encrypting seed phrase with a password - page 2.

Forsyth Jones

hero member

Activity: 1120

Merit: 540

Duelbits - Play for Free | Win for Real

Quote from: alexeyneu on June 16, 2024, 01:55:34 PM

truecrypt is better. reputation approved by news like "fbi cracked truecrypt smth". Authors even made a request to waybackmachine to exclude their site from where binaries can be found.

But isn't veracrypt a fork of truecrypt and truecrypt discontinued?

I was unable to use truecrypt on Windows, I made a post about it on my local board.

alexeyneu

member

Activity: 351

Merit: 37

truecrypt is better. reputation approved by news like "fbi cracked truecrypt smth". Authors even made a request to waybackmachine to exclude their site from where binaries can be found.

Saint-loup

legendary

Activity: 2604

Merit: 2353

You must be sure to be able to find and use the same software with the same version, even in several years when you will need to decipher your seed phrase otherwise you won't be able to access it. That's why it's better to use a very standardized algorithm to encrypt your seed phrase. And to try several different softwares using it to decipher your secret, to be sure there is no bug into the encryption program.

satscraper

hero member

Activity: 714

Merit: 1298

Quote from: Cricktor on June 07, 2024, 07:28:34 AM

Quote from: satscraper on June 06, 2024, 02:09:55 AM

You can also think about Kingston IronKey Vault Privacy flash USB to store your encrypted SEED phrase. It has the build-in AES 256 encryption for all custom data, ...

It didn't take long to find this Wired article where Unciphered's team found a way to be able to infinitely brute-force the Ironkey's encryption passphrase bypassing the data erase after 10 wrong entries.

Yeah, I know about Unciphered's team endeavor, that story was overgrown with moss, but if you read it carefully you would noticed that they had a physical access to the " giblets" of the old model of IronKey. Modern Ironkey products, such as IronKey Keypad 200 Series USB flash is complaint to FIPS 140-3 Level 3 security which means any physical access to its "entrails" is impossible. So, you always have the option to advance yourself to more sophisticated IronKey product if necessary.

Cricktor

hero member

Activity: 714

Merit: 1010

Crypto Swap Exchange

Quote from: satscraper on June 06, 2024, 02:09:55 AM

You can also think about Kingston IronKey Vault Privacy flash USB to store your encrypted SEED phrase. It has the build-in AES 256 encryption for all custom data, ...

It didn't take long to find this Wired article where Unciphered's team found a way to be able to infinitely brute-force the Ironkey's encryption passphrase bypassing the data erase after 10 wrong entries. So, don't think an Ironkey is a no-matter-what secure vault.
(Not much detail there and I didn't try to dig up other IronKey hacking sources. Don't rely on every marketing BS from companies like Kingston who picture an unbreakable product. Hacker's are very creative...)

Who knows what's possible to break into such devices when you have the skills and tech to perform sophisticated fault injection attacks. It's all a matter of how much value is at stake and skilled hacking teams with enough and proper ressources.

And devices with built-in keypad can even be worse if not implemented properly. I've seen and read about some funny failures in the past (sorry, no sources for those as I'm only marginally interested in such devices and it's been a while that I've seen articles about it which caught my security interests).

satscraper

hero member

Activity: 714

Merit: 1298

Quote from: Forsyth Jones on June 06, 2024, 02:05:10 PM

Quote from: satscraper on June 06, 2024, 02:09:55 AM

Quote from: acme89 on June 05, 2024, 02:14:58 PM

OK thanks. I'll look more into GPG and OpenSSL AES.

You can also think about Kingston IronKey Vault Privacy flash USB to store your encrypted SEED phrase. It has the build-in AES 256 encryption for all custom data, thus ,by using it, you will have at least two layers of protection for your SEED. One of them is provided by IronKey while the other - by scheme of encryption chosen by you.

It seems very attractive, as an alternative, I can have a common pen drive and use veracrypt on it or other well-known and equally secure encryption tools.

Sure a common pen drive plus veracrypt software is a cost effective solution but advantage of IronKey is in the build-in protection against both BadUSB and bruteforce attacks. Besides it's waterproofed (up to 1.2 m) and I suspect that the quality of the memory cells used in IronKey is much better than in common pen drives as Kingston includes 5 years long warranty for their product.

Forsyth Jones

hero member

Activity: 1120

Merit: 540

Duelbits - Play for Free | Win for Real

Quote from: satscraper on June 06, 2024, 02:09:55 AM

Quote from: acme89 on June 05, 2024, 02:14:58 PM

OK thanks. I'll look more into GPG and OpenSSL AES.

You can also think about Kingston IronKey Vault Privacy flash USB to store your encrypted SEED phrase. It has the build-in AES 256 encryption for all custom data, thus ,by using it, you will have at least two layers of protection for your SEED. One of them is provided by IronKey while the other - by scheme of encryption chosen by you.

It seems very attractive, as an alternative, I can have a common pen drive and use veracrypt on it or other well-known and equally secure encryption tools.

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

You should always add a salt to the data and then hash it before you encrypt the data in order to avoid Rainbow Table attacks which are very fast.

OWASP says Argon2id is the strongest available hash available. Failing that, you can use scrypt, or PBKDF2 with 600,000 iterations.

It doesn't really matter whether you are trying to encrypt a seed phrase or an entire wallet, the rule still applies for security purposes.

Quote from: Charles-Tim on June 04, 2024, 05:53:45 PM

I do not know about that tool but I do not need it as long as I am dealing with bitcoin. Passphrase is enough for me to extend the wallet which is also like wallet encryption.

Another is the wallet file encryption. These two are enough for me because the more I make the security complicated, the closer I am getting closer to lose the coins.

Yeah, generally you do not need to encrypt the seed phrase itself, just the wallet file, and then if you want you can extend the seed phrase with a passphrase.

satscraper

hero member

Activity: 714

Merit: 1298

Quote from: acme89 on June 05, 2024, 02:14:58 PM

OK thanks. I'll look more into GPG and OpenSSL AES.

You can also think about Kingston IronKey Vault Privacy flash USB to store your encrypted SEED phrase. It has the build-in AES 256 encryption for all custom data, thus ,by using it, you will have at least two layers of protection for your SEED. One of them is provided by IronKey while the other - by scheme of encryption chosen by you.

acme89

newbie

Activity: 17

Merit: 1

Quote from: Forsyth Jones on June 05, 2024, 10:18:49 AM

After I started using the BIP39 passphrase extension, I no longer see the use of using encryption tools such as AES, GPG, but you can use it responsibly, regarding this tool on github, I'd be careful, as in addition to not being very well known, who guarantees that it will be available to you in the future? Remember that the backup process is long term.

If you insist on encrypting your seed, better learn to use GPG, you can encrypt symmetrically (just a password). Another alternative is OPENSSL AES 256 CBC which is available natively on Linux.

Maybe it's worth taking a look at seed-otp where another seed (decoy) is generated, this decoy seed is literally your encrypted seed.

The sparrow wallet allows you to export encrypted backups, I covered this in my topic.

OK thanks. I'll look more into GPG and OpenSSL AES.

acme89

newbie

Activity: 17

Merit: 1

Quote from: ABCbits on June 05, 2024, 06:12:37 AM

Quote from: acme89 on June 04, 2024, 05:41:10 PM

I've found one tool on github (the link is below) for encrypting and decrypting text with password, but I am curious how secure that method of encrypting is, and are there any stronger algorithms for encrypting and decrypting text with a password?

https://github.com/blws/text-encrypt

I did quick check and it seems they use SHA-256 and AES, which is generally considered secure.

Code:

author https://github.com/blws/text-encrypt/blob/master/index.html#L2419-L2421
//encrypt text
//hashing password / key with SHA256
//encrypting - AES
function enc(){
  var pass = document.getElementById("pass").value;
  var passHash = CryptoJS.SHA256(pass).toString();
  var dtext = document.getElementById("dtext").value
;//.replace(/(?:\r\n|\r|\n)/g, '');
  document.getElementById("etext").value =
    CryptoJS.AES.encrypt(dtext, passHash).toString();
}

But i don't know whether they use CryptoJS library securely and whether CryptoJS implement both SHA-256 and AES securely. If you insist to encrypt your seed phrase, you better use more popular and open-source encryption software which is more likely to be secure.

Thanks for the reply. By the way, I've found this site, but it doesn't work offline. I've saved the whole web page on my hard drive, but when I try to use it offline nothing happens.
https://www.gillmeister-software.com/online-tools/text/encrypt-decrypt-text.aspx

I'll try to find more tools for offline encryption.

Forsyth Jones

hero member

Activity: 1120

Merit: 540

Duelbits - Play for Free | Win for Real

After I started using the BIP39 passphrase extension, I no longer see the use of using encryption tools such as AES, GPG, but you can use it responsibly, regarding this tool on github, I'd be careful, as in addition to not being very well known, who guarantees that it will be available to you in the future? Remember that the backup process is long term.

If you insist on encrypting your seed, better learn to use GPG, you can encrypt symmetrically (just a password). Another alternative is OPENSSL AES 256 CBC which is available natively on Linux.

Maybe it's worth taking a look at seed-otp where another seed (decoy) is generated, this decoy seed is literally your encrypted seed.

The sparrow wallet allows you to export encrypted backups, I covered this in my topic.

satscraper

hero member

Activity: 714

Merit: 1298

Quote from: Cricktor on June 05, 2024, 07:34:23 AM

don't forget that flash storage has a limited retention time if not used regularly; retention time varies with quality, temperature and used flash cell technology)

Commonly retention time is around 10 years, thus it would be fine for him to rewrite data on his flash storage at least once per year. Not too much work, i think. I'm using flash media (both pen drives and SD cards) to keep my SEED phrase , though the guarding scheme I use is more sophisticated than that one proposed by OP, but approach in fact is the same - data encryption on the digital media .

Cricktor

hero member

Activity: 714

Merit: 1010

Crypto Swap Exchange

As others have stated it your protection scheme looks like overcomplicating things. You create also multiple failure points. What if your USB stick fails after some time (at least use multiple ones and don't forget that flash storage has a limited retention time if not used regularly; retention time varies with quality, temperature and used flash cell technology)?

As you use partially uncommon software, what if those disappear? Do you backup every used piece of software in your scheme?

You need to properly backup all your used passwords and document all steps of your encryption scheme or you will inevitably sooner or later forget something essential and then you're screwed. Passwords backup should be offline and analog so that malware can't reach it.

Why not use analog offline backups for your mnemonic recovery words alone? Do you need a protection layer from theft of your offline backups?

ABCbits

legendary

Activity: 2870

Merit: 7490

Crypto Swap Exchange

Quote from: acme89 on June 04, 2024, 05:41:10 PM

I've found one tool on github (the link is below) for encrypting and decrypting text with password, but I am curious how secure that method of encrypting is, and are there any stronger algorithms for encrypting and decrypting text with a password?

https://github.com/blws/text-encrypt

I did quick check and it seems they use SHA-256 and AES, which is generally considered secure.

Code:

author https://github.com/blws/text-encrypt/blob/master/index.html#L2419-L2421
//encrypt text
//hashing password / key with SHA256
//encrypting - AES
function enc(){
  var pass = document.getElementById("pass").value;
  var passHash = CryptoJS.SHA256(pass).toString();
  var dtext = document.getElementById("dtext").value
;//.replace(/(?:\r\n|\r|\n)/g, '');
  document.getElementById("etext").value =
    CryptoJS.AES.encrypt(dtext, passHash).toString();
}

But i don't know whether they use CryptoJS library securely and whether CryptoJS implement both SHA-256 and AES securely. If you insist to encrypt your seed phrase, you better use more popular and open-source encryption software which is more likely to be secure.

promise444c5

full member

Activity: 364

Merit: 218

Keep Promises !

I don't know why you're giving yourself the stress of multi encryption which you can't store any where apart from a cloud (HOT) or a USB stick (cold) u prefer the cold storage but you have forgotten the it could get corrupted and with multi encryption there's high probability of loosing your wallet just keep your keys safe and cold no one is coming after it so far it safe with and it remains in a cold format ...
You're the first bridge to your wallet, you determine how you keep it safe but don't make it complicated for yourself

Z-tight

hero member

Activity: 854

Merit: 1031

Only BTC

Quote from: acme89 on June 04, 2024, 06:17:33 PM

One problem is that Metamask and some other wallets do not support passphrases (i.e. seed phrases with 13 or 25 words), so I am considering seed encryption as a solution for such wallets.

You can start by telling us the coins you hold, have you checked if wallets like Unstoppable supports the coins that you hold, if they do, then you can switch to the wallet and extend your seed phrase with a passphrase, instead of trying a tool or software that you aren't sure if it is recommended. Unstoppable wallet is also open source and it is a recommended wallet, but mainly for altcoins.

Charles-Tim

legendary

Activity: 1512

Merit: 4795

Leading Crypto Sports Betting & Casino Platform

Quote from: acme89 on June 04, 2024, 06:17:33 PM

One problem is that Metamask and some other wallets do not support passphrases (i.e. seed phrases with 13 or 25 words), so I am considering seed encryption as a solution for such wallets.

Wallet like Unstoppable supports passphrase but it is not supporting some mainnet coins. It is a good wallet to use for the coins and tokens it is supporting. But it has some synching issues in the past which I guess they have been solved, especially bitcoin synching issue.

As for other wallets that do not have passphrase, I do not know much about that.

BitMaxz

legendary

Activity: 3360

Merit: 3094

BTC price road to $80k

I agree with the above posts having multiple encryptions will make you confuse in the future when you are trying to recover your wallet that's not a good idea and another thing is you just randomly using an encryption tool from GitHub that we do not know if it would still be available in the future or not.

The added passphrase for BIP39 should be enough since in case you mess up or if you forgot a few characters in your passphrase there are some tools that can recover missing or wrong characters.
And for me, you don't need them since you already generated it from an offline device just make sure that you never connect that device or the USB drive into an online device.
Unless you want to do it because you don't want someone, family, friends or anyone living in the same house to see your backup wallet.
If I'm right and you think encrypting your text backup is the solution you know that can protect against them then I suggest try PGP encryption that is way more secure than choosing a random software from github.

acme89

newbie

Activity: 17

Merit: 1

Quote from: Stalker22 on June 04, 2024, 05:54:04 PM

Quote from: acme89 on June 04, 2024, 05:41:10 PM

I have an idea how to protect my seed phrases.

Wasnt the BIP39 passphrase invented for this very reason? Look, multiple layers of encryption sound good in theory, but you are just adding complexity and failure points. If you forget a password, mess up the encryption, or lose a USB stick, you are screwed. BIP39 phrases are strong enough on their own if you write them down on paper, split them up securely, and keep them safe. This feels like overthinking it and inviting trouble.

Besides, I cant think of a single advantage why it would be better to store a seed phrase on an electronic device like a USB stick rather than written on a physical medium like paper or a steel plate.

One problem is that Metamask and some other wallets do not support passphrases (i.e. seed phrases with 13 or 25 words), so I am considering seed encryption as a solution for such wallets.

Topic: encrypting seed phrase with a password - page 2. (Read 586 times)