Topic: Can non-techies keep their Bitcoin secure easily? (Read 1623 times)

You need download fciv from Microsoft website

When I typed cmd /K "cd /d c:\WINDOWS\" into the Command Prompt and C:\Users\username> changed into C:\Windows> in the Command Prompt. However, typing all those recommended commands fciv gpg4win-2.2.1.exe -sha1 and fciv gpg4win-2.2.1.exe -md5 yielded the same error message as before; "fciv is not recognized as an internal or external command, operable program or batch file."

I use the Android Wallet by Andreas Schildbach, it's open source, and I think it's pretty easy to use, and quite secure.

Consider the tutorial posted earlier on running an offline Ubuntu LiveCD from a USB drive or disc.
http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows

Nothing to buy, firewall easily enabled (terminal command for default enable: "sudo ufw enable"), clamTK anti-virus is free and pretty solid. Most viruses target Windows, despite the fact that most servers run on Linux -- something to keep in mind when considering which OS to keep your wallet on (if you keep it on a computer, especially an online computer). Linux/Unix has stronger security generally by limiting permissions beyond the root user... and anything downloaded from browser is not executable by default -- it must be granted permissions to be made executable.

Anyway.... something to consider....  Happy bitcoining!

In this case, there are two reasons to do this.

1) To confirm that you are downloading what you think you are downloading. In this case, the Electrum developers released the client, and you want to make sure that you are installing the original, unmodified version that you were intended to get. It's good to be in this habit to avoid malicious downloads.

At http://electrum.org/download.html you can see that they have provided an md5 hash of your download to ensure its integrity, and a .asc -- the files release signature -- so that you can ensure that you are receiving the original, unmodified version from the developers.

2) To be able to encrypt and decrypt files. For example, with Electrum, and others I think, only private keys are encrypted when you set a pass phrase. Encrypting your wallet file(s) adds another layer of protection and opaqueness. You have to understand that no security measure is enough to stop a well-armed attack. It's all about deterrence. A pass phrase that encrypts your private keys only means that in an unencrypted directory, your public keys are saying "I'm a bitcoin wallet. Right here!"

As always -- this may be overkill depending on your potential holdings and how you value them. You don't need to encrypt your wallet files beyond the encryption of your private keys by setting a pass phrase. Many people don't.

But it is good to be in the habit of knowing how to recognize a trusted download from an untrusted one.

Wallet.dat referred to the Bitcoin QT client. Sorry, I'm not too familiar with Electrum. Consider checking out the Electrum subforum: https://bitcointalk.org/index.php?board=98.0

I see now that you are using Electrum. They appear to use md5 checksum, not sha1. So you would replace "-sha1" with "-md5".

If fciv is in C:\Windows, you can run it from anywhere. In that case,
fciv [____.exe] -sha1 --> Will run fciv on the file in question (____.exe = full file path)

If not,
cmd /K "cd /d c:\WINDOWS\" --> Will create a cmd window at the C:\Windows directory (replace c:\windows with the folder housing gpg4win-2.2.1)

fciv gpg4win-2.2.1.exe -sha1

I just downloaded AVG Basic; the full package costs $54.99.

AVG Basic has anti virus and anti spyware function, but no firewall function.

Typing "cd" doesn't do anything either; I type "cd", hit enter and the same  C:\Users\username> appears right below it.


Yeah, it's just that others have suggested I get another, dedicated computer for this, and the printer he suggested is $200 USD. All I'm saying is that I can't afford to buy new hardware for this; not yet atleast.


My trial Norton Antivirus expired a few weeks ago; I just removed it today and started using Windows Defender. I ran a full computer scan and it said my computers safe. I don't know if they have/had "two way firewall" functions. I'll look into those other services you suggested.

Do you have antivirus software installed? Do you have a two-way firewall installed? If not then consider your computer as insecure and don't use it for anything important or valuable. If you don't know then consider it insecure.

Good, free, easy to use software packages are AVG anti-virus and ZoneAlarm firewall. Other products are available.

OK, if you want to get into Bitcoin now, can you afford to lose that $30-40? Why not start with a simple wallet and only $3-4 dollars, that way if you lose it no serious damage is done. As you gain in experience you will find things that seem horrendously complicated now become clearer.

You have to navigate to the correct folder/directory first. Your prompt probably appears as C:\Users\username>. You will to use the 'cd' command.

I really cannot buy any extra equipment or hardware for this. Right now, I can only afford to invest like $30 or $40 USD into this, and ideally, I would like this to be all in Bitcoin; buying any gear would wipe out any money for Bitcoin thereafter.

The Piper paper wallet printer might be a good option for someone who is non-techie.  It's a completely offline printer that will print paper Bitcoin and Litecoin wallets.  It will even let you plug in a usb and backup the keys to that as well.  The website is piper.pw.

I successfully got up to this stage; I downloaded fciv.exe and when I tried to click on it, the black box with white text that kinda looks like really old MSDOS pops up for a few milliseconds and the box closes automatically.

The next part I can't figure out


Windows 8 doesn't have Accessories; you have to click on Search on the right side of the screen type Command Prompt.

I pull up the Command Prompt; it's another black box with white text that kinda looks like MSDOS and I type "fciv.exe." Nothing happens; it says "fciv.exe is not recognized as an internal or external command, operable program or batch file."

I'm not sure, most of us don't even know what we have installed that could be dangerous.

We could try and make a fake file called wallet.dat that is 2GB and trick the virus, furthermore, we would know if it is trying to upload the wallet as your internet connection would be very slow.

Currently downloading Gpg4win; just before I continue, what exactly is this going to do? I'm not sure I understand why I've got to do this.

Because I already have passwords for my Electrum wallet, and the wallet names I was assigned seem pretty complex. Is this whole process just going to add another layer of passwords around the software, the file or both?



I actually cannot find a wallet.dat file; I did a full hard drive search. It's not on my USB drive either; all that appears on my USB is the Electrum program; and yet there appears to be Wallet ID's under the received tab.

Sorry in advance for the book. As I thought about it, it felt easier just to go through the motions of thinking about why this is important and how it works.

OK, on PGP. Yes, it is complicated, but I doubt it is beyond your skill set. Simply a new process to learn. Before thinking about encryption, it would be good practice now to consider learning how to ensure that what you think you are downloading is what you are actually downloading. This is especially important when dealing with software that could potentially target your wallet(s).

This is a taste of what it means to verify the integrity of and to authenticate certificates for files downloaded. In turn, that will necessitate creating a PGP keypair, and may prime you for working with PGP keys to encrypt your files.

So, a Windows user would go to http://gpg4win.org/ and download the full version. You can google the site for its web reputation. You can verify the integrity of the download using Microsoft's fciv utility found here: http://support.microsoft.com/kb/841290

When you unzip fciv, drop fciv.exe into C:\Windows. That way you can pull up Command Prompt (Accessories) and run fciv.exe from any location. So to verify the integrity of your gpg4win download, pull up Command Prompt, and enter "fciv [____.exe] -sha1" where [] = the exact file location of the gpg4win binary. This should produce a sha1 checksum that you can compare with the checksum found here: http://gpg4win.org/package-integrity.html

If your binary downloaded properly, these sums should match. That is about the extent of due diligence you can do prior to using encryption/decryption. Now that you have verified the integrity of the download, install gpg4win and run Kleopatra. You can now authenticate the download from gpg4win. You would create a new certificate, select PGP keypair, and input your desired user information and password. Once the certificate has been created, back it up and keep your information safe. You can now use this certificate to certify the earlier download.

You do this by downloading (and subsequently verifying) the release signature of the download, found next to the file you downloaded, here: http://gpg4win.org/package-integrity.html Download the corresponding .sig file into the same folder as the original download.

As stated, the signatures have been created with the following OpenPGP certificate:
Intevation File Distribution Key (Key ID: EC70B1B8) -- if you go to that source, you can scroll down to "Intevation-Distribution-Key" and download it (it is an .asc file). Then you "import certificate" and select that file. Verify that the fingeprints match, then you can certify it with your own key.

Now, you can go to File | Decrypt/Verify. Select the .sig file that you downloaded (you'll see that it corresponds to the .exe file in the same folder) and verify. You should now be able to validate the certificate -- giving you confidence that you have the original and unmodified file and not some malicious replacement.

......So now you know how to verify the integrity of your downloads and create a PGP certificate to authenticate those downloads.

Now, encrypting files with PGP is very easy and only one step away. But before encrypting anything -- make sure that your keypair is backed up and your password is SAFE and will not be lost. (It would be tragic to encrypt the directory housing your wallet without realizing the importance your PGP password in decrypting it later on.) Also, when encrypting, remember to encrypt to your own certificate  -- otherwise your private key is useless to decrypt it.

Here is a straight-forward tutorial on signing and encrypting files in Kleopatra: http://www.gpg4win.org/doc/en/gpg4win-compendium_24.html

Again, I know it is a lot to take in. But if you are going to be holding an amount of money significant to you on your machine, another layer of encryption can provide great peace of mind.
You can set up cold storage on a USB drive, sure. With QT, for instance, just back up the wallet.dat file on the USB -- preferably, the wallet should be generated initially offline, the wallet should be encrypted before stored, and all files on the drive encrypted.

Yes, I would recommend playing around with this a bit. Don't risk much when playing around with cold storage for the first time -- make sure that you are confident in your ability to retrieve your coins from storage before sending much.

Once you have transacted back and forth a few times and feel more confident, I would start over with a newly generated cold storage wallet that has never made outputs before.

I just installed Electrum on my USB drive. There's a tab that says "Receive" and there are 5 BTC Addresses (or what look like Bitcoin addresses) underneath. Are these my offline, USB addresses?

Not encrypting your wallet and keeping it on a computer is suicide. You could always tell your parents or somebody you trust with your password.

Apparently on the Armory wallet you can split your wallet into three parts and you only need two of the parts to retrieve your balance, but I need to read in to that more, but sounds pretty cool.