Author

Topic: Cold storage security vs paper backups? (Read 960 times)

hero member
Activity: 490
Merit: 500
May 17, 2013, 05:03:51 PM
#6
Okay, thanks for clarifying everyone.  I've had enough hard drives fail due to viruses by now that I feel almost dumb to say that my flash drive won't do the same.  It's not as likely to fail as my hard drive, but that doesn't mean it's impossible.
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
At least the paper will survive through water,
Unless you use an inkjet printer.

Quote
heating below 451 F,
With all respect for Bradbury, I doubt that this temperature is particularly significant :-)

Even ink will stain the paper well enough that your'e almost guaranteed to be able to recover it.   You might not be able to identify it by eye, but someone with some tools will be able to read it.  And you only need to do it once to get your coins back.

As for 451 F -- yeah, I just meant "close to fire" but not directly set on fire.  Like if you keep your Paper/USB in a metal box that comes in contact with fire when the house burns down, the paper still has a good chance to survive.  I'm pretty sure most USB keys and CDs would start to melt and electronics overheat ,etc.

It's not an exact science, I'm just trying to dispel the myth that paper is somehow inferior to other options.  I think it's a great option, and easily "upgradeable" to a better option (like putting it in something fire proof).
hero member
Activity: 547
Merit: 500
Decor in numeris
At least the paper will survive through water,
Unless you use an inkjet printer.

Quote
heating below 451 F,
With all respect for Bradbury, I doubt that this temperature is particularly significant :-)
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
I guess I don't really understand the huge appeal of the paper backups.  Part of the appeal of bitcoin to me is that it's, well, digital. 

My Armory security scheme: I manually copied my private keys onto my flash drive.  I don't have a cold storage computer, but I can always move them back when I want to spend them.  It's unencrypted...for now, but when I start actually using bitcoin seriously, I plan on GPG encrypting the private keys just to be sure.

So, is there any real advantage from a wallet security standpoint of this kind of setup over a paper backup?  It seems to me that my only risk with this system is that my flash drive gets corrupted and I lose the private keys.  Assuming that doesn't happens, the only way I'd lose my bitcoins is if I happen to have a virus on my computer that is somehow smart enough to wait for me to move my private keys back on to my computer and then spend them before I get a chance to do so myself.  Not too likely, in my opinion.

Unfortunately, it's very likely.  Malware doesn't just get onto your system and leave.  It sits there and does its things.  One of those things could be checking for wallet files periodically.  Or maybe whenever any Bitcoin software is started.   Just because the wallet isn't there when the first malware was acquired, doesn't mean that it will just leave in frustration and never come back again.  It's very easy for it to look for wallet files every time removable media is inserted, etc.

And that doesn't take into account the fact that the malware may not even be looking for wallet files, because they're encrypted anyway and it can't do anything with it.  It just waits for you to open Armory and unlock your wallet, then it pulls your private keys out of RAM (or pulls your passphrase out of RAM and takes your wallet file with it).  In this case, it doesn't matter whether your wallet isn't on the filesystem 99.9% of the time, because the malware doesn't do anything until it detects Bitcoin activity.

The hardware wallets (that don't exist yet), offer superior advantage over a flash drive, because they require a physical keypress, and do not allow download of private wallet data.  The signing is done on the device and it only emits signatures, not private keys.  The attacker can steal the passphrase, but they can't press the buttons on the device to get it to sign things.

And you assume your USB device will work in a couple years.  It might.  It probably will.  But why even take that chance when paper works 100% of the time.  Just about anything that destroys paper will also break your USB key (direct fire, shredding, etc).  At least the paper will survive through water, heating below 451 F, and mass bending/stretching/tearing/deformation.

The downsides of unencrypted paper are mostly resolved by the M-of-N stuff I'm going to be releasing soon.  Though, the backup system will allow you to save some fragments on paper, some on removeable media.  However you prefer it.
hero member
Activity: 547
Merit: 500
Decor in numeris
It seems to me that my only risk with this system is that my flash drive gets corrupted and I lose the private keys.  Assuming that doesn't happens, .....

Why would you assume that doesn't happen?  Flash drives are notoriously unreliable, even if you don't loose them or wash them with the laundry (which, btw, they often survive).

A few years back, I almost lost my GPG key.  I only had four backups, and the first three failed (mostly due to age, one of them was a 3.5 inch floppy!)
hero member
Activity: 490
Merit: 500
I guess I don't really understand the huge appeal of the paper backups.  Part of the appeal of bitcoin to me is that it's, well, digital. 

My Armory security scheme: I manually copied my private keys onto my flash drive.  I don't have a cold storage computer, but I can always move them back when I want to spend them.  It's unencrypted...for now, but when I start actually using bitcoin seriously, I plan on GPG encrypting the private keys just to be sure.

So, is there any real advantage from a wallet security standpoint of this kind of setup over a paper backup?  It seems to me that my only risk with this system is that my flash drive gets corrupted and I lose the private keys.  Assuming that doesn't happens, the only way I'd lose my bitcoins is if I happen to have a virus on my computer that is somehow smart enough to wait for me to move my private keys back on to my computer and then spend them before I get a chance to do so myself.  Not too likely, in my opinion.
Jump to: