Topic: SEED storage on digital media. (Read 286 times)

Well, this is highly, highly unbelievable scenario to happen,  nevertheless I have took it seriously and to prevent it I will buy in the nearest future  USB tester to control voltage on D+ and D- lines. Have seen this stuff recently  on Amazon, the price around $50 is not to worry about. Thanks.

P.S. In this scenario applied to my setup, USB pens with Tails would get damage   first, rather than HW pgp keys.




Should USB replaced by new interface my private pgp key can be easily ported. HW is just a holder of that key.

BTW, two of my HW keys have NFC interface alongside with USB.  

Let's say a very bad case of bad luck and every time and every laptop you try to use to read any of those USB key it breaks them. What then? How confident would you feel when the second one is already broken and you still didn't manage to make more backups? Yes, I know, it's extreme... Still, I recommend some physical means too as backup.

We are in 2024. USB is still widely used, but various flavors tend to change the trend. I would not be surprised if in 10 years already the USB port will not look like now. I expect USBC, for example for the port. Plus: 25 years ago CD/DVD was a thing, now it's no more; are you sure your kids or nephews will know - when the time comes - what to do with an USB stick? Will you be sharp enough in 20-30 years to change the storage (from USB stick) to something that will be then "in trends"?

I will only add this Star Trek classic: https://www.youtube.com/watch?v=hShY6xZWVGE

Really intrigued because those keys are crucial for my guarding system.  What may be wrong with HW  keys that hold my pgp secret? Don't say about physical damage. Should this happens with any  key it can be easily replaced. In fact their quantity can be increased at any time but I don't see the need for keeping more than three keys  at the moment.



You can guess yourself  

While I don't fully agree with your trust in the USB keys (even if they're 3 of them), I do think that this "inheritance model" is better than the lock time approach.

Are we indeed talking about a significant amount that deserves the hassle of paid legal service, or are you talking about a hypothetical future scenario? (Clearly, you don't have to answer me on this, it's something you have to think/answer to yourself, you know..)

Lock-time transactions for inheritance is awkward stuff in my view as they required a constant renewal while you alive. Besides, any legitimate inheritance plan must contain the legal  strand.

In my case, the relevant flash drives, PIN to HW pgp keys and detailed instruction will be handed over to heir by me in person,  while he will get the envelope with those physical pgp keys  from representatives of the legal service I have contracted with.

I know you are very technical man, more than me, and I believe you knew about these risk very well. There are public cases like CEO of an exchange years ago suddenly died and he is the only one who control treasury of that exchange. Maybe more cases like this, I could not remember them all, from business level to family or individual level.

With individuals, they can learn from Hal Finney who has a chronic disease and prepare for his wife to inherit his Bitcoin private keys and bitcoins. You can do the same for ones you love, wife/ husbands, children, ...

[1] Crypto CEO dies holding the only passwords that can unlock millions in customer coins
[2] Quadriga CEO's widow speaks out over his death and the missing crypto millions
[3] Bitcoin and me (Hal Finney)
[4] Using Locktime for inheritance planning, backups or gifts

Yeah, I know that they can may break down. That is why I'm testing each of my cloned flash drive regularly on the month bases. It's highly unlikely that all three will fail simultaneously  because of poor workmanship, thus if  any of them  were noticed as corrupted it  could be replaced by other clone.



Agreed, this is the weakness of human being whose  memory is vulnerable to deceases, hard accidents and senility.

Thus, I'm in the process of development of the inheritance plan, just for above reason.

It's an interesting setup and I kinda like it. And 3 copies sounds good.

Still... flash drives can get corrupted a bit too easy for my liking. I mean I had to reformat or throw away at least 10 USB disks in the last 20 years... and we're talking about very long time here, right?
This is the issue with electronic devices. They can get broken easier than more physical stuff.


I will add that age or an accident or stroke can make you forget the passwords/PINs you've used there.


These are the weak spots I've seen.

For those who have the courage  to try my method I  share a trick on how to unite in friendship Kleopatra and hardware pgp keys that hold the same secret but have different ID.

The problem is that each HW pgp key has its own unique ID and by  keeping the last used ID in the cache  Kleopatra refuses to work with other clones of HW key.

The work around is the following.

• 1.  Before importing public pgp HW key into Kleopatra remove default keys which come with Tails distribution ( they are developers keys and    become not necessary for your purpose)
• 2.  Insert any HW key from your cloned set
• 3.  Import relevant public key
• 4.  When  being asked about certification choose Cancel
• 5.  Right click imported public key and select Change Trust
• 6.  Choose "It's my certificate"
• 7.  Proceed with your tasks involving inserted HW key: decryption, encryption, signing, verifying what ever you want.
• 8.  After completing your tasks remove you HW pgp key.
• 9.  Right click public key and select Remove
• 10.Close Kleopatra
• 11 .Next time when you open Tails you will have the   pure untouched Kleopatra that doesn't remember HW keys ID. So you can proceed with any key from your cloned set referring to 2 - 10 in this list.

Recently, i made a thread suggesting creating/importing seeds in wallets like Electrum or Sparrow, as they allow you to export encrypted digital backups.

Security tips for making encrypted backups of your seedphrase.

I completely support your idea!  Seed storage on digital media is a crucial topic, we definitely need more threads like this on the forum.

Mantra.

Never recommended by whom, by you?

 Then, don't use it.


Wise people use for this airgaped Tails which doesn't contain any malware including  keylogers , wooden headed folk utilize devices  and OS that have keyloggers.
Regarding,  IronKey Vault, all typing must be done on airgaped machine, it goes without saying, beside IronKey Vault has the build-in virtual keyboard.
Do you have any experience of working with Tails and/or airgapped machine?


Empty words in fact that tell nothing. Tell better how they can leak from my system.


Yeah, yeah , and better on the other planet, let's say on Mars for instance.
 
In fact digital form of storage should be a companion for primitive one, which in my case is a binary code hold on  titan washers .

---

Further on, any referring to primitive forms of SEED storage in this thread will be considered as offtopic. Tread is solely  for the discussion of best methods to store SEED on digital media.

I have shared my SEED protected by described way to close relatives (geographically distant by hundreds miles)  and don't afraid that they or any other folk can get my phrase. They have only flash drives with Tails but all  set of HW pgp  clones  is in my hand.

SEED phrases stored by primitive way can not be shared with other people without revealing them.

It is never recommended to store your seed phrases in any form of digital media, not even using PGP encryption. You never know, you may lost the secret key file and if you lose then you lose the pass phrase. You also is going to type the seed in the digital media, you will never know if there is a keylogger installed in your device. For any form of digital storage, you always have chance to leak your private key.

It's always better and recommended to store you seed in digital form and it needs to be a fireproof solution.

For not tech savvy people, like you, who wanna use digital media for storing sensitive info like SEED phrases, passwords, etc   I would advocate off-the-shelf products like those produced by Kingston.

I have their flash drive from IronKey Vault Privacy 50 Series and must confess that having AES 256 encryption as well as protections from both bad USB and brute force  it may be considered  as a good digital media stuff for storage  SEED phrases . The only drawback I see is that it is not friendly with Linux and works solely on either Windows or Mac OS machines.

My approach is a bit complicated as in fact it has three layers of protection which might  be looked as overkill.

I saw this notification on the bitcointalk supernotifier and it caught my attention because I have done a DIY Seed Storage on a soda can Inspired by Pmalek's Guide. I would have really loved to try this but I am not a tech savvy person. The only software I recognize there in the write up is Kleopatra which I used one time when I learning to sign a message courtesy of bitcoingirl.

With this contribution I'd like to share my latest "innovation": a method I've implemented  for storing my SEED phrases on digital media.

For this purpose, I use the bootable flash drive holding  Tails OS with  all communications drivers locked. Persistent volume of this OS is  secured with a compound password i.e part of this password is  stored in a hardware security key and enters unlocking field via its OTP interface , while other part is entered manually at unlocking volume. HW security key is aimed also for storage  my private ed25519 PGP key.

The persistent volume keeps   KeePassXC database, locked with a composite password that includes a segment stored in HW key. This password differs from that one safeguarding the Tails persistent volume.

The KeyPassXC database houses encrypted GPG messages corresponding to my SEED phrases. These messages are encrypted using my PGP hardware key (smart card in terms of Kleopatra), which is protected by a PIN code. Notably, only two incorrect PIN attempts are permitted; a third incorrect attempt will result in the blocking of access to the PGP key.

For anyone interested , I  provide ppg code for setting up hardware keys.



The corresponding public key is imported into Kleopatra key manager with database situated within the persistent Tails volume.



Consequently, by utilizing Kleopatra and a hardware key, one can decrypt/encrypt SEED phrases  and securely add  encrypted messages  to KeePassXC database.

In practice, I maintain three cloned Tails flash drives and three hardware keys, each serving as a backup for the others.

I welcome any constructive criticism regarding potential points of failure or unknown vulnerabilities in my system.

---

Picture shows my Tails flash drive (in the form of debit card, metal frame)  and pgp HW key