Encrypted Paper Backups | Bitcointalksearch.org

cp1

hero member

Activity: 616

Merit: 500

Stop using branwallets

Quote from: rocks on November 07, 2013, 08:35:18 PM

Quote from: cp1 on November 07, 2013, 11:57:42 AM

It just takes two seconds to encrypt your recovery key, there's no need for this in armory. Just do it yourself if you want that.

Agreed, this is very easy to do.

The issue is it is error prone when done manually. For every 100 times I've done the above manually there is 1 time where something went wrong. If I have a cold wallet that I come back to in 2020 and BTC is priced to the moon, I don't want that to be the time my manual encryption effort screwed up somehow.

The advantage of automation is it eliminates manual mistakes.

There's nothing manual about it, it's just one command. You can even check your work with diff.

etotheipi

legendary

Activity: 1428

Merit: 1093

Core Armory Developer

Quote from: rocks on November 07, 2013, 08:35:18 PM

Quote from: cp1 on November 07, 2013, 11:57:42 AM

It just takes two seconds to encrypt your recovery key, there's no need for this in armory. Just do it yourself if you want that.

Agreed, this is very easy to do.

The issue is it is error prone when done manually. For every 100 times I've done the above manually there is 1 time where something went wrong. If I have a cold wallet that I come back to in 2020 and BTC is priced to the moon, I don't want that to be the time my manual encryption effort screwed up somehow.

The advantage of automation is it eliminates manual mistakes.

You're going to remember the password you chose today, 7 years from now? Either you re-use passwords way more than you technically should, or your memory is epic. I'd be much more concerned about the number of things that can go wrong in 7 years that make that backup useless.

rocks

legendary

Activity: 1153

Merit: 1000

Quote from: cp1 on November 07, 2013, 11:57:42 AM

It just takes two seconds to encrypt your recovery key, there's no need for this in armory. Just do it yourself if you want that.

Agreed, this is very easy to do.

The issue is it is error prone when done manually. For every 100 times I've done the above manually there is 1 time where something went wrong. If I have a cold wallet that I come back to in 2020 and BTC is priced to the moon, I don't want that to be the time my manual encryption effort screwed up somehow.

The advantage of automation is it eliminates manual mistakes.

cp1

hero member

Activity: 616

Merit: 500

Stop using branwallets

It just takes two seconds to encrypt your recovery key, there's no need for this in armory. Just do it yourself if you want that.

rocks

legendary

Activity: 1153

Merit: 1000

Quote from: Melbustus on November 06, 2013, 03:08:54 PM

Quote from: etotheipi on September 17, 2013, 12:37:30 PM

I just want to reiterate my position on this -- I have outlined in the past why I don't want to support directly-encrypted backups. Not everyone agrees with the reasoning, but I'm sticking to it because the ability to recover your wallet is higher priority than having the extra physical security.

Instead, this is being addressed with the fragmented backups. It is a perfect mix of redundancy and security, and can be used very similarly to an encrypted backup without the same risks. Fragmented backups have already been merged into my development branch, and will be part of the next release along with the the RAM reduction.

This stance is the one thing keeping me from using (and recommending) Armory predominantly. I do understand your reasoning and position, but for my personal use-case, I want encrypted backups. I simply am not comfortable with paper wallets due to potential theft, loss, destruction. I very specifically *want* my coins to be unlockable by my brain only. And the last thing I want to worry about is keeping some slip (or M slips) of paper physically secure.

But obviously Armory has lots of great features, so that essentially leaves me to implement my own encrypted Armory backup process which will be MUCH more error-prone than if the feature existed natively in the client.

I really hope you change your mind.

Agreed,

The option already exists to make encrypted digital backups. So I don't really understand the logic behind not supporting the feature. Many users only create digital backups and brainwallet those, so they are already in the exact situation etotheipi says he want to avoid.

All that is being asked for is to provide the same functionality for paper backups as for digital backups.

Melbustus

legendary

Activity: 1722

Merit: 1004

Quote from: etotheipi on September 17, 2013, 12:37:30 PM

I just want to reiterate my position on this -- I have outlined in the past why I don't want to support directly-encrypted backups. Not everyone agrees with the reasoning, but I'm sticking to it because the ability to recover your wallet is higher priority than having the extra physical security.

Instead, this is being addressed with the fragmented backups. It is a perfect mix of redundancy and security, and can be used very similarly to an encrypted backup without the same risks. Fragmented backups have already been merged into my development branch, and will be part of the next release along with the the RAM reduction.

This stance is the one thing keeping me from using (and recommending) Armory predominantly. I do understand your reasoning and position, but for my personal use-case, I want encrypted backups. I simply am not comfortable with paper wallets due to potential theft, loss, destruction. I very specifically *want* my coins to be unlockable by my brain only. And the last thing I want to worry about is keeping some slip (or M slips) of paper physically secure.

But obviously Armory has lots of great features, so that essentially leaves me to implement my own encrypted Armory backup process which will be MUCH more error-prone than if the feature existed natively in the client.

I really hope you change your mind.

etotheipi

legendary

Activity: 1428

Merit: 1093

Core Armory Developer

Quote from: Jan on September 17, 2013, 12:56:45 PM

Quote from: etotheipi on September 17, 2013, 12:37:30 PM

I just want to reiterate my position on this -- I have outlined in the past why I don't want to support directly-encrypted backups. Not everyone agrees with the reasoning, but I'm sticking to it because the ability to recover your wallet is higher priority than having the extra physical security.

+1

Quote from: etotheipi on September 17, 2013, 12:37:30 PM

Instead, this is being addressed with the fragmented backups. It is a perfect mix of redundancy and security, and can be used very similarly to an encrypted backup without the same risks. Fragmented backups have already been merged into my development branch, and will be part of the next release along with the the RAM reduction.

Can you elaborate what you mean by fragmented backups?
Do you mean Shamir's secret sharing scheme, encryption with a computer generated passphrase, or something else entirely?

For the Mycelium wallet I am leaning towards private key export using BIP38 with a computer generated passphrase which is only displayed on screen (and written on paper by hand). The encrypted backup turned into a JPG image containing the encrypted bits are base58 encoded as text and a QR-code. The JPG is shared by whatever means your phone supports. If you combine this with import verification I'd say you are pretty well off.

Yes, I'm talking about Shamir's Secret Sharing. I have developed a full interface around it and will be releasing it along with the RAM-reduced version of Armory.

Jan

legendary

Activity: 1043

Merit: 1002

Quote from: etotheipi on September 17, 2013, 12:37:30 PM

I just want to reiterate my position on this -- I have outlined in the past why I don't want to support directly-encrypted backups. Not everyone agrees with the reasoning, but I'm sticking to it because the ability to recover your wallet is higher priority than having the extra physical security.

+1

Quote from: etotheipi on September 17, 2013, 12:37:30 PM

Instead, this is being addressed with the fragmented backups. It is a perfect mix of redundancy and security, and can be used very similarly to an encrypted backup without the same risks. Fragmented backups have already been merged into my development branch, and will be part of the next release along with the the RAM reduction.

Can you elaborate what you mean by fragmented backups?
Do you mean Shamir's secret sharing scheme, encryption with a computer generated passphrase, or something else entirely?

For the Mycelium wallet I am leaning towards private key export using BIP38 with a computer generated passphrase which is only displayed on screen (and written on paper by hand). The encrypted backup turned into a JPG image containing the encrypted bits are base58 encoded as text and a QR-code. The JPG is shared by whatever means your phone supports. If you combine this with import verification I'd say you are pretty well off.

etotheipi

legendary

Activity: 1428

Merit: 1093

Core Armory Developer

I just want to reiterate my position on this -- I have outlined in the past why I don't want to support directly-encrypted backups. Not everyone agrees with the reasoning, but I'm sticking to it because the ability to recover your wallet is higher priority than having the extra physical security.

Instead, this is being addressed with the fragmented backups. It is a perfect mix of redundancy and security, and can be used very similarly to an encrypted backup without the same risks. Fragmented backups have already been merged into my development branch, and will be part of the next release along with the the RAM reduction.

cp1

hero member

Activity: 616

Merit: 500

Stop using branwallets

As Rahl said, you can use gpg to encrypt it to an ascii phrase that you can print out:

gpg -ac armory_backup_phrase.txt

adamas

legendary

Activity: 1017

Merit: 1003

VIS ET LIBERTAS

I saved my priv keys on a pendrive, put it in a waterproof box and buried it here: http://www.geocaching.com/geocache/GC242VT_this-is-it
After hiding the box, I disabled this (geo)cache.

dserrano5

legendary

Activity: 1974

Merit: 1030

Quote from: rahl on September 17, 2013, 02:13:10 AM

use a really complicated pass-phrase you also have to write down

Quote from: Jan on September 17, 2013, 02:55:15 AM

Brainwallets are generally a bad idea because the passphrases that normal people can remember are not strong enough to withstand a brute-force attack. If the passphrase is complex enough you have to write it down, and you might as well have written down the private key in the first place.

Yeah but rahl was already talking about writing down stuff. I guess we have a hybrid paper/brain wallet, in which you write down a really long and/or complex piece of text unable to be reliably memorized and impossible to brute force.

rahl

full member

Activity: 140

Merit: 100

How much space does plausible deniability add?
Like if you have one key that decrypts it to a naughty sex letter and another to the bitcoin key...

Jan

legendary

Activity: 1043

Merit: 1002

Quote from: dserrano5 on September 17, 2013, 02:43:54 AM

Quote from: rahl on September 17, 2013, 02:13:10 AM

Copy paste the paper into PGP/GPG. Encrypt. Print it and the private key ... use a really complicated pass-phrase you also have to write down to be able to remember or it will be too easy to use the copy of your private key? Store in 3 places .... ehh

But if you're going to use a complicated passphrase anyway, why go through the GPG step? Just use a complicated passphrase (or a whole paragraph) as a brain wallet and store the funds in the related address.

Because brainwallets can be brute-forced just by looking at the blockchain (observe an address with funds + use a huge dictionary to find a passphrase that generates a key which matches the address). This has happened multiple times. If you want to brute force an encrypted paper backup you first have to get access to the paper.

Brainwallets are generally a bad idea because the passphrases that normal people can remember are not strong enough to withstand a brute-force attack. If the passphrase is complex enough you have to write it down, and you might as well have written down the private key in the first place.

dserrano5

legendary

Activity: 1974

Merit: 1030

Quote from: rahl on September 17, 2013, 02:13:10 AM

Copy paste the paper into PGP/GPG. Encrypt. Print it and the private key ... use a really complicated pass-phrase you also have to write down to be able to remember or it will be too easy to use the copy of your private key? Store in 3 places .... ehh

But if you're going to use a complicated passphrase anyway, why go through the GPG step? Just use a complicated passphrase (or a whole paragraph) as a brain wallet and store the funds in the related address.

rahl

full member

Activity: 140

Merit: 100

Copy paste the paper into PGP/GPG. Encrypt. Print it and the private key ... use a really complicated pass-phrase you also have to write down to be able to remember or it will be too easy to use the copy of your private key? Store in 3 places .... ehh

Doesn't it really come down to security by obscurity no matter how you do if you want to keep it all analogue?

LogicalUnit

sr. member

Activity: 299

Merit: 250

Why not just print the paper wallet to PDF and encrypt it with TrueCrypt?

Jan

legendary

Activity: 1043

Merit: 1002

Quote from: etotheipi on June 27, 2013, 02:09:37 PM

Quote from: Jan on June 27, 2013, 05:02:30 AM

Sorry for reviving this thread...

Quote from: ErebusBat on February 07, 2013, 08:22:00 AM

You could also display a code/sentence on the screen rather than having the user select one. This more or less forces them to record it somewhere (and as you said, most people would record it on the paper). If you did this then you would probably want to have the user re-enter for accuracy.

I am not fond of brain wallets for many reasons (users are notoriously bad at choosing strong passwords, they are easily forgotten, you can attempt a brute force once the address hits the network, etc...)

However, I like ErebusBat's idea of letting software pick a strong password to be displayed in addition to print out an encrypted secret on paper:
- The password wil be strong
- The user has no choice but to write it down, but can choose to write it down on a separate sheet.
- Unlike brain wallets, it is not feasible to brute force until you have the secret stored on paper

I would however still let the user choose to store the secret in plain on paper, and have this as an alternative option.

Oh you mean like this?

(it was part of a demo at the Bitcoin conference in May, and will be part of one of the next two major Armory upgrades)

Yes

I was at the Mycelium booth just on the other side of the aisle all three days of the conference and didn't get a chance to see it. I guess that's my own fault.
Here it how it is currently done with the Mycelium Bitcoin Wallet (in beta): http://www.youtube.com/watch?v=W7V2myIwAuE
Since it is on a smartphone I prefer to use QR-codes. I'll probably add the option to request a device generated password. Do you have a spec for how the armory wallet backup is generated?

etotheipi

legendary

Activity: 1428

Merit: 1093

Core Armory Developer

Quote from: Jan on June 27, 2013, 05:02:30 AM

Sorry for reviving this thread...

Quote from: ErebusBat on February 07, 2013, 08:22:00 AM

You could also display a code/sentence on the screen rather than having the user select one. This more or less forces them to record it somewhere (and as you said, most people would record it on the paper). If you did this then you would probably want to have the user re-enter for accuracy.

I am not fond of brain wallets for many reasons (users are notoriously bad at choosing strong passwords, they are easily forgotten, you can attempt a brute force once the address hits the network, etc...)

However, I like ErebusBat's idea of letting software pick a strong password to be displayed in addition to print out an encrypted secret on paper:
- The password wil be strong
- The user has no choice but to write it down, but can choose to write it down on a separate sheet.
- Unlike brain wallets, it is not feasible to brute force until you have the secret stored on paper

I would however still let the user choose to store the secret in plain on paper, and have this as an alternative option.

Oh you mean like this?

(it was part of a demo at the Bitcoin conference in May, and will be part of one of the next two major Armory upgrades)

Jan

legendary

Activity: 1043

Merit: 1002

Sorry for reviving this thread...

Quote from: ErebusBat on February 07, 2013, 08:22:00 AM

You could also display a code/sentence on the screen rather than having the user select one. This more or less forces them to record it somewhere (and as you said, most people would record it on the paper). If you did this then you would probably want to have the user re-enter for accuracy.

I am not fond of brain wallets for many reasons (users are notoriously bad at choosing strong passwords, they are easily forgotten, you can attempt a brute force once the address hits the network, etc...)

However, I like ErebusBat's idea of letting software pick a strong password to be displayed in addition to print out an encrypted secret on paper:
- The password wil be strong
- The user has no choice but to write it down, but can choose to write it down on a separate sheet.
- Unlike brain wallets, it is not feasible to brute force until you have the secret stored on paper

I would however still let the user choose to store the secret in plain on paper, and have this as an alternative option.

Topic: Encrypted Paper Backups (Read 3797 times)