Topic: Hardware wallets vs paper wallets (Read 380 times)

legendary
Activity: 1736
Merit: 4269
January 18, 2023, 09:48:37 AM
#49
https://twitter.com/0xCygaar/status/1614742237690171394
"A big misconception I've seen is people believe that hardware wallets keep coins/NFTs in cold storage and offline.
This is not true.
Hardware wallets keep KEYS in cold storage, not the assets. These devices are "secure" because the keys aren't revealed anywhere else."

https://twitter.com/0xCygaar/status/1614742239074455552
"The reason your assets are considered safe in hardware wallets is because even if your computer is hacked, the private keys needed to transfer your assets are never exposed. The keys only live on the devices themselves, they're never seen by your computer."

https://twitter.com/0xCygaar/status/1614742240143998977
"However, if you take the seed phrase from a hardware wallet and import it to your computer, you've effectively rendered your hardware wallet useless because there are now multiple places where your private keys are stored.
Your cold wallet has now become a hot wallet."

https://twitter.com/0xCygaar/status/1614742241226162176
"To be safe, NEVER take the seed phrase (which is used to generate your private keys) from your cold wallet and upload it anywhere else.

Remember, a cold wallet is only cold if the keys to that wallet are stored only on a physical device not connected to the internet."

jr. member
Activity: 56
Merit: 31
January 15, 2023, 02:17:06 PM
#48
Thank you all. I have acquired a lot of knowledge discussing with you here. I had underestimated the power of airgapped devices.

I hadn't realised that they could store the keys and only be used to sign transactions.

Furthermore, I have learnt how to use watch-only wallets. Now I can watch my hardware wallet's balance and transactions without risking exposing the private keys.

Finally, I have realised that what I have tried to implement is good for learning and educating myself, but in fact, it is not useful. There are too many options out there and after all, being secure requires proper education, which I have been lucky enough to obtain thanks to you all.

Brilliant people in this forum!
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
January 15, 2023, 09:48:41 AM
#47
This is a very good but complicated way. If you really just want to give 10 USD worth of bitcoin to a friend, you can also create one with this website: https://www.bitaddress.org
The thing is, when you make one shortcut, it might lead you to make a second or a third one in the future. That way you are only making your setup less and less secure.

Some time ago, I asked why everyone is recommending using Linux distros on airgapped systems when your computer won't go online anyway. It was maybe o_e_l_e_o who explained it. There are far more attack vectors and backdoors on Windows than on Linux. Windows is a closed-source OS with a wider market share than Linux. More people who can be attacked and more incentive to come up with different ways to break its defenses.

If you start making shortcuts and say I am just going to use Windows, the next thing that might happen is you deciding not to remove the WiFi or network cards to make it easier for yourself. While you're at it, you might want to save yourself some time and not format your OS and install a clean version on it. After all, you are not going to connect it to the internet. One day you could decide to connect your "airgapped" computer to the internet just for a little bit because you need to check something, and it's quicker than turning on your other computer.

To avoid all that, you should respect all the recommendations or not do it at all and go for the next best thing - a hardware wallet.
legendary
Activity: 2268
Merit: 18503
January 15, 2023, 07:29:34 AM
#46
This is a very good but complicated way. If you really just want to give 10 USD worth of bitcoin to a friend, you can also create one with this website: https://www.bitaddress.org The website should be used in an offline mode and the computer should be a fresh install that was never connected to the internet.
Which is a far riskier way of doing things.

The complicated part of generating a paper wallet is setting up an airgapped computer with a clean install of a reputable open source Linux distro. Once you've done that, you still need to download, verify, and transfer to this computer the software you are going to use. This is the same for either Bitcoin Core or bitaddress. Then the only difference after that is whether you load a piece of software or whether you load an HTML file. It really is not that much more complicated to use Bitcoin Core than it is to use bitaddress.

Further, given the huge number of people who have lost coins from websites generating insecure paper wallets (even when offline), and that bitaddress uses JavaScript, which is a very poor choice when it comes to generating entropy, I would strongly suggest not using any website to generate a paper wallet.
hero member
Activity: 938
Merit: 642
Magic
January 15, 2023, 06:52:19 AM
#45

So, speaking of paper wallets, how did you generate them? The whole point of this thread and the fact that I tried to develop something is that I didn't trust bitaddress for example.
If you want a classical single key paper wallet, then I would simply use Core on an airgapped computer to generate a private key and then copy the private key and address to a piece of paper to be printed with a dumb printer. I prefer to use seed phrases to generate HD wallets, though, rather than individual key pairs. For this I would either use Electrum, or generate the seed phrase manually by flipping a coin. Write that seed phrase down, and then use Electrum to derive the relevant addresses from that seed phrase to either also be written down/printed off, or transferred over to an online machine via QR code. Once you have the seed phrase written down and some addresses to send coins to (and double checked everything!), you can wipe all traces from your airgapped computer.

This is a very good but complicated way. If you really just want to give 10 USD worth of bitcoin to a friend, you can also create one with this website: https://www.bitaddress.org The website should be used in an offline mode and the computer should be a fresh install that was never connected to the internet.
legendary
Activity: 2268
Merit: 18503
January 15, 2023, 04:52:41 AM
#44
So I am guessing that Electrum provides you with something like a QR code and you use your device to read it and sign it. Like the SeedSigner device, which I absolutely love. Correct?
Correct. You would create what is called a watch only wallet on your online computer, which contains only your addresses but no private keys. This wallet can be used to watch your addresses, balances, transactions, etc., but cannot be used to actually sign any transaction or send any coins, since it contains no private keys. You use this watch only wallet to create an unsigned transaction, and then either display that unsigned transaction as a QR code on the screen, or export it to a text file. Then with your airgapped computer with your cold Electrum wallet, you either scan this QR code or transfer over the text file using a USB drive or similar, and use your cold wallet to sign the unsigned transaction. Then reverse the process to move the signed transaction back to your online computer and broadcast it to the network.

So, speaking of paper wallets, how did you generate them? The whole point of this thread and the fact that I tried to develop something is that I didn't trust bitaddress for example.
If you want a classical single key paper wallet, then I would simply use Core on an airgapped computer to generate a private key and then copy the private key and address to a piece of paper to be printed with a dumb printer. I prefer to use seed phrases to generate HD wallets, though, rather than individual key pairs. For this I would either use Electrum, or generate the seed phrase manually by flipping a coin. Write that seed phrase down, and then use Electrum to derive the relevant addresses from that seed phrase to either also be written down/printed off, or transferred over to an online machine via QR code. Once you have the seed phrase written down and some addresses to send coins to (and double checked everything!), you can wipe all traces from your airgapped computer.
jr. member
Activity: 56
Merit: 31
January 14, 2023, 01:48:38 PM
#43
Yes, my confusion was that I thought those wallets could be used only as hot wallets. I knew they are software wallets but it never occurred to me that I could use them "offline"
That's OK. When Electrum is used in an offline/airgapped environment, you don't have to fear that your private keys will leak. Assuming, of course, the computer you use is clean and malware free. The device should also be formatted and never connected to the internet again after a clean install of the OS. Most people recommend using Linux, but this is your choice. It's also recommended to remove ethernet and wireless cards from the motherboard so no one can try any tricks. Full drive encryption is another noteworthy step.

After that is done, you use the offline machine only for constructing and signing your transactions. The broadcasting takes place on a different online computer. The signed and unbroadcasted transaction can be transferred for signing using a USB drive or via QR codes.

So I am guessing that Electrum provides you with something like a QR code and you use your device to read it and sign it. Like the SeedSigner device, which I absolutely love. Correct?

Yes, exactly that. I have a small amount of "daily spending" bitcoin which I carry on a mobile wallet. Insecure, but very convenient, and only ever an amount I can easily afford to lose. The vast majority of my coins are in a variety of more secure wallets, including hardware wallets, airgapped cold storage, paper wallets, and some multi-sig wallets involving a combination of these things. All my wallets are synced from my own node to minimize any privacy leaks.

So, speaking of paper wallets, how did you generate them? The whole point of this thread and the fact that I tried to develop something is that I didn't trust bitaddress for example.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
January 14, 2023, 01:11:23 PM
#42
Yes, my confusion was that I thought those wallets could be used only as hot wallets. I knew they are software wallets but it never occurred to me that I could use them "offline"
That's OK. When Electrum is used in an offline/airgapped environment, you don't have to fear that your private keys will leak. Assuming, of course, the computer you use is clean and malware free. The device should also be formatted and never connected to the internet again after a clean install of the OS. Most people recommend using Linux, but this is your choice. It's also recommended to remove ethernet and wireless cards from the motherboard so no one can try any tricks. Full drive encryption is another noteworthy step.

After that is done, you use the offline machine only for constructing and signing your transactions. The broadcasting takes place on a different online computer. The signed and unbroadcasted transaction can be transferred for signing using a USB drive or via QR codes.
jr. member
Activity: 56
Merit: 31
January 14, 2023, 11:54:25 AM
#41
1. Bitcoin core and electrum are in fact host storage wallets, so it is kind of strange that people refer to them as the best wallets.
What do you mean by "host storage" wallets? With both Core and Electrum, you generate your own private keys and you are the only one who can access them. This is generally referred to as "self custody" or "non-custodial", to differentiate from web wallets or exchanges where a third party holds your private keys for you.

Both Core and Electrum can be used as a simple hot wallet on an online device, which is the least secure way to use them. Similarly, both can also be used as a cold wallet on a permanently airgapped device, which is a much more secure way to use them. And if you are using them on an airgapped machine, you can also use them to generate key pairs or seed phrases that you then print out or write down to create paper wallets.

2. I know that this is private, so feel free not to answer it, but when it comes to you, where do you store the keys to your coins? Do you have a combination of hot storage and cold storage?
Yes, exactly that. I have a small amount of "daily spending" bitcoin which I carry on a mobile wallet. Insecure, but very convenient, and only ever an amount I can easily afford to lose. The vast majority of my coins are in a variety of more secure wallets, including hardware wallets, airgapped cold storage, paper wallets, and some multi-sig wallets involving a combination of these things. All my wallets are synced from my own node to minimize any privacy leaks.

I meant hot wallets. OK, so I totally understood how you can use them. In fact I used to own a Trezor wallet which I think also connects to Electrum.

1. Bitcoin core and electrum are in fact host storage wallets, so it is kind of strange that people refer to them as the best wallets.
Are you trying to say hot wallets or maybe software wallets? They are, yes. However, Electrum can be both a hot and cold wallet, meaning you can use it on an internet-connected computer or a permanently airgapped device. Bitcoin Core is a full-node client, which needs an internet connection to update and sync the newest blocks. Electrum, being a light client that doesn't require downloading the whole blockchain to work, is easy to take offline. I think it's still doable with Bitcoin Core, and I could swear I saw an old guide for it in the past. But it's not user-friendly having a full client that is offline.

Yes, my confusion was that I thought those wallets could be used only as hot wallets. I knew they are software wallets but it never occurred to me that I could use them "offline"
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
January 14, 2023, 10:36:48 AM
#40
1. Bitcoin core and electrum are in fact host storage wallets, so it is kind of strange that people refer to them as the best wallets.
Are you trying to say hot wallets or maybe software wallets? They are, yes. However, Electrum can be both a hot and cold wallet, meaning you can use it on an internet-connected computer or a permanently airgapped device. Bitcoin Core is a full-node client, which needs an internet connection to update and sync the newest blocks. Electrum, being a light client that doesn't require downloading the whole blockchain to work, is easy to take offline. I think it's still doable with Bitcoin Core, and I could swear I saw an old guide for it in the past. But it's not user-friendly having a full client that is offline.
legendary
Activity: 2268
Merit: 18503
January 14, 2023, 10:32:22 AM
#39
1. Bitcoin core and electrum are in fact host storage wallets, so it is kind of strange that people refer to them as the best wallets.
What do you mean by "host storage" wallets? With both Core and Electrum, you generate your own private keys and you are the only one who can access them. This is generally referred to as "self custody" or "non-custodial", to differentiate from web wallets or exchanges where a third party holds your private keys for you.

Both Core and Electrum can be used as a simple hot wallet on an online device, which is the least secure way to use them. Similarly, both can also be used as a cold wallet on a permanently airgapped device, which is a much more secure way to use them. And if you are using them on an airgapped machine, you can also use them to generate key pairs or seed phrases that you then print out or write down to create paper wallets.

2. I know that this is private, so feel free not to answer it, but when it comes to you, where do you store the keys to your coins? Do you have a combination of hot storage and cold storage?
Yes, exactly that. I have a small amount of "daily spending" bitcoin which I carry on a mobile wallet. Insecure, but very convenient, and only ever an amount I can easily afford to lose. The vast majority of my coins are in a variety of more secure wallets, including hardware wallets, airgapped cold storage, paper wallets, and some multi-sig wallets involving a combination of these things. All my wallets are synced from my own node to minimize any privacy leaks.
jr. member
Activity: 56
Merit: 31
January 14, 2023, 10:17:03 AM
#38
However, what do professional wallets do to create entropy? If they don't use SecureRandom, what do they do?
Depends on the wallet. But there are plenty of wallets in the past which have generated insecure entropy and users have ended up losing coins, and plenty of people who have tried to come up with their own solutions and ended up losing coins. By far the safest thing to do is to stick to some tried and tested, open source, and verified software, such as Bitcoin Core or Electrum.

Most good wallets will be based on entropy directly from the OS and the computer's hardware. Bitcoin Core, as an example, draws entropy from /dev/urandom (which is from the OS, or the equivalent on non-Linux systems), RDSEED/RDRAND (which is from the processor), and a whole host of data from the computer itself, such as current resource usage, timestamps, kernel parameters, network data, version data, etc. All of this is then combined through a variety of techniques such as XORs and hashes, so if one source of entropy is weak or compromised then your final result should still be secure.

You can read more in the code here:
https://github.com/bitcoin/bitcoin/blob/master/src/random.h
https://github.com/bitcoin/bitcoin/blob/master/src/random.cpp

That's great. Two questions though:

1. Bitcoin core and electrum are in fact host storage wallets, so it is kind of strange that people refer to them as the best wallets.

2. I know that this is private, so feel free not to answer it, but when it comes to you, where do you store the keys to your coins? Do you have a combination of hot storage and cold storage? Personally I use blue wallet, cold card and I am trying to create one on my own but as you said the majority of people who have tried in the past have lost money this way
legendary
Activity: 2268
Merit: 18503
January 14, 2023, 09:41:25 AM
#37
However, what do professional wallets do to create entropy? If they don't use SecureRandom, what do they do?
Depends on the wallet. But there are plenty of wallets in the past which have generated insecure entropy and users have ended up losing coins, and plenty of people who have tried to come up with their own solutions and ended up losing coins. By far the safest thing to do is to stick to some tried and tested, open source, and verified software, such as Bitcoin Core or Electrum.

Most good wallets will be based on entropy directly from the OS and the computer's hardware. Bitcoin Core, as an example, draws entropy from /dev/urandom (which is from the OS, or the equivalent on non-Linux systems), RDSEED/RDRAND (which is from the processor), and a whole host of data from the computer itself, such as current resource usage, timestamps, kernel parameters, network data, version data, etc. All of this is then combined through a variety of techniques such as XORs and hashes, so if one source of entropy is weak or compromised then your final result should still be secure.

You can read more in the code here:
https://github.com/bitcoin/bitcoin/blob/master/src/random.h
https://github.com/bitcoin/bitcoin/blob/master/src/random.cpp
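An added illustration of the entropy-mixing idea described in the post above (example code written for this page, not Bitcoin Core's own random.cpp): several sources of unequal quality are hashed together with length prefixes, so a weak or even attacker-controlled source cannot cancel out a good one. The source labels, the SHA-512 construction and the function names are this example's own assumptions; Bitcoin Core's hardware inputs (RDRAND/RDSEED) and its wider set of environment data are not emulated here.

```python
import hashlib
import os
import time

# Added example, not Bitcoin Core's code. Illustrates the principle from the
# post above: hash several independent sources together so that the result is
# at least as unpredictable as the best of them.


def os_entropy(n=32):
    """Kernel CSPRNG: /dev/urandom on Linux, the platform equivalent elsewhere."""
    return os.urandom(n)


def environment_entropy():
    """Low-quality, hard-to-predict data (timestamps, pid, process times).
    Never sufficient alone; only ever an extra input to the mix."""
    parts = [
        time.time_ns().to_bytes(8, "big"),
        time.perf_counter_ns().to_bytes(8, "big"),
        os.getpid().to_bytes(4, "big"),
        repr(os.times()).encode(),
    ]
    return b"".join(parts)


def mix(sources):
    """Hash a list of (label, bytes) sources into a 256-bit secret.

    Every label and payload is length-prefixed, so two different source lists
    can never feed the hash the same byte stream (e.g. [b"ab", b"c"] versus
    [b"a", b"bc"]). If any one input is unpredictable, the output is too, even
    when the other inputs are constant or chosen by an attacker.
    """
    h = hashlib.sha512()
    for label, data in sources:
        h.update(len(label).to_bytes(2, "big") + label)
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()[:32]  # 256 bits: the size of a secp256k1 private key


def generate_seed(extra=b""):
    """Combine OS, environment and optional caller-supplied entropy.

    `extra` is where a wallet would feed user-provided randomness such as
    coin flips; it strengthens but never replaces the OS source.
    """
    sources = [
        (b"os", os_entropy()),
        (b"env", environment_entropy()),
        (b"extra", extra),
    ]
    return mix(sources)
```

The weak source in the first assertion below is a constant; the output still changes with the good source, which is the property the post describes.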
jr. member
Activity: 56
Merit: 31
January 14, 2023, 09:29:40 AM
#36
There is a great thread created about two years ago by webtricks that you might find interesting > [Full Guide+Code]Seed Phrase & The Process of Deriving Bitcoin Addresses from It.
It tells you about generating entropy with coin flips, how to create the checksum, how to derive the recovery phrase from the number sequences, etc. I am sure you will find it interesting.

Thanks! Of course it is interesting. In fact, the whole entropy generation idea is fascinating. I keep realising that nothing is truly random
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
January 14, 2023, 09:25:38 AM
#35
There is a great thread created about two years ago by webtricks that you might find interesting > [Full Guide+Code]Seed Phrase & The Process of Deriving Bitcoin Addresses from It.
It tells you about generating entropy with coin flips, how to create the checksum, how to derive the recovery phrase from the number sequences, etc. I am sure you will find it interesting.
jr. member
Activity: 56
Merit: 31
January 14, 2023, 08:45:25 AM
#34
I thought that in a brainwallet you need to remember a phrase. The reason why I get the user to input a random sequence of characters is to simply imitate the mouse-movement entropy. I just tell the user to randomly press anything they want on the keyboard and of course, not to remember it.
You are asking a human to enter a sequence of characters on the keyboard. Even though you are asking them to enter something random, many won't. They'll use a name, a date, a reused password, a song lyric, something like that. Your own example even uses your username. Further, humans are not capable of being truly random. Even when you think you are being random, you aren't. Human chosen "entropy" is never random, and as such, is weak. There is a reason that no good piece of software uses human chosen strings to seed a wallet.

Alright, that's obviously wrong on my side. I could ask them to flip a coin and enter the result. However, what do professional wallets do to create entropy? If they don't use SecureRandom, what do they do?
legendary
Activity: 2268
Merit: 18503
January 14, 2023, 08:38:30 AM
#33
I thought that in a brainwallet you need to remember a phrase. The reason why I get the user to input a random sequence of characters is to simply imitate the mouse-movement entropy. I just tell the user to randomly press anything they want on the keyboard and of course, not to remember it.
You are asking a human to enter a sequence of characters on the keyboard. Even though you are asking them to enter something random, many won't. They'll use a name, a date, a reused password, a song lyric, something like that. Your own example even uses your username. Further, humans are not capable of being truly random. Even when you think you are being random, you aren't. Human chosen "entropy" is never random, and as such, is weak. There is a reason that no good piece of software uses human chosen strings to seed a wallet.

jr. member
Activity: 56
Merit: 31
January 14, 2023, 08:29:13 AM
#32
Essentially, what I want to say is that I believe that running your own paper-wallet generator offline is the best method in terms of privacy and security.

What do you think ?
I think that 99.99% of people who try to design their own paper wallet generator will end up with something insecure. Your method combines a brain wallet, which are very insecure, with SecureRandom, which has also suffered from critical vulnerabilities resulting in people having their coins stolen - https://www.theregister.com/2013/08/12/android_bug_batters_bitcoin_wallets/.

A far safer option to generate raw private keys would be to use Bitcoin Core. If you don't want to use a piece of software, then flip a coin 256 times.

I thought that in a brainwallet you need to remember a phrase. The reason why I get the user to input a random sequence of characters is to simply imitate the mouse-movement entropy. I just tell the user to randomly press anything they want on the keyboard and of course, not to remember it.

Actually a private key is nothing more than a 256-bit random sequence (e.g. 010110...1001)

The words that you refer to derive from this 256-bit number, if you add 8 bits more (checksum).

Therefore, it is quite simple to get the words, like you mention above.
You are confusing separate concepts here. A seed phrase does not encode an individual private key. A seed phrase is used to generate a near unlimited number of private keys in a deterministic manner, meaning backing up the seed phrase backs up all the private keys that it generates.

Yes, my English may not be very good, but I understand what you say and that's what I wanted to say actually.
legendary
Activity: 2268
Merit: 18503
January 14, 2023, 07:37:11 AM
#31
Well exactly --but I think it is far different from the hardware wallets, correct me if I am wrong but hardware wallets have a security feature that can protect themselves against malware infection or an OS that is already infected with malware.
You certainly want that to be the case, but the reality is that almost no one can independently verify that is the case, and there could well be other attacks we simply don't know about yet which are still able to bypass any protections in place.

Essentially, what I want to say is that I believe that running your own paper-wallet generator offline is the best method in terms of privacy and security.

What do you think ?
I think that 99.99% of people who try to design their own paper wallet generator will end up with something insecure. Your method combines a brain wallet, which are very insecure, with SecureRandom, which has also suffered from critical vulnerabilities resulting in people having their coins stolen - https://www.theregister.com/2013/08/12/android_bug_batters_bitcoin_wallets/.

A far safer option to generate raw private keys would be to use Bitcoin Core. If you don't want to use a piece of software, then flip a coin 256 times.

Actually a private key is nothing more than a 256-bit random sequence (e.g. 010110...1001)

The words that you refer to derive from this 256-bit number, if you add 8 bits more (checksum).

Therefore, it is quite simple to get the words, like you mention above.
You are confusing separate concepts here. A seed phrase does not encode an individual private key. A seed phrase is used to generate a near unlimited number of private keys in a deterministic manner, meaning backing up the seed phrase backs up all the private keys that it generates.
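An added example, not code from Electrum, Core or any hardware wallet, illustrating two points raised in this thread: the airgapped signing flow (the watch-only wallet online holds only the public key, the offline signer holds the private key, and only an unsigned transaction and a signature cross the gap), and why a broken random number generator such as the 2013 Android SecureRandom bug linked above is fatal: if two signatures are made with the same nonce k, anyone holding both can solve for the private key. It is a toy secp256k1 ECDSA in plain Python (affine arithmetic, not constant-time, never for real funds). The "unsigned transaction" is just a byte string, the private key used in testing is a constructed value, and the class and function names are this example's own.

```python
import hashlib
import hmac

# Added example, not code from any wallet. Toy secp256k1 ECDSA: enough to show
# the airgapped signing flow and nonce-reuse key recovery. Not for real funds.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                  # a + (-a)
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P       # doubling
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add; k * G for the private key gives the public key."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def msg_hash(msg):
    return int.from_bytes(hashlib.sha256(hashlib.sha256(msg).digest()).digest(), "big")


def sign(priv, msg, nonce=None):
    """ECDSA with a deterministic nonce (HMAC of key and hash, a simplified
    stand-in for RFC 6979). `nonce` can be forced only to demonstrate reuse."""
    z = msg_hash(msg)
    if nonce is None:
        mac = hmac.new(priv.to_bytes(32, "big"), z.to_bytes(32, "big"), hashlib.sha256)
        nonce = int.from_bytes(mac.digest(), "big") % N or 1
    r = scalar_mult(nonce, G)[0] % N
    s = pow(nonce, -1, N) * (z + r * priv) % N
    return (r, N - s if s > N // 2 else s)             # low-s, as Bitcoin requires


def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    z = msg_hash(msg)
    pt = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    return pt is not None and pt[0] % N == r


class OfflineSigner:
    """Airgapped side: the private key exists here and nowhere else."""
    def __init__(self, priv):
        self._priv = priv

    def public_key(self):
        return scalar_mult(self._priv, G)

    def sign_unsigned(self, unsigned):                 # arrives by QR code or USB
        return dict(unsigned, sig=sign(self._priv, unsigned["tx"]))


class WatchOnlyWallet:
    """Online side: public key only, so it can build and verify but never sign."""
    def __init__(self, pub):
        self.pub = pub

    def build_unsigned(self, tx_bytes):
        return {"tx": tx_bytes}

    def ready_to_broadcast(self, signed):
        # Verify before broadcasting: a tampered USB stick or QR relay must not
        # be able to slip a different transaction through.
        return verify(self.pub, signed["tx"], signed["sig"])


def airgapped_round_trip(priv, tx_bytes, tamper=False):
    offline = OfflineSigner(priv)
    online = WatchOnlyWallet(offline.public_key())
    signed = offline.sign_unsigned(online.build_unsigned(tx_bytes))
    if tamper:
        signed["tx"] = tx_bytes + b"-extra-output"      # modified in transit
    return online.ready_to_broadcast(signed)


def recover_from_nonce_reuse(pub, msg1, sig1, msg2, sig2):
    """Two signatures sharing r (same k) leak k = (z1-z2)/(s1-s2), then d."""
    r, s1 = sig1
    _, s2 = sig2
    z1, z2 = msg_hash(msg1), msg_hash(msg2)
    for s2c in (s2, N - s2):                           # low-s may have flipped one s
        if s1 == s2c:
            continue
        k = (z1 - z2) * pow((s1 - s2c) % N, -1, N) % N
        d = (s1 * k - z1) * pow(r, -1, N) % N
        if scalar_mult(d, G) == pub:
            return d
    return None
```

With a sound nonce the watch-only side can verify but cannot sign, and a transaction altered on the USB stick fails verification before broadcast. Force the same nonce into two signatures, as a faulty RNG would, and `recover_from_nonce_reuse` returns the private key from nothing but the two public signatures.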
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
January 12, 2023, 10:14:36 AM
#30
Actually a private key is nothing more than a 256-bit random sequence (e.g. 010110...1001)

The words that you refer to derive from this 256-bit number, if you add 8 bits more (checksum).
The seed is a representation of that number sequence in human readable and understandable form. It's much easier for us to look at and understand individual words and their meanings compared to a long sequence of (to us) illogical characters. That's why it's recommended to make physical backups of those seed words instead of the long number sequences where a mistake can happen.
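A worked version of the arithmetic in the two posts above, added here as an example (not code from the webtricks guide or any wallet): 256 coin flips become 32 bytes of entropy, SHA-256 of that entropy supplies the 8 checksum bits, and the 264 bits are cut into 24 groups of 11, each an index into the 2048-word BIP39 list (128 flips give 12 words with a 4-bit checksum the same way). The word list is not embedded, so the functions return word indices; the reverse function shows the checksum validation a wallet performs on import, which is what catches a mis-copied word. Function names are this example's own.

```python
import hashlib

# Added example, not from the webtricks thread or any wallet. BIP39 encoding of
# raw entropy into word indices, and checksum validation in the other direction.

VALID_BITS = (128, 160, 192, 224, 256)   # 12, 15, 18, 21, 24 words


def flips_to_entropy(flips):
    """Coin flips written as H/T (or 1/0), whitespace ignored -> entropy bytes."""
    mapping = {"H": "1", "T": "0", "1": "1", "0": "0"}
    bits = ""
    for c in "".join(flips.split()).upper():
        if c not in mapping:
            raise ValueError("unexpected symbol %r in flip record" % c)
        bits += mapping[c]
    if len(bits) not in VALID_BITS:
        raise ValueError("need one of %s flips, got %d" % (VALID_BITS, len(bits)))
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def checksum_bits(entropy):
    """First ENT/32 bits of SHA-256(entropy): 4 bits for 128, 8 bits for 256."""
    ent = len(entropy) * 8
    digest = int.from_bytes(hashlib.sha256(entropy).digest(), "big")
    return format(digest, "0256b")[: ent // 32]


def entropy_to_indices(entropy):
    """entropy || checksum, split into 11-bit groups -> list of word indices."""
    if len(entropy) * 8 not in VALID_BITS:
        raise ValueError("entropy must be %s bits" % (VALID_BITS,))
    bits = format(int.from_bytes(entropy, "big"), "0%db" % (len(entropy) * 8))
    bits += checksum_bits(entropy)
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def indices_to_entropy(indices):
    """Reverse direction, as a wallet does on import: recompute and check the
    checksum so a mis-copied word is rejected instead of silently accepted."""
    if len(indices) not in (12, 15, 18, 21, 24) or not all(0 <= i < 2048 for i in indices):
        raise ValueError("invalid word count or index")
    bits = "".join(format(i, "011b") for i in indices)
    cs = len(bits) // 33                              # 4, 5, 6, 7 or 8 checksum bits
    ent_bits, check = bits[:-cs], bits[-cs:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    if checksum_bits(entropy) != check:
        raise ValueError("checksum mismatch: a word was mis-copied")
    return entropy


def indices_valid(indices):
    try:
        indices_to_entropy(indices)
        return True
    except ValueError:
        return False
```

For all-zero 128-bit entropy the indices come out as eleven 0s and a 3, which is the BIP39 test vector "abandon" eleven times followed by "about"; all-zero 256-bit entropy ends in index 102, "art". Changing any single index breaks the checksum with probability 15/16 for 12 words and 255/256 for 24, which is why a seed phrase copied with one wrong word is usually rejected rather than quietly derived into empty addresses.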