Topic: Electrum multisig for long-term cold storage (Read 538 times)
I would try to avoid whenever possible (sometimes it's unfortunately not) security by obscurity setups. Obscurity hasn't proven to be superior over transparency. Security by transparency is more likely to reveal flaws than by obscurity. And don't try encryption in some home-brewed way because there's too much that will go wrong. Leave decent encryption design and algorithms to encryption experts.
Totally with you there. I just meant that a dedicated air gapped HD wallet is going to offer the same security (if not more) than an air gapped encrypted PC.
This should be true in theory, simply because attack vector for airgapped hardware wallets is usually smaller than for general purpose computers/laptops.And there is big advantage that hardware wallets can be almost fully open source, that is something very hard to achieve for laptops, but it's not impossible.
I don't see any reason why we can't use both devices and combine them in some good multisig setup.
When we make a general comparison, encryption increases your security, so you cannot say the opposite or the same.
Not all encryptions are always good, and sometimes they can damage your security.Telegram claims their are encrypting something, but nobody can verify their claims, and we know many examples of broken encryption in past.
I also remember a case of ''encrypted'' phones used by criminals and create by three letter government agency.
An airgapped computer with full disk encryption still has its weak spots: the bootsector and bootloader are not encrypted, an attacker with physical access could inject some password stealing malware there. Probably an easier attack vector than passing barriers of an airgapped hardware wallet or hardware wallet in general.
There are plenty of mitigations against this, such as UEFI secure boot. And even without these, an attacker would need to know exactly what they are looking for and would need access to your device undetected on multiple occasions, which should be easily prevented. If someone is willing to break in to your house more than once to do this, then they are probably also willing to just hit you with a $5 wrench.Also, there have been many physical attacks demonstrated against a variety of hardware wallets, which only require access to the device once and while still technical probably require less expertise than compromising the bootloader on a fully encrypted device. One such example: https://blog.ledger.com/Unfixable-Key-Extraction-Attack-on-Trezor/
Anyway, I wouldn't bother about this too much. If you have to fear something like this, you're likely screwed already.
Exactly.Would be even more specialized and targeted attack by this route, but who knows what three letter agencies have access to. Don't want to stirr a soup whose ingredients I don't know, though.
Who knows what three letter agencies are putting in the chips being supplied to hardware wallet manufacturers?
I think we diagress a little bit off the topic here. I want to add a few bits of opinion. An airgapped computer with full disk encryption still has its weak spots: the bootsector and bootloader are not encrypted, an attacker with physical access could inject some password stealing malware there. Probably an easier attack vector than passing barriers of an airgapped hardware wallet or hardware wallet in general.
This would be a very targeted attack, kind of an evil maid thing to gain access to the disk encryption passphrase.
Anyway, I wouldn't bother about this too much. If you have to fear something like this, you're likely screwed already.
Next bad thing in computers are the Intel ME and whatever it's called on AMD platforms. My knowledge ist limited here, but AFAIR the ME is kind of a separate computer (or microcontroler) in a computer. To my knowledge beyond the control of the main OS.
Would be even more specialized and targeted attack by this route, but who knows what three letter agencies have access to. Don't want to stirr a soup whose ingredients I don't know, though.
This would be a very targeted attack, kind of an evil maid thing to gain access to the disk encryption passphrase.
Anyway, I wouldn't bother about this too much. If you have to fear something like this, you're likely screwed already.
Next bad thing in computers are the Intel ME and whatever it's called on AMD platforms. My knowledge ist limited here, but AFAIR the ME is kind of a separate computer (or microcontroler) in a computer. To my knowledge beyond the control of the main OS.
Would be even more specialized and targeted attack by this route, but who knows what three letter agencies have access to. Don't want to stirr a soup whose ingredients I don't know, though.
Totally with you there. I just meant that a dedicated air gapped HD wallet is going to offer the same security (if not more) than an air gapped encrypted PC.
When we make a general comparison, encryption increases your security, so you cannot say the opposite or the same.The air gapped system depends on how well you know how to create it properly and use the proper wallet. If you use a closed source wallet inside it, it's like you've done nothing. If you implement it correctly, all you have to worry about is device failure, forgotten seeds/passwords, and physical attacks. Adding a layer of encryption will enhance your security in terms of physical attacks, all you have to do is make sure the seeds are saved correctly and use a multi-signature wallet to reduce the risk of you losing a seed.
Almost maximum security is an encrypted air gapped system with a multi-signature electrum wallet, one of those signatures is a hardware wallet and good seed distribution.
I just meant that a dedicated air gapped HD wallet is going to offer the same security (if not more) than an air gapped encrypted PC.
It depends on the hardware wallet. If you are using a permanently airgapped device like a Passport, then maybe. If you are using a device which connects to an internet enabled computer like a Trezor or a Ledger, then no.It also depends on your threat model. Against remote electronic attacks, the security might be similar. Against physical attacks, an airapped laptop is superior. There have been multiple attacks against multiple hardware wallets which have demonstrated seed extraction. I'm not aware of a single successful attack at extracting data from a drive running full disk encryption done properly. If an attacker sees a hardware wallet, they know you have coins worth stealing. If they see an encrypted laptop, they have no idea what is on it. I can even use hidden volumes to decrypt it to decoy "sensitive" data.
Totally with you there. I just meant that a dedicated air gapped HD wallet is going to offer the same security (if not more) than an air gapped encrypted PC.
Same security compared to what exactly?
I had software hot wallets on a system that wasn't used for anything else. Strictly reduced to the minimum, not used for daily stuff. I was aware that this isn't safe but I'm able to keep my machines at home safe enough, past has proven, no issues with viruses, malware or other nasty things. (I think I'm not yet overconfident, I hope. It's just practice and knowledge of security related computer stuff. Don't be reckless and question crazy offers...)
But I knew, I shouldn't keep it that way. I experimented first with a PiTrezor I assembled myself. Just to get a feel to use a hardware wallet. Then I bought a "real" open-source hardware wallet. Still in the play & experiment phase but getting more and more familiar with it. Until I have my "secure" setup, I moved my wallets to an air-gapped encrypted laptop (yes, I know, that doesn't make them cold, but they're less exposed for sure).
I still need to figure out how I want to deal best with some of my important to me points of my risk assessment. Don't want to go too crazy, but don't want to go too easy either. Still reading books like what's available at https://smartcustody.com.
I had software hot wallets on a system that wasn't used for anything else. Strictly reduced to the minimum, not used for daily stuff. I was aware that this isn't safe but I'm able to keep my machines at home safe enough, past has proven, no issues with viruses, malware or other nasty things. (I think I'm not yet overconfident, I hope. It's just practice and knowledge of security related computer stuff. Don't be reckless and question crazy offers...)
But I knew, I shouldn't keep it that way. I experimented first with a PiTrezor I assembled myself. Just to get a feel to use a hardware wallet. Then I bought a "real" open-source hardware wallet. Still in the play & experiment phase but getting more and more familiar with it. Until I have my "secure" setup, I moved my wallets to an air-gapped encrypted laptop (yes, I know, that doesn't make them cold, but they're less exposed for sure).
I still need to figure out how I want to deal best with some of my important to me points of my risk assessment. Don't want to go too crazy, but don't want to go too easy either. Still reading books like what's available at https://smartcustody.com.
Interesting. The way I see it, if you're storing coins on a multisig setup with open source hardware wallets, this should offer the same security (maybe more secure?).
Do you keep your private keys on hardware wallets, or are they stored on your hard drive? My wallet files are watch only, but with the master fingerprints so that I can use them to sign from an air gapped device.
I use a combination.I have small amounts of coins in hot wallets on both mobile and desktop. I used to use a number of different hardware wallets, but given the number of hardware wallets over the last few years that have been shown to have critical vulnerabilities, data leaksm horrendous privacy features such as implementing KYC exchanges or supporting AOPP, horrendous security features such as online back up, and so on, I've pretty much abandoned them all. The vast majority of my coins are stored in permanently airgapped devices using full disk encryption.
I use my wallets on a Linux system with full disk encryption. Stealing the device should prevent an attacker to gain access to the filesystem. I do wallet password protection even for watch wallets, just a habit I don't want to break with. I only make an exception if I do something with a test wallet which doesn't control any worth.
Even my Testnet Bitcoin wallets are password protected, but not with my stronger passwords. For convenience I relax passwords strength where appropriate.
Even my Testnet Bitcoin wallets are password protected, but not with my stronger passwords. For convenience I relax passwords strength where appropriate.
Do you keep your private keys on hardware wallets, or are they stored on your hard drive? My wallet files are watch only, but with the master fingerprints so that I can use them to sign from an air gapped device.
I use my wallets on a Linux system with full disk encryption.
I also use this on all my drives, but of course remember that this only protects the disk at rest. If the drive is in use, such as it would be if you are running Core, then it is obviously decrypted and susceptible to physical or electronic intrusion. This is why, like you, I still password protect/encrypt all my individual wallet files as well.
I use my wallets on a Linux system with full disk encryption. Stealing the device should prevent an attacker to gain access to the filesystem. I do wallet password protection even for watch wallets, just a habit I don't want to break with. I only make an exception if I do something with a test wallet which doesn't control any worth.
Even my Testnet Bitcoin wallets are password protected, but not with my stronger passwords. For convenience I relax passwords strength where appropriate.
Even my Testnet Bitcoin wallets are password protected, but not with my stronger passwords. For convenience I relax passwords strength where appropriate.
My node (separate machine) is connected to my wallet via Tor, but the computer that has Sparrow installed is still connected to to the internet. Does the above advice still stand?
Although some VPNs bundle some anti-malware capabilities, VPNs shouldn't be relied on to prevent your computer being hacked or targeted with malware. If you want to do other bitcoin related things on that computer which you don't want your ISP to know about, such as use this forum, use block explorers, check fees, etc., then a VPN might be worthwhile, although Tor would probably still be better.None of my private keys are kept in the wallet files. They just contain the xpubs and master fingerprints. The private keys are stored in hardware wallets.
I see. In that case the concern is a privacy one, rather than a security one. If someone hacked your device or physically accessed your device, password protection on your Sparrow wallets might prevent them from viewing your wallets, addresses, transactions, etc. (This could of course directly lead to a security risk if the attacker then decides you own enough bitcoin to make you a target for further attacks.) Personally, I password protect/encrypt everything, even watch only wallets.
Thanks for the reply.
My node (separate machine) is connected to my wallet via Tor, but the computer that has Sparrow installed is still connected to to the internet. Does the above advice still stand?
None of my private keys are kept in the wallet files. They just contain the xpubs and master fingerprints. The private keys are stored in hardware wallets.
Thanks for this.
Quote
No, it wouldn't make any meaningful difference if you are already doing everything over Tor.
My node (separate machine) is connected to my wallet via Tor, but the computer that has Sparrow installed is still connected to to the internet. Does the above advice still stand?
Quote
The descriptors that Sparrow creates only contain xpubs, and therefore are watch only and cannot be used to sign anything. You should definitely still password protect your wallet files which contain your seed phrases/private keys.
None of my private keys are kept in the wallet files. They just contain the xpubs and master fingerprints. The private keys are stored in hardware wallets.
Quote
That's right. The descriptor file will contain the xpubs for all your co-signers. Personally, I would still back up the xpubs alongside each seed phrase back up though, in the manner I describe here which maintains your privacy at the same time: https://bitcointalksearch.org/topic/m.62443533
Thanks for this.
1. Currently I connect my wallet to my node running a private Electrum server over Tor. Would running a VPN on my local machine also help against malicious attacks?
No, it wouldn't make any meaningful difference if you are already doing everything over Tor.2. Sparrow recommend a password for your wallet files. However, if I'm not encrypting the wallet descriptor files, is there any point to this?
The descriptors that Sparrow creates only contain xpubs, and therefore are watch only and cannot be used to sign anything. You should definitely still password protect your wallet files which contain your seed phrases/private keys.3. Am I right in thinking that if I have my descriptor file, and the necessary quorum of seedphrases/working HD wallets, I will always be able to access my funds?
That's right. The descriptor file will contain the xpubs for all your co-signers. Personally, I would still back up the xpubs alongside each seed phrase back up though, in the manner I describe here which maintains your privacy at the same time: https://bitcointalksearch.org/topic/m.62443533
I'm revisiting this topic as last night I had a major issue with Casa. Their servers went down, and the only way I was able to sign was with the setup I recreated in Sparrow. It brought home how vulnerable I was in relying on a third party, and how antithetical it is to the whole point of bitcoin.
So, I'm going to fully self custody from this point on. I am pretty confident in my ability to manage multisig via Sparrow, having kicked the tires on it over the past 6 months. I want to ensure I run the setup in the safest possible way, however.
1. Currently I connect my wallet to my node running a private Electrum server over Tor. Would running a VPN on my local machine also help against malicious attacks?
2. Sparrow recommend a password for your wallet files. However, if I'm not encrypting the wallet descriptor files, is there any point to this?
3. Am I right in thinking that if I have my descriptor file, and the necessary quorum of seedphrases/working HD wallets, I will always be able to access my funds?
Thanks!
So, I'm going to fully self custody from this point on. I am pretty confident in my ability to manage multisig via Sparrow, having kicked the tires on it over the past 6 months. I want to ensure I run the setup in the safest possible way, however.
1. Currently I connect my wallet to my node running a private Electrum server over Tor. Would running a VPN on my local machine also help against malicious attacks?
2. Sparrow recommend a password for your wallet files. However, if I'm not encrypting the wallet descriptor files, is there any point to this?
3. Am I right in thinking that if I have my descriptor file, and the necessary quorum of seedphrases/working HD wallets, I will always be able to access my funds?
Thanks!
Thank you both. That confirmed what I had been thinking. I have been playing around with paper multisig in Electrum for a while now - I always make sure to note the derivation paths.
I am going to establish a hardware multisig setup using open source wallets - 2 coldards and 1 passport. I'll probably stress test it and play around with it first before I migrate from Casa.
I am going to establish a hardware multisig setup using open source wallets - 2 coldards and 1 passport. I'll probably stress test it and play around with it first before I migrate from Casa.
However, I had always thought that, so long as I have all seed phrases to fulfil a quorum, it doesn't matter whether the vendors create changes that disrupt the devices' multisig capabilities?
That's correct. The hardware wallets are simply storing the seed phrases and private keys, and interacting with the wallet software you are using. Should a hardware wallet manufacturer accidentally break the way they interact with your software, then you can simply take the seed phrase back up and import it somewhere else which is still working as intended.The biggest potential issue here (outside of importing seed phrases in to pieces of software and therefore risking exposing them) would be knowing which derivation path your hardware wallets have used for your multi-sig wallet.
Just thinking about this again after watching Jameson Lopp's interview with Peter McCormack. He makes the point that Casa help protect against "breakable changes" that could happen if wallet vendors make a bad update to their software. However, I had always thought that, so long as I have all seed phrases to fulfil a quorum, it doesn't matter whether the vendors create changes that disrupt the devices' multisig capabilities.
Isn't Casa just a multi-sig platform where they hold one of your keys and allows you to add more keys/switch devices later on? I don't think you need Casa to protect you from malfunctioning hardware as long as you have the backup. You can replace Casa with another multisig device and you would still be fine. Not to mention you need to pay to use their multisig service.You can check out their hot it works page[1] and replace the "hardware lost" with "broken hardware" and the graph will look the same. He is not wrong when he said Casa can protect their users from bad updates, but Casa is not the only option. A user can also wait for reviews before deciding to upgrade their software, or just use an open-source HW wallet where they can modify it whenever they want to. As long as they keep the backups they should be fine. CMIIW.
[1] https://keys.casa/how-it-works/
Jump to: