Author

Topic: Critique my simple encrypted cold storage method (Read 1626 times)

full member
Activity: 287
Merit: 101
Or just use Amory offline ..... Its much easier and just as safe. The most advantage is you can spend any amount in your wallet and never have to keep going thro the process of sweeping.

Better solution would be a hardware wallet  (like Amory but works with any client) and just using to sign transaction. I would personally use this for everyday wallet, while keeping Amory for "saving" account.


I've installed Armory and messed around with it, and it just doesn't seem that easy to me. I'd also like to not be dependent on a company's software to be functional in the future and I like the idea of having a full understanding of how my bitcoin is stored. I probably should read up on signed transactions - perhaps that would help.
newbie
Activity: 4
Merit: 0
Just curious, I see the use of VMs in a lot of suggested lists of steps for handling keys. Is this primarily to obfuscate the keys in the VM's memory and vfs temporarily from an outside looking from the host OS to the VM process?

Regards,
full member
Activity: 216
Merit: 250
You have an excellent grasp of the steps there.  A couple extra suggestions: Use a strong BIP38 passphrase, especially if you're storing the paper wallets in multiple places which could ever be compromised.  The flipside to a strong passphrase is memorability, of course.  I recommend storing that somewhere completely different and preferably without a label pointing out what it is.

If you're interested, there's also a product (disclosure: mine) similar to a paper wallet, but made of metal, the Bitcoin Firesafe, which also keeps the cold storage safe from the various things that would threaten a valuable paper item.  With the Bitcoin Firesafe, I would recommend you perform the key import and sweep when redeeming funds on a software / local client instead of importing the key into any online service that would see the key, thereby retaining the secrecy of that key so you could place funds back on that Bitcoin Firesafe again later.
hero member
Activity: 658
Merit: 500
Or just use Amory offline ..... Its much easier and just as safe. The most advantage is you can spend any amount in your wallet and never have to keep going thro the process of sweeping.

Better solution would be a hardware wallet  (like Amory but works with any client) and just using to sign transaction. I would personally use this for everyday wallet, while keeping Amory for "saving" account.
hero member
Activity: 605
Merit: 634
Sounds good. A variant that I use, is to have a Linux OS on a flash drive (Ubuntu or Puppy). I install Truecrypt on it as well, and also put a Windows Truecrypt binary on there. Then you create a truecrypt container, and put both public/private keys there. You can keep the container/file backed up anywhere you like. It also can be a good idea to put glasses prescriptions, scans of ID and whatever personal important info you have. I have the date as part of the filename, to ease the problem of getting the various copies mixed up.  You can also install Electrum, to have a btc client/wallet as well, but not needed just for a secure backup.

In the non-encrypted portion of the drive I keep the public keys. This makes it quick to paste into a browser, or to send funds to it.

I always prefer to boot it to Linux, but having the Windows Truecrypt available means you could still access the encrypted file if you are unable to reboot the machine.

You can also use Tails Linux for USB, which has strong encryption on a persistent partition.

It's considered a best practice to not re-use a paper wallet, since once it has been swept, the private keys have touched the network.
full member
Activity: 287
Merit: 101
Thanks! Yeah, I am a bit torn between one wallet and multiple smaller ones since the whole sweeping the wallet every time seems like a risk. That was one surprising bit of knowledge about paper wallets that took me a bit to learn - if you don't take all of the coin off a paper wallet at once you lose the remaining as "change", and it is still unclear to me where the "change" goes. Seems like the block chain online wallet takes care of this for you when you scan in and decrypt your paper wallet, but I'm not positive.

The other thing I'm considering is saving out the decrypted private keys to a safety deposit box or something in the event that my BIP-38 decryption stops working for whatever reason (say the java script stops working on a newer version of the LiveCD browser or other browsers). Long shot, but if for whatever reason I couldn't get my private keys decrypted I'd always have the private keys somewhere without needing to decrypt them. I wouldn't even need to keep the public keys with them, so even if someone stole the private keys they couldn't do anything with them without the public keys? Or that is my understanding...
legendary
Activity: 4228
Merit: 1313
I agree.  Sounds well researched.

If you think you might only spend 10% (or whatever) of them at a time, you might consider doing multiple offline wallets - e.g. on bitaddress.org I think it will do 7 per page.  Then you can divide it into roughly 1/7s and then if you need to spend, you are only exposing part of your cold storage.  Depends on your usage pattern.
hero member
Activity: 898
Merit: 1000
Pretty well researched - sounds like you've got it covered  Smiley

You probably need both steps 3) and 4) when you come to spend your BTC.
full member
Activity: 287
Merit: 101
Hi all - new to bitcoins, acquired some, and now want to take them offline into cold storage. I've read up on my different options and want to keep it as simple as possible. Here is what I'm planning to do:

Creating and loading the wallet -

1) Save to my HD the bitaddress.org URL for generating BIP-38 encrypted paper wallets.
2) Create a LINUX LiveCD for booting from a flash drive for a fresh, offline OS.
3) Disconnect computer from the internet, boot into LiveCD, and generate my encrypted paper wallet via the bitaddress.ord URL (running standalone).
4) Save the wallet off as a PDF and also print multiple copies. Since it's encrypted, I can have a few copies and keep them multiple places and the PDF will also be available if the paper fades or is destroyed.
5) Reboot regular OS and head out to the exchange.
7) Send my bitcoin to the public key of my paper wallet, starting with a small amount and confirming it got there via blockchain.info.

Getting bitcoin back out of the wallet -

1) Using the block chain app on my android tablet, scan the encrypted private key of the paper wallet (I could also use the bitaddress.org code offline to decrypt it manually also).
2) The app will ask for the key I used to BIP-38 encrypt the private key - type in the password used to encrypt it and the wallet's bitcoin will be accessable.
3) Sweep the wallet into my blockchain online wallet (do I have to do this? or can I keep coin I don't want to spend in the existing wallet and just send whatever I need to the blockchain wallet?).
4) Send any bitcoin that I don't want to keep online into a new paper wallet, created in the same way I created the first one (might not be necessary - see 3).

Thoughts? What am I missing?

thanks!
dan
Jump to: