000000000000000000000000b500000000000000000000000000000000000000000000000000000000000000b600000000000000000000000000000000000000000000000000000000000000b700000000000000000000000000000000000000000000000000000000000000b800000000000000000000000000000000000000000000000000000000000000b900000000000000000000000000000000000000000000000000000000000000ba00000000000000000000000000000000000000000000000000000000000000bb00000000000000000000000000000000000000000000000000000000000000bc00000000000000000000000000000000000000000000000000000000000000bd00000000000000000000000000000000000000000000000000000000000000be00000000000000000000000000000000000000000000000000000000000000bf00000000000000000000000000000000000000000000000000000000000000c000000000000000000000000000000000000000000000000000000000000000c100000000000000000000000000000000000000000000000000000000000000c200000000000000000000000000000000000000000000000000000000000000c300000000000000000000000000000000000000000000000000000000000000c400000000000000000000000000000000000000000000000000000000000000c500000000000000000000000000000000000000000000000000000000000000c600000000000000000000000000000000000000000000000000000000000000c700000000000000000000000000000000000000000000000000000000000000c800000000000000000000000000000000000000000000000000000000000000c900000000000000000000000000000000000000000000000000000000000000ca00000000000000000000000000000000000000000000000000000000000000cb00000000000000000000000000000000000000000000000000000000000000cc00000000000000000000000000000000000000000000000000000000000000cd00000000000000000000000000000000000000000000000000000000000000ce00000000000000000000000000000000000000000000000000000000000000cf00000000000000000000000000000000000000000000000000000000000000d000000000000000000000000000000000000000000000000000000000000000d100000000000000000000000000000000000000000000000000000000000000d200000000000000000000000000000000000000000000000000000000000000d300000000000000000000000000000000000000000000000000000000000000d400000000000000000000000000000000000000000000000000000000000000d500000000000000000000000000000000000000000000000000000000000000d600000000000000000000000000000000000000000000000000000000000000d700000000000000000000000000000000000000000000000000000000000000d800000000000000000000000000000000000000000000000000000000000000d900000000000000000000000000000000000000000000000000000000000000da00000000000000000000000000000000000000000000000000000000000000db00000000000000000000000000000000000000000000000000000000000000dc00000000000000000000000000000000000000000000000000000000000000dd00000000000000000000000000000000000000000000000000000000000000de00000000000000000000000000000000000000000000000000000000000000df00000000000000000000000000000000000000000000000000000000000000e000000000000000000000000000000000000000000000000000000000000000e100000000000000000000000000000000000000000000000000000000000000e200000000000000000000000000000000000000000000000000000000000000e300000000000000000000000000000000000000000000000000000000000000e400000000000000000000000000000000000000000000000000000000000000e500000000000000000000000000000000000000000000000000000000000000e600000000000000000000000000000000000000000000000000000000000000e700000000000000000000000000000000000000000000000000000000000000e800000000000000000000000000000000000000000000000000000000000000e900000000000000000000000000000000000000000000000000000000000000ea00000000000000000000000000000000000000000000000000000000000000eb00000000000000000000000000000000000000000000000000000000000000ec00000000000000000000000000000000000000000000000000000000000000ed00000000000000000000000000000000000000000000000000000000000000ee00000000000000000000000000000000000000000000000000000000000000ef00000000000000000000000000000000000000000000000000000000000000f000000000000000000000000000000000000000000000000000000000000000f100000000000000000000000000000000000000000000000000000000000000f200000000000000000000000000000000000000000000000000000000000000f300000000000000000000000000000000000000000000000000000000000000f400000000000000000000000000000000000000000000000000000000000000f500000000000000000000000000000000000000000000000000000000000000f600000000000000000000000000000000000000000000000000000000000000f700000000000000000000000000000000000000000000000000000000000000f800000000000000000000000000000000000000000000000000000000000000f900000000000000000000000000000000000000000000000000000000000000fa00000000000000000000000000000000000000000000000000000000000000fb00000000000000000000000000000000000000000000000000000000000000fc00000000000000000000000000000000000000000000000000000000000000fd00000000000000000000000000000000000000000000000000000000000000fe"
+  }
+]
diff --git a/src/wallet/encryptedbackup.cpp b/src/wallet/encryptedbackup.cpp
index a7c4a76242d0..e6865f8a632b 100644
--- a/src/wallet/encryptedbackup.cpp
+++ b/src/wallet/encryptedbackup.cpp
@@ -5,6 +5,7 @@
 #include <wallet/encryptedbackup.h>
 
 #include <cstring>
+#include <set>
 
 #include <hash.h>
 #include <key_io.h>
@@ -101,6 +102,15 @@ uint256 ComputeDecryptionSecret(const std::vector<uint256>& keys)
     return hasher.GetSHA256();
 }
 
+uint256 XorUint256(const uint256& a, const uint256& b)
+{
+    uint256 out;
+    for (size_t i = 0; i < 32; ++i) {
+        out.data()[i] = a.data()[i] ^ b.data()[i];
+    }
+    return out;
+}
+
 uint256 ComputeIndividualSecret(const uint256& key)
 {
     // BIP340-style tagged hash: sha256(sha256(tag) || sha256(tag) || pi)
@@ -118,11 +128,7 @@ std::vector<uint256> ComputeAllIndividualSecrets(const uint256& decryption_secre
     for (const auto& key : keys) {
         uint256 si = ComputeIndividualSecret(key);
         // ci = s XOR si
-        uint256 ci;
-        for (size_t i = 0; i < 32; ++i) {
-            ci.data()[i] = decryption_secret.data()[i] ^ si.data()[i];
-        }
-        result.push_back(ci);
+        result.push_back(XorUint256(decryption_secret, si));
     }
     return result;
 }
@@ -208,4 +214,54 @@ util::Result<std::pair<std::vector<DerivationPath>, size_t>> DecodeDerivationPat
     return std::make_pair(std::vector<DerivationPath>(unique_paths.begin(), unique_paths.end()), pos);
 }
 
+util::Result<std::vector<uint8_t>> EncodeIndividualSecrets(const std::vector<uint256>& secrets)
+{
+    // Deduplicate and sort lexicographically.
+    std::set<uint256> unique_secrets(secrets.begin(), secrets.end());
+    if (unique_secrets.empty()) {
+        return util::Error{Untranslated("At least one individual secret is required")};
+    }
+    if (unique_secrets.size() > 255) {
+        return util::Error{Untranslated("Too many individual secrets (max 255)")};
+    }
+
+    std::vector<uint8_t> result;
+    result.reserve(1 + unique_secrets.size() * SECRET_SIZE);
+    result.push_back(static_cast<uint8_t>(unique_secrets.size()));
+
+    for (const auto& secret : unique_secrets) {
+        result.insert(result.end(), secret.begin(), secret.end());
+    }
+
+    return result;
+}
+
+util::Result<std::pair<std::vector<uint256>, size_t>> DecodeIndividualSecrets(std::span<const uint8_t> data)
+{
+    if (data.empty()) {
+        return util::Error{Untranslated("Empty individual secrets data")};
+    }
+
+    uint8_t count = data[0];
+    if (count == 0) {
+        return util::Error{Untranslated("At least one individual secret is required")};
+    }
+
+    size_t expected_size = 1 + count * SECRET_SIZE;
+    if (data.size() < expected_size) {
+        return util::Error{Untranslated("Truncated individual secrets data")};
+    }
+
+    // Parsed secrets are deduplicated and sorted on decode, matching the
+    // reference implementation's BTreeSet behavior.
+    std::set<uint256> unique_secrets;
+    for (size_t i = 0; i < count; ++i) {
+        uint256 secret;
+        std::memcpy(secret.data(), data.data() + 1 + i * SECRET_SIZE, SECRET_SIZE);
+        unique_secrets.insert(secret);
+    }
+
+    return std::make_pair(std::vector<uint256>(unique_secrets.begin(), unique_secrets.end()), expected_size);
+}
+
 } // namespace wallet
diff --git a/src/wallet/encryptedbackup.h b/src/wallet/encryptedbackup.h
index b57ce92f2f25..6d3d9d357d6c 100644
--- a/src/wallet/encryptedbackup.h
+++ b/src/wallet/encryptedbackup.h
@@ -5,6 +5,7 @@
 #ifndef BITCOIN_WALLET_ENCRYPTEDBACKUP_H
 #define BITCOIN_WALLET_ENCRYPTEDBACKUP_H
 
+#include <cstddef>
 #include <cstdint>
 #include <span>
 #include <string>
@@ -16,6 +17,8 @@
 
 namespace wallet {
 
+const size_t SECRET_SIZE = 32;
+
 /**
  * Implements the encrypted backup scheme from BIP-XXXX (draft).
  *
@@ -139,6 +142,22 @@ util::Result<std::vector<uint8_t>> EncodeDerivationPaths(const std::vector<Deriv
  */
 util::Result<std::pair<std::vector<DerivationPath>, size_t>> DecodeDerivationPaths(std::span<const uint8_t> data);
 
+/**
+ * Encode individual secrets according to the backup format.
+ *
+ * @param[in] secrets Vector of individual secrets
+ * @return Encoded bytes, or error if empty or too many secrets
+ */
+util::Result<std::vector<uint8_t>> EncodeIndividualSecrets(const std::vector<uint256>& secrets);
+
+/**
+ * Decode individual secrets from backup format.
+ *
+ * @param[in] data The encoded data
+ * @return Pair of (individual secrets, bytes consumed), or error message
+ */
+util::Result<std::pair<std::vector<uint256>, size_t>> DecodeIndividualSecrets(std::span<const uint8_t> data);
+
 } // namespace wallet
 
 #endif // BITCOIN_WALLET_ENCRYPTEDBACKUP_H
diff --git a/src/wallet/test/encrypted_backup_tests.cpp b/src/wallet/test/encrypted_backup_tests.cpp
index 8f489893a09a..7b1c4f4e8960 100644
--- a/src/wallet/test/encrypted_backup_tests.cpp
+++ b/src/wallet/test/encrypted_backup_tests.cpp
@@ -6,6 +6,7 @@
 
 #include <test/data/bip_encrypted_backup_derivation_path.json.h>
 #include <test/data/bip_encrypted_backup_encryption_secret.json.h>
+#include <test/data/bip_encrypted_backup_individual_secrets.json.h>
 #include <test/data/bip_encrypted_backup_keys_types.json.h>
 
 #include <base58.h>
@@ -307,6 +308,102 @@ BOOST_AUTO_TEST_CASE(derivation_path_decode_sorted_test)
     BOOST_CHECK_EQUAL(decoded->first[1][0], 0x80000054u);
 }
 
+BOOST_AUTO_TEST_CASE(individual_secrets_encoding_test)
+{
+    // Test individual secrets encoding using BIP test vectors
+    UniValue vectors = read_json(json_tests::bip_encrypted_backup_individual_secrets);
+
+    for (size_t i = 0; i < vectors.size(); ++i) {
+        const UniValue& vec = vectors[i];
+        std::string description = vec["description"].get_str();
+
+        BOOST_TEST_MESSAGE("Testing: " << description);
+
+        const UniValue& secrets_arr = vec["secrets"];
+
+        // Parse secrets
+        std::vector<uint256> secrets;
+        for (size_t j = 0; j < secrets_arr.size(); ++j) {
+            auto secret_bytes = ParseHex(secrets_arr[j].get_str());
+            if (secret_bytes.size() == 32) {
+                uint256 secret;
+                std::memcpy(secret.data(), secret_bytes.data(), 32);
+                secrets.push_back(secret);
+            }
+        }
+
+        // Check if this should fail
+        if (vec["expected"].isNull()) {
+            auto encoded_result = EncodeIndividualSecrets(secrets);
+            BOOST_CHECK_MESSAGE(!encoded_result,
+                description << ": expected failure but got success");
+            continue;
+        }
+
+        std::string expected_hex = vec["expected"].get_str();
+
+        // Encode
+        auto encoded_result = EncodeIndividualSecrets(secrets);
+        BOOST_REQUIRE_MESSAGE(encoded_result, util::ErrorString(encoded_result).original);
+
+        std::string result_hex = HexStr(*encoded_result);
+        BOOST_CHECK_MESSAGE(result_hex == expected_hex,
+            description << ": expected " << expected_hex << " got " << result_hex);
+
+        // Test round-trip decode
+        auto decoded_result = DecodeIndividualSecrets(*encoded_result);
+        BOOST_REQUIRE_MESSAGE(decoded_result, util::ErrorString(decoded_result).original);
+        BOOST_CHECK_EQUAL(decoded_result->first.size(), secrets.size());
+        BOOST_CHECK_EQUAL(decoded_result->second, encoded_result->size());
+    }
+}
+
+// ---------- Individual secrets edge cases ----------
+
+BOOST_AUTO_TEST_CASE(individual_secrets_parse_empty_test)
+{
+    BOOST_CHECK(!DecodeIndividualSecrets(std::vector<uint8_t>{}));
+    BOOST_CHECK(!DecodeIndividualSecrets(std::vector<uint8_t>{0x00}));
+}
+
+BOOST_AUTO_TEST_CASE(individual_secrets_encode_empty_test)
+{
+    BOOST_CHECK(!EncodeIndividualSecrets({}));
+}
+
+BOOST_AUTO_TEST_CASE(individual_secrets_too_many_test)
+{
+    std::vector<uint256> secrets;
+    for (size_t i = 0; i < 256; ++i) {
+        uint256 s;
+        GetStrongRandBytes(s);
+        secrets.push_back(s);
+    }
+    BOOST_CHECK(!EncodeIndividualSecrets(secrets));
+}
+
+BOOST_AUTO_TEST_CASE(individual_secrets_encode_dedup_byte_test)
+{
+    // Two identical secrets collapse to one in the encoding.
+    uint256 zero;
+    std::memset(zero.data(), 0, 32);
+    auto bytes = EncodeIndividualSecrets({zero, zero});
+    BOOST_REQUIRE(bytes);
+    std::string expected = "01" + std::string(64, '0');
+    BOOST_CHECK_EQUAL(HexStr(*bytes), expected);
+}
+
+BOOST_AUTO_TEST_CASE(individual_secrets_decode_dedup_test)
+{
+    // Byte stream with count=2 and identical payloads; decoder collapses.
+    std::vector<uint8_t> bytes{0x02};
+    bytes.resize(1 + 2 * 32, 0x00);
+    auto decoded = DecodeIndividualSecrets(bytes);
+    BOOST_REQUIRE(decoded);
+    BOOST_CHECK_EQUAL(decoded->first.size(), 1u);
+    BOOST_CHECK_EQUAL(decoded->second, 1 + 2 * 32);
+}
+
 BOOST_AUTO_TEST_SUITE_END()
 
 } // namespace wallet

From c0ead9debd6d5702795ec8f4b11123a3fbb5e2ab Mon Sep 17 00:00:00 2001
From: pythcoiner <pythcoiner@proton.me>
Date: Wed, 15 Apr 2026 05:32:43 -0400
Subject: [PATCH 10/21] wallet: BIP-xxxx content type encoding

Add functions for encoding/decoding content type metadata as specified in BIP-xxxx:
- EncodeContent: encode BIP_NUMBER or VENDOR_SPECIFIC content types
- DecodeContent: decode content type from binary format

Content types define what kind of data is in the encrypted payload:
- BIP_NUMBER: references a BIP specification (e.g., 380 for descriptors)
- VENDOR_SPECIFIC: application-defined content with length prefix

Includes test vectors from the BIP specification.

Co-authored-by: Sjors Provoost <sjors@sprovoost.nl>
---
 src/test/CMakeLists.txt                       |  1 +
 .../bip_encrypted_backup_content_type.json    | 67 +++++++++++++
 src/wallet/encryptedbackup.cpp                | 85 +++++++++++++++++
 src/wallet/encryptedbackup.h                  | 52 +++++++++-
 src/wallet/test/encrypted_backup_tests.cpp    | 94 +++++++++++++++++++
 5 files changed, 294 insertions(+), 5 deletions(-)
 create mode 100644 src/test/data/bip_encrypted_backup_content_type.json

diff --git a/src/test/CMakeLists.txt b/src/test/CMakeLists.txt
index 3e85a9175a46..8a5f5f5ecc6c 100644
--- a/src/test/CMakeLists.txt
+++ b/src/test/CMakeLists.txt
@@ -144,6 +144,7 @@ include(TargetDataSources)
 target_json_data_sources(test_bitcoin
   data/base58_encode_decode.json
   data/bip341_wallet_vectors.json
+  data/bip_encrypted_backup_content_type.json
   data/bip_encrypted_backup_derivation_path.json
   data/bip_encrypted_backup_encryption_secret.json
   data/bip_encrypted_backup_individual_secrets.json
diff --git a/src/test/data/bip_encrypted_backup_content_type.json b/src/test/data/bip_encrypted_backup_content_type.json
new file mode 100644
index 000000000000..f688fd47fca7
--- /dev/null
+++ b/src/test/data/bip_encrypted_backup_content_type.json
@@ -0,0 +1,67 @@
+[
+  {
+    "description": "Bip 380",
+    "valid": true,
+    "content": "01017c"
+  },
+  {
+    "description": "Bip 388",
+    "valid": true,
+    "content": "010184"
+  },
+  {
+    "description": "Bip 329",
+    "valid": true,
+    "content": "010149"
+  },
+  {
+    "description": "Bip 999",
+    "valid": true,
+    "content": "0103e7"
+  },
+  {
+    "description": "Bip max",
+    "valid": true,
+    "content": "01ffff"
+  },
+  {
+    "description": "Bip min",
+    "valid": true,
+    "content": "010000"
+  },
+  {
+    "description": "Propietary 00010203",
+    "valid": true,
+    "content": "020400010203"
+  },
+  {
+    "description": "TYPE 0x00 is reserved",
+    "valid": false,
+    "content": "00"
+  },
+  {
+    "description": "Invalid BIP (insufficient bytes)",
+    "valid": false,
+    "content": "0100"
+  },
+  {
+    "description": "Invalid proprietary (missing data)",
+    "valid": false,
+    "content": "0201"
+  },
+  {
+    "description": "Invalid proprietary (LENGTH exceeds payload)",
+    "valid": false,
+    "content": "020500"
+  },
+  {
+    "description": "TYPE >= 0x80 stops parsing",
+    "valid": false,
+    "content": "ff"
+  },
+  {
+    "description": "TYPE >= 0x80 stops parsing",
+    "valid": false,
+    "content": "ff000000"
+  }
+]
diff --git a/src/wallet/encryptedbackup.cpp b/src/wallet/encryptedbackup.cpp
index e6865f8a632b..61818c179f01 100644
--- a/src/wallet/encryptedbackup.cpp
+++ b/src/wallet/encryptedbackup.cpp
@@ -7,10 +7,15 @@
 #include <cstring>
 #include <set>
 
+#include <crypto/chacha20poly1305.h>
 #include <hash.h>
 #include <key_io.h>
+#include <random.h>
 #include <script/descriptor.h>
+#include <serialize.h>
+#include <streams.h>
 #include <util/bip32.h>
+#include <util/strencodings.h>
 
 namespace wallet {
 
@@ -264,4 +269,84 @@ util::Result<std::pair<std::vector<uint256>, size_t>> DecodeIndividualSecrets(st
     return std::make_pair(std::vector<uint256>(unique_secrets.begin(), unique_secrets.end()), expected_size);
 }
 
+util::Result<std::vector<uint8_t>> EncodeContent(const EncryptedBackupContent& content)
+{
+    std::vector<uint8_t> result;
+
+    switch (content.type) {
+    case ContentType::RESERVED:
+        return util::Error{Untranslated("Reserved content type cannot be encoded")};
+
+    case ContentType::BIP_NUMBER:
+        result.push_back(static_cast<uint8_t>(ContentType::BIP_NUMBER));
+        // BIP number is big-endian uint16, no LENGTH field
+        result.push_back((content.bip_number >> 8) & 0xFF);
+        result.push_back(content.bip_number & 0xFF);
+        break;
+
+    case ContentType::VENDOR_SPECIFIC: {
+        result.push_back(static_cast<uint8_t>(ContentType::VENDOR_SPECIFIC));
+        // CompactSize encoding for length
+        DataStream ss;
+        WriteCompactSize(ss, content.vendor_data.size());
+        result.insert(result.end(), UCharCast(ss.data()), UCharCast(ss.data()) + ss.size());
+        result.insert(result.end(), content.vendor_data.begin(), content.vendor_data.end());
+        break;
+    }
+
+    default:
+        return util::Error{Untranslated("Unknown content type")};
+    }
+
+    return result;
+}
+
+util::Result<std::pair<EncryptedBackupContent, size_t>> DecodeContent(std::span<const uint8_t> data)
+{
+    if (data.empty()) {
+        return util::Error{Untranslated("Empty content data")};
+    }
+
+    const uint8_t type_byte = data[0];
+    if (type_byte == 0x00) {
+        return util::Error{Untranslated("Reserved content type 0x00")};
+    }
+    if (type_byte >= 0x80) {
+        return util::Error{Untranslated("Content type >= 0x80 stops parsing")};
+    }
+
+    EncryptedBackupContent content;
+    content.type = static_cast<ContentType>(type_byte);
+    SpanReader reader{data.subspan(1)};
+
+    if (content.type == ContentType::BIP_NUMBER) {
+        if (reader.size() < 2) {
+            return util::Error{Untranslated("Truncated BIP_NUMBER content")};
+        }
+        // BIP number is big-endian uint16, read manually
+        uint8_t hi, lo;
+        reader >> hi >> lo;
+        content.bip_number = (static_cast<uint16_t>(hi) << 8) | lo;
+    } else {
+        uint64_t length;
+        try {
+            length = ReadCompactSize(reader);
+        } catch (const std::ios_base::failure& e) {
+            return util::Error{Untranslated(strprintf("Failed to decode content length: %s", e.what()))};
+        }
+        if (length > reader.size()) {
+            return util::Error{Untranslated("Content data exceeds remaining bytes")};
+        }
+        if (content.type == ContentType::VENDOR_SPECIFIC) {
+            content.vendor_data.resize(length);
+            reader.read(MakeWritableByteSpan(content.vendor_data));
+        } else {
+            // Unknown type < 0x80: skip the payload
+            reader.ignore(length);
+        }
+    }
+
+    return std::make_pair(content, data.size() - reader.size());
+}
+
 } // namespace wallet
diff --git a/src/wallet/encryptedbackup.h b/src/wallet/encryptedbackup.h
index 6d3d9d357d6c..58bb6ef1d9c2 100644
--- a/src/wallet/encryptedbackup.h
+++ b/src/wallet/encryptedbackup.h
@@ -5,16 +5,17 @@
 #ifndef BITCOIN_WALLET_ENCRYPTEDBACKUP_H
 #define BITCOIN_WALLET_ENCRYPTEDBACKUP_H
 
+#include <pubkey.h>
+#include <uint256.h>
+#include <util/result.h>
+
 #include <cstddef>
 #include <cstdint>
 #include <span>
 #include <string>
+#include <utility>
 #include <vector>
 
-#include <pubkey.h>
-#include <uint256.h>
-#include <util/result.h>
-
 namespace wallet {
 
 const size_t SECRET_SIZE = 32;
@@ -43,6 +44,31 @@ static constexpr std::string_view BIP_INDIVIDUAL_SECRET_TAG = "BIPXXX_INDIVIDUAL
  */
 using DerivationPath = std::vector<uint32_t>;
 
+/** Content type identifiers */
+enum class ContentType : uint8_t {
+    RESERVED = 0x00,
+    BIP_NUMBER = 0x01,
+    VENDOR_SPECIFIC = 0x02,
+};
+
+/** Well-known BIP numbers for content types */
+static constexpr uint16_t BIP_DESCRIPTORS = 380;
+static constexpr uint16_t BIP_WALLET_POLICIES = 388;
+static constexpr uint16_t BIP_LABELS = 329;
+
+/**
+ * Represents the content metadata in an encrypted backup.
+ */
+struct EncryptedBackupContent {
+    ContentType type{ContentType::RESERVED};
+    uint16_t bip_number{0};           // Used when type == BIP_NUMBER
+    std::vector<uint8_t> vendor_data; // Used when type == VENDOR_SPECIFIC
+
+    static EncryptedBackupContent Bip(uint16_t bip) { return {ContentType::BIP_NUMBER, bip, {}}; }
+
+    bool operator==(const EncryptedBackupContent&) const = default;
+};
+
 /**
  * Normalize a public key to 32-byte x-only format.
  *
@@ -116,7 +142,7 @@ uint256 ComputeIndividualSecret(const uint256& key);
  * @return Vector of individual secrets (ci values)
  */
 std::vector<uint256> ComputeAllIndividualSecrets(const uint256& decryption_secret,
-                                                  const std::vector<uint256>& keys);
+                                                 const std::vector<uint256>& keys);
 
 /**
  * Parse a derivation path string (e.g., "m/44'/0'/0'") into a DerivationPath.
@@ -158,6 +184,22 @@ util::Result<std::vector<uint8_t>> EncodeIndividualSecrets(const std::vector<uin
  */
 util::Result<std::pair<std::vector<uint256>, size_t>> DecodeIndividualSecrets(std::span<const uint8_t> data);
 
+/**
+ * Encode content metadata according to the backup format.
+ *
+ * @param[in] content The content metadata
+ * @return Encoded bytes, or error message
+ */
+util::Result<std::vector<uint8_t>> EncodeContent(const EncryptedBackupContent& content);
+
+/**
+ * Decode content metadata from backup format.
+ *
+ * @param[in] data The encoded data
+ * @return Content metadata and bytes consumed, or error message
+ */
+util::Result<std::pair<EncryptedBackupContent, size_t>> DecodeContent(std::span<const uint8_t> data);
+
 } // namespace wallet
 
 #endif // BITCOIN_WALLET_ENCRYPTEDBACKUP_H
diff --git a/src/wallet/test/encrypted_backup_tests.cpp b/src/wallet/test/encrypted_backup_tests.cpp
index 7b1c4f4e8960..631b6c101a1d 100644
--- a/src/wallet/test/encrypted_backup_tests.cpp
+++ b/src/wallet/test/encrypted_backup_tests.cpp
@@ -4,6 +4,7 @@
 
 #include <wallet/encryptedbackup.h>
 
+#include <test/data/bip_encrypted_backup_content_type.json.h>
 #include <test/data/bip_encrypted_backup_derivation_path.json.h>
 #include <test/data/bip_encrypted_backup_encryption_secret.json.h>
 #include <test/data/bip_encrypted_backup_individual_secrets.json.h>
@@ -404,6 +405,99 @@ BOOST_AUTO_TEST_CASE(individual_secrets_decode_dedup_test)
     BOOST_CHECK_EQUAL(decoded->second, 1 + 2 * 32);
 }
 
+BOOST_AUTO_TEST_CASE(content_type_encoding_test)
+{
+    // Test content type encoding using BIP test vectors
+    UniValue vectors = read_json(json_tests::bip_encrypted_backup_content_type);
+
+    for (size_t i = 0; i < vectors.size(); ++i) {
+        const UniValue& vec = vectors[i];
+        std::string description = vec["description"].get_str();
+        bool valid = vec["valid"].get_bool();
+        std::string content_hex = vec["content"].get_str();
+
+        BOOST_TEST_MESSAGE("Testing: " << description);
+
+        auto content_bytes = ParseHex(content_hex);
+
+        // Try to decode
+        auto decoded_result = DecodeContent(content_bytes);
+
+        if (!valid) {
+            BOOST_CHECK_MESSAGE(!decoded_result,
+                description << ": expected decode failure but got success");
+        } else {
+            BOOST_REQUIRE_MESSAGE(decoded_result,
+                description << ": expected decode success but got: " <<
+                (decoded_result ? "" : util::ErrorString(decoded_result).original));
+
+            auto [content, bytes_consumed] = *decoded_result;
+
+            if (content.type == ContentType::BIP_NUMBER ||
+                content.type == ContentType::VENDOR_SPECIFIC) {
+                auto reencoded = EncodeContent(content);
+                BOOST_REQUIRE_MESSAGE(reencoded, util::ErrorString(reencoded).original);
+                BOOST_CHECK_MESSAGE(HexStr(*reencoded) == content_hex,
+                    description << ": re-encoded " << HexStr(*reencoded)
+                    << " != input " << content_hex);
+            }
+        }
+    }
+}
+
+// ---------- Content type edge cases ----------
+
+BOOST_AUTO_TEST_CASE(content_parse_empty_test)
+{
+    BOOST_CHECK(!DecodeContent(std::vector<uint8_t>{}));
+}
+
+BOOST_AUTO_TEST_CASE(content_parse_reserved_test)
+{
+    BOOST_CHECK(!DecodeContent(std::vector<uint8_t>{0x00}));
+}
+
+BOOST_AUTO_TEST_CASE(content_parse_bip_insufficient_test)
+{
+    BOOST_CHECK(!DecodeContent(std::vector<uint8_t>{0x01}));
+    BOOST_CHECK(!DecodeContent(std::vector<uint8_t>{0x01, 0x01}));
+}
+
+BOOST_AUTO_TEST_CASE(content_parse_vendor_insufficient_test)
+{
+    BOOST_CHECK(!DecodeContent(std::vector<uint8_t>{0x02, 0x03, 0xAA, 0xBB}));
+    BOOST_CHECK(!DecodeContent(std::vector<uint8_t>{0x02, 0x05, 0xAA, 0xBB, 0xCC}));
+}
+
+BOOST_AUTO_TEST_CASE(content_parse_upgrade_stop_test)
+{
+    BOOST_CHECK(!DecodeContent(std::vector<uint8_t>{0xFF}));
+    BOOST_CHECK(!DecodeContent(std::vector<uint8_t>{0xFF, 0xAA}));
+    BOOST_CHECK(!DecodeContent(std::vector<uint8_t>{0x80, 0x00}));
+}
+
+BOOST_AUTO_TEST_CASE(content_parse_unknown_skip_test)
+{
+    auto decoded = DecodeContent(std::vector<uint8_t>{0x05, 0x02, 0xAA, 0xBB});
+    BOOST_REQUIRE(decoded);
+    BOOST_CHECK_EQUAL(decoded->second, 4u);
+}
+
+BOOST_AUTO_TEST_CASE(content_serialize_known_test)
+{
+    auto enc = [](uint16_t n) {
+        EncryptedBackupContent c;
+        c.type = ContentType::BIP_NUMBER;
+        c.bip_number = n;
+        auto r = EncodeContent(c);
+        BOOST_REQUIRE(r);
+        return HexStr(*r);
+    };
+    BOOST_CHECK_EQUAL(enc(BIP_DESCRIPTORS), "01017c");
+    BOOST_CHECK_EQUAL(enc(BIP_WALLET_POLICIES), "010184");
+    BOOST_CHECK_EQUAL(enc(BIP_LABELS), "010149");
+}
+
 BOOST_AUTO_TEST_SUITE_END()
 
 } // namespace wallet

From 4bd20607bbd8b1330c8b3c78dd4175bb5db5c539 Mon Sep 17 00:00:00 2001
From: pythcoiner <pythcoiner@proton.me>
Date: Wed, 15 Apr 2026 05:32:50 -0400
Subject: [PATCH 11/21] wallet: BIP-xxxx ChaCha20-Poly1305 encryption helpers

Add the AEAD primitives used to encrypt and decrypt the backup payload:
- EncryptChaCha20Poly1305: encrypt with ChaCha20-Poly1305 AEAD
- DecryptChaCha20Poly1305: decrypt and verify the authentication tag

These wrap AEADChaCha20Poly1305 from src/crypto/, exposing a uint8_t
interface keyed on the BIP-xxxx 32-byte secret and 12-byte nonce.
---
 src/test/CMakeLists.txt                       |   1 +
 ...ed_backup_chacha20poly1305_encryption.json |  37 +++++++
 src/wallet/encryptedbackup.cpp                |  87 +++++++++++++++
 src/wallet/encryptedbackup.h                  |  32 ++++++
 src/wallet/test/encrypted_backup_tests.cpp    | 103 ++++++++++++++++++
 5 files changed, 260 insertions(+)
 create mode 100644 src/test/data/bip_encrypted_backup_chacha20poly1305_encryption.json

diff --git a/src/test/CMakeLists.txt b/src/test/CMakeLists.txt
index 8a5f5f5ecc6c..b70085bb1624 100644
--- a/src/test/CMakeLists.txt
+++ b/src/test/CMakeLists.txt
@@ -144,6 +144,7 @@ include(TargetDataSources)
 target_json_data_sources(test_bitcoin
   data/base58_encode_decode.json
   data/bip341_wallet_vectors.json
+  data/bip_encrypted_backup_chacha20poly1305_encryption.json
   data/bip_encrypted_backup_content_type.json
   data/bip_encrypted_backup_derivation_path.json
   data/bip_encrypted_backup_encryption_secret.json
diff --git a/src/test/data/bip_encrypted_backup_chacha20poly1305_encryption.json b/src/test/data/bip_encrypted_backup_chacha20poly1305_encryption.json
new file mode 100644
index 000000000000..625862d177eb
--- /dev/null
+++ b/src/test/data/bip_encrypted_backup_chacha20poly1305_encryption.json
@@ -0,0 +1,37 @@
+[
+  {
+    "description": "Basic encryption with short plaintext",
+    "nonce": "000102030405060708090a0b",
+    "plaintext": "48656c6c6f",
+    "secret": "0000000000000000000000000000000000000000000000000000000000000000",
+    "ciphertext": "7df9cb9a0ac5851cc054b14d05f781127b2b0d31fa"
+  },
+  {
+    "description": "Empty plaintext should fail",
+    "nonce": "000102030405060708090a0b",
+    "plaintext": "",
+    "secret": "0000000000000000000000000000000000000000000000000000000000000000",
+    "ciphertext": null
+  },
+  {
+    "description": "Encryption with zeroed nonce should fail",
+    "nonce": "000000000000000000000000",
+    "plaintext": "00000000000000000000000000000000",
+    "secret": "0000000000000000000000000000000000000000000000000000000000000000",
+    "ciphertext": null
+  },
+  {
+    "description": "Encryption with all FFs",
+    "nonce": "ffffffffffffffffffffffff",
+    "plaintext": "ffffffffffffffffffffffffffffffff",
+    "secret": "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+    "ciphertext": "22d8bfc313e141bd692c82cec7785b29a0e5d5014c0d3b2d3a8b00548cd8d221"
+  },
+  {
+    "description": "Longer plaintext",
+    "nonce": "0f1e2d3c4b5a69788796a5b4",
+    "plaintext": "546869732069732061206c6f6e67657220706c61696e746578742074686174207368756c6420626520656e637279707465642070726f7065726c792e",
+    "secret": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
+    "ciphertext": "2af094190e2b43a02b8dd6bfc25a8833f84f81bc6f690d75f0214e466ef392616c4644bee65118c444a926e1e365b3a7ba0509a5636524eb4e5722f5926938f32e4df79237acb6dd4a6ccbc4"
+  }
+]
\ No newline at end of file
diff --git a/src/wallet/encryptedbackup.cpp b/src/wallet/encryptedbackup.cpp
index 61818c179f01..701b368df0ea 100644
--- a/src/wallet/encryptedbackup.cpp
+++ b/src/wallet/encryptedbackup.cpp
@@ -349,4 +349,91 @@ util::Result<std::pair<EncryptedBackupContent, size_t>> DecodeContent(std::span<
     return std::make_pair(content, data.size() - reader.size());
 }
 
+namespace {
+// Build a ChaCha20 Nonce96 from a 12-byte nonce using the RFC 8439 convention
+// (state[13..16] = LE32(nonce[0..4]), LE32(nonce[4..8]), LE32(nonce[8..12])).
+// Bitcoin Core's AEADChaCha20Poly1305::NonceFromBytes uses a big-endian +
+// swapped-word layout suited to BIP324; it is not interoperable with RFC 8439,
+// which is the construction BIP encrypted backup relies on.
+AEADChaCha20Poly1305::Nonce96 Rfc8439Nonce(std::span<const uint8_t, AEADChaCha20Poly1305::NONCE_SIZE> n)
+{
+    auto le32 = [&](size_t off) -> uint32_t {
+        return uint32_t(n[off])
+            | (uint32_t(n[off + 1]) << 8)
+            | (uint32_t(n[off + 2]) << 16)
+            | (uint32_t(n[off + 3]) << 24);
+    };
+    uint32_t w0 = le32(0);
+    uint32_t w1 = le32(4);
+    uint32_t w2 = le32(8);
+    return {w0, uint64_t(w1) | (uint64_t(w2) << 32)};
+}
+} // namespace
+
+std::vector<uint8_t> EncryptChaCha20Poly1305(std::span<const uint8_t> plaintext,
+                                              const uint256& secret,
+                                              std::span<const uint8_t, AEADChaCha20Poly1305::NONCE_SIZE> nonce)
+{
+    // Convert secret to byte span
+    std::array<std::byte, SECRET_SIZE> key_bytes;
+    std::memcpy(key_bytes.data(), secret.data(), SECRET_SIZE);
+
+    // Initialize AEAD
+    AEADChaCha20Poly1305 aead{key_bytes};
+
+    auto nonce96 = Rfc8439Nonce(nonce);
+
+    // Convert plaintext to byte span
+    std::vector<std::byte> plain_bytes(plaintext.size());
+    std::memcpy(plain_bytes.data(), plaintext.data(), plaintext.size());
+
+    // Allocate output (plaintext + 16-byte tag)
+    std::vector<std::byte> cipher_bytes(plaintext.size() + AEADChaCha20Poly1305::EXPANSION);
+
+    // Encrypt with empty AAD
+    aead.Encrypt(plain_bytes, {}, nonce96, cipher_bytes);
+
+    // Convert back to uint8_t
+    std::vector<uint8_t> result(cipher_bytes.size());
+    std::memcpy(result.data(), cipher_bytes.data(), cipher_bytes.size());
+
+    return result;
+}
+
+std::optional<std::vector<uint8_t>> DecryptChaCha20Poly1305(std::span<const uint8_t> ciphertext,
+                                                             const uint256& secret,
+                                                             std::span<const uint8_t, AEADChaCha20Poly1305::NONCE_SIZE> nonce)
+{
+    if (ciphertext.size() < AEADChaCha20Poly1305::EXPANSION) {
+        return std::nullopt;
+    }
+
+    // Convert secret to byte span
+    std::array<std::byte, SECRET_SIZE> key_bytes;
+    std::memcpy(key_bytes.data(), secret.data(), SECRET_SIZE);
+
+    // Initialize AEAD
+    AEADChaCha20Poly1305 aead{key_bytes};
+
+    auto nonce96 = Rfc8439Nonce(nonce);
+
+    // Convert ciphertext to byte span
+    std::vector<std::byte> cipher_bytes(ciphertext.size());
+    std::memcpy(cipher_bytes.data(), ciphertext.data(), ciphertext.size());
+
+    // Allocate output
+    std::vector<std::byte> plain_bytes(ciphertext.size() - AEADChaCha20Poly1305::EXPANSION);
+
+    // Decrypt with empty AAD
+    if (!aead.Decrypt(cipher_bytes, {}, nonce96, plain_bytes)) {
+        return std::nullopt;
+    }
+
+    // Convert back to uint8_t
+    std::vector<uint8_t> result(plain_bytes.size());
+    std::memcpy(result.data(), plain_bytes.data(), plain_bytes.size());
+
+    return result;
+}
+
 } // namespace wallet
diff --git a/src/wallet/encryptedbackup.h b/src/wallet/encryptedbackup.h
index 58bb6ef1d9c2..7129877a3a26 100644
--- a/src/wallet/encryptedbackup.h
+++ b/src/wallet/encryptedbackup.h
@@ -5,12 +5,14 @@
 #ifndef BITCOIN_WALLET_ENCRYPTEDBACKUP_H
 #define BITCOIN_WALLET_ENCRYPTEDBACKUP_H
 
+#include <crypto/chacha20poly1305.h>
 #include <pubkey.h>
 #include <uint256.h>
 #include <util/result.h>
 
 #include <cstddef>
 #include <cstdint>
+#include <optional>
 #include <span>
 #include <string>
 #include <utility>
@@ -32,6 +34,12 @@ const size_t SECRET_SIZE = 32;
  * Restoring from an encrypted backup creates a watch-only wallet.
  */
 
+/** Encryption algorithm identifiers */
+enum class EncryptionAlgorithm : uint8_t {
+    RESERVED = 0x00,
+    CHACHA20_POLY1305 = 0x01,
+};
+
 /** Prefix for deriving the decryption secret */
 static constexpr std::string_view BIP_DECRYPTION_SECRET_TAG = "BIPXXX_DECRYPTION_SECRET";
 
@@ -200,6 +208,30 @@ util::Result<std::vector<uint8_t>> EncodeContent(const EncryptedBackupContent& c
  */
 util::Result<std::pair<EncryptedBackupContent, size_t>> DecodeContent(std::span<const uint8_t> data);
 
+/**
+ * Encrypt plaintext using ChaCha20-Poly1305.
+ *
+ * @param[in] plaintext The data to encrypt
+ * @param[in] secret The 32-byte encryption secret
+ * @param[in] nonce The 12-byte nonce
+ * @return Ciphertext with authentication tag appended
+ */
+std::vector<uint8_t> EncryptChaCha20Poly1305(std::span<const uint8_t> plaintext,
+                                             const uint256& secret,
+                                             std::span<const uint8_t, AEADChaCha20Poly1305::NONCE_SIZE> nonce);
+
+/**
+ * Decrypt ciphertext using ChaCha20-Poly1305.
+ *
+ * @param[in] ciphertext The encrypted data with authentication tag
+ * @param[in] secret The 32-byte decryption secret
+ * @param[in] nonce The 12-byte nonce
+ * @return Plaintext, or nullopt if authentication fails
+ */
+std::optional<std::vector<uint8_t>> DecryptChaCha20Poly1305(std::span<const uint8_t> ciphertext,
+                                                            const uint256& secret,
+                                                            std::span<const uint8_t, AEADChaCha20Poly1305::NONCE_SIZE> nonce);
+
 } // namespace wallet
 
 #endif // BITCOIN_WALLET_ENCRYPTEDBACKUP_H
diff --git a/src/wallet/test/encrypted_backup_tests.cpp b/src/wallet/test/encrypted_backup_tests.cpp
index 631b6c101a1d..d38f3db9074c 100644
--- a/src/wallet/test/encrypted_backup_tests.cpp
+++ b/src/wallet/test/encrypted_backup_tests.cpp
@@ -4,6 +4,7 @@
 
 #include <wallet/encryptedbackup.h>
 
+#include <test/data/bip_encrypted_backup_chacha20poly1305_encryption.json.h>
 #include <test/data/bip_encrypted_backup_content_type.json.h>
 #include <test/data/bip_encrypted_backup_derivation_path.json.h>
 #include <test/data/bip_encrypted_backup_encryption_secret.json.h>
@@ -498,6 +499,108 @@ BOOST_AUTO_TEST_CASE(content_serialize_known_test)
     BOOST_CHECK_EQUAL(enc(BIP_LABELS), "010149");
 }
 
+BOOST_AUTO_TEST_CASE(chacha20poly1305_roundtrip_test)
+{
+    // Test basic encryption/decryption roundtrip
+    std::vector<uint8_t> plaintext = {'H', 'e', 'l', 'l', 'o', ' ', 'W', 'o', 'r', 'l', 'd'};
+    uint256 secret;
+    GetStrongRandBytes(secret);
+
+    std::array<uint8_t, AEADChaCha20Poly1305::NONCE_SIZE> nonce;
+    GetStrongRandBytes(nonce);
+
+    // Encrypt
+    auto ciphertext = EncryptChaCha20Poly1305(plaintext, secret, nonce);
+    BOOST_CHECK_EQUAL(ciphertext.size(), plaintext.size() + AEADChaCha20Poly1305::EXPANSION);
+
+    // Decrypt with correct key
+    auto decrypted = DecryptChaCha20Poly1305(ciphertext, secret, nonce);
+    BOOST_REQUIRE(decrypted.has_value());
+    BOOST_CHECK(decrypted.value() == plaintext);
+
+    // Decrypt with wrong key should fail
+    uint256 wrong_secret;
+    GetStrongRandBytes(wrong_secret);
+    auto decrypted_wrong = DecryptChaCha20Poly1305(ciphertext, wrong_secret, nonce);
+    BOOST_CHECK(!decrypted_wrong.has_value());
+}
+
+BOOST_AUTO_TEST_CASE(chacha20poly1305_vector_test)
+{
+    UniValue vectors = read_json(json_tests::bip_encrypted_backup_chacha20poly1305_encryption);
+
+    for (size_t i = 0; i < vectors.size(); ++i) {
+        const UniValue& vec = vectors[i];
+        std::string description = vec["description"].get_str();
+        BOOST_TEST_MESSAGE("Testing: " << description);
+
+        auto nonce_bytes = ParseHex(vec["nonce"].get_str());
+        BOOST_REQUIRE_EQUAL(nonce_bytes.size(), AEADChaCha20Poly1305::NONCE_SIZE);
+        std::array<uint8_t, AEADChaCha20Poly1305::NONCE_SIZE> nonce;
+        std::memcpy(nonce.data(), nonce_bytes.data(), nonce.size());
+
+        auto secret_bytes = ParseHex(vec["secret"].get_str());
+        BOOST_REQUIRE_EQUAL(secret_bytes.size(), 32u);
+        uint256 secret;
+        std::memcpy(secret.data(), secret_bytes.data(), 32);
+
+        auto plaintext = ParseHex(vec["plaintext"].get_str());
+
+        // Vectors with null ciphertext represent inputs the spec rejects (e.g.
+        // empty plaintext). The low-level EncryptChaCha20Poly1305 doesn't
+        // enforce that rule; it lives at the CreateEncryptedBackup* layer, so
+        // drive those cases through the high-level helper and assert failure.
+        if (vec["ciphertext"].isNull()) {
+            std::string descriptor = "wpkh([d34db33f/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*)";
+            EncryptedBackupContent content;
+            content.type = ContentType::BIP_NUMBER;
+            content.bip_number = BIP_DESCRIPTORS;
+            auto result = CreateEncryptedBackupWithNonce(descriptor, plaintext, content, {}, nonce);
+            BOOST_CHECK_MESSAGE(!result,
+                description << ": CreateEncryptedBackupWithNonce must reject this input");
+            continue;
+        }
+
+        auto ciphertext = EncryptChaCha20Poly1305(plaintext, secret, nonce);
+        std::string expected_hex = vec["ciphertext"].get_str();
+        BOOST_CHECK_MESSAGE(HexStr(ciphertext) == expected_hex,
+            description << ": ciphertext mismatch, got " << HexStr(ciphertext));
+
+        auto decrypted = DecryptChaCha20Poly1305(ciphertext, secret, nonce);
+        BOOST_REQUIRE(decrypted.has_value());
+        BOOST_CHECK(*decrypted == plaintext);
+    }
+}
+
+// ---------- ChaCha20-Poly1305 negative tests ----------
+
+BOOST_AUTO_TEST_CASE(chacha_decrypt_wrong_nonce_test)
+{
+    std::vector<uint8_t> plaintext{'p', 'a', 'y', 'l', 'o', 'a', 'd'};
+    uint256 secret;
+    GetStrongRandBytes(secret);
+    std::array<uint8_t, AEADChaCha20Poly1305::NONCE_SIZE> nonce_a;
+    GetStrongRandBytes(nonce_a);
+    auto ct = EncryptChaCha20Poly1305(plaintext, secret, nonce_a);
+
+    std::array<uint8_t, AEADChaCha20Poly1305::NONCE_SIZE> nonce_b;
+    std::memset(nonce_b.data(), 0xF1, nonce_b.size());
+    BOOST_CHECK(!DecryptChaCha20Poly1305(ct, secret, nonce_b).has_value());
+}
+
+BOOST_AUTO_TEST_CASE(chacha_decrypt_corrupted_test)
+{
+    std::vector<uint8_t> plaintext(32, 0x42);
+    uint256 secret;
+    GetStrongRandBytes(secret);
+    std::array<uint8_t, AEADChaCha20Poly1305::NONCE_SIZE> nonce;
+    GetStrongRandBytes(nonce);
+    auto ct = EncryptChaCha20Poly1305(plaintext, secret, nonce);
+    BOOST_REQUIRE(DecryptChaCha20Poly1305(ct, secret, nonce).has_value());
+    ct.back() ^= 0x01;
+    BOOST_CHECK(!DecryptChaCha20Poly1305(ct, secret, nonce).has_value());
+}
+
 BOOST_AUTO_TEST_SUITE_END()
 
 } // namespace wallet

From eb707e4e55d9abc35c55f10b693581b9b7da1d2f Mon Sep 17 00:00:00 2001
From: pythcoiner <pythcoiner@proton.me>
Date: Wed, 15 Apr 2026 05:32:58 -0400
Subject: [PATCH 12/21] wallet: BIP-xxxx backup struct and binary encoding

Add the EncryptedBackup struct and the binary/base64 wire encoding:
- EncodeEncryptedBackup: encode to binary format
- EncodeEncryptedBackupBase64: encode to base64 string
- DecodeEncryptedBackup: decode from binary format
- DecodeEncryptedBackupBase64: decode from base64 string

The format uses 6-byte magic "BIPXXX", version byte, derivation paths,
individual secrets (ci values for key recovery), encryption algorithm
identifier, nonce, and CompactSize-prefixed ciphertext.
---
 src/wallet/encryptedbackup.cpp | 123 +++++++++++++++++++++++++++++++++
 src/wallet/encryptedbackup.h   |  56 +++++++++++++++
 2 files changed, 179 insertions(+)

diff --git a/src/wallet/encryptedbackup.cpp b/src/wallet/encryptedbackup.cpp
index 701b368df0ea..c4d5c998e76f 100644
--- a/src/wallet/encryptedbackup.cpp
+++ b/src/wallet/encryptedbackup.cpp
@@ -436,4 +436,127 @@ std::optional<std::vector<uint8_t>> DecryptChaCha20Poly1305(std::span<const uint
     return result;
 }
 
+util::Result<std::vector<uint8_t>> EncodeEncryptedBackup(const EncryptedBackup& backup)
+{
+    std::vector<uint8_t> result;
+
+    // MAGIC (6 bytes)
+    result.insert(result.end(), ENCRYPTED_BACKUP_MAGIC.begin(), ENCRYPTED_BACKUP_MAGIC.end());
+
+    // VERSION (1 byte)
+    result.push_back(backup.version);
+
+    // DERIVATION_PATHS
+    auto paths_encoded = EncodeDerivationPaths(backup.derivation_paths);
+    if (!paths_encoded) {
+        return util::Error{util::ErrorString(paths_encoded)};
+    }
+    result.insert(result.end(), paths_encoded->begin(), paths_encoded->end());
+
+    // INDIVIDUAL_SECRETS
+    auto secrets_encoded = EncodeIndividualSecrets(backup.individual_secrets);
+    if (!secrets_encoded) {
+        return util::Error{util::ErrorString(secrets_encoded)};
+    }
+    result.insert(result.end(), secrets_encoded->begin(), secrets_encoded->end());
+
+    // ENCRYPTION (1 byte)
+    result.push_back(static_cast<uint8_t>(backup.encryption));
+
+    // ENCRYPTED_PAYLOAD: NONCE || LENGTH || CIPHERTEXT
+    result.insert(result.end(), backup.nonce.begin(), backup.nonce.end());
+
+    // CompactSize encoding for ciphertext length
+    {
+        DataStream ss;
+        WriteCompactSize(ss, backup.ciphertext.size());
+        result.insert(result.end(), UCharCast(ss.data()), UCharCast(ss.data()) + ss.size());
+    }
+
+    result.insert(result.end(), backup.ciphertext.begin(), backup.ciphertext.end());
+
+    return result;
+}
+
+util::Result<std::string> EncodeEncryptedBackupBase64(const EncryptedBackup& backup)
+{
+    auto binary = EncodeEncryptedBackup(backup);
+    if (!binary) return util::Error{util::ErrorString(binary)};
+    return EncodeBase64(*binary);
+}
+
+util::Result<EncryptedBackup> DecodeEncryptedBackup(std::span<const uint8_t> data)
+{
+    const util::Error truncated{Untranslated("Truncated encrypted backup")};
+
+    if (data.size() < 6 + 1 + 1 + 1 + 1 + 12 + 1) return truncated;
+
+    size_t pos = 0;
+    EncryptedBackup backup;
+
+    // Check MAGIC
+    if (!std::equal(ENCRYPTED_BACKUP_MAGIC.begin(), ENCRYPTED_BACKUP_MAGIC.end(), data.begin())) {
+        return util::Error{Untranslated("Invalid magic bytes")};
+    }
+    pos += ENCRYPTED_BACKUP_MAGIC.size();
+
+    // VERSION
+    backup.version = data[pos++];
+    if (backup.version != ENCRYPTED_BACKUP_V1) {
+        return util::Error{Untranslated(strprintf("Unsupported version: %d", backup.version))};
+    }
+
+    // DERIVATION_PATHS
+    auto paths_result = DecodeDerivationPaths(data.subspan(pos));
+    if (!paths_result) {
+        return util::Error{util::ErrorString(paths_result)};
+    }
+    backup.derivation_paths = std::move(paths_result->first);
+    pos += paths_result->second;
+
+    // INDIVIDUAL_SECRETS
+    if (pos >= data.size()) return truncated;
+    auto secrets_result = DecodeIndividualSecrets(data.subspan(pos));
+    if (!secrets_result) {
+        return util::Error{util::ErrorString(secrets_result)};
+    }
+    backup.individual_secrets = std::move(secrets_result->first);
+    pos += secrets_result->second;
+
+    // ENCRYPTION
+    if (pos >= data.size()) return truncated;
+    uint8_t enc_byte = data[pos++];
+    backup.encryption = static_cast<EncryptionAlgorithm>(enc_byte);
+    if (backup.encryption != EncryptionAlgorithm::CHACHA20_POLY1305) {
+        return util::Error{Untranslated("Unsupported encryption algorithm")};
+    }
+
+    // NONCE
+    if (pos + AEADChaCha20Poly1305::NONCE_SIZE > data.size()) return truncated;
+    std::memcpy(backup.nonce.data(), data.data() + pos, AEADChaCha20Poly1305::NONCE_SIZE);
+    pos += AEADChaCha20Poly1305::NONCE_SIZE;
+
+    // LENGTH (CompactSize) and CIPHERTEXT
+    try {
+        SpanReader reader{data.subspan(pos)};
+        uint64_t cipher_len = ReadCompactSize(reader);
+        if (cipher_len > reader.size()) return truncated;
+        backup.ciphertext.resize(cipher_len);
+        reader.read(MakeWritableByteSpan(backup.ciphertext));
+    } catch (const std::ios_base::failure& e) {
+        return util::Error{Untranslated(strprintf("Invalid ciphertext length: %s", e.what()))};
+    }
+
+    return backup;
+}
+
+util::Result<EncryptedBackup> DecodeEncryptedBackupBase64(const std::string& base64_str)
+{
+    auto decoded = DecodeBase64(base64_str);
+    if (!decoded) {
+        return util::Error{Untranslated("Invalid base64 encoding")};
+    }
+    return DecodeEncryptedBackup(*decoded);
+}
+
 } // namespace wallet
diff --git a/src/wallet/encryptedbackup.h b/src/wallet/encryptedbackup.h
index 7129877a3a26..fcc4066e49bd 100644
--- a/src/wallet/encryptedbackup.h
+++ b/src/wallet/encryptedbackup.h
@@ -10,6 +10,7 @@
 #include <uint256.h>
 #include <util/result.h>
 
+#include <array>
 #include <cstddef>
 #include <cstdint>
 #include <optional>
@@ -34,6 +35,12 @@ const size_t SECRET_SIZE = 32;
  * Restoring from an encrypted backup creates a watch-only wallet.
  */
 
+/** Magic bytes for encrypted backup format */
+static constexpr std::array<uint8_t, 6> ENCRYPTED_BACKUP_MAGIC = {'B', 'I', 'P', 'X', 'X', 'X'};
+
+/** Current format version */
+static constexpr uint8_t ENCRYPTED_BACKUP_V1 = 0x01;
+
 /** Encryption algorithm identifiers */
 enum class EncryptionAlgorithm : uint8_t {
     RESERVED = 0x00,
@@ -77,6 +84,23 @@ struct EncryptedBackupContent {
     bool operator==(const EncryptedBackupContent&) const = default;
 };
 
+/**
+ * Represents a complete encrypted backup structure.
+ *
+ * This struct represents the parsed/encoded backup format. Note that the content
+ * type metadata is stored inside the encrypted payload, not in this struct.
+ * The content is passed separately to CreateEncryptedBackup() and decoded
+ * separately after decryption.
+ */
+struct EncryptedBackup {
+    uint8_t version{ENCRYPTED_BACKUP_V1};
+    std::vector<DerivationPath> derivation_paths;
+    std::vector<uint256> individual_secrets;
+    EncryptionAlgorithm encryption{EncryptionAlgorithm::CHACHA20_POLY1305};
+    std::array<uint8_t, AEADChaCha20Poly1305::NONCE_SIZE> nonce;
+    std::vector<uint8_t> ciphertext; // Includes content prefix and authentication tag
+};
+
 /**
  * Normalize a public key to 32-byte x-only format.
  *
@@ -232,6 +256,38 @@ std::optional<std::vector<uint8_t>> DecryptChaCha20Poly1305(std::span<const uint
                                                             const uint256& secret,
                                                             std::span<const uint8_t, AEADChaCha20Poly1305::NONCE_SIZE> nonce);
 
+/**
+ * Encode an encrypted backup to binary format.
+ *
+ * @param[in] backup The backup structure to encode
+ * @return Encoded binary data
+ */
+util::Result<std::vector<uint8_t>> EncodeEncryptedBackup(const EncryptedBackup& backup);
+
+/**
+ * Encode an encrypted backup to base64 string.
+ *
+ * @param[in] backup The backup structure to encode
+ * @return Base64-encoded string
+ */
+util::Result<std::string> EncodeEncryptedBackupBase64(const EncryptedBackup& backup);
+
+/**
+ * Decode an encrypted backup from binary format.
+ *
+ * @param[in] data The encoded binary data
+ * @return The backup structure, or error message
+ */
+util::Result<EncryptedBackup> DecodeEncryptedBackup(std::span<const uint8_t> data);
+
+/**
+ * Decode an encrypted backup from base64 string.
+ *
+ * @param[in] base64_str The base64-encoded string
+ * @return The backup structure, or error message
+ */
+util::Result<EncryptedBackup> DecodeEncryptedBackupBase64(const std::string& base64_str);
+
 } // namespace wallet
 
 #endif // BITCOIN_WALLET_ENCRYPTEDBACKUP_H

From c6eb02d41c8325e74c56e487b495bbf4bbb37c30 Mon Sep 17 00:00:00 2001
From: pythcoiner <pythcoiner@proton.me>
Date: Wed, 15 Apr 2026 05:33:06 -0400
Subject: [PATCH 13/21] wallet: BIP-xxxx encrypted backup creation and
 decryption

Add the high-level API tying the primitives together:
- CreateEncryptedBackup: create a backup from a descriptor and plaintext
- DecryptBackupWithKey: attempt decryption using a single public key
- DecryptBackupWithDescriptor: try all keys from a descriptor

Decryption reconstructs the per-key share via si = sha256(tag || pi) and
recovers the decryption secret as s = ci XOR si for each candidate ci in
the backup, then attempts AEAD decryption.

Co-authored-by: Sjors Provoost <sjors@sprovoost.nl>
---
 src/test/CMakeLists.txt                       |   1 +
 ...bip_encrypted_backup_encrypted_backup.json |  67 ++++
 src/wallet/encryptedbackup.cpp                | 115 ++++++
 src/wallet/encryptedbackup.h                  |  50 +++
 src/wallet/test/encrypted_backup_tests.cpp    | 357 +++++++++++++++++-
 5 files changed, 585 insertions(+), 5 deletions(-)
 create mode 100644 src/test/data/bip_encrypted_backup_encrypted_backup.json

diff --git a/src/test/CMakeLists.txt b/src/test/CMakeLists.txt
index b70085bb1624..2093b6c3c379 100644
--- a/src/test/CMakeLists.txt
+++ b/src/test/CMakeLists.txt
@@ -147,6 +147,7 @@ target_json_data_sources(test_bitcoin
   data/bip_encrypted_backup_chacha20poly1305_encryption.json
   data/bip_encrypted_backup_content_type.json
   data/bip_encrypted_backup_derivation_path.json
+  data/bip_encrypted_backup_encrypted_backup.json
   data/bip_encrypted_backup_encryption_secret.json
   data/bip_encrypted_backup_individual_secrets.json
   data/bip_encrypted_backup_keys_types.json
diff --git a/src/test/data/bip_encrypted_backup_encrypted_backup.json b/src/test/data/bip_encrypted_backup_encrypted_backup.json
new file mode 100644
index 000000000000..327913b2ccee
--- /dev/null
+++ b/src/test/data/bip_encrypted_backup_encrypted_backup.json
@@ -0,0 +1,67 @@
+[
+  {
+    "description": "Single key, no derivation paths, BIP380 content",
+    "version": 1,
+    "encryption": 1,
+    "content": "01017c",
+    "keys": [
+      "02e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443"
+    ],
+    "derivation_paths": [],
+    "plaintext": "00",
+    "nonce": "a1b2c3d4e5f607080910a1b2",
+    "expected": "424950585858010001ff34b3411f78127b71ca2e3cc60d0fd71350ee557c37d71f4d81fb913461ae0001a1b2c3d4e5f607080910a1b2151d8f44dba6f420976b9343f792b4bd58c06289d234",
+    "trailing": "deadbeef00ff",
+    "expected_base64": "QklQWFhYAQAB/zSzQR94Entxyi48xg0P1xNQ7lV8N9cfTYH7kTRhrgABobLD1OX2BwgJEKGyFR2PRNum9CCXa5ND95K0vVjAYonSNA=="
+  },
+  {
+    "description": "Two keys, 1 derivation paths, BIP380 content",
+    "version": 1,
+    "encryption": 1,
+    "content": "01017c",
+    "keys": [
+      "02e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443",
+      "0384526253c27c7aef56c7b71a5cd25bebb66dddda437826defc5b2568bde81f07"
+    ],
+    "derivation_paths": [
+      "m/48'/1'/0'/2'"
+    ],
+    "plaintext": "wsh(or_d(pk([9d69155f/48'/1'/0'/2']tpubDDxT9mkZzWwkKwpGT5fY6iiM9muYTPkTx6Eig8dpHR7TChuGGCWYAHVmpW1ciido5RiFWwjzYsF1GZHkEHg2nrYp3zNtx3QQRkznyLhQ77x/<0;1>/*),and_v(v:pkh([9d69155f/48'/1'/0'/2']tpubDDxT9mkZzWwkKwpGT5fY6iiM9muYTPkTx6Eig8dpHR7TChuGGCWYAHVmpW1ciido5RiFWwjzYsF1GZHkEHg2nrYp3zNtx3QQRkznyLhQ77x/<2;3>/*),older(52596))))#gx5f42wh",
+    "nonce": "0102030405060708090a0b0c",
+    "expected": "42495058585801010480000030800000018000000080000002024900d4ef9021cb059b8fb35c6de9b6db91949a328527ede0645be237899100bd5e3eb8a36f7bf32e02810c14666476f2b28a15cd499c30f8f98e926639a0765c010102030405060708090a0b0cfd63012f51db36ae620d6522a86e4ce7d9daff2f50826aae70c1d3707d18b8075543da1848ad904b11be465e768d8b1ea74a1b21f21f882262bd0d5f7165991720c1836f1bce2dec7ba3813fc1c0bc6404a0fd6228e239f8bddd398c32f8274f9de0f0b5662854ce900d7d5b14a16605eb2a49d031b98513b73777685693b45b17e08a60e095b66403efcc7036cd82a8d675362eab43bcdecb158e8b0dcca476173345d189c2277dc25b9851b2be92c7ef8b69a565af1ccf9726e322db2b8d5266a5df4296527c716b8ba004fb1408cbd7cc7a18575286e6f03e1793b25eea11223fd6cc7a497d8328997b1eb770fcc8125e60511eefb8232b780d80f1d71e9e937627dfb62cd6c5807b35e7d7bb9aaf18d5a46c6ea271f2be26bd1cc35bb2b70cc1930ad5f472b1bf0d7b3bed3dfe358a69beabdafd6316968c530237f21e1c89662ada34d666735f791db5eb68ee29d2d06f42421ec311d6284f5be9850d63e0cfd6cfe207",
+    "expected_base64": "QklQWFhYAQEEgAAAMIAAAAGAAAAAgAAAAgJJANTvkCHLBZuPs1xt6bbbkZSaMoUn7eBkW+I3iZEAvV4+uKNve/MuAoEMFGZkdvKyihXNSZww+PmOkmY5oHZcAQECAwQFBgcICQoLDP1jAS9R2zauYg1lIqhuTOfZ2v8vUIJqrnDB03B9GLgHVUPaGEitkEsRvkZedo2LHqdKGyHyH4giYr0NX3FlmRcgwYNvG84t7HujgT/BwLxkBKD9YijiOfi93TmMMvgnT53g8LVmKFTOkA19WxShZgXrKknQMbmFE7c3d2hWk7RbF+CKYOCVtmQD78xwNs2CqNZ1Ni6rQ7zeyxWOiw3MpHYXM0XRicInfcJbmFGyvpLH74tppWWvHM+XJuMi2yuNUmal30KWUnxxa4ugBPsUCMvXzHoYV1KG5vA+F5OyXuoRIj/WzHpJfYMomXset3D8yBJeYFEe77gjK3gNgPHXHp6TdifftizWxYB7NefXu5qvGNWkbG6icfK+Jr0cw1uytwzBkwrV9HKxvw17O+09/jWKab6r2v1jFpaMUwI38h4ciWYq2jTWZnNfeR2162juKdLQb0JCHsMR1ihPW+mFDWPgz9bP4gc="
+  },
+  {
+    "description": "Three keys, multiple derivation paths, BIP329 content",
+    "version": 1,
+    "encryption": 1,
+    "content": "010149",
+    "keys": [
+      "02e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443",
+      "0384526253c27c7aef56c7b71a5cd25bebb66dddda437826defc5b2568bde81f07",
+      "03c6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5"
+    ],
+    "derivation_paths": [
+      "m/84'/0'/0'",
+      "m/0/1'/2/3'"
+    ],
+    "plaintext": "{\"type\":\"tx\",\"ref\":\"f91d0a8a78462bc59398f2c5d7a84fcff491c26ba54c4833478b202796c8aafd\",\"label\":\"Transaction\",\"origin\":\"wpkh([d34db33f/84'/0'/0'])\"}\n{\"type\":\"addr\",\"ref\":\"bc1q34aq5drpuwy3wgl9lhup9892qp6svr8ldzyy7c\",\"label\":\"Address\"}\n{\"type\":\"pubkey\",\"ref\":\"0283409659355b6d1cc3c32decd5d561abaac86c37a353b52895a5e6c196d6f448\",\"label\":\"Public Key\"}\n{\"type\":\"input\",\"ref\":\"f91d0a8a78462bc59398f2c5d7a84fcff491c26ba54c4833478b202796c8aafd:0\",\"label\":\"Input\"}\n{\"type\":\"output\",\"ref\":\"f91d0a8a78462bc59398f2c5d7a84fcff491c26ba54c4833478b202796c8aafd:1\",\"label\":\"Output\",\"spendable\":false}\n{\"type\":\"xpub\",\"ref\":\"xpub661MyMwAqRbcFtXgS5sYJABqqG9YLmC4Q1Rdap9gSE8NqtwybGhePY2gZ29ESFjqJoCu1Rupje8YtGqsefD265TMg7usUDFdp6W1EGMcet8\",\"label\":\"Extended Public Key\"}\n{\"type\":\"tx\",\"ref\":\"f546156d9044844e02b181026a1a407abfca62e7ea1159f87bbeaa77b4286c74\",\"label\":\"Account #1 Transaction\",\"origin\":\"wpkh([d34db33f/84'/0'/1'])\"}",
+    "nonce": "deadbeefcafebabe12345678",
+    "expected": "4249505858580102040000000080000001000000028000000303800000548000000080000000032424c7f03a4b1ec573f64738c2a61ac0a9480750f6a641ff8dd1e85acf5b8008331aabbcc51126eeeaf8f870c92bdae98a5688af3a1d9ce71004980b7f6af6e96e5f3aab8b6dfe2f8c09da023a29f797d8333736fb7b7c64958d0ff4109ba93a01deadbeefcafebabe12345678fd9c03f6ebb8e2e9c02c5194e453edd274ec677e0dea5f18cda3e00f7cc4e8c8d4821bda377728eb2f6d2f69eef72070a2a7bc01cc720bb989346102076d475cab2802f1e3766526d2c0bfd257a8e424045cd91356e8789458d06aa055fe2ed0c42fb338b43ae394ae3f9807e1840171965708c89e3b42e68dc4bf84c51bcc8738475e8325e07398753327c1afa6a96032cf73b9387c0f4cb6825adf383c8135b63394b1372fb2752c5297a595099d91c59f25ad6e0d136013ce64d67a53fc88861bf1f558fc2c775644fba1bba9efd23f562f6edb9a2cb476c40cc2ae3f006d3f839a9607271b6eed6f58efcf435eb0cf79c12b5f3c4160f8c3de8e9e311c7698090be2c8e2a3ef702daf88612179e21ee4ac401cab342f7a1d1c141eed8f1a7c60d6dd34324ed6bd07e03ae596d7c04350698ce4592660b841aadf5c2a372b0fc57539094bc0af80febc92aa10578c0b35efd164f4c94217d2e0de72461bdea40d881858eb4b16f1c361fa98cfe0fcbc83787c492238ea745a84265e907c8a07d98852fef62a2a360b75c8b700b24d503a0e54260a1a94e0a980d69aa76e34ba8c304f85e0e7f4cfa3cf3c0c4ac8ddad1548bf20dabd4b316ed53903701677e78d3cfd46980acfe482110be8be64a27ce1dd4d7502338d087e9b86b7ca6144fc81a2a7b806a4e397dfb8d8ad9ea54130d9b46d2cd9002e372094399078e0bce1af9f2dfb5a69a16ec88e53ec9c6f34d784596afcece4d8abd33e937d9ea4ddf170088270cc4f59f68b978368833dc7713b0351da5f690991c841f17c42e7b4d89c35a821e110c4b2a9a1f0cfebd14cfb39d938569614ee62bb488049c6b7ed636dd90cfb00170dd80f4a6e6c9a45a3bed0fa1340ecddb538bb888fdaaa1680d711d6f94297a9f7ed3401cecb25b6779b4ba5415a343a95597cb85b074d8e19def182d8581fb7b4bc716ba887af1bd51a10c699f6ddfdb5439c7eac02d9220a0417489a79bbc6da4d10325317a6630da9303c433f261e0d36f977cea8113c7e4581e5d27f6607be0f9f7058fd6730d64377b7d1e70f4858974896e3ae9fbde9fb6eb66be4d0c36544cf8cfb80166875f1672f5aa4991951248414a54457e3f3bea0a2953d27de6d0a299cc06471d9f331ace87937b96547e7bcfa7ae972fd9e08cfa69fae42fe786f1cb1d5ee0bc3bbd9277f38b290eb2033f39dc65bfc963c60d3f01d493ab7546cd72504303f68bd5e376d2b6a2dc59d4c3cfbef490d1cdcb73065f756620528bb0bd92301a26f53f0c1ae61962416c746d1b3b38fd202",
+    "expected_base64": "QklQWFhYAQIEAAAAAIAAAAEAAAACgAAAAwOAAABUgAAAAIAAAAADJCTH8DpLHsVz9kc4wqYawKlIB1D2pkH/jdHoWs9bgAgzGqu8xREm7ur4+HDJK9rpilaIrzodnOcQBJgLf2r26W5fOquLbf4vjAnaAjop95fYMzc2+3t8ZJWND/QQm6k6Ad6tvu/K/rq+EjRWeP2cA/bruOLpwCxRlORT7dJ07Gd+DepfGM2j4A98xOjI1IIb2jd3KOsvbS9p7vcgcKKnvAHMcgu5iTRhAgdtR1yrKALx43ZlJtLAv9JXqOQkBFzZE1boeJRY0GqgVf4u0MQvszi0OuOUrj+YB+GEAXGWVwjInjtC5o3Ev4TFG8yHOEdegyXgc5h1MyfBr6apYDLPc7k4fA9MtoJa3zg8gTW2M5SxNy+ydSxSl6WVCZ2RxZ8lrW4NE2ATzmTWelP8iIYb8fVY/Cx3VkT7obup79I/Vi9u25ostHbEDMKuPwBtP4OalgcnG27tb1jvz0NesM95wStfPEFg+MPejp4xHHaYCQviyOKj73Atr4hhIXniHuSsQByrNC96HRwUHu2PGnxg1t00Mk7WvQfgOuWW18BDUGmM5FkmYLhBqt9cKjcrD8V1OQlLwK+A/rySqhBXjAs179Fk9MlCF9Lg3nJGG96kDYgYWOtLFvHDYfqYz+D8vIN4fEkiOOp0WoQmXpB8igfZiFL+9ioqNgt1yLcAsk1QOg5UJgoalOCpgNaap240uowwT4Xg5/TPo888DErI3a0VSL8g2r1LMW7VOQNwFnfnjTz9RpgKz+SCEQvovmSifOHdTXUCM40IfpuGt8phRPyBoqe4BqTjl9+42K2epUEw2bRtLNkALjcglDmQeOC84a+fLftaaaFuyI5T7JxvNNeEWWr87OTYq9M+k32epN3xcAiCcMxPWfaLl4Nogz3HcTsDUdpfaQmRyEHxfELntNicNagh4RDEsqmh8M/r0Uz7Odk4VpYU7mK7SIBJxrftY23ZDPsAFw3YD0pubJpFo77Q+hNA7N21OLuIj9qqFoDXEdb5Qpep9+00Ac7LJbZ3m0ulQVo0OpVZfLhbB02OGd7xgthYH7e0vHFrqIevG9UaEMaZ9t39tUOcfqwC2SIKBBdImnm7xtpNEDJTF6ZjDakwPEM/Jh4NNvl3zqgRPH5FgeXSf2YHvg+fcFj9ZzDWQ3e30ecPSFiXSJbjrp+96ftutmvk0MNlRM+M+4AWaHXxZy9apJkZUSSEFKVEV+PzvqCilT0n3m0KKZzAZHHZ8zGs6Hk3uWVH57z6euly/Z4Iz6afrkL+eG8csdXuC8O72Sd/OLKQ6yAz853GW/yWPGDT8B1JOrdUbNclBDA/aL1eN20rai3FnUw8++9JDRzctzBl91ZiBSi7C9kjAaJvU/DBrmGWJBbHRtGzs4/SAg=="
+  },
+  {
+    "description": "Single key, proprietary content (3 bytes)",
+    "version": 1,
+    "encryption": 1,
+    "content": "0204deadbeef",
+    "keys": [
+      "02e6642fd69bd211f93f7f1f36ca51a26a5290eb2dd1b0d8279a87bb0d480c8443"
+    ],
+    "derivation_paths": [],
+    "plaintext": "706c61696e74657874",
+    "nonce": "000102030405060708090a0b",
+    "expected": "424950585858010001ff34b3411f78127b71ca2e3cc60d0fd71350ee557c37d71f4d81fb913461ae0001000102030405060708090a0b2803da142accb6215cecfe50629224496c4d35cfc7ee64e906e77cc3398689748c325907c7d5dafef3",
+    "expected_base64": "QklQWFhYAQAB/zSzQR94Entxyi48xg0P1xNQ7lV8N9cfTYH7kTRhrgABAAECAwQFBgcICQoLKAPaFCrMtiFc7P5QYpIkSWxNNc/H7mTpBud8wzmGiXSMMlkHx9Xa/vM="
+  }
+]
\ No newline at end of file
diff --git a/src/wallet/encryptedbackup.cpp b/src/wallet/encryptedbackup.cpp
index c4d5c998e76f..910fa406b85e 100644
--- a/src/wallet/encryptedbackup.cpp
+++ b/src/wallet/encryptedbackup.cpp
@@ -559,4 +559,119 @@ util::Result<EncryptedBackup> DecodeEncryptedBackupBase64(const std::string& bas
     return DecodeEncryptedBackup(*decoded);
 }
 
+util::Result<EncryptedBackup> CreateEncryptedBackupWithNonce(
+    const std::vector<uint256>& keys,
+    std::span<const uint8_t> plaintext,
+    const EncryptedBackupContent& content,
+    const std::vector<DerivationPath>& derivation_paths,
+    const std::array<uint8_t, AEADChaCha20Poly1305::NONCE_SIZE>& nonce,
+    bool allow_empty_derivation_paths)
+{
+    if (plaintext.empty()) {
+        return util::Error{Untranslated("Plaintext cannot be empty")};
+    }
+
+    if (keys.empty()) {
+        return util::Error{Untranslated("Keys cannot be empty")};
+    }
+
+    if (nonce == std::array<uint8_t, AEADChaCha20Poly1305::NONCE_SIZE>{}) {
+        return util::Error{Untranslated("Nonce cannot be zero")};
+    }
+
+    if (!allow_empty_derivation_paths && derivation_paths.empty()) {
+        return util::Error{Untranslated("Derivation paths cannot be empty")};
+    }
+
+    // Compute secrets
+    uint256 decryption_secret = ComputeDecryptionSecret(keys);
+    std::vector<uint256> individual_secrets = ComputeAllIndividualSecrets(decryption_secret, keys);
+
+    // Encode content prefix
+    auto content_encoded = EncodeContent(content);
+    if (!content_encoded) {
+        return util::Error{util::ErrorString(content_encoded)};
+    }
+
+    // Build payload: CONTENT || PLAINTEXT
+    std::vector<uint8_t> payload;
+    payload.insert(payload.end(), content_encoded->begin(), content_encoded->end());
+    payload.insert(payload.end(), plaintext.begin(), plaintext.end());
+
+    // Encrypt
+    std::vector<uint8_t> ciphertext = EncryptChaCha20Poly1305(payload, decryption_secret, nonce);
+
+    // Sort and deduplicate derivation paths (reference encoder uses a BTreeSet).
+    std::set<DerivationPath> unique_paths(derivation_paths.begin(), derivation_paths.end());
+
+    // Build result
+    EncryptedBackup backup;
+    backup.version = ENCRYPTED_BACKUP_V1;
+    backup.derivation_paths.assign(unique_paths.begin(), unique_paths.end());
+    backup.individual_secrets = std::move(individual_secrets);
+    backup.encryption = EncryptionAlgorithm::CHACHA20_POLY1305;
+    backup.nonce = nonce;
+    backup.ciphertext = std::move(ciphertext);
+
+    return backup;
+}
+
+util::Result<EncryptedBackup> CreateEncryptedBackup(
+    const std::vector<uint256>& keys,
+    std::span<const uint8_t> plaintext,
+    const EncryptedBackupContent& content,
+    const std::vector<DerivationPath>& derivation_paths)
+{
+    std::array<uint8_t, AEADChaCha20Poly1305::NONCE_SIZE> nonce;
+    GetStrongRandBytes(nonce);
+    return CreateEncryptedBackupWithNonce(keys, plaintext, content, derivation_paths, nonce);
+}
+
+std::optional<std::pair<std::vector<uint8_t>, EncryptedBackupContent>> DecryptBackupWithKey(const EncryptedBackup& backup,
+                                                                                            const uint256& key)
+{
+    // Compute individual secret for this key
+    uint256 si = ComputeIndividualSecret(key);
+
+    // Try each individual secret in the backup
+    for (const auto& ci : backup.individual_secrets) {
+        // Reconstruct decryption secret: s = ci XOR si
+        uint256 reconstructed_secret = XorUint256(ci, si);
+
+        // Try to decrypt
+        auto result = DecryptChaCha20Poly1305(backup.ciphertext, reconstructed_secret, backup.nonce);
+        if (result) {
+            // Decryption succeeded - strip the content prefix and return plaintext.
+            // Per spec, content type 0x00 (reserved) and types >= 0x80 must be rejected;
+            // DecodeContent enforces this, so a decode failure means the backup is invalid.
+            auto content_result = DecodeContent(*result);
+            if (!content_result) continue;
+            size_t content_size = content_result->second;
+            if (content_size > result->size()) continue;
+            auto plaintext = std::vector<uint8_t>(result->begin() + content_size, result->end());
+            return std::make_pair(std::move(plaintext), content_result->first);
+        }
+    }
+
+    return std::nullopt;
+}
+
+util::Result<std::pair<std::vector<uint8_t>, EncryptedBackupContent>> DecryptBackupWithDescriptor(const EncryptedBackup& backup,
+                                                                                                  const std::string& descriptor)
+{
+    auto extract_result = ExtractKeysFromDescriptor(descriptor);
+    if (!extract_result) {
+        return util::Error{util::ErrorString(extract_result)};
+    }
+
+    for (const auto& key : extract_result->first) {
+        auto result = DecryptBackupWithKey(backup, key);
+        if (result) {
+            return *result;
+        }
+    }
+
+    return util::Error{Untranslated("No matching key found for decryption")};
+}
+
 } // namespace wallet
diff --git a/src/wallet/encryptedbackup.h b/src/wallet/encryptedbackup.h
index fcc4066e49bd..7961a95d3cf1 100644
--- a/src/wallet/encryptedbackup.h
+++ b/src/wallet/encryptedbackup.h
@@ -256,6 +256,33 @@ std::optional<std::vector<uint8_t>> DecryptChaCha20Poly1305(std::span<const uint
                                                             const uint256& secret,
                                                             std::span<const uint8_t, AEADChaCha20Poly1305::NONCE_SIZE> nonce);
 
+/**
+ * Create an encrypted backup from public keys and plaintext payload.
+ *
+ * @param[in] keys Normalized x-only public keys (used to derive encryption key)
+ * @param[in] plaintext The data to encrypt (typically the descriptor itself or labels)
+ * @param[in] content Content type metadata
+ * @param[in] derivation_paths Optional derivation paths to include
+ * @return The encrypted backup structure, or error message
+ */
+util::Result<EncryptedBackup> CreateEncryptedBackup(
+    const std::vector<uint256>& keys,
+    std::span<const uint8_t> plaintext,
+    const EncryptedBackupContent& content,
+    const std::vector<DerivationPath>& derivation_paths = {});
+
+/**
+ * Like CreateEncryptedBackup(), but uses a caller-supplied nonce instead of
+ * generating a random one. Intended for tests / test-vector verification.
+ */
+util::Result<EncryptedBackup> CreateEncryptedBackupWithNonce(
+    const std::vector<uint256>& keys,
+    std::span<const uint8_t> plaintext,
+    const EncryptedBackupContent& content,
+    const std::vector<DerivationPath>& derivation_paths,
+    const std::array<uint8_t, AEADChaCha20Poly1305::NONCE_SIZE>& nonce,
+    bool allow_empty_derivation_paths = false);
+
 /**
  * Encode an encrypted backup to binary format.
  *
@@ -288,6 +315,29 @@ util::Result<EncryptedBackup> DecodeEncryptedBackup(std::span<const uint8_t> dat
  */
 util::Result<EncryptedBackup> DecodeEncryptedBackupBase64(const std::string& base64_str);
 
+/**
+ * Attempt to decrypt an encrypted backup using a single public key.
+ *
+ * Tries to reconstruct the decryption secret using the individual secrets
+ * in the backup and the provided key.
+ *
+ * @param[in] backup The encrypted backup
+ * @param[in] key The normalized x-only public key to try
+ * @return Pair of (decrypted plaintext, content metadata), or nullopt if key doesn't match or decryption fails
+ */
+std::optional<std::pair<std::vector<uint8_t>, EncryptedBackupContent>> DecryptBackupWithKey(const EncryptedBackup& backup,
+                                                                                            const uint256& key);
+
+/**
+ * Attempt to decrypt an encrypted backup using any matching key from a descriptor.
+ *
+ * @param[in] backup The encrypted backup
+ * @param[in] descriptor A descriptor containing potential decryption keys
+ * @return Pair of (decrypted plaintext, content metadata), or error message
+ */
+util::Result<std::pair<std::vector<uint8_t>, EncryptedBackupContent>> DecryptBackupWithDescriptor(const EncryptedBackup& backup,
+                                                                                                  const std::string& descriptor);
+
 } // namespace wallet
 
 #endif // BITCOIN_WALLET_ENCRYPTEDBACKUP_H
diff --git a/src/wallet/test/encrypted_backup_tests.cpp b/src/wallet/test/encrypted_backup_tests.cpp
index d38f3db9074c..7395ef802a6c 100644
--- a/src/wallet/test/encrypted_backup_tests.cpp
+++ b/src/wallet/test/encrypted_backup_tests.cpp
@@ -7,6 +7,7 @@
 #include <test/data/bip_encrypted_backup_chacha20poly1305_encryption.json.h>
 #include <test/data/bip_encrypted_backup_content_type.json.h>
 #include <test/data/bip_encrypted_backup_derivation_path.json.h>
+#include <test/data/bip_encrypted_backup_encrypted_backup.json.h>
 #include <test/data/bip_encrypted_backup_encryption_secret.json.h>
 #include <test/data/bip_encrypted_backup_individual_secrets.json.h>
 #include <test/data/bip_encrypted_backup_keys_types.json.h>
@@ -551,11 +552,9 @@ BOOST_AUTO_TEST_CASE(chacha20poly1305_vector_test)
         // enforce that rule; it lives at the CreateEncryptedBackup* layer, so
         // drive those cases through the high-level helper and assert failure.
         if (vec["ciphertext"].isNull()) {
-            std::string descriptor = "wpkh([d34db33f/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*)";
-            EncryptedBackupContent content;
-            content.type = ContentType::BIP_NUMBER;
-            content.bip_number = BIP_DESCRIPTORS;
-            auto result = CreateEncryptedBackupWithNonce(descriptor, plaintext, content, {}, nonce);
+            auto [dummy_keys, dummy_paths] = *ExtractKeysFromDescriptor("wpkh([d34db33f/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*)");
+            auto content = EncryptedBackupContent::Bip(BIP_DESCRIPTORS);
+            auto result = CreateEncryptedBackupWithNonce(dummy_keys, plaintext, content, dummy_paths, nonce);
             BOOST_CHECK_MESSAGE(!result,
                 description << ": CreateEncryptedBackupWithNonce must reject this input");
             continue;
@@ -601,6 +600,354 @@ BOOST_AUTO_TEST_CASE(chacha_decrypt_corrupted_test)
     BOOST_CHECK(!DecryptChaCha20Poly1305(ct, secret, nonce).has_value());
 }
 
+BOOST_AUTO_TEST_CASE(full_backup_roundtrip_test)
+{
+    // Test full backup creation and decryption with a real descriptor
+    // Use testnet tpub since we're running on RegTest
+    std::string descriptor = "wpkh([d34db33f/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*)";
+
+    // Create backup
+    auto content = EncryptedBackupContent::Bip(BIP_DESCRIPTORS);
+
+    std::vector<uint8_t> plaintext(descriptor.begin(), descriptor.end());
+
+    auto [keys, paths] = *ExtractKeysFromDescriptor(descriptor);
+
+    auto backup_result = CreateEncryptedBackup(keys, plaintext, content, paths);
+    BOOST_REQUIRE_MESSAGE(backup_result, util::ErrorString(backup_result).original);
+
+    // Encode to binary
+    auto encoded = EncodeEncryptedBackup(*backup_result);
+    BOOST_REQUIRE_MESSAGE(encoded, util::ErrorString(encoded).original);
+    BOOST_CHECK(!encoded->empty());
+
+    // Check magic bytes
+    BOOST_CHECK_EQUAL((*encoded)[0], 'B');
+    BOOST_CHECK_EQUAL((*encoded)[1], 'I');
+    BOOST_CHECK_EQUAL((*encoded)[2], 'P');
+
+    // Decode back
+    auto decoded_result = DecodeEncryptedBackup(*encoded);
+    BOOST_REQUIRE_MESSAGE(decoded_result, util::ErrorString(decoded_result).original);
+
+    // Decrypt using the same descriptor
+    auto decrypted = DecryptBackupWithDescriptor(*decoded_result, descriptor);
+    BOOST_REQUIRE_MESSAGE(decrypted, util::ErrorString(decrypted).original);
+
+    // Verify plaintext matches
+    std::string decrypted_str(decrypted->first.begin(), decrypted->first.end());
+    BOOST_CHECK_EQUAL(decrypted_str, descriptor);
+}
+
+BOOST_AUTO_TEST_CASE(base64_encoding_test)
+{
+    // Test base64 encoding roundtrip
+    // Use testnet tpub since we're running on RegTest
+    std::string descriptor = "wpkh([d34db33f/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*)";
+
+    auto content = EncryptedBackupContent::Bip(BIP_DESCRIPTORS);
+
+    std::vector<uint8_t> plaintext(descriptor.begin(), descriptor.end());
+
+    auto [keys, paths] = *ExtractKeysFromDescriptor(descriptor);
+
+    auto backup_result = CreateEncryptedBackup(keys, plaintext, content, paths);
+    BOOST_REQUIRE_MESSAGE(backup_result, util::ErrorString(backup_result).original);
+
+    // Encode to base64
+    auto base64_str = EncodeEncryptedBackupBase64(*backup_result);
+    BOOST_REQUIRE_MESSAGE(base64_str, util::ErrorString(base64_str).original);
+    BOOST_CHECK(!base64_str->empty());
+
+    // Decode from base64
+    auto decoded_result = DecodeEncryptedBackupBase64(*base64_str);
+    BOOST_REQUIRE_MESSAGE(decoded_result, util::ErrorString(decoded_result).original);
+
+    // Decrypt
+    auto decrypted = DecryptBackupWithDescriptor(*decoded_result, descriptor);
+    BOOST_REQUIRE_MESSAGE(decrypted, util::ErrorString(decrypted).original);
+
+    std::string decrypted_str(decrypted->first.begin(), decrypted->first.end());
+    BOOST_CHECK_EQUAL(decrypted_str, descriptor);
+}
+
+BOOST_AUTO_TEST_CASE(wrong_key_decryption_test)
+{
+    // Test that decryption fails with wrong key
+    // Use testnet tpub keys since we're running on RegTest
+    std::string descriptor1 = "wpkh([11111111/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*)";
+    std::string descriptor2 = "wpkh([22222222/84h/1h/0h]tpubDCBEcmVKbfC9KfdydyLbJ2gfNL88grZu1XcWSW9ytTM6fitvaRmVyr8Ddf7SjZ2ZfMx9RicjYAXhuh3fmLiVLPodPEqnQQURUfrBKiiVZc8/0/*)";
+
+    auto content = EncryptedBackupContent::Bip(BIP_DESCRIPTORS);
+
+    std::vector<uint8_t> plaintext(descriptor1.begin(), descriptor1.end());
+
+    // Create backup with descriptor1
+    auto [keys1, paths1] = *ExtractKeysFromDescriptor(descriptor1);
+    auto backup_result = CreateEncryptedBackup(keys1, plaintext, content, paths1);
+    BOOST_REQUIRE_MESSAGE(backup_result, util::ErrorString(backup_result).original);
+
+    // Try to decrypt with descriptor2 - should fail
+    auto decrypted = DecryptBackupWithDescriptor(*backup_result, descriptor2);
+    BOOST_CHECK_MESSAGE(!decrypted, "Decryption should fail with wrong key");
+}
+
+BOOST_AUTO_TEST_CASE(encrypted_backup_vector_test)
+{
+    UniValue vectors = read_json(json_tests::bip_encrypted_backup_encrypted_backup);
+
+    for (size_t i = 0; i < vectors.size(); ++i) {
+        const UniValue& vec = vectors[i];
+        std::string description = vec["description"].get_str();
+        BOOST_TEST_MESSAGE("Testing: " << description);
+
+        // Parse + normalize + sort keys.
+        std::vector<uint256> keys;
+        const UniValue& keys_arr = vec["keys"];
+        for (size_t j = 0; j < keys_arr.size(); ++j) {
+            auto bytes = ParseHex(keys_arr[j].get_str());
+            BOOST_REQUIRE_EQUAL(bytes.size(), 33u);
+            uint256 k;
+            std::memcpy(k.data(), bytes.data() + 1, 32);
+            keys.push_back(k);
+        }
+        std::sort(keys.begin(), keys.end());
+        keys.erase(std::unique(keys.begin(), keys.end()), keys.end());
+
+        // Derivation paths: sort + dedupe to match the reference encoder.
+        std::set<DerivationPath> path_set;
+        const UniValue& paths_arr = vec["derivation_paths"];
+        for (size_t j = 0; j < paths_arr.size(); ++j) {
+            auto p = ParseDerivationPath(paths_arr[j].get_str());
+            BOOST_REQUIRE(p);
+            path_set.insert(*p);
+        }
+        std::vector<DerivationPath> paths(path_set.begin(), path_set.end());
+
+        // Nonce.
+        auto nonce_bytes = ParseHex(vec["nonce"].get_str());
+        BOOST_REQUIRE_EQUAL(nonce_bytes.size(), AEADChaCha20Poly1305::NONCE_SIZE);
+        std::array<uint8_t, AEADChaCha20Poly1305::NONCE_SIZE> nonce;
+        std::memcpy(nonce.data(), nonce_bytes.data(), nonce.size());
+
+        // Build payload: pre-encoded content || raw plaintext (UTF-8 bytes).
+        auto content_bytes = ParseHex(vec["content"].get_str());
+        std::string plaintext_str = vec["plaintext"].get_str();
+        std::vector<uint8_t> payload;
+        payload.insert(payload.end(), content_bytes.begin(), content_bytes.end());
+        payload.insert(payload.end(), plaintext_str.begin(), plaintext_str.end());
+
+        // Compute secrets.
+        uint256 s = ComputeDecryptionSecret(keys);
+        auto individual_secrets = ComputeAllIndividualSecrets(s, keys);
+
+        // Encrypt.
+        auto ciphertext = EncryptChaCha20Poly1305(payload, s, nonce);
+
+        // Assemble and encode.
+        EncryptedBackup backup;
+        backup.version = static_cast<uint8_t>(vec["version"].getInt<int>());
+        backup.derivation_paths = paths;
+        backup.individual_secrets = individual_secrets;
+        backup.encryption = static_cast<EncryptionAlgorithm>(vec["encryption"].getInt<int>());
+        backup.nonce = nonce;
+        backup.ciphertext = std::move(ciphertext);
+
+        auto encoded = EncodeEncryptedBackup(backup);
+        BOOST_REQUIRE_MESSAGE(encoded, util::ErrorString(encoded).original);
+        std::string expected_hex = vec["expected"].get_str();
+        BOOST_CHECK_MESSAGE(HexStr(*encoded) == expected_hex,
+            description << ": encoded mismatch\n  got:      " << HexStr(*encoded)
+            << "\n  expected: " << expected_hex);
+
+        // Round-trip decode.
+        auto decoded = DecodeEncryptedBackup(*encoded);
+        BOOST_REQUIRE_MESSAGE(decoded, util::ErrorString(decoded).original);
+
+        // Trailing-byte tolerance.
+        if (!vec["trailing"].isNull()) {
+            auto trailing = ParseHex(vec["trailing"].get_str());
+            std::vector<uint8_t> with_trailing = *encoded;
+            with_trailing.insert(with_trailing.end(), trailing.begin(), trailing.end());
+            auto decoded2 = DecodeEncryptedBackup(with_trailing);
+            BOOST_CHECK_MESSAGE(static_cast<bool>(decoded2),
+                description << ": decoder must tolerate trailing bytes");
+        }
+
+        // Decrypt using first key and check content + plaintext match.
+        auto decrypted = DecryptBackupWithKey(*decoded, keys[0]);
+        BOOST_REQUIRE_MESSAGE(decrypted.has_value(),
+            description << ": DecryptBackupWithKey failed");
+        std::string dec_str(decrypted->first.begin(), decrypted->first.end());
+        BOOST_CHECK_EQUAL(dec_str, plaintext_str);
+    }
+}
+
+// ---------- High-level wire parsing: magic/version/encryption byte ----------
+
+BOOST_AUTO_TEST_CASE(decode_parse_magic_test)
+{
+    std::string descriptor = "wpkh([d34db33f/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*)";
+    auto [keys, paths] = *ExtractKeysFromDescriptor(descriptor);
+    auto content = EncryptedBackupContent::Bip(BIP_DESCRIPTORS);
+    std::vector<uint8_t> pt(descriptor.begin(), descriptor.end());
+    auto backup = CreateEncryptedBackup(keys, pt, content, paths);
+    BOOST_REQUIRE(backup);
+    auto bytes = EncodeEncryptedBackup(*backup);
+    BOOST_REQUIRE(bytes);
+    auto bad = *bytes;
+    bad[0] = 'B'; bad[1] = 'O'; bad[2] = 'B';
+    BOOST_CHECK(!DecodeEncryptedBackup(bad));
+}
+
+BOOST_AUTO_TEST_CASE(decode_parse_version_test)
+{
+    std::string descriptor = "wpkh([d34db33f/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*)";
+    auto [keys, paths] = *ExtractKeysFromDescriptor(descriptor);
+    auto content = EncryptedBackupContent::Bip(BIP_DESCRIPTORS);
+    std::vector<uint8_t> pt(descriptor.begin(), descriptor.end());
+    auto backup = CreateEncryptedBackup(keys, pt, content, paths);
+    BOOST_REQUIRE(backup);
+    auto bytes = EncodeEncryptedBackup(*backup);
+    BOOST_REQUIRE(bytes);
+    auto v0 = *bytes; v0[6] = 0x00;
+    BOOST_CHECK(!DecodeEncryptedBackup(v0));
+    auto v2 = *bytes; v2[6] = 0x02;
+    BOOST_CHECK(!DecodeEncryptedBackup(v2));
+}
+
+BOOST_AUTO_TEST_CASE(decode_parse_encryption_reserved_test)
+{
+    std::string descriptor = "wpkh([d34db33f/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*)";
+    auto [keys, paths] = *ExtractKeysFromDescriptor(descriptor);
+    auto content = EncryptedBackupContent::Bip(BIP_DESCRIPTORS);
+    std::vector<uint8_t> pt(descriptor.begin(), descriptor.end());
+    auto backup = CreateEncryptedBackup(keys, pt, content, paths);
+    BOOST_REQUIRE(backup);
+    auto bytes = EncodeEncryptedBackup(*backup);
+    BOOST_REQUIRE(bytes);
+    // Find encryption byte offset dynamically
+    auto decoded = DecodeEncryptedBackup(*bytes);
+    BOOST_REQUIRE(decoded);
+    auto paths_enc = EncodeDerivationPaths(decoded->derivation_paths);
+    BOOST_REQUIRE(paths_enc);
+    auto secrets_enc = EncodeIndividualSecrets(decoded->individual_secrets);
+    BOOST_REQUIRE(secrets_enc);
+    size_t enc_off = 6 + 1 + paths_enc->size() + secrets_enc->size();
+    BOOST_REQUIRE_EQUAL((*bytes)[enc_off], 0x01);
+    auto reserved = *bytes; reserved[enc_off] = 0x00;
+    BOOST_CHECK(!DecodeEncryptedBackup(reserved));
+    auto unknown = *bytes; unknown[enc_off] = 0x02;
+    BOOST_CHECK(!DecodeEncryptedBackup(unknown));
+}
+
+// ---------- High-level sanitizing ----------
+
+BOOST_AUTO_TEST_CASE(encrypt_sanitizing_empty_keys_test)
+{
+    auto content = EncryptedBackupContent::Bip(BIP_DESCRIPTORS);
+    std::vector<uint8_t> pt{'x'};
+    BOOST_CHECK(!CreateEncryptedBackup({}, pt, content, {}));
+}
+
+BOOST_AUTO_TEST_CASE(encrypt_sanitizing_zero_nonce_test)
+{
+    std::string descriptor = "wpkh([d34db33f/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*)";
+    auto [keys, paths] = *ExtractKeysFromDescriptor(descriptor);
+    auto content = EncryptedBackupContent::Bip(BIP_DESCRIPTORS);
+    std::vector<uint8_t> pt{'x'};
+    std::array<uint8_t, AEADChaCha20Poly1305::NONCE_SIZE> nonce{};
+    BOOST_CHECK(!CreateEncryptedBackupWithNonce(keys, pt, content, paths, nonce));
+}
+
+BOOST_AUTO_TEST_CASE(encrypt_sanitizing_empty_derivation_paths_test)
+{
+    std::string descriptor = "wpkh([d34db33f/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*)";
+    auto [keys, paths] = *ExtractKeysFromDescriptor(descriptor);
+    auto content = EncryptedBackupContent::Bip(BIP_DESCRIPTORS);
+    std::vector<uint8_t> pt{'x'};
+    BOOST_CHECK(!CreateEncryptedBackup(keys, pt, content, {}));
+}
+
+BOOST_AUTO_TEST_CASE(encrypt_sanitizing_too_many_paths_test)
+{
+    std::string descriptor = "wpkh([d34db33f/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*)";
+    auto [keys, _] = *ExtractKeysFromDescriptor(descriptor);
+    auto content = EncryptedBackupContent::Bip(BIP_DESCRIPTORS);
+    std::vector<uint8_t> pt{'x'};
+    std::vector<DerivationPath> paths;
+    for (size_t i = 0; i < 256; ++i) {
+        paths.push_back(DerivationPath{static_cast<uint32_t>(i), 1u, 2u, 3u});
+    }
+    std::array<uint8_t, AEADChaCha20Poly1305::NONCE_SIZE> nonce{};
+    nonce.fill(1);
+    auto r = CreateEncryptedBackupWithNonce(keys, pt, content, paths, nonce);
+    BOOST_REQUIRE(r);
+    // Size is enforced at the wire-encoding layer.
+    BOOST_CHECK(!EncodeEncryptedBackup(*r));
+}
+
+BOOST_AUTO_TEST_CASE(multi_recipient_decrypt_test)
+{
+    std::string descriptor = "wsh(multi(1,"
+        "[d34db33f/48h/1h/0h/2h]tpubDDxT9mkZzWwkKwpGT5fY6iiM9muYTPkTx6Eig8dpHR7TChuGGCWYAHVmpW1ciido5RiFWwjzYsF1GZHkEHg2nrYp3zNtx3QQRkznyLhQ77x/0/*,"
+        "[11111111/48h/1h/0h/2h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*"
+        "))";
+
+    auto [keys, paths] = *ExtractKeysFromDescriptor(descriptor);
+    auto content = EncryptedBackupContent::Bip(BIP_DESCRIPTORS);
+    std::vector<uint8_t> pt = {'h', 'e', 'l', 'l', 'o'};
+    auto backup = CreateEncryptedBackup(keys, pt, content, paths);
+    BOOST_REQUIRE_MESSAGE(backup, util::ErrorString(backup).original);
+    BOOST_CHECK_EQUAL(backup->individual_secrets.size(), 2u);
+
+    // Unrelated descriptor must fail to decrypt.
+    std::string other = "wpkh([22222222/84h/1h/0h]tpubDCBEcmVKbfC9KfdydyLbJ2gfNL88grZu1XcWSW9ytTM6fitvaRmVyr8Ddf7SjZ2ZfMx9RicjYAXhuh3fmLiVLPodPEqnQQURUfrBKiiVZc8/0/*)";
+    BOOST_CHECK(!DecryptBackupWithDescriptor(*backup, other));
+
+    auto r = DecryptBackupWithDescriptor(*backup, descriptor);
+    BOOST_REQUIRE(r);
+    BOOST_CHECK_EQUAL(std::string(r->first.begin(), r->first.end()), "hello");
+}
+
+// ---------- ExtractKeysFromDescriptor / CreateEncryptedBackup error cases ----------
+
+BOOST_AUTO_TEST_CASE(extract_keys_invalid_descriptor_test)
+{
+    BOOST_CHECK(!ExtractKeysFromDescriptor("not a descriptor"));
+    BOOST_CHECK(!ExtractKeysFromDescriptor(""));
+    BOOST_CHECK(!ExtractKeysFromDescriptor("wpkh()"));
+}
+
+BOOST_AUTO_TEST_CASE(extract_keys_nums_only_test)
+{
+    // tr(NUMS) is a valid descriptor whose sole key is the BIP341 NUMS point;
+    // ExtractKeysFromDescriptor must filter it out and return an error since
+    // no usable keys remain.
+    std::string nums_only = "tr(50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0)";
+    BOOST_CHECK(!ExtractKeysFromDescriptor(nums_only));
+}
+
+BOOST_AUTO_TEST_CASE(create_backup_empty_plaintext_test)
+{
+    std::string descriptor = "wpkh([d34db33f/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*)";
+    auto [keys, paths] = *ExtractKeysFromDescriptor(descriptor);
+    auto content = EncryptedBackupContent::Bip(BIP_DESCRIPTORS);
+    BOOST_CHECK(!CreateEncryptedBackup(keys, std::span<const uint8_t>{}, content, paths));
+}
+
+BOOST_AUTO_TEST_CASE(decode_base64_invalid_test)
+{
+    BOOST_CHECK(!DecodeEncryptedBackupBase64("!!!not-base64!!!"));
+    BOOST_CHECK(!DecodeEncryptedBackupBase64(""));
+}
+
+BOOST_AUTO_TEST_CASE(decode_base64_valid_but_bad_payload_test)
+{
+    // Valid base64 of arbitrary bytes that don't match the backup format.
+    BOOST_CHECK(!DecodeEncryptedBackupBase64("aGVsbG8gd29ybGQ=")); // "hello world"
+}
+
 BOOST_AUTO_TEST_SUITE_END()
 
 } // namespace wallet

From ff68bc8f57ae81657b9fb39ee89cd5509396ce93 Mon Sep 17 00:00:00 2001
From: pythcoiner <pythcoiner@proton.me>
Date: Wed, 15 Apr 2026 23:59:17 -0400
Subject: [PATCH 14/21] rpc: add encryptdescriptor RPC

Stateless RPC that takes a descriptor string and returns a base64-
encoded BIP-XXXX encrypted backup. The encryption key is derived from
the public keys in the descriptor. No wallet is needed.
---
 src/wallet/rpc/backup.cpp                  | 81 +++++++++++++++++++
 src/wallet/rpc/wallet.cpp                  |  2 +
 test/functional/wallet_encrypted_backup.py | 91 ++++++++++++++++++++++
 3 files changed, 174 insertions(+)
 create mode 100755 test/functional/wallet_encrypted_backup.py

diff --git a/src/wallet/rpc/backup.cpp b/src/wallet/rpc/backup.cpp
index a65bde083ab0..8c0d00a9c239 100644
--- a/src/wallet/rpc/backup.cpp
+++ b/src/wallet/rpc/backup.cpp
@@ -21,11 +21,13 @@
 #include <util/fs.h>
 #include <util/time.h>
 #include <util/translation.h>
+#include <wallet/encryptedbackup.h>
 #include <wallet/rpc/util.h>
 #include <wallet/wallet.h>
 
 #include <cstdint>
 #include <fstream>
+#include <optional>
 #include <tuple>
 #include <string>
 
@@ -639,4 +641,83 @@ RPCMethod restorewallet()
 },
     };
 }
+
+RPCMethod encryptdescriptor()
+{
+    return RPCMethod{
+        "encryptdescriptor",
+        "Encrypt a descriptor string using the BIP-XXXX encrypted backup format.\n"
+        "The encryption key is derived from the public keys in the descriptor.\n"
+        "Returns the encrypted backup as a base64-encoded string, or writes raw binary to backupfile if provided.\n",
+        {
+            {"descriptor", RPCArg::Type::STR, RPCArg::Optional::NO, "The descriptor string to encrypt (must include checksum)."},
+            {"backupfile", RPCArg::Type::STR, RPCArg::Optional::OMITTED, "If provided, write the raw binary backup to this file instead of returning base64."},
+        },
+        {
+            RPCResult{"backupfile is not set",
+                RPCResult::Type::STR, "", "The encrypted backup as a base64 string"},
+            RPCResult{"backupfile is set",
+                RPCResult::Type::OBJ, "", "",
+                {
+                    {RPCResult::Type::STR, "filename", "The full path of the written backup file"},
+                }},
+        },
+        RPCExamples{
+            HelpExampleCli("encryptdescriptor", "\"wpkh([d34db33f/84h/0h/0h]tpub.../0/*)#checksum\"")
+            + HelpExampleCli("encryptdescriptor", "\"wpkh([d34db33f/84h/0h/0h]tpub.../0/*)#checksum\" \"backup.bin\"")
+            + HelpExampleRpc("encryptdescriptor", "\"wpkh([d34db33f/84h/0h/0h]tpub.../0/*)#checksum\"")
+        },
+        [](const RPCMethod& self, const JSONRPCRequest& request) -> UniValue
+{
+    const std::string descriptor = request.params[0].get_str();
+
+    std::vector<uint8_t> plaintext(descriptor.begin(), descriptor.end());
+
+    // ExtractKeysFromDescriptor will sanity-check the descriptor, no need for duplicate check
+    auto keys_and_paths = ExtractKeysFromDescriptor(descriptor);
+    if (!keys_and_paths) {
+        throw JSONRPCError(RPC_INVALID_ADDRESS_OR_KEY, strprintf("Invalid descriptor: %s", util::ErrorString(keys_and_paths).original));
+    }
+    auto& [encryption_keys, derivation_paths] = *keys_and_paths;
+
+    auto content = EncryptedBackupContent::Bip(BIP_DESCRIPTORS);
+
+    auto backup = CreateEncryptedBackup(encryption_keys, plaintext, content, derivation_paths);
+    if (!backup) {
+        throw JSONRPCError(RPC_WALLET_ERROR, strprintf("Failed to create encrypted backup: %s", util::ErrorString(backup).original));
+    }
+
+    if (!request.params[1].isNull()) {
+        const std::string filename = request.params[1].get_str();
+        fs::path out_path = fs::absolute(fs::PathFromString(filename));
+        if (fs::exists(out_path)) {
+            throw JSONRPCError(RPC_INVALID_PARAMETER, strprintf("File %s already exists.", fs::PathToString(out_path)));
+        }
+        auto binary_backup = EncodeEncryptedBackup(*backup);
+        if (!binary_backup) {
+            throw JSONRPCError(RPC_WALLET_ERROR, strprintf("Error encoding backup: %s", util::ErrorString(binary_backup).original));
+        }
+        std::ofstream out_file(out_path.std_path(), std::ios::binary);
+        if (out_file.fail()) {
+            throw JSONRPCError(RPC_WALLET_ERROR, strprintf("Unable to open %s for writing", fs::PathToString(out_path)));
+        }
+        out_file.write(reinterpret_cast<const char*>(binary_backup->data()), binary_backup->size());
+        if (out_file.fail()) {
+            throw JSONRPCError(RPC_WALLET_ERROR, strprintf("Error writing backup to %s", fs::PathToString(out_path)));
+        }
+        UniValue result(UniValue::VOBJ);
+        result.pushKV("filename", fs::PathToString(out_path));
+        return result;
+    }
+
+    auto base64_backup = EncodeEncryptedBackupBase64(*backup);
+    if (!base64_backup) {
+        throw JSONRPCError(RPC_WALLET_ERROR, strprintf("Error encoding backup: %s", util::ErrorString(base64_backup).original));
+    }
+
+    return *base64_backup;
+},
+    };
+}
+
 } // namespace wallet
diff --git a/src/wallet/rpc/wallet.cpp b/src/wallet/rpc/wallet.cpp
index b6c9179d19db..a0c1dd139b2b 100644
--- a/src/wallet/rpc/wallet.cpp
+++ b/src/wallet/rpc/wallet.cpp
@@ -860,6 +860,7 @@ RPCMethod importdescriptors();
 RPCMethod listdescriptors();
 RPCMethod backupwallet();
 RPCMethod restorewallet();
+RPCMethod encryptdescriptor();
 
 // coins
 RPCMethod getreceivedbyaddress();
@@ -913,6 +914,7 @@ std::span<const CRPCCommand> GetWalletRPCCommands()
         {"wallet", &createwallet},
         {"wallet", &createwalletdescriptor},
         {"wallet", &restorewallet},
+        {"wallet", &encryptdescriptor},
         {"wallet", &encryptwallet},
         {"wallet", &getaddressesbylabel},
         {"wallet", &getaddressinfo},
diff --git a/test/functional/wallet_encrypted_backup.py b/test/functional/wallet_encrypted_backup.py
new file mode 100755
index 000000000000..ef056273d6b1
--- /dev/null
+++ b/test/functional/wallet_encrypted_backup.py
@@ -0,0 +1,91 @@
+#!/usr/bin/env python3
+# Copyright (c) 2024-present The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+"""Test the encryptdescriptor, decryptdescriptor, importencrypteddescriptor, and inspectencrypteddescriptor RPCs."""
+
+import base64
+import os
+import re
+
+from test_framework.test_framework import BitcoinTestFramework
+from test_framework.util import assert_equal, assert_raises_rpc_error
+
+
+class WalletEncryptedBackupTest(BitcoinTestFramework):
+    def set_test_params(self):
+        self.num_nodes = 1
+
+    def skip_test_if_missing_module(self):
+        self.skip_if_no_wallet()
+
+    def test_encryptdescriptor(self):
+        self.log.info("Test encryptdescriptor RPC")
+
+        wallet = self.nodes[0].get_wallet_rpc(self.default_wallet_name)
+        descriptors = wallet.listdescriptors()["descriptors"]
+
+        # Pick a descriptor that contains a tpub/xpub (has derivation paths)
+        chosen_desc = None
+        xpub_match = None
+        for desc_obj in descriptors:
+            m = re.search(r'[tx]pub[A-Za-z0-9]+', desc_obj["desc"])
+            if m:
+                chosen_desc = desc_obj["desc"]
+                xpub_match = m
+                break
+        assert chosen_desc is not None, "Could not find a descriptor with tpub/xpub"
+        self.xpub = xpub_match.group(0)
+
+        # Encrypt via RPC
+        backup_base64 = self.nodes[0].encryptdescriptor(chosen_desc)
+
+        # Verify it's valid base64 with BIP magic
+        backup_bytes = base64.b64decode(backup_base64)
+        assert backup_bytes[:6] == b"BIPXXX", f"Expected magic 'BIPXXX', got: {backup_bytes[:6]}"
+
+        # Store for use by later tests
+        self.chosen_desc = chosen_desc
+        self.backup_base64 = backup_base64
+
+        # Test encrypt to file via backupfile
+        self.log.info("Testing encryptdescriptor with backupfile...")
+        backup_file = str(self.nodes[0].datadir_path / "rpc_backup.bin")
+        result = self.nodes[0].encryptdescriptor(chosen_desc, backup_file)
+        assert_equal(result["filename"], backup_file)
+
+        import os
+        raw_bytes = open(backup_file, "rb").read()
+        assert len(raw_bytes) > 0
+        assert_equal(raw_bytes[:6], b"BIPXXX")
+        self.backup_file = backup_file
+
+        self.log.info("encryptdescriptor RPC test passed!")
+
+    def test_encryptdescriptor_errors(self):
+        self.log.info("Test encryptdescriptor RPC error cases")
+        node = self.nodes[0]
+
+        # Invalid descriptor (unparseable string)
+        assert_raises_rpc_error(-5, "Invalid descriptor",
+                                node.encryptdescriptor, "this is not a descriptor")
+        # Descriptor with no extractable key
+        assert_raises_rpc_error(-5, "Invalid descriptor",
+                                node.encryptdescriptor, "wpkh()")
+        # Backup file already exists
+        existing_file = str(node.datadir_path / "rpc_existing.bin")
+        with open(existing_file, "wb") as f:
+            f.write(b"placeholder")
+        assert_raises_rpc_error(-8, "already exists",
+                                node.encryptdescriptor, self.chosen_desc, existing_file)
+        os.remove(existing_file)
+
+        self.log.info("encryptdescriptor RPC error cases passed!")
+
+    def run_test(self):
+        self.test_encryptdescriptor()
+        self.test_encryptdescriptor_errors()
+
+
+if __name__ == '__main__':
+    WalletEncryptedBackupTest(__file__).main()

From ba26860b783e3f7a5ccd0684b5dcecd3c0372ada Mon Sep 17 00:00:00 2001
From: pythcoiner <pythcoiner@proton.me>
Date: Thu, 16 Apr 2026 00:00:19 -0400
Subject: [PATCH 15/21] rpc: add decryptdescriptor RPC

Stateless RPC that takes a base64-encoded BIP-XXXX encrypted backup
and an extended public key (xpub/tpub), then returns the decrypted
descriptor string. No wallet is needed.
---
 src/script/descriptor.cpp                  |  10 ++
 src/script/descriptor.h                    |   5 +
 src/wallet/encryptedbackup.cpp             |  24 +++++
 src/wallet/encryptedbackup.h               |  13 +++
 src/wallet/rpc/backup.cpp                  |  78 +++++++++++++++
 src/wallet/rpc/wallet.cpp                  |   2 +
 src/wallet/test/encrypted_backup_tests.cpp | 107 +++++++++++++++++++++
 test/functional/wallet_encrypted_backup.py |  64 ++++++++++++
 8 files changed, 303 insertions(+)

diff --git a/src/script/descriptor.cpp b/src/script/descriptor.cpp
index 6a5aafb0bd65..682b8b8c675c 100644
--- a/src/script/descriptor.cpp
+++ b/src/script/descriptor.cpp
@@ -2992,3 +2992,13 @@ ExtPubKeyMap DescriptorCache::GetCachedLastHardenedExtPubKeys() const
 {
     return m_last_hardened_xpubs;
 }
+
+std::optional<CExtPubKey> ParseExtPubKeyExpression(const std::string& str, std::string& error)
+{
+    FlatSigningProvider out;
+    uint32_t key_exp_index = 0;
+    const std::span<const char> sp{str.data(), str.size()};
+    auto providers = ParsePubkey(key_exp_index, sp, ParseScriptContext::P2WPKH, out, error);
+    if (providers.empty()) return std::nullopt;
+    return providers[0]->GetRootExtPubKey();
+}
diff --git a/src/script/descriptor.h b/src/script/descriptor.h
index 3ac748a1746e..da792f5ec66f 100644
--- a/src/script/descriptor.h
+++ b/src/script/descriptor.h
@@ -189,6 +189,11 @@ struct Descriptor {
     virtual size_t GetKeyCount() const = 0;
 };
 
+/** Parse a key expression (optionally with origin and derivation path) and return the extended public key.
+ * Accepts formats like: xpub..., [fingerprint/path]xpub..., [fingerprint/path]xpub.../0/wildcard
+ */
+std::optional<CExtPubKey> ParseExtPubKeyExpression(const std::string& str, std::string& error);
+
 /** Parse a `descriptor` string. Included private keys are put in `out`.
  *
  * If the descriptor has a checksum, it must be valid. If `require_checksum`
diff --git a/src/wallet/encryptedbackup.cpp b/src/wallet/encryptedbackup.cpp
index 910fa406b85e..dfb14644fd4c 100644
--- a/src/wallet/encryptedbackup.cpp
+++ b/src/wallet/encryptedbackup.cpp
@@ -674,4 +674,28 @@ util::Result<std::pair<std::vector<uint8_t>, EncryptedBackupContent>> DecryptBac
     return util::Error{Untranslated("No matching key found for decryption")};
 }
 
+util::Result<std::string> DecryptDescriptorWithXpub(const EncryptedBackup& backup,
+                                                    const std::string& xpub_str)
+{
+    std::string parse_error;
+    auto parsed = ParseExtPubKeyExpression(xpub_str, parse_error);
+    if (!parsed) {
+        return util::Error{Untranslated(strprintf("Invalid extended public key: %s", parse_error))};
+    }
+    CExtPubKey ext_pubkey = *parsed;
+
+    uint256 xonly_key = NormalizeToXOnly(ext_pubkey);
+
+    auto decrypted = DecryptBackupWithKey(backup, xonly_key);
+    if (!decrypted) {
+        return util::Error{Untranslated("Failed to decrypt backup: provided key does not match any participant.")};
+    }
+
+    if (decrypted->second != EncryptedBackupContent::Bip(BIP_DESCRIPTORS)) {
+        return util::Error{Untranslated("Invalid content type, BIP-0380 descriptor expected.")};
+    }
+
+    return std::string(decrypted->first.begin(), decrypted->first.end());
+}
+
 } // namespace wallet
diff --git a/src/wallet/encryptedbackup.h b/src/wallet/encryptedbackup.h
index 7961a95d3cf1..3c35db40c3a9 100644
--- a/src/wallet/encryptedbackup.h
+++ b/src/wallet/encryptedbackup.h
@@ -338,6 +338,19 @@ std::optional<std::pair<std::vector<uint8_t>, EncryptedBackupContent>> DecryptBa
 util::Result<std::pair<std::vector<uint8_t>, EncryptedBackupContent>> DecryptBackupWithDescriptor(const EncryptedBackup& backup,
                                                                                                   const std::string& descriptor);
 
+/**
+ * Validate an xpub string, then decrypt an encrypted backup using that key.
+ *
+ * Combines xpub parsing, normalization to x-only, decryption, content-type
+ * validation (BIP_DESCRIPTORS), and plaintext-to-string conversion.
+ *
+ * @param[in] backup    The already-decoded EncryptedBackup structure
+ * @param[in] xpub_str  The extended public key string (xpub/tpub)
+ * @return The decrypted descriptor string, or an error
+ */
+util::Result<std::string> DecryptDescriptorWithXpub(const EncryptedBackup& backup,
+                                                    const std::string& xpub_str);
+
 } // namespace wallet
 
 #endif // BITCOIN_WALLET_ENCRYPTEDBACKUP_H
diff --git a/src/wallet/rpc/backup.cpp b/src/wallet/rpc/backup.cpp
index 8c0d00a9c239..20753480f535 100644
--- a/src/wallet/rpc/backup.cpp
+++ b/src/wallet/rpc/backup.cpp
@@ -2,6 +2,7 @@
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
+#include "rpc/protocol.h"
 #include <chain.h>
 #include <clientversion.h>
 #include <core_io.h>
@@ -720,4 +721,81 @@ RPCMethod encryptdescriptor()
     };
 }
 
+/** Read an encrypted backup from either a base64 string parameter or a binary file. */
+static util::Result<EncryptedBackup> ReadBackupFromRPCParam(const UniValue& backup_param, const UniValue& backupfile_param)
+{
+    if (!backupfile_param.isNull()) {
+        const std::string& filename = backupfile_param.get_str();
+        fs::path in_path = fs::absolute(fs::PathFromString(filename));
+        std::ifstream in_file(in_path.std_path(), std::ios::binary);
+        if (in_file.fail()) {
+            return util::Error{Untranslated(strprintf("Unable to open %s for reading", fs::PathToString(in_path)))};
+        }
+        std::vector<uint8_t> binary_input((std::istreambuf_iterator<char>(in_file)),
+                                          std::istreambuf_iterator<char>());
+        auto res = DecodeEncryptedBackup(binary_input);
+        if (!res) {
+            // try to fallback to base64 decoding
+            std::string str_input(binary_input.begin(), binary_input.end());
+            auto b64_res = DecodeEncryptedBackupBase64(str_input);
+            if (b64_res) return b64_res;
+        }
+        return res;
+    }
+    if (backup_param.isNull()) {
+        return util::Error{Untranslated("Either \"backup\" or \"backupfile\" must be provided.")};
+    }
+    return DecodeEncryptedBackupBase64(backup_param.get_str());
+}
+
+/** Validate that params follow the (backup, xpub, backupfile) convention. */
+static void ValidateBackupAndXpubParams(const UniValue& params)
+{
+    if (params[1].isNull()) {
+        throw JSONRPCError(RPC_INVALID_PARAMETER, "An extended public key (xpub) must be provided");
+    }
+    const bool has_backup = !params[0].isNull() && !params[0].get_str().empty();
+    const bool has_backupfile = !params[2].isNull() && !params[2].get_str().empty();
+    if (has_backup == has_backupfile) {
+        throw JSONRPCError(RPC_INVALID_PARAMETER, "Pass either backup or backupfile, but not both");
+    }
+}
+
+RPCMethod decryptdescriptor()
+{
+    return RPCMethod{
+        "decryptdescriptor",
+        "Decrypt a BIP-XXXX encrypted descriptor and return the descriptor string.\n"
+        "The backup can be provided as a base64 string or read from a binary file via backupfile.\n"
+        "No wallet is needed.\n",
+        {
+            {"backup", RPCArg::Type::STR, RPCArg::Optional::OMITTED, "The base64-encoded encrypted backup (omit if using backupfile)."},
+            {"xpub", RPCArg::Type::STR, RPCArg::Optional::NO, "The extended public key (xpub/tpub) to decrypt with."},
+            {"backupfile", RPCArg::Type::STR, RPCArg::Optional::OMITTED, "If provided, read the raw binary backup from this file instead of the backup parameter."},
+        },
+        RPCResult{RPCResult::Type::STR, "", "The decrypted descriptor string"},
+        RPCExamples{
+            HelpExampleCli("decryptdescriptor", "\"base64...\" \"tpub...\"")
+            + HelpExampleCli("decryptdescriptor", "\"\" \"tpub...\" \"backup.bin\"")
+            + HelpExampleRpc("decryptdescriptor", "\"base64...\", \"tpub...\"")
+        },
+        [](const RPCMethod& self, const JSONRPCRequest& request) -> UniValue
+{
+    ValidateBackupAndXpubParams(request.params);
+
+    auto backup_result = ReadBackupFromRPCParam(request.params[0], request.params[2]);
+    if (!backup_result) {
+        throw JSONRPCError(RPC_DESERIALIZATION_ERROR, strprintf("Failed to decode backup: %s", util::ErrorString(backup_result).original));
+    }
+
+    auto descriptor = DecryptDescriptorWithXpub(*backup_result, request.params[1].get_str());
+    if (!descriptor) {
+        throw JSONRPCError(RPC_WALLET_ERROR, util::ErrorString(descriptor).original);
+    }
+
+    return *descriptor;
+},
+    };
+}
+
 } // namespace wallet
diff --git a/src/wallet/rpc/wallet.cpp b/src/wallet/rpc/wallet.cpp
index a0c1dd139b2b..3d40a1ccf88d 100644
--- a/src/wallet/rpc/wallet.cpp
+++ b/src/wallet/rpc/wallet.cpp
@@ -861,6 +861,7 @@ RPCMethod listdescriptors();
 RPCMethod backupwallet();
 RPCMethod restorewallet();
 RPCMethod encryptdescriptor();
+RPCMethod decryptdescriptor();
 
 // coins
 RPCMethod getreceivedbyaddress();
@@ -914,6 +915,7 @@ std::span<const CRPCCommand> GetWalletRPCCommands()
         {"wallet", &createwallet},
         {"wallet", &createwalletdescriptor},
         {"wallet", &restorewallet},
+        {"wallet", &decryptdescriptor},
         {"wallet", &encryptdescriptor},
         {"wallet", &encryptwallet},
         {"wallet", &getaddressesbylabel},
diff --git a/src/wallet/test/encrypted_backup_tests.cpp b/src/wallet/test/encrypted_backup_tests.cpp
index 7395ef802a6c..d199cac06c48 100644
--- a/src/wallet/test/encrypted_backup_tests.cpp
+++ b/src/wallet/test/encrypted_backup_tests.cpp
@@ -948,6 +948,113 @@ BOOST_AUTO_TEST_CASE(decode_base64_valid_but_bad_payload_test)
     BOOST_CHECK(!DecodeEncryptedBackupBase64("aGVsbG8gd29ybGQ=")); // "hello world"
 }
 
+BOOST_AUTO_TEST_CASE(decrypt_with_xpub_formats_test)
+{
+    // Test DecryptDescriptorWithXpub with various xpub input formats
+    std::string descriptor = "wpkh([d34db33f/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*)";
+
+    // Create and encode backup
+    auto content = EncryptedBackupContent::Bip(BIP_DESCRIPTORS);
+    std::vector<uint8_t> plaintext(descriptor.begin(), descriptor.end());
+    auto [keys, paths] = *ExtractKeysFromDescriptor(descriptor);
+    auto backup_result = CreateEncryptedBackup(keys, plaintext, content, paths);
+    BOOST_REQUIRE_MESSAGE(backup_result, util::ErrorString(backup_result).original);
+
+    auto encoded = EncodeEncryptedBackup(*backup_result);
+    BOOST_REQUIRE_MESSAGE(encoded, util::ErrorString(encoded).original);
+
+    auto decoded = DecodeEncryptedBackup(*encoded);
+    BOOST_REQUIRE_MESSAGE(decoded, util::ErrorString(decoded).original);
+
+    // Bare tpub (no origin, no derivation path)
+    {
+        auto result = DecryptDescriptorWithXpub(*decoded,
+            "tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba");
+        BOOST_REQUIRE_MESSAGE(result, util::ErrorString(result).original);
+        BOOST_CHECK_EQUAL(*result, descriptor);
+    }
+
+    // With origin
+    {
+        auto result = DecryptDescriptorWithXpub(*decoded,
+            "[d34db33f/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba");
+        BOOST_REQUIRE_MESSAGE(result, util::ErrorString(result).original);
+        BOOST_CHECK_EQUAL(*result, descriptor);
+    }
+
+    // With origin and derivation path
+    {
+        auto result = DecryptDescriptorWithXpub(*decoded,
+            "[d34db33f/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*");
+        BOOST_REQUIRE_MESSAGE(result, util::ErrorString(result).original);
+        BOOST_CHECK_EQUAL(*result, descriptor);
+    }
+
+    // With derivation path only (no origin)
+    {
+        auto result = DecryptDescriptorWithXpub(*decoded,
+            "tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*");
+        BOOST_REQUIRE_MESSAGE(result, util::ErrorString(result).original);
+        BOOST_CHECK_EQUAL(*result, descriptor);
+    }
+
+    // Wrong xpub should fail
+    {
+        auto result = DecryptDescriptorWithXpub(*decoded,
+            "tpubDDxT9mkZzWwkKwpGT5fY6iiM9muYTPkTx6Eig8dpHR7TChuGGCWYAHVmpW1ciido5RiFWwjzYsF1GZHkEHg2nrYp3zNtx3QQRkznyLhQ77x");
+        BOOST_CHECK_MESSAGE(!result, "Decryption should fail with wrong xpub");
+    }
+
+    // Multipath derivation: encrypt a multipath descriptor and decrypt with the multipath xpub form
+    {
+        std::string multipath_descriptor = "wpkh([d34db33f/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/<0;1>/*)";
+        auto [mp_keys, mp_paths] = *ExtractKeysFromDescriptor(multipath_descriptor);
+        std::vector<uint8_t> mp_pt(multipath_descriptor.begin(), multipath_descriptor.end());
+        auto mp_backup = CreateEncryptedBackup(mp_keys, mp_pt, content, mp_paths);
+        BOOST_REQUIRE_MESSAGE(mp_backup, util::ErrorString(mp_backup).original);
+        auto mp_encoded = EncodeEncryptedBackup(*mp_backup);
+        BOOST_REQUIRE_MESSAGE(mp_encoded, util::ErrorString(mp_encoded).original);
+        auto mp_decoded = DecodeEncryptedBackup(*mp_encoded);
+        BOOST_REQUIRE_MESSAGE(mp_decoded, util::ErrorString(mp_decoded).original);
+
+        auto result = DecryptDescriptorWithXpub(*mp_decoded,
+            "tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/<0;1>/*");
+        BOOST_REQUIRE_MESSAGE(result, util::ErrorString(result).original);
+        BOOST_CHECK_EQUAL(*result, multipath_descriptor);
+    }
+}
+
+// ---------- DecryptDescriptorWithXpub error cases ----------
+
+BOOST_AUTO_TEST_CASE(decrypt_xpub_invalid_string_test)
+{
+    std::string descriptor = "wpkh([d34db33f/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*)";
+    auto [keys, paths] = *ExtractKeysFromDescriptor(descriptor);
+    std::vector<uint8_t> pt(descriptor.begin(), descriptor.end());
+    auto content = EncryptedBackupContent::Bip(BIP_DESCRIPTORS);
+    auto backup = CreateEncryptedBackup(keys, pt, content, paths);
+    BOOST_REQUIRE(backup);
+
+    BOOST_CHECK(!DecryptDescriptorWithXpub(*backup, "not-an-xpub"));
+    BOOST_CHECK(!DecryptDescriptorWithXpub(*backup, ""));
+}
+
+BOOST_AUTO_TEST_CASE(decrypt_xpub_content_mismatch_test)
+{
+    // Encrypt with a non-BIP_DESCRIPTORS content type (BIP_LABELS) and verify
+    // DecryptDescriptorWithXpub rejects it because content type isn't descriptors.
+    std::string descriptor = "wpkh([d34db33f/84h/1h/0h]tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba/0/*)";
+    auto [keys, paths] = *ExtractKeysFromDescriptor(descriptor);
+    std::vector<uint8_t> pt{'l', 'a', 'b', 'e', 'l', 's'};
+    auto content = EncryptedBackupContent::Bip(BIP_LABELS);
+    auto backup = CreateEncryptedBackup(keys, pt, content, paths);
+    BOOST_REQUIRE(backup);
+
+    auto result = DecryptDescriptorWithXpub(*backup,
+        "tpubDC5FSnBiZDMmhiuCmWAYsLwgLYrrT9rAqvTySfuCCrgsWz8wxMXUS9Tb9iVMvcRbvFcAHGkMD5Kx8koh4GquNGNTfohfk7pgjhaPCdXpoba");
+    BOOST_CHECK_MESSAGE(!result, "Should fail with content type mismatch");
+}
+
 BOOST_AUTO_TEST_SUITE_END()
 
 } // namespace wallet
diff --git a/test/functional/wallet_encrypted_backup.py b/test/functional/wallet_encrypted_backup.py
index ef056273d6b1..d121a03f6ba1 100755
--- a/test/functional/wallet_encrypted_backup.py
+++ b/test/functional/wallet_encrypted_backup.py
@@ -82,9 +82,73 @@ def test_encryptdescriptor_errors(self):
 
         self.log.info("encryptdescriptor RPC error cases passed!")
 
+    def _xpub_format_variants(self):
+        """Return a list of (label, xpub_form) pairs derived from self.chosen_desc."""
+        m = re.match(r'^[a-z]+\(\[(?P<origin>[^\]]+)\](?P<xpub>[tx]pub[A-Za-z0-9]+)(?P<deriv>/[^)]*)?\)', self.chosen_desc)
+        assert m is not None, f"Failed to parse chosen_desc: {self.chosen_desc}"
+        origin = m.group("origin")
+        xpub = m.group("xpub")
+        deriv = m.group("deriv") or "/0/*"
+        return [
+            ("bare", xpub),
+            ("with_origin", f"[{origin}]{xpub}"),
+            ("with_deriv", f"{xpub}{deriv}"),
+            ("with_origin_and_deriv", f"[{origin}]{xpub}{deriv}"),
+            ("multipath", f"{xpub}/<0;1>/*"),
+        ]
+
+    def test_decryptdescriptor(self):
+        self.log.info("Test decryptdescriptor RPC")
+
+        # Decrypt from base64
+        decrypted = self.nodes[0].decryptdescriptor(self.backup_base64, self.xpub)
+        assert_equal(decrypted, self.chosen_desc)
+
+        # Decrypt from file
+        decrypted_from_file = self.nodes[0].decryptdescriptor("", self.xpub, self.backup_file)
+        assert_equal(decrypted_from_file, self.chosen_desc)
+
+        self.log.info("decryptdescriptor RPC test passed!")
+
+    def test_decryptdescriptor_xpub_formats(self):
+        self.log.info("Test decryptdescriptor xpub format coverage")
+        node = self.nodes[0]
+        for label, x in self._xpub_format_variants():
+            result = node.decryptdescriptor(self.backup_base64, x)
+            assert_equal(result, self.chosen_desc)
+            self.log.info(f"  decryptdescriptor with {label} xpub: OK")
+
+    def test_decryptdescriptor_errors(self):
+        self.log.info("Test decryptdescriptor RPC error cases")
+        node = self.nodes[0]
+        bad_b64 = "not!valid!base64!"
+        valid_b64_bad_payload = base64.b64encode(b"hello world").decode()
+        nonexistent_file = str(node.datadir_path / "does_not_exist.bin")
+        wrong_xpub = "tpubDDxT9mkZzWwkKwpGT5fY6iiM9muYTPkTx6Eig8dpHR7TChuGGCWYAHVmpW1ciido5RiFWwjzYsF1GZHkEHg2nrYp3zNtx3QQRkznyLhQ77x"
+
+        assert_raises_rpc_error(-22, "Failed to decode backup",
+                                node.decryptdescriptor, bad_b64, self.xpub)
+        assert_raises_rpc_error(-22, "Failed to decode backup",
+                                node.decryptdescriptor, valid_b64_bad_payload, self.xpub)
+        assert_raises_rpc_error(-4, "Failed to decrypt",
+                                node.decryptdescriptor, self.backup_base64, wrong_xpub)
+        assert_raises_rpc_error(-4, "Invalid extended public key",
+                                node.decryptdescriptor, self.backup_base64, "garbage-xpub")
+        assert_raises_rpc_error(-8, "Pass either backup or backupfile, but not both",
+                                node.decryptdescriptor, self.backup_base64, self.xpub, self.backup_file)
+        assert_raises_rpc_error(-8, "Pass either backup or backupfile, but not both",
+                                node.decryptdescriptor, "", self.xpub)
+        assert_raises_rpc_error(-22, "Unable to open",
+                                node.decryptdescriptor, "", self.xpub, nonexistent_file)
+
+        self.log.info("decryptdescriptor RPC error cases passed!")
+
     def run_test(self):
         self.test_encryptdescriptor()
         self.test_encryptdescriptor_errors()
+        self.test_decryptdescriptor()
+        self.test_decryptdescriptor_xpub_formats()
+        self.test_decryptdescriptor_errors()
 
 
 if __name__ == '__main__':

From c096923f80152050d78c9d72d398f36c81e64508 Mon Sep 17 00:00:00 2001
From: pythcoiner <pythcoiner@proton.me>
Date: Thu, 16 Apr 2026 00:01:20 -0400
Subject: [PATCH 16/21] rpc: add importencrypteddescriptor RPC

Decrypt a BIP-XXXX encrypted backup and import the descriptor into the
loaded wallet. Requires -rpcwallet. Takes a base64 backup and an
extended public key (xpub/tpub).
---
 src/wallet/rpc/backup.cpp                  | 66 ++++++++++++++++++++++
 src/wallet/rpc/wallet.cpp                  |  2 +
 test/functional/wallet_encrypted_backup.py | 64 +++++++++++++++++++++
 3 files changed, 132 insertions(+)

diff --git a/src/wallet/rpc/backup.cpp b/src/wallet/rpc/backup.cpp
index 20753480f535..719b194236c1 100644
--- a/src/wallet/rpc/backup.cpp
+++ b/src/wallet/rpc/backup.cpp
@@ -798,4 +798,70 @@ RPCMethod decryptdescriptor()
     };
 }
 
+RPCMethod importencrypteddescriptor()
+{
+    return RPCMethod{
+        "importencrypteddescriptor",
+        "Decrypt a BIP-XXXX encrypted backup and import the descriptor into the wallet.\n"
+        "The backup can be provided as a base64 string or read from a binary file via backupfile.\n",
+        {
+            {"backup", RPCArg::Type::STR, RPCArg::Optional::OMITTED, "The base64-encoded encrypted backup (omit if using backupfile)."},
+            {"xpub", RPCArg::Type::STR, RPCArg::Optional::NO, "The extended public key (xpub/tpub) to decrypt with."},
+            {"backupfile", RPCArg::Type::STR, RPCArg::Optional::OMITTED, "If provided, read the raw binary backup from this file instead of the backup parameter."},
+        },
+        RPCResult{RPCResult::Type::STR, "", "The imported descriptor string"},
+        RPCExamples{
+            HelpExampleCli("importencrypteddescriptor", "\"base64...\" \"tpub...\"")
+            + HelpExampleCli("importencrypteddescriptor", "\"\" \"tpub...\" \"backup.bin\"")
+            + HelpExampleRpc("importencrypteddescriptor", "\"base64...\", \"tpub...\"")
+        },
+        [](const RPCMethod& self, const JSONRPCRequest& request) -> UniValue
+{
+    std::shared_ptr<CWallet> const pwallet = GetWalletForJSONRPCRequest(request);
+    if (!pwallet) return UniValue::VNULL;
+
+    ValidateBackupAndXpubParams(request.params);
+
+    // Decode and decrypt
+    auto backup_result = ReadBackupFromRPCParam(request.params[0], request.params[2]);
+    if (!backup_result) {
+        throw JSONRPCError(RPC_DESERIALIZATION_ERROR, strprintf("Failed to decode backup: %s", util::ErrorString(backup_result).original));
+    }
+
+    auto descriptor_result = DecryptDescriptorWithXpub(*backup_result, request.params[1].get_str());
+    if (!descriptor_result) {
+        throw JSONRPCError(RPC_WALLET_ERROR, util::ErrorString(descriptor_result).original);
+    }
+
+    // Parse descriptor
+    std::string descriptor(*descriptor_result);
+    FlatSigningProvider keys;
+    std::string error;
+    auto parsed_descs = Parse(descriptor, keys, error, /*require_checksum=*/true);
+    if (parsed_descs.empty()) {
+        throw JSONRPCError(RPC_INVALID_ADDRESS_OR_KEY, strprintf("Invalid descriptor in backup: %s", error));
+    }
+
+    LOCK(pwallet->cs_wallet);
+
+    for (size_t j = 0; j < parsed_descs.size(); ++j) {
+        auto& parsed_desc = parsed_descs[j];
+        const bool is_range = parsed_desc->IsRange();
+        int64_t range_start = 0;
+        int64_t range_end = is_range ? pwallet->m_keypool_size : 0;
+
+        WalletDescriptor w_desc(std::move(parsed_desc), /*creation_time=*/1, range_start, range_end, /*next_index=*/0);
+
+        bool internal = (parsed_descs.size() == 2 && j == 1);
+        auto spk_manager_res = pwallet->AddWalletDescriptor(w_desc, keys, /*label=*/"", internal);
+        if (!spk_manager_res) {
+            throw JSONRPCError(RPC_WALLET_ERROR, strprintf("Failed to import descriptor: %s", util::ErrorString(spk_manager_res).original));
+        }
+    }
+
+    return UniValue(descriptor);
+},
+    };
+}
+
 } // namespace wallet
diff --git a/src/wallet/rpc/wallet.cpp b/src/wallet/rpc/wallet.cpp
index 3d40a1ccf88d..18daf7cab1c6 100644
--- a/src/wallet/rpc/wallet.cpp
+++ b/src/wallet/rpc/wallet.cpp
@@ -862,6 +862,7 @@ RPCMethod backupwallet();
 RPCMethod restorewallet();
 RPCMethod encryptdescriptor();
 RPCMethod decryptdescriptor();
+RPCMethod importencrypteddescriptor();
 
 // coins
 RPCMethod getreceivedbyaddress();
@@ -930,6 +931,7 @@ std::span<const CRPCCommand> GetWalletRPCCommands()
         {"wallet", &getbalances},
         {"wallet", &getwalletinfo},
         {"wallet", &importdescriptors},
+        {"wallet", &importencrypteddescriptor},
         {"wallet", &importprunedfunds},
         {"wallet", &keypoolrefill},
         {"wallet", &listaddressgroupings},
diff --git a/test/functional/wallet_encrypted_backup.py b/test/functional/wallet_encrypted_backup.py
index d121a03f6ba1..b397bcb40cc9 100755
--- a/test/functional/wallet_encrypted_backup.py
+++ b/test/functional/wallet_encrypted_backup.py
@@ -143,12 +143,76 @@ def test_decryptdescriptor_errors(self):
 
         self.log.info("decryptdescriptor RPC error cases passed!")
 
+    def test_importencrypteddescriptor(self):
+        self.log.info("Test importencrypteddescriptor RPC")
+
+        # Create a blank wallet to import into
+        import_wallet_name = "import_test_wallet"
+        self.nodes[0].createwallet(import_wallet_name, disable_private_keys=True, blank=True)
+        import_wallet = self.nodes[0].get_wallet_rpc(import_wallet_name)
+
+        # Import from base64
+        import_wallet.importencrypteddescriptor(self.backup_base64, self.xpub)
+
+        imported_desc_strs = [d["desc"] for d in import_wallet.listdescriptors()["descriptors"]]
+        assert self.chosen_desc in imported_desc_strs, \
+            f"Descriptor not found in imported wallet. Got: {imported_desc_strs}"
+
+        self.nodes[0].unloadwallet(import_wallet_name)
+
+        # Import from file into another blank wallet
+        import_wallet_name2 = "import_test_wallet_file"
+        self.nodes[0].createwallet(import_wallet_name2, disable_private_keys=True, blank=True)
+        import_wallet2 = self.nodes[0].get_wallet_rpc(import_wallet_name2)
+
+        import_wallet2.importencrypteddescriptor("", self.xpub, self.backup_file)
+
+        imported_desc_strs2 = [d["desc"] for d in import_wallet2.listdescriptors()["descriptors"]]
+        assert self.chosen_desc in imported_desc_strs2
+
+        self.nodes[0].unloadwallet(import_wallet_name2)
+
+        self.log.info("importencrypteddescriptor RPC test passed!")
+
+    def test_importencrypteddescriptor_xpub_formats(self):
+        self.log.info("Test importencrypteddescriptor xpub format coverage")
+        node = self.nodes[0]
+        for i, (label, x) in enumerate(self._xpub_format_variants()):
+            wname = f"xpub_fmt_wallet_{i}"
+            node.createwallet(wname, disable_private_keys=True, blank=True)
+            w = node.get_wallet_rpc(wname)
+            w.importencrypteddescriptor(self.backup_base64, x)
+            descs = [d["desc"] for d in w.listdescriptors()["descriptors"]]
+            assert self.chosen_desc in descs, \
+                f"importencrypteddescriptor with {label} xpub did not import. Got: {descs}"
+            node.unloadwallet(wname)
+            self.log.info(f"  importencrypteddescriptor with {label} xpub: OK")
+
+    def test_importencrypteddescriptor_errors(self):
+        self.log.info("Test importencrypteddescriptor RPC error cases")
+        node = self.nodes[0]
+        bad_b64 = "not!valid!base64!"
+        wrong_xpub = "tpubDDxT9mkZzWwkKwpGT5fY6iiM9muYTPkTx6Eig8dpHR7TChuGGCWYAHVmpW1ciido5RiFWwjzYsF1GZHkEHg2nrYp3zNtx3QQRkznyLhQ77x"
+
+        node.createwallet("import_error_test_wallet", disable_private_keys=True, blank=True)
+        err_wallet = node.get_wallet_rpc("import_error_test_wallet")
+        assert_raises_rpc_error(-4, "Failed to decrypt",
+                                err_wallet.importencrypteddescriptor, self.backup_base64, wrong_xpub)
+        assert_raises_rpc_error(-22, "Failed to decode backup",
+                                err_wallet.importencrypteddescriptor, bad_b64, self.xpub)
+        node.unloadwallet("import_error_test_wallet")
+
+        self.log.info("importencrypteddescriptor RPC error cases passed!")
+
     def run_test(self):
         self.test_encryptdescriptor()
         self.test_encryptdescriptor_errors()
         self.test_decryptdescriptor()
         self.test_decryptdescriptor_xpub_formats()
         self.test_decryptdescriptor_errors()
+        self.test_importencrypteddescriptor()
+        self.test_importencrypteddescriptor_xpub_formats()
+        self.test_importencrypteddescriptor_errors()
 
 
 if __name__ == '__main__':

From 9318afa7f43d5b1a691abe595b9196b50fe2450d Mon Sep 17 00:00:00 2001
From: pythcoiner <pythcoiner@proton.me>
Date: Thu, 16 Apr 2026 00:02:18 -0400
Subject: [PATCH 17/21] rpc: add inspectencryptedbackup RPC

---
 src/wallet/rpc/backup.cpp                  | 57 ++++++++++++++++++++++
 src/wallet/rpc/wallet.cpp                  |  2 +
 test/functional/wallet_encrypted_backup.py | 34 ++++++++++++-
 3 files changed, 92 insertions(+), 1 deletion(-)

diff --git a/src/wallet/rpc/backup.cpp b/src/wallet/rpc/backup.cpp
index 719b194236c1..a87c98b97477 100644
--- a/src/wallet/rpc/backup.cpp
+++ b/src/wallet/rpc/backup.cpp
@@ -864,4 +864,61 @@ RPCMethod importencrypteddescriptor()
     };
 }
 
+RPCMethod inspectencryptedbackup()
+{
+    return RPCMethod{
+        "inspectencryptedbackup",
+        "Show metadata from a BIP-XXXX encrypted descriptor.\n"
+        "The backup can be provided as a base64 string or read from a binary file via backupfile.\n"
+        "No wallet is needed.\n",
+        {
+            {"backup", RPCArg::Type::STR, RPCArg::Optional::OMITTED, "The base64-encoded encrypted backup (omit if using backupfile)."},
+            {"backupfile", RPCArg::Type::STR, RPCArg::Optional::OMITTED, "If provided, read the raw binary backup from this file instead of the backup parameter."},
+        },
+        RPCResult{RPCResult::Type::OBJ, "", "",
+        {
+            {RPCResult::Type::NUM, "version", "Backup format version"},
+            {RPCResult::Type::NUM, "keys", "Number of keys"},
+            {RPCResult::Type::STR, "encryption", "Encryption algorithm"},
+            {RPCResult::Type::ARR, "derivation_paths", "Derivation paths stored in the backup",
+            {
+                {RPCResult::Type::STR, "", "A derivation path"},
+            }},
+        }},
+        RPCExamples{
+            HelpExampleCli("inspectencryptedbackup", "\"base64...\"")
+            + HelpExampleCli("inspectencryptedbackup", "\"\" \"backup.bin\"")
+            + HelpExampleRpc("inspectencryptedbackup", "\"base64...\"")
+        },
+        [](const RPCMethod& self, const JSONRPCRequest& request) -> UniValue
+{
+    auto backup_result = ReadBackupFromRPCParam(request.params[0], request.params[1]);
+    if (!backup_result) {
+        throw JSONRPCError(RPC_DESERIALIZATION_ERROR, strprintf("Failed to decode backup: %s", util::ErrorString(backup_result).original));
+    }
+
+    const EncryptedBackup& backup = *backup_result;
+
+    UniValue result(UniValue::VOBJ);
+    result.pushKV("version", backup.version);
+    result.pushKV("keys", static_cast<int>(backup.individual_secrets.size()));
+
+    std::string enc_str;
+    switch (backup.encryption) {
+        case EncryptionAlgorithm::CHACHA20_POLY1305: enc_str = "ChaCha20-Poly1305"; break;
+        default: enc_str = "unknown"; break;
+    }
+    result.pushKV("encryption", enc_str);
+
+    UniValue paths_arr(UniValue::VARR);
+    for (const auto& path : backup.derivation_paths) {
+        paths_arr.push_back(WriteHDKeypath(path, /*apostrophe=*/true));
+    }
+    result.pushKV("derivation_paths", paths_arr);
+
+    return result;
+},
+    };
+}
+
 } // namespace wallet
diff --git a/src/wallet/rpc/wallet.cpp b/src/wallet/rpc/wallet.cpp
index 18daf7cab1c6..20304b6a2be8 100644
--- a/src/wallet/rpc/wallet.cpp
+++ b/src/wallet/rpc/wallet.cpp
@@ -863,6 +863,7 @@ RPCMethod restorewallet();
 RPCMethod encryptdescriptor();
 RPCMethod decryptdescriptor();
 RPCMethod importencrypteddescriptor();
+RPCMethod inspectencryptedbackup();
 
 // coins
 RPCMethod getreceivedbyaddress();
@@ -933,6 +934,7 @@ std::span<const CRPCCommand> GetWalletRPCCommands()
         {"wallet", &importdescriptors},
         {"wallet", &importencrypteddescriptor},
         {"wallet", &importprunedfunds},
+        {"wallet", &inspectencryptedbackup},
         {"wallet", &keypoolrefill},
         {"wallet", &listaddressgroupings},
         {"wallet", &listdescriptors},
diff --git a/test/functional/wallet_encrypted_backup.py b/test/functional/wallet_encrypted_backup.py
index b397bcb40cc9..bd3822f56fac 100755
--- a/test/functional/wallet_encrypted_backup.py
+++ b/test/functional/wallet_encrypted_backup.py
@@ -2,7 +2,7 @@
 # Copyright (c) 2024-present The Bitcoin Core developers
 # Distributed under the MIT software license, see the accompanying
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
-"""Test the encryptdescriptor, decryptdescriptor, importencrypteddescriptor, and inspectencrypteddescriptor RPCs."""
+"""Test the encryptdescriptor, decryptdescriptor, importencrypteddescriptor, and inspectencryptedbackup RPCs."""
 
 import base64
 import os
@@ -204,6 +204,36 @@ def test_importencrypteddescriptor_errors(self):
 
         self.log.info("importencrypteddescriptor RPC error cases passed!")
 
+    def test_inspectencryptedbackup(self):
+        self.log.info("Test inspectencryptedbackup RPC")
+
+        # Inspect from base64
+        metadata = self.nodes[0].inspectencryptedbackup(self.backup_base64)
+        assert_equal(metadata["version"], 1)
+        assert_equal(metadata["encryption"], "ChaCha20-Poly1305")
+        assert metadata["keys"] >= 1
+
+        # Inspect from file
+        metadata_from_file = self.nodes[0].inspectencryptedbackup("", self.backup_file)
+        assert_equal(metadata_from_file["version"], 1)
+        assert_equal(metadata_from_file["encryption"], "ChaCha20-Poly1305")
+        assert metadata_from_file["keys"] >= 1
+
+        self.log.info("inspectencryptedbackup RPC test passed!")
+
+    def test_inspectencryptedbackup_errors(self):
+        self.log.info("Test inspectencryptedbackup RPC error cases")
+        node = self.nodes[0]
+        bad_b64 = "not!valid!base64!"
+        nonexistent_file = str(node.datadir_path / "does_not_exist.bin")
+
+        assert_raises_rpc_error(-22, "Failed to decode backup",
+                                node.inspectencryptedbackup, bad_b64)
+        assert_raises_rpc_error(-22, "Unable to open",
+                                node.inspectencryptedbackup, "", nonexistent_file)
+
+        self.log.info("inspectencryptedbackup RPC error cases passed!")
+
     def run_test(self):
         self.test_encryptdescriptor()
         self.test_encryptdescriptor_errors()
@@ -213,6 +243,8 @@ def run_test(self):
         self.test_importencrypteddescriptor()
         self.test_importencrypteddescriptor_xpub_formats()
         self.test_importencrypteddescriptor_errors()
+        self.test_inspectencryptedbackup()
+        self.test_inspectencryptedbackup_errors()
 
 
 if __name__ == '__main__':

From 364ba88771691114134d3fd948b93a99f2ab4e8d Mon Sep 17 00:00:00 2001
From: pythcoiner <pythcoiner@proton.me>
Date: Wed, 15 Apr 2026 23:30:41 -0400
Subject: [PATCH 18/21] wallet-tool: add encryptdescriptor command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Stateless command that takes a descriptor string via -descriptor and
encrypts it using the BIP-XXXX encrypted backup format. The plaintext
is the raw descriptor string bytes.

Output is base64 to stdout by default, or raw binary to -backupfile.
No wallet file is loaded — the encryption key is derived from the
public keys in the descriptor itself.

Co-authored-by: Sjors Provoost <sjors@sprovoost.nl>
---
 src/bitcoin-wallet.cpp         |  3 ++
 src/wallet/wallettool.cpp      | 79 ++++++++++++++++++++++++++++
 test/functional/tool_wallet.py | 95 ++++++++++++++++++++++++++++++++++
 3 files changed, 177 insertions(+)

diff --git a/src/bitcoin-wallet.cpp b/src/bitcoin-wallet.cpp
index 9b0136da4c48..941328939611 100644
--- a/src/bitcoin-wallet.cpp
+++ b/src/bitcoin-wallet.cpp
@@ -40,11 +40,14 @@ static void SetupWalletToolArgs(ArgsManager& argsman)
     argsman.AddArg("-dumpfile=<file name>", "When used with 'dump', writes out the records to this file. When used with 'createfromdump', loads the records into a new wallet.", ArgsManager::ALLOW_ANY | ArgsManager::DISALLOW_NEGATION, OptionsCategory::OPTIONS);
     argsman.AddArg("-debug=<category>", "Output debugging information (default: 0).", ArgsManager::ALLOW_ANY, OptionsCategory::DEBUG_TEST);
     argsman.AddArg("-printtoconsole", "Send trace/debug info to console (default: 1 when no -debug is true, 0 otherwise).", ArgsManager::ALLOW_ANY, OptionsCategory::DEBUG_TEST);
+    argsman.AddArg("-descriptor=<descriptor>", "Descriptor string to encrypt (with checksum)", ArgsManager::ALLOW_ANY | ArgsManager::DISALLOW_NEGATION, OptionsCategory::OPTIONS);
+    argsman.AddArg("-backupfile=<file name>", "When used with 'encryptdescriptor', writes the raw binary backup to this file (no base64). When used with 'decryptdescriptor' or 'inspectencrypteddescriptor', reads the raw binary backup from this file.", ArgsManager::ALLOW_ANY | ArgsManager::DISALLOW_NEGATION, OptionsCategory::OPTIONS);
 
     argsman.AddCommand("info", "Get wallet info");
     argsman.AddCommand("create", "Create a new descriptor wallet file");
     argsman.AddCommand("dump", "Print out all of the wallet key-value records");
     argsman.AddCommand("createfromdump", "Create new wallet file from dumped records");
+    argsman.AddCommand("encryptdescriptor", "Encrypt a descriptor string (outputs base64 to stdout, or raw binary to -backupfile)");
 }
 
 static std::optional<int> WalletAppInit(ArgsManager& args, int argc, char* argv[])
diff --git a/src/wallet/wallettool.cpp b/src/wallet/wallettool.cpp
index 7c24c0e1c6ad..1634c320c140 100644
--- a/src/wallet/wallettool.cpp
+++ b/src/wallet/wallettool.cpp
@@ -5,10 +5,13 @@
 #include <wallet/wallettool.h>
 
 #include <common/args.h>
+#include <fstream>
+#include <script/descriptor.h>
 #include <util/check.h>
 #include <util/fs.h>
 #include <util/translation.h>
 #include <wallet/dump.h>
+#include <wallet/encryptedbackup.h>
 #include <wallet/wallet.h>
 #include <wallet/walletutil.h>
 
@@ -97,6 +100,10 @@ bool ExecuteWalletToolFunc(const ArgsManager& args, const std::string& command)
         tfm::format(std::cerr, "The -dumpfile option can only be used with the \"dump\" and \"createfromdump\" commands.\n");
         return false;
     }
+    if (args.IsArgSet("-backupfile") && command != "encryptdescriptor") {
+        tfm::format(std::cerr, "The -backupfile option can only be used with the \"encryptdescriptor\" command.\n");
+        return false;
+    }
     if ((command == "create" || command == "createfromdump") && !args.IsArgSet("-wallet")) {
         tfm::format(std::cerr, "Wallet name must be provided when creating a new wallet.\n");
         return false;
@@ -163,6 +170,78 @@ bool ExecuteWalletToolFunc(const ArgsManager& args, const std::string& command)
             tfm::format(std::cerr, "%s\n", error.original);
         }
         return ret;
+    } else if (command == "encryptdescriptor") {
+        // Encrypt a descriptor string using BIP-XXXX encrypted backup format
+        if (!args.IsArgSet("-descriptor")) {
+            tfm::format(std::cerr, "Descriptor string must be provided via -descriptor for encryptdescriptor.\n");
+            return false;
+        }
+        const std::string descriptor = args.GetArg("-descriptor", "");
+
+        // Validate the descriptor parses and has a checksum
+        FlatSigningProvider keys;
+        std::string parse_error;
+        auto parsed = Parse(descriptor, keys, parse_error, /*require_checksum=*/true);
+        if (parsed.empty()) {
+            tfm::format(std::cerr, "Invalid descriptor: %s\n", parse_error);
+            return false;
+        }
+
+        // Plaintext is the raw descriptor string
+        std::vector<uint8_t> plaintext(descriptor.begin(), descriptor.end());
+
+        auto extract_result = ExtractKeysFromDescriptor(descriptor);
+        if (!extract_result) {
+            tfm::format(std::cerr, "Failed to extract keys: %s\n",
+                        util::ErrorString(extract_result).original);
+            return false;
+        }
+        auto& [encryption_keys, derivation_paths] = *extract_result;
+
+        // Create backup content metadata
+        EncryptedBackupContent content;
+        content.type = ContentType::BIP_NUMBER;
+        content.bip_number = BIP_DESCRIPTORS;
+
+        // Create the encrypted backup
+        auto backup_result = CreateEncryptedBackup(encryption_keys, plaintext, content, derivation_paths);
+        if (!backup_result) {
+            tfm::format(std::cerr, "Failed to create encrypted backup: %s\n",
+                        util::ErrorString(backup_result).original);
+            return false;
+        }
+
+        // If -backupfile is set, write raw binary backup to that file. Otherwise output base64 to stdout.
+        const std::string backup_filename = args.GetArg("-backupfile", "");
+        if (!backup_filename.empty()) {
+            fs::path out_path = fs::absolute(fs::PathFromString(backup_filename));
+            if (fs::exists(out_path)) {
+                tfm::format(std::cerr, "File %s already exists. If you are sure this is what you want, move it out of the way first.\n", fs::PathToString(out_path));
+                return false;
+            }
+            auto binary_backup = EncodeEncryptedBackup(*backup_result);
+            if (!binary_backup) {
+                tfm::format(std::cerr, "Error encoding backup: %s\n", util::ErrorString(binary_backup).original);
+                return false;
+            }
+            std::ofstream out_file(out_path.std_path(), std::ios::binary);
+            if (out_file.fail()) {
+                tfm::format(std::cerr, "Unable to open %s for writing\n", fs::PathToString(out_path));
+                return false;
+            }
+            out_file.write(reinterpret_cast<const char*>(binary_backup->data()), binary_backup->size());
+            if (out_file.fail()) {
+                tfm::format(std::cerr, "Error writing backup to %s\n", fs::PathToString(out_path));
+                return false;
+            }
+        } else {
+            auto base64_backup = EncodeEncryptedBackupBase64(*backup_result);
+            if (!base64_backup) {
+                tfm::format(std::cerr, "Error encoding backup: %s\n", util::ErrorString(base64_backup).original);
+                return false;
+            }
+            tfm::format(std::cout, "%s\n", *base64_backup);
+        }
     } else {
         tfm::format(std::cerr, "Invalid command: %s\n", command);
         return false;
diff --git a/test/functional/tool_wallet.py b/test/functional/tool_wallet.py
index 737aaf54d166..79e4249caf5a 100755
--- a/test/functional/tool_wallet.py
+++ b/test/functional/tool_wallet.py
@@ -431,6 +431,99 @@ def test_no_create_unnamed(self):
         self.assert_raises_tool_error("Wallet name cannot be empty", "-wallet=", "-dumpfile=wallet.dump", "createfromdump")
         assert not (self.nodes[0].wallets_path / "wallet.dat").exists()
 
+    def test_encrypt_descriptor(self):
+        """Test encryptdescriptor command."""
+        self.log.info("Test encryptdescriptor")
+
+        # Create a test wallet to get a descriptor from listdescriptors
+        self.start_node(0)
+        wallet_name = "backup_test_wallet"
+        self.nodes[0].createwallet(wallet_name)
+        wallet = self.nodes[0].get_wallet_rpc(wallet_name)
+
+        # Pick one descriptor to encrypt
+        original_descriptors = wallet.listdescriptors()["descriptors"]
+        chosen_desc = original_descriptors[0]["desc"]
+
+        self.nodes[0].unloadwallet(wallet_name)
+        self.stop_node(0)
+
+        # Encrypt the chosen descriptor
+        self.log.info("Encrypting descriptor...")
+        p = self.bitcoin_wallet_process(f"-descriptor={chosen_desc}", "encryptdescriptor")
+        backup_output, stderr = p.communicate()
+        assert_equal(p.poll(), 0)
+        assert_equal(stderr, "")
+        backup_base64 = backup_output.strip()
+
+        # Verify it's base64 and starts with expected magic when decoded
+        import base64
+        backup_bytes = base64.b64decode(backup_base64)
+        assert backup_bytes[:3] == b"BIP", f"Expected magic 'BIP', got: {backup_bytes[:3]}"
+
+        # Test raw binary backup file roundtrip via -backupfile
+        self.log.info("Testing raw binary backup via -backupfile...")
+        backup_file = self.nodes[0].datadir_path / "backup.bin"
+        assert not backup_file.exists()
+
+        p = self.bitcoin_wallet_process(f"-descriptor={chosen_desc}", f"-backupfile={backup_file}", "encryptdescriptor")
+        _, stderr = p.communicate()
+        assert_equal(p.poll(), 0)
+        assert_equal(stderr, "")
+        assert backup_file.exists()
+
+        # Verify file is raw binary (starts with magic, not base64)
+        raw_bytes = backup_file.read_bytes()
+        assert len(raw_bytes) > 0
+        assert_equal(raw_bytes[:3], b"BIP")
+
+        # Refuse to overwrite existing file
+        self.assert_raises_tool_error(
+            "already exists",
+            f"-descriptor={chosen_desc}", f"-backupfile={backup_file}", "encryptdescriptor",
+        )
+
+        backup_file.unlink()
+
+        self.log.info("encryptdescriptor test passed!")
+
+    def _setup_for_encrypted_backup_errors(self, suffix):
+        """Get a real descriptor + xpub from a fresh wallet, plus a real backup."""
+        import re
+        self.start_node(0)
+        wallet_name = f"err_src_wallet_{suffix}"
+        self.nodes[0].createwallet(wallet_name)
+        wallet = self.nodes[0].get_wallet_rpc(wallet_name)
+        chosen_desc = wallet.listdescriptors()["descriptors"][0]["desc"]
+        xpub = re.search(r'tpub[A-Za-z0-9]+', chosen_desc).group(0)
+        self.nodes[0].unloadwallet(wallet_name)
+        self.stop_node(0)
+        p = self.bitcoin_wallet_process(f"-descriptor={chosen_desc}", "encryptdescriptor")
+        backup_output, _ = p.communicate()
+        assert_equal(p.poll(), 0)
+        return chosen_desc, xpub, backup_output.strip()
+
+    def test_encrypt_descriptor_errors(self):
+        """Test wallet-tool encryptdescriptor error paths."""
+        self.log.info("Test wallet-tool encryptdescriptor error cases")
+        chosen_desc, _, _ = self._setup_for_encrypted_backup_errors("enc")
+
+        # Missing -descriptor
+        self.assert_raises_tool_error("Descriptor string must be provided", "encryptdescriptor")
+        # Invalid/unparseable descriptor
+        self.assert_raises_tool_error("Invalid descriptor",
+                                     "-descriptor=this is not a descriptor", "encryptdescriptor")
+        # File already exists
+        backup_file = self.nodes[0].datadir_path / "err_existing.bin"
+        backup_file.write_bytes(b"placeholder")
+        self.assert_raises_tool_error(
+            "already exists",
+            f"-descriptor={chosen_desc}", f"-backupfile={backup_file}", "encryptdescriptor",
+        )
+        backup_file.unlink()
+
+        self.log.info("wallet-tool encryptdescriptor error cases passed!")
+
     def run_test(self):
         self.wallet_path = self.nodes[0].wallets_path / self.default_wallet_name / self.wallet_data_filename
         self.test_invalid_tool_commands_and_args()
@@ -444,6 +537,8 @@ def run_test(self):
         self.test_dump_very_large_records()
         self.test_no_create_legacy()
         self.test_no_create_unnamed()
+        self.test_encrypt_descriptor()
+        self.test_encrypt_descriptor_errors()
 
 
 if __name__ == '__main__':

From 1d32e682b52256b58fe6c1ec6926cec63b0178f0 Mon Sep 17 00:00:00 2001
From: pythcoiner <pythcoiner@proton.me>
Date: Wed, 15 Apr 2026 23:32:19 -0400
Subject: [PATCH 19/21] wallet-tool: add decryptdescriptor command

Stateless command that takes an encrypted backup (base64 on stdin or
raw binary via -backupfile) and a -pubkey (xpub/tpub), then outputs
the decrypted descriptor string to stdout. No wallet file is loaded.

Co-authored-by: Sjors Provoost <sjors@sprovoost.nl>
---
 src/bitcoin-wallet.cpp         |   2 +
 src/wallet/wallettool.cpp      |  52 ++++++++++++-
 test/functional/tool_wallet.py | 130 +++++++++++++++++++++++++++++++++
 3 files changed, 182 insertions(+), 2 deletions(-)

diff --git a/src/bitcoin-wallet.cpp b/src/bitcoin-wallet.cpp
index 941328939611..fdb05792c953 100644
--- a/src/bitcoin-wallet.cpp
+++ b/src/bitcoin-wallet.cpp
@@ -41,6 +41,7 @@ static void SetupWalletToolArgs(ArgsManager& argsman)
     argsman.AddArg("-debug=<category>", "Output debugging information (default: 0).", ArgsManager::ALLOW_ANY, OptionsCategory::DEBUG_TEST);
     argsman.AddArg("-printtoconsole", "Send trace/debug info to console (default: 1 when no -debug is true, 0 otherwise).", ArgsManager::ALLOW_ANY, OptionsCategory::DEBUG_TEST);
     argsman.AddArg("-descriptor=<descriptor>", "Descriptor string to encrypt (with checksum)", ArgsManager::ALLOW_ANY | ArgsManager::DISALLOW_NEGATION, OptionsCategory::OPTIONS);
+    argsman.AddArg("-xpub=<key>", "Extended public key (xpub/tpub) for decrypting a backup", ArgsManager::ALLOW_ANY | ArgsManager::DISALLOW_NEGATION, OptionsCategory::OPTIONS);
     argsman.AddArg("-backupfile=<file name>", "When used with 'encryptdescriptor', writes the raw binary backup to this file (no base64). When used with 'decryptdescriptor' or 'inspectencrypteddescriptor', reads the raw binary backup from this file.", ArgsManager::ALLOW_ANY | ArgsManager::DISALLOW_NEGATION, OptionsCategory::OPTIONS);
 
     argsman.AddCommand("info", "Get wallet info");
@@ -48,6 +49,7 @@ static void SetupWalletToolArgs(ArgsManager& argsman)
     argsman.AddCommand("dump", "Print out all of the wallet key-value records");
     argsman.AddCommand("createfromdump", "Create new wallet file from dumped records");
     argsman.AddCommand("encryptdescriptor", "Encrypt a descriptor string (outputs base64 to stdout, or raw binary to -backupfile)");
+    argsman.AddCommand("decryptdescriptor", "Decrypt an encrypted backup and output the descriptor string (reads base64 from stdin or raw binary from -backupfile, requires -xpub)");
 }
 
 static std::optional<int> WalletAppInit(ArgsManager& args, int argc, char* argv[])
diff --git a/src/wallet/wallettool.cpp b/src/wallet/wallettool.cpp
index 1634c320c140..e771f9c32479 100644
--- a/src/wallet/wallettool.cpp
+++ b/src/wallet/wallettool.cpp
@@ -18,6 +18,45 @@
 namespace wallet {
 namespace WalletTool {
 
+static util::Result<EncryptedBackup> ReadBackupFromArgsOrStdin(const ArgsManager& args)
+{
+    const std::string backup_filename = args.GetArg("-backupfile", "");
+    if (!backup_filename.empty()) {
+        fs::path in_path = fs::absolute(fs::PathFromString(backup_filename));
+        std::ifstream in_file(in_path.std_path(), std::ios::binary);
+        if (in_file.fail()) {
+            return util::Error{Untranslated(strprintf("Unable to open %s for reading", fs::PathToString(in_path)))};
+        }
+        std::vector<uint8_t> binary_input((std::istreambuf_iterator<char>(in_file)),
+                                          std::istreambuf_iterator<char>());
+        if (binary_input.empty()) {
+            return util::Error{Untranslated(strprintf("Backup file %s is empty.", fs::PathToString(in_path)))};
+        }
+        return DecodeEncryptedBackup(binary_input);
+    }
+    std::string base64_input;
+    std::getline(std::cin, base64_input);
+    if (base64_input.empty()) {
+        return util::Error{Untranslated("No backup data provided on stdin.")};
+    }
+    return DecodeEncryptedBackupBase64(base64_input);
+}
+
+static util::Result<std::string> ReadAndDecryptBackup(const ArgsManager& args)
+{
+    if (!args.IsArgSet("-xpub")) {
+        return util::Error{Untranslated("Extended public key must be provided via -xpub.")};
+    }
+
+    auto backup_result = ReadBackupFromArgsOrStdin(args);
+    if (!backup_result) {
+        return util::Error{util::ErrorString(backup_result)};
+    }
+
+    return DecryptDescriptorWithXpub(*backup_result, args.GetArg("-xpub", ""));
+}
+
+
 // The standard wallet deleter function blocks on the validation interface
 // queue, which doesn't exist for the bitcoin-wallet. Define our own
 // deleter here.
@@ -100,8 +139,8 @@ bool ExecuteWalletToolFunc(const ArgsManager& args, const std::string& command)
         tfm::format(std::cerr, "The -dumpfile option can only be used with the \"dump\" and \"createfromdump\" commands.\n");
         return false;
     }
-    if (args.IsArgSet("-backupfile") && command != "encryptdescriptor") {
-        tfm::format(std::cerr, "The -backupfile option can only be used with the \"encryptdescriptor\" command.\n");
+    if (args.IsArgSet("-backupfile") && command != "encryptdescriptor" && command != "decryptdescriptor") {
+        tfm::format(std::cerr, "The -backupfile option can only be used with the \"encryptdescriptor\" and \"decryptdescriptor\" commands.\n");
         return false;
     }
     if ((command == "create" || command == "createfromdump") && !args.IsArgSet("-wallet")) {
@@ -242,6 +281,15 @@ bool ExecuteWalletToolFunc(const ArgsManager& args, const std::string& command)
             }
             tfm::format(std::cout, "%s\n", *base64_backup);
         }
+    } else if (command == "decryptdescriptor") {
+        // Decrypt an encrypted backup using a provided extended public key
+        auto descriptor = ReadAndDecryptBackup(args);
+        if (!descriptor) {
+            tfm::format(std::cerr, "%s\n", util::ErrorString(descriptor).original);
+            return false;
+        }
+
+        tfm::format(std::cout, "%s\n", *descriptor);
     } else {
         tfm::format(std::cerr, "Invalid command: %s\n", command);
         return false;
diff --git a/test/functional/tool_wallet.py b/test/functional/tool_wallet.py
index 79e4249caf5a..c365959fab45 100755
--- a/test/functional/tool_wallet.py
+++ b/test/functional/tool_wallet.py
@@ -524,6 +524,133 @@ def test_encrypt_descriptor_errors(self):
 
         self.log.info("wallet-tool encryptdescriptor error cases passed!")
 
+    def test_decrypt_descriptor(self):
+        """Test decryptdescriptor command."""
+        self.log.info("Test decryptdescriptor")
+
+        # Create a test wallet to get a descriptor
+        self.start_node(0)
+        wallet_name = "decrypt_test_wallet"
+        self.nodes[0].createwallet(wallet_name)
+        wallet = self.nodes[0].get_wallet_rpc(wallet_name)
+
+        # Pick one descriptor to encrypt then decrypt
+        original_descriptors = wallet.listdescriptors()["descriptors"]
+        chosen_desc = original_descriptors[0]["desc"]
+
+        # Extract an xpub from the descriptor for decryption
+        import re
+        xpub_match = re.search(r'tpub[A-Za-z0-9]+', chosen_desc)
+        assert xpub_match, "Could not find tpub in descriptor"
+        xpub_for_decrypt = xpub_match.group(0)
+
+        self.nodes[0].unloadwallet(wallet_name)
+        self.stop_node(0)
+
+        # Encrypt
+        self.log.info("Encrypting descriptor...")
+        p = self.bitcoin_wallet_process(f"-descriptor={chosen_desc}", "encryptdescriptor")
+        backup_output, stderr = p.communicate()
+        assert_equal(p.poll(), 0)
+        backup_base64 = backup_output.strip()
+
+        # Decrypt using xpub
+        self.log.info("Decrypting backup using xpub...")
+        p = self.bitcoin_wallet_process(f"-xpub={xpub_for_decrypt}", "decryptdescriptor")
+        decrypted_output, stderr = p.communicate(input=backup_base64)
+        assert_equal(p.poll(), 0)
+
+        # Output should be the raw descriptor string
+        decrypted_desc = decrypted_output.strip()
+        assert_equal(decrypted_desc, chosen_desc)
+
+        # Test decrypt from -backupfile
+        self.log.info("Testing decrypt from -backupfile...")
+        backup_file = self.nodes[0].datadir_path / "decrypt_test.bin"
+        p = self.bitcoin_wallet_process(f"-descriptor={chosen_desc}", f"-backupfile={backup_file}", "encryptdescriptor")
+        p.communicate()
+        assert_equal(p.poll(), 0)
+
+        p = self.bitcoin_wallet_process(f"-xpub={xpub_for_decrypt}", f"-backupfile={backup_file}", "decryptdescriptor")
+        decrypted_output, stderr = p.communicate()
+        assert_equal(p.poll(), 0)
+        assert_equal(decrypted_output.strip(), chosen_desc)
+
+        backup_file.unlink()
+
+        self.log.info("decryptdescriptor test passed!")
+
+    def test_decrypt_descriptor_xpub_formats(self):
+        """Verify wallet-tool decryptdescriptor accepts each xpub form."""
+        import re
+        self.log.info("Test wallet-tool decryptdescriptor xpub format coverage")
+
+        self.start_node(0)
+        wallet_name = "xpub_fmt_src_wallet"
+        self.nodes[0].createwallet(wallet_name)
+        wallet = self.nodes[0].get_wallet_rpc(wallet_name)
+        chosen_desc = wallet.listdescriptors()["descriptors"][0]["desc"]
+        self.nodes[0].unloadwallet(wallet_name)
+        self.stop_node(0)
+
+        m = re.match(r'^[a-z]+\(\[(?P<origin>[^\]]+)\](?P<xpub>[tx]pub[A-Za-z0-9]+)(?P<deriv>/[^)]*)?\)', chosen_desc)
+        assert m is not None, f"Failed to parse chosen_desc: {chosen_desc}"
+        origin = m.group("origin")
+        xpub = m.group("xpub")
+        deriv = m.group("deriv") or "/0/*"
+
+        forms = {
+            "bare": xpub,
+            "with_origin": f"[{origin}]{xpub}",
+            "with_deriv": f"{xpub}{deriv}",
+            "with_origin_and_deriv": f"[{origin}]{xpub}{deriv}",
+            "multipath": f"{xpub}/<0;1>/*",
+        }
+
+        p = self.bitcoin_wallet_process(f"-descriptor={chosen_desc}", "encryptdescriptor")
+        backup_output, _ = p.communicate()
+        assert_equal(p.poll(), 0)
+        backup_base64 = backup_output.strip()
+
+        for label, x in forms.items():
+            p = self.bitcoin_wallet_process(f"-xpub={x}", "decryptdescriptor")
+            out, _ = p.communicate(input=backup_base64)
+            assert_equal(p.poll(), 0)
+            assert_equal(out.strip(), chosen_desc)
+            self.log.info(f"  decryptdescriptor with {label} xpub: OK")
+
+    def test_decrypt_descriptor_errors(self):
+        """Test wallet-tool decryptdescriptor error paths."""
+        self.log.info("Test wallet-tool decryptdescriptor error cases")
+        _, xpub, backup_base64 = self._setup_for_encrypted_backup_errors("dec")
+        wrong_xpub = "tpubDDxT9mkZzWwkKwpGT5fY6iiM9muYTPkTx6Eig8dpHR7TChuGGCWYAHVmpW1ciido5RiFWwjzYsF1GZHkEHg2nrYp3zNtx3QQRkznyLhQ77x"
+
+        # Missing -xpub
+        p = self.bitcoin_wallet_process("decryptdescriptor")
+        _, stderr = p.communicate(input=backup_base64)
+        assert_equal(p.poll(), 1)
+        assert "Extended public key must be provided" in stderr
+
+        # Wrong xpub
+        p = self.bitcoin_wallet_process(f"-xpub={wrong_xpub}", "decryptdescriptor")
+        _, stderr = p.communicate(input=backup_base64)
+        assert_equal(p.poll(), 1)
+        assert "Failed to decrypt" in stderr
+
+        # Empty stdin
+        p = self.bitcoin_wallet_process(f"-xpub={xpub}", "decryptdescriptor")
+        _, stderr = p.communicate(input="")
+        assert_equal(p.poll(), 1)
+        assert "No backup data provided on stdin" in stderr
+
+        # Garbage stdin (not base64)
+        p = self.bitcoin_wallet_process(f"-xpub={xpub}", "decryptdescriptor")
+        _, stderr = p.communicate(input="not-valid-base64!!!")
+        assert_equal(p.poll(), 1)
+        assert stderr.strip() != ""
+
+        self.log.info("wallet-tool decryptdescriptor error cases passed!")
+
     def run_test(self):
         self.wallet_path = self.nodes[0].wallets_path / self.default_wallet_name / self.wallet_data_filename
         self.test_invalid_tool_commands_and_args()
@@ -539,6 +666,9 @@ def run_test(self):
         self.test_no_create_unnamed()
         self.test_encrypt_descriptor()
         self.test_encrypt_descriptor_errors()
+        self.test_decrypt_descriptor()
+        self.test_decrypt_descriptor_xpub_formats()
+        self.test_decrypt_descriptor_errors()
 
 
 if __name__ == '__main__':

From b9ede35252105c7a151a95ad788331a460bee2b3 Mon Sep 17 00:00:00 2001
From: pythcoiner <pythcoiner@proton.me>
Date: Wed, 15 Apr 2026 23:34:08 -0400
Subject: [PATCH 20/21] wallet-tool: add importencrypteddescriptor command

Decrypt an encrypted backup and import the descriptor into an existing
wallet file. Requires -wallet, -pubkey, and backup data (base64 on
stdin or raw binary via -backupfile).

Also extracts ReadBackupFromArgsOrStdin() helper to avoid duplicating
the backup-reading logic across decrypt/import/inspect commands.
---
 src/bitcoin-wallet.cpp         |  1 +
 src/wallet/wallettool.cpp      | 61 ++++++++++++++++++++++--
 test/functional/tool_wallet.py | 85 ++++++++++++++++++++++++++++++++++
 3 files changed, 144 insertions(+), 3 deletions(-)

diff --git a/src/bitcoin-wallet.cpp b/src/bitcoin-wallet.cpp
index fdb05792c953..ab5c42851fdf 100644
--- a/src/bitcoin-wallet.cpp
+++ b/src/bitcoin-wallet.cpp
@@ -50,6 +50,7 @@ static void SetupWalletToolArgs(ArgsManager& argsman)
     argsman.AddCommand("createfromdump", "Create new wallet file from dumped records");
     argsman.AddCommand("encryptdescriptor", "Encrypt a descriptor string (outputs base64 to stdout, or raw binary to -backupfile)");
     argsman.AddCommand("decryptdescriptor", "Decrypt an encrypted backup and output the descriptor string (reads base64 from stdin or raw binary from -backupfile, requires -xpub)");
+    argsman.AddCommand("importencrypteddescriptor", "Decrypt an encrypted backup and import the descriptor into a wallet (requires -wallet, -xpub; reads base64 from stdin or raw binary from -backupfile)");
 }
 
 static std::optional<int> WalletAppInit(ArgsManager& args, int argc, char* argv[])
diff --git a/src/wallet/wallettool.cpp b/src/wallet/wallettool.cpp
index e771f9c32479..58ff8da0c6aa 100644
--- a/src/wallet/wallettool.cpp
+++ b/src/wallet/wallettool.cpp
@@ -56,7 +56,6 @@ static util::Result<std::string> ReadAndDecryptBackup(const ArgsManager& args)
     return DecryptDescriptorWithXpub(*backup_result, args.GetArg("-xpub", ""));
 }
 
-
 // The standard wallet deleter function blocks on the validation interface
 // queue, which doesn't exist for the bitcoin-wallet. Define our own
 // deleter here.
@@ -139,8 +138,8 @@ bool ExecuteWalletToolFunc(const ArgsManager& args, const std::string& command)
         tfm::format(std::cerr, "The -dumpfile option can only be used with the \"dump\" and \"createfromdump\" commands.\n");
         return false;
     }
-    if (args.IsArgSet("-backupfile") && command != "encryptdescriptor" && command != "decryptdescriptor") {
-        tfm::format(std::cerr, "The -backupfile option can only be used with the \"encryptdescriptor\" and \"decryptdescriptor\" commands.\n");
+    if (args.IsArgSet("-backupfile") && command != "encryptdescriptor" && command != "decryptdescriptor" && command != "importencrypteddescriptor") {
+        tfm::format(std::cerr, "The -backupfile option can only be used with the \"encryptdescriptor\", \"decryptdescriptor\" and \"importencrypteddescriptor\" commands.\n");
         return false;
     }
     if ((command == "create" || command == "createfromdump") && !args.IsArgSet("-wallet")) {
@@ -290,6 +289,62 @@ bool ExecuteWalletToolFunc(const ArgsManager& args, const std::string& command)
         }
 
         tfm::format(std::cout, "%s\n", *descriptor);
+    } else if (command == "importencrypteddescriptor") {
+        // Decrypt an encrypted backup and import the descriptor into a wallet
+        if (!args.IsArgSet("-wallet")) {
+            tfm::format(std::cerr, "Wallet name must be provided for importencrypteddescriptor.\n");
+            return false;
+        }
+
+        auto descriptor_result = ReadAndDecryptBackup(args);
+        if (!descriptor_result) {
+            tfm::format(std::cerr, "%s\n", util::ErrorString(descriptor_result).original);
+            return false;
+        }
+
+        // Parse the decrypted descriptor string
+        std::string descriptor(*descriptor_result);
+        FlatSigningProvider keys;
+        std::string parse_error;
+        auto parsed_descs = Parse(descriptor, keys, parse_error, /*require_checksum=*/true);
+        if (parsed_descs.empty()) {
+            tfm::format(std::cerr, "Invalid descriptor in backup: %s\n", parse_error);
+            return false;
+        }
+
+        // Load the target wallet
+        DatabaseOptions options;
+        ReadDatabaseArgs(args, options);
+        options.require_existing = true;
+        const std::shared_ptr<CWallet> wallet_instance = MakeWallet(name, path, options);
+        if (!wallet_instance) {
+            tfm::format(std::cerr, "Unable to load wallet \"%s\" for importencrypteddescriptor.\n", name);
+            return false;
+        }
+
+        LOCK(wallet_instance->cs_wallet);
+
+        // Import each sub-descriptor (multipath descriptors may produce multiple)
+        for (size_t j = 0; j < parsed_descs.size(); ++j) {
+            auto& parsed_desc = parsed_descs[j];
+            const bool is_range = parsed_desc->IsRange();
+            int64_t range_start = 0;
+            int64_t range_end = is_range ? wallet_instance->m_keypool_size : 0;
+
+            WalletDescriptor w_desc(std::move(parsed_desc), /*creation_time=*/1, range_start, range_end, /*next_index=*/0);
+
+            bool internal = (parsed_descs.size() == 2 && j == 1);
+            auto spk_manager_res = wallet_instance->AddWalletDescriptor(w_desc, keys, /*label=*/"", internal);
+            if (!spk_manager_res) {
+                tfm::format(std::cerr, "Failed to import descriptor: %s\n",
+                            util::ErrorString(spk_manager_res).original);
+                wallet_instance->Close();
+                return false;
+            }
+        }
+
+        tfm::format(std::cout, "Descriptor imported successfully into wallet \"%s\".\n", name);
+        wallet_instance->Close();
     } else {
         tfm::format(std::cerr, "Invalid command: %s\n", command);
         return false;
diff --git a/test/functional/tool_wallet.py b/test/functional/tool_wallet.py
index c365959fab45..e8979d13e327 100755
--- a/test/functional/tool_wallet.py
+++ b/test/functional/tool_wallet.py
@@ -651,6 +651,89 @@ def test_decrypt_descriptor_errors(self):
 
         self.log.info("wallet-tool decryptdescriptor error cases passed!")
 
+    def test_import_encrypted_descriptor(self):
+        """Test importencrypteddescriptor command."""
+        self.log.info("Test importencrypteddescriptor")
+
+        # Create a source wallet and pick a descriptor
+        self.start_node(0)
+        src_wallet_name = "import_src_wallet"
+        self.nodes[0].createwallet(src_wallet_name)
+        src_wallet = self.nodes[0].get_wallet_rpc(src_wallet_name)
+
+        original_descriptors = src_wallet.listdescriptors()["descriptors"]
+        chosen_desc = original_descriptors[0]["desc"]
+
+        import re
+        xpub_match = re.search(r'tpub[A-Za-z0-9]+', chosen_desc)
+        assert xpub_match, "Could not find tpub in descriptor"
+        xpub_for_decrypt = xpub_match.group(0)
+
+        self.nodes[0].unloadwallet(src_wallet_name)
+        self.stop_node(0)
+
+        # Encrypt the descriptor
+        p = self.bitcoin_wallet_process(f"-descriptor={chosen_desc}", "encryptdescriptor")
+        backup_output, stderr = p.communicate()
+        assert_equal(p.poll(), 0)
+        backup_base64 = backup_output.strip()
+
+        # Create a blank wallet to import into
+        import_wallet_name = "import_dest_wallet"
+        self.bitcoin_wallet_process(f"-wallet={import_wallet_name}", "create").communicate()
+
+        # Import via importencrypteddescriptor
+        self.log.info("Importing encrypted descriptor into wallet...")
+        p = self.bitcoin_wallet_process(
+            f"-wallet={import_wallet_name}", f"-xpub={xpub_for_decrypt}",
+            "importencrypteddescriptor")
+        import_output, stderr = p.communicate(input=backup_base64)
+        if p.poll() != 0:
+            self.log.error(f"importencrypteddescriptor failed: stderr={stderr}, stdout={import_output}")
+        assert_equal(p.poll(), 0)
+        assert "imported successfully" in import_output
+
+        # Verify the descriptor was imported
+        self.start_node(0)
+        self.nodes[0].loadwallet(import_wallet_name)
+        imported_wallet = self.nodes[0].get_wallet_rpc(import_wallet_name)
+        imported_descriptors = imported_wallet.listdescriptors()["descriptors"]
+        imported_desc_strs = [d["desc"] for d in imported_descriptors]
+
+        assert chosen_desc in imported_desc_strs, \
+            f"Descriptor {chosen_desc} not found in imported wallet. Got: {imported_desc_strs}"
+
+        self.nodes[0].unloadwallet(import_wallet_name)
+        self.stop_node(0)
+
+        self.log.info("importencrypteddescriptor test passed!")
+
+    def test_import_encrypted_descriptor_errors(self):
+        """Test wallet-tool importencrypteddescriptor error paths."""
+        self.log.info("Test wallet-tool importencrypteddescriptor error cases")
+        _, xpub, backup_base64 = self._setup_for_encrypted_backup_errors("imp")
+
+        # Missing -wallet
+        p = self.bitcoin_wallet_process(f"-xpub={xpub}", "importencrypteddescriptor")
+        _, stderr = p.communicate(input=backup_base64)
+        assert_equal(p.poll(), 1)
+        assert "Wallet name must be provided" in stderr
+
+        # Missing -xpub
+        p = self.bitcoin_wallet_process("-wallet=nonexistent_wallet", "importencrypteddescriptor")
+        _, stderr = p.communicate(input=backup_base64)
+        assert_equal(p.poll(), 1)
+        assert "Extended public key must be provided" in stderr
+
+        # Nonexistent wallet
+        p = self.bitcoin_wallet_process(
+            "-wallet=nonexistent_wallet_xyz", f"-xpub={xpub}", "importencrypteddescriptor")
+        _, stderr = p.communicate(input=backup_base64)
+        assert_equal(p.poll(), 1)
+        assert stderr.strip() != ""
+
+        self.log.info("wallet-tool importencrypteddescriptor error cases passed!")
+
     def run_test(self):
         self.wallet_path = self.nodes[0].wallets_path / self.default_wallet_name / self.wallet_data_filename
         self.test_invalid_tool_commands_and_args()
@@ -669,6 +752,8 @@ def run_test(self):
         self.test_decrypt_descriptor()
         self.test_decrypt_descriptor_xpub_formats()
         self.test_decrypt_descriptor_errors()
+        self.test_import_encrypted_descriptor()
+        self.test_import_encrypted_descriptor_errors()
 
 
 if __name__ == '__main__':

From 10fa834ee8c553213a4e2d476dc42f561b6abcd2 Mon Sep 17 00:00:00 2001
From: pythcoiner <pythcoiner@proton.me>
Date: Wed, 14 Jan 2026 15:36:16 +0100
Subject: [PATCH 21/21] wallet-tool: add inspectencryptedbackup command

Co-authored-by: Sjors Provoost <sjors@sprovoost.nl>
---
 src/CMakeLists.txt             |  2 ++
 src/bitcoin-wallet.cpp         |  3 ++-
 src/wallet/wallettool.cpp      | 38 +++++++++++++++++++++++++++++++--
 test/functional/tool_wallet.py | 39 ++++++++++++++++++++++++++++++++++
 4 files changed, 79 insertions(+), 3 deletions(-)

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index b37f3c8ca5cf..3ecbaf8693ec 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -168,6 +168,8 @@ if(ENABLE_WALLET)
       bitcoin_wallet
       bitcoin_common
       bitcoin_util
+      univalue
+      Boost::headers
     )
     install_binary_component(bitcoin-wallet HAS_MANPAGE)
   endif()
diff --git a/src/bitcoin-wallet.cpp b/src/bitcoin-wallet.cpp
index ab5c42851fdf..01201b87726b 100644
--- a/src/bitcoin-wallet.cpp
+++ b/src/bitcoin-wallet.cpp
@@ -42,7 +42,7 @@ static void SetupWalletToolArgs(ArgsManager& argsman)
     argsman.AddArg("-printtoconsole", "Send trace/debug info to console (default: 1 when no -debug is true, 0 otherwise).", ArgsManager::ALLOW_ANY, OptionsCategory::DEBUG_TEST);
     argsman.AddArg("-descriptor=<descriptor>", "Descriptor string to encrypt (with checksum)", ArgsManager::ALLOW_ANY | ArgsManager::DISALLOW_NEGATION, OptionsCategory::OPTIONS);
     argsman.AddArg("-xpub=<key>", "Extended public key (xpub/tpub) for decrypting a backup", ArgsManager::ALLOW_ANY | ArgsManager::DISALLOW_NEGATION, OptionsCategory::OPTIONS);
-    argsman.AddArg("-backupfile=<file name>", "When used with 'encryptdescriptor', writes the raw binary backup to this file (no base64). When used with 'decryptdescriptor' or 'inspectencrypteddescriptor', reads the raw binary backup from this file.", ArgsManager::ALLOW_ANY | ArgsManager::DISALLOW_NEGATION, OptionsCategory::OPTIONS);
+    argsman.AddArg("-backupfile=<file name>", "When used with 'encryptdescriptor', writes the raw binary backup to this file (no base64). When used with 'decryptdescriptor' or 'inspectencryptedbackup', reads the raw binary backup from this file.", ArgsManager::ALLOW_ANY | ArgsManager::DISALLOW_NEGATION, OptionsCategory::OPTIONS);
 
     argsman.AddCommand("info", "Get wallet info");
     argsman.AddCommand("create", "Create a new descriptor wallet file");
@@ -51,6 +51,7 @@ static void SetupWalletToolArgs(ArgsManager& argsman)
     argsman.AddCommand("encryptdescriptor", "Encrypt a descriptor string (outputs base64 to stdout, or raw binary to -backupfile)");
     argsman.AddCommand("decryptdescriptor", "Decrypt an encrypted backup and output the descriptor string (reads base64 from stdin or raw binary from -backupfile, requires -xpub)");
     argsman.AddCommand("importencrypteddescriptor", "Decrypt an encrypted backup and import the descriptor into a wallet (requires -wallet, -xpub; reads base64 from stdin or raw binary from -backupfile)");
+    argsman.AddCommand("inspectencryptedbackup", "Show metadata from an encrypted backup (reads base64 from stdin or raw binary from -backupfile)");
 }
 
 static std::optional<int> WalletAppInit(ArgsManager& args, int argc, char* argv[])
diff --git a/src/wallet/wallettool.cpp b/src/wallet/wallettool.cpp
index 58ff8da0c6aa..2541ea076864 100644
--- a/src/wallet/wallettool.cpp
+++ b/src/wallet/wallettool.cpp
@@ -7,6 +7,8 @@
 #include <common/args.h>
 #include <fstream>
 #include <script/descriptor.h>
+#include <univalue.h>
+#include <util/bip32.h>
 #include <util/check.h>
 #include <util/fs.h>
 #include <util/translation.h>
@@ -138,8 +140,8 @@ bool ExecuteWalletToolFunc(const ArgsManager& args, const std::string& command)
         tfm::format(std::cerr, "The -dumpfile option can only be used with the \"dump\" and \"createfromdump\" commands.\n");
         return false;
     }
-    if (args.IsArgSet("-backupfile") && command != "encryptdescriptor" && command != "decryptdescriptor" && command != "importencrypteddescriptor") {
-        tfm::format(std::cerr, "The -backupfile option can only be used with the \"encryptdescriptor\", \"decryptdescriptor\" and \"importencrypteddescriptor\" commands.\n");
+    if (args.IsArgSet("-backupfile") && command != "encryptdescriptor" && command != "decryptdescriptor" && command != "importencrypteddescriptor" && command != "inspectencryptedbackup") {
+        tfm::format(std::cerr, "The -backupfile option can only be used with the \"encryptdescriptor\", \"decryptdescriptor\", \"importencrypteddescriptor\", and \"inspectencryptedbackup\" commands.\n");
         return false;
     }
     if ((command == "create" || command == "createfromdump") && !args.IsArgSet("-wallet")) {
@@ -345,6 +347,38 @@ bool ExecuteWalletToolFunc(const ArgsManager& args, const std::string& command)
 
         tfm::format(std::cout, "Descriptor imported successfully into wallet \"%s\".\n", name);
         wallet_instance->Close();
+    } else if (command == "inspectencryptedbackup") {
+        // Show unencrypted metadata from a backup
+        auto backup_result = ReadBackupFromArgsOrStdin(args);
+        if (!backup_result) {
+            tfm::format(std::cerr, "Failed to decode backup: %s\n",
+                        util::ErrorString(backup_result).original);
+            return false;
+        }
+
+        const EncryptedBackup& backup = *backup_result;
+
+        // Output metadata as JSON (only unencrypted header fields)
+        UniValue result(UniValue::VOBJ);
+        result.pushKV("version", backup.version);
+        result.pushKV("keys", static_cast<int>(backup.individual_secrets.size()));
+
+        // Encryption algorithm
+        std::string enc_str;
+        switch (backup.encryption) {
+            case EncryptionAlgorithm::CHACHA20_POLY1305: enc_str = "ChaCha20-Poly1305"; break;
+            default: enc_str = "unknown"; break;
+        }
+        result.pushKV("encryption", enc_str);
+
+        // Derivation paths
+        UniValue paths_arr(UniValue::VARR);
+        for (const auto& path : backup.derivation_paths) {
+            paths_arr.push_back(WriteHDKeypath(path, /*apostrophe=*/true));
+        }
+        result.pushKV("derivation_paths", paths_arr);
+
+        tfm::format(std::cout, "%s\n", result.write(2));
     } else {
         tfm::format(std::cerr, "Invalid command: %s\n", command);
         return false;
diff --git a/test/functional/tool_wallet.py b/test/functional/tool_wallet.py
index e8979d13e327..9889f766656a 100755
--- a/test/functional/tool_wallet.py
+++ b/test/functional/tool_wallet.py
@@ -461,6 +461,17 @@ def test_encrypt_descriptor(self):
         backup_bytes = base64.b64decode(backup_base64)
         assert backup_bytes[:3] == b"BIP", f"Expected magic 'BIP', got: {backup_bytes[:3]}"
 
+        # Test inspectencryptedbackup on the base64 backup
+        self.log.info("Testing inspectencryptedbackup command...")
+        import json
+        p = self.bitcoin_wallet_process("inspectencryptedbackup")
+        inspect_output, stderr = p.communicate(input=backup_base64)
+        assert_equal(p.poll(), 0)
+        metadata = json.loads(inspect_output)
+        assert_equal(metadata["version"], 1)
+        assert_equal(metadata["encryption"], "ChaCha20-Poly1305")
+        assert metadata["keys"] >= 1
+
         # Test raw binary backup file roundtrip via -backupfile
         self.log.info("Testing raw binary backup via -backupfile...")
         backup_file = self.nodes[0].datadir_path / "backup.bin"
@@ -483,6 +494,15 @@ def test_encrypt_descriptor(self):
             f"-descriptor={chosen_desc}", f"-backupfile={backup_file}", "encryptdescriptor",
         )
 
+        # Inspect from file using -backupfile
+        p = self.bitcoin_wallet_process(f"-backupfile={backup_file}", "inspectencryptedbackup")
+        inspect_output, stderr = p.communicate()
+        assert_equal(p.poll(), 0)
+        metadata_from_file = json.loads(inspect_output)
+        assert_equal(metadata_from_file["version"], 1)
+        assert_equal(metadata_from_file["encryption"], "ChaCha20-Poly1305")
+        assert metadata_from_file["keys"] >= 1
+
         backup_file.unlink()
 
         self.log.info("encryptdescriptor test passed!")
@@ -734,6 +754,24 @@ def test_import_encrypted_descriptor_errors(self):
 
         self.log.info("wallet-tool importencrypteddescriptor error cases passed!")
 
+    def test_inspect_encrypted_backup_errors(self):
+        """Test wallet-tool inspectencryptedbackup error paths."""
+        self.log.info("Test wallet-tool inspectencryptedbackup error cases")
+
+        # Empty stdin
+        p = self.bitcoin_wallet_process("inspectencryptedbackup")
+        _, stderr = p.communicate(input="")
+        assert_equal(p.poll(), 1)
+        assert "No backup data provided on stdin" in stderr
+
+        # Garbage stdin
+        p = self.bitcoin_wallet_process("inspectencryptedbackup")
+        _, stderr = p.communicate(input="not-valid-base64!!!")
+        assert_equal(p.poll(), 1)
+        assert stderr.strip() != ""
+
+        self.log.info("wallet-tool inspectencryptedbackup error cases passed!")
+
     def run_test(self):
         self.wallet_path = self.nodes[0].wallets_path / self.default_wallet_name / self.wallet_data_filename
         self.test_invalid_tool_commands_and_args()
@@ -754,6 +792,7 @@ def run_test(self):
         self.test_decrypt_descriptor_errors()
         self.test_import_encrypted_descriptor()
         self.test_import_encrypted_descriptor_errors()
+        self.test_inspect_encrypted_backup_errors()
 
 
 if __name__ == '__main__':