
Topic: Hardware wallets vs paper wallets (Read 380 times)

legendary
Activity: 1736
Merit: 4269
January 18, 2023, 09:48:37 AM
#49
https://twitter.com/0xCygaar/status/1614742237690171394
"A big misconception I've seen is people believe that hardware wallets keep coins/NFTs in cold storage and offline.
This is not true.
Hardware wallets keep KEYS in cold storage, not the assets. These devices are "secure" because the keys aren't revealed anywhere else."

https://twitter.com/0xCygaar/status/1614742239074455552
"The reason your assets are considered safe in hardware wallets is because even if your computer is hacked, the private keys needed to transfer your assets are never exposed. The keys only live on the devices themselves, they're never seen by your computer."

https://twitter.com/0xCygaar/status/1614742240143998977
"However, if you take the seed phrase from a hardware wallet and import it to your computer, you've effectively rendered your hardware wallet useless because there are now multiple places where your private keys are stored.
Your cold wallet has now become a hot wallet."

https://twitter.com/0xCygaar/status/1614742241226162176
"To be safe, NEVER take the seed phrase (which is used to generate your private keys) from your cold wallet and upload it anywhere else.

Remember, a cold wallet is only cold if the keys to that wallet are stored only on a physical device not connected to the internet."

jr. member
Activity: 56
Merit: 31
January 15, 2023, 02:17:06 PM
#48
Thank you all. I have acquired a lot of knowledge discussing with you here. I had underestimated the power of airgapped devices.

I hadn't realised that they could store the keys and only be used to sign transactions.

Furthermore, I have learnt how to use watch-only wallets. Now I can watch my hardware wallet's balance and transactions without risking exposing the private keys.

Finally, I have realised that what I have tried to implement is good for learning and educating myself, but in fact, it is not useful. There are too many options out there and after all, being secure requires proper education, which I have been lucky enough to obtain thanks to you all.

Brilliant people in this forum!
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
January 15, 2023, 09:48:41 AM
#47
This is a very good but complicated way. If you really just want to give 10 USD worth of bitcoin to a friend, you can also create one with this website: https://www.bitaddress.org
The thing is, when you make one shortcut, it might lead you to make a second or a third one in the future. That way you are only making your setup less and less secure.

Some time ago, I asked why is everyone recommending using Linux distros on airgapped systems when your computer won't go online anyway? It was maybe o_e_l_e_o who explained it. There are far more attack vectors and backdoors on Windows than on Linux. Windows is a closed-source OS with a wider market share than Linux. More people that can be attacked and more incentive to come up with different ways to break its defenses.

If you start making shortcuts and say I am just going to use Windows, the next thing that might happen is you deciding not to remove the WIFI or network cards to make it easier for yourself. While you are at it, you might want to save yourself some time and not format your OS and install a clean version on it. After all, you are not going to connect it to the internet. One day you could decide to connect your "airgapped" computer to the internet just for a little bit because you need to check something, and it's quicker than turning on your other computer.

To avoid all that, you should respect all the recommendations or not do it at all and go for the next best thing - a hardware wallet.
legendary
Activity: 2268
Merit: 18503
January 15, 2023, 07:29:34 AM
#46
This is a very good but complicated way. If you really just want to give 10 USD worth of bitcoin to a friend, you can also create one with this website: https://www.bitaddress.org The website should be used in an offline mode and the computer should be a fresh install that was never connected to the internet.
Which is a far riskier way of doing things.

The complicated part of generating a paper wallet is setting up an airgapped computer with a clean install of a reputable open source Linux distro. Once you've done that, you still need to download, verify, and transfer to this computer the software you are going to use. This is the same for either Bitcoin Core or bitaddress. Then the only difference after that is whether you load a piece of software or whether you load an HTML file. It really is not that much more complicated to use Bitcoin Core than it is to use bitaddress.

Further, given the huge number of people who have lost coins from websites generating insecure paper wallets (even when offline), and that bitaddress uses JavaScript, which is a very poor choice when it comes to generating entropy, I would strongly suggest not using any website to generate a paper wallet.
hero member
Activity: 938
Merit: 642
Magic
January 15, 2023, 06:52:19 AM
#45

So, speaking of paper wallets, how did you generate them? The whole point of this thread and the fact that I tried to develop something is that I didn't trust bitaddress for example.
If you want a classical single key paper wallet, then I would simply use Core on an airgapped computer to generate a private key and then copy the private key and address to a piece of paper to be printed with a dumb printer. I prefer to use seed phrases to generate HD wallets, though, rather than individual key pairs. For this I would either use Electrum, or generate the seed phrase manually by flipping a coin. Write that seed phrase down, and then use Electrum to derive the relevant addresses from that seed phrase to either also be written down/printed off, or transferred over to an online machine via QR code. Once you have the seed phrase written down and some addresses to send coins to (and double checked everything!), you can wipe all traces from your airgapped computer.

This is a very good but complicated way. If you really just want to give 10 USD worth of bitcoin to a friend, you can also create one with this website: https://www.bitaddress.org The website should be used in an offline mode and the computer should be a fresh install that was never connected to the internet.
legendary
Activity: 2268
Merit: 18503
January 15, 2023, 04:52:41 AM
#44
So I am guessing that Electrum provides you with something like a QR code and you use your device to read it and sign it. Like the SeedSigner device, which I absolutely love. Correct?
Correct. You would create what is called a watch only wallet on your online computer, which contains only your addresses but no private keys. This wallet can be used to watch your addresses, balances, transactions, etc., but cannot be used to actually sign any transaction or send any coins, since it contains no private keys. You use this watch only wallet to create an unsigned transaction, and then either display that unsigned transaction as a QR code on the screen, or export it to a text file. Then with your airgapped computer with your cold Electrum wallet, you either scan this QR code or transfer over the text file using a USB drive or similar, and use your cold wallet to sign the unsigned transaction. Then reverse the process to move the signed transaction back to your online computer and broadcast it to the network.

So, speaking of paper wallets, how did you generate them? The whole point of this thread and the fact that I tried to develop something is that I didn't trust bitaddress for example.
If you want a classical single key paper wallet, then I would simply use Core on an airgapped computer to generate a private key and then copy the private key and address to a piece of paper to be printed with a dumb printer. I prefer to use seed phrases to generate HD wallets, though, rather than individual key pairs. For this I would either use Electrum, or generate the seed phrase manually by flipping a coin. Write that seed phrase down, and then use Electrum to derive the relevant addresses from that seed phrase to either also be written down/printed off, or transferred over to an online machine via QR code. Once you have the seed phrase written down and some addresses to send coins to (and double checked everything!), you can wipe all traces from your airgapped computer.
jr. member
Activity: 56
Merit: 31
January 14, 2023, 01:48:38 PM
#43
Yes, my confusion was that I thought those wallets could be used only as hot wallets. I knew they are software wallets but it never occurred to me that I could use them "offline"
That's OK. When Electrum is used in an offline/airgapped environment, you don't have to fear that your private keys will leak. Assuming, of course, the computer you use is clean and malware free. The device should also be formatted and not be connected to the internet after a clean install of the OS ever. Most people recommend using Linux, but this is your choice. It's also recommended to remove ethernet and wireless cards from the motherboard so no one can try any tricks. Full drive encryption is another noteworthy step.

After that is done, you use the offline machine only for constructing and signing your transactions. The broadcasting takes place on a different online computer. The signed and unbroadcasted transaction can be transferred for signing using a USB drive or via QR codes.       

So I am guessing that Electrum provides you with something like a QR code and you use your device to read it and sign it. Like the SeedSigner device, which I absolutely love. Correct?

Yes, exactly that. I have a small amount of "daily spending" bitcoin which I carry on a mobile wallet. Insecure, but very convenient, and only ever an amount I can easily afford to lose. The vast majority of my coins are in a variety of more secure wallets, including hardware wallets, airgapped cold storage, paper wallets, and some multi-sig wallets involving a combination of these things. All my wallets are synced from my own node to minimize any privacy leaks.

So, speaking of paper wallets, how did you generate them? The whole point of this thread and the fact that I tried to develop something is that I didn't trust bitaddress for example.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
January 14, 2023, 01:11:23 PM
#42
Yes, my confusion was that I thought those wallets could be used only as hot wallets. I knew they are software wallets but it never occurred to me that I could use them "offline"
That's OK. When Electrum is used in an offline/airgapped environment, you don't have to fear that your private keys will leak. Assuming, of course, the computer you use is clean and malware free. The device should also be formatted and not be connected to the internet after a clean install of the OS ever. Most people recommend using Linux, but this is your choice. It's also recommended to remove ethernet and wireless cards from the motherboard so no one can try any tricks. Full drive encryption is another noteworthy step.

After that is done, you use the offline machine only for constructing and signing your transactions. The broadcasting takes place on a different online computer. The signed and unbroadcasted transaction can be transferred for signing using a USB drive or via QR codes.       
jr. member
Activity: 56
Merit: 31
January 14, 2023, 11:54:25 AM
#41
1. Bitcoin core and electrum are in fact host storage wallets, so it is kind of strange that people refer to them as the best wallets.
What do you mean by "host storage" wallets? With both Core and Electrum, you generate your own private keys and you are the only one who can access them. This is generally referred to as "self custody" or "non-custodial", to differentiate from web wallets or exchanges where a third party holds your private keys for you.

Both Core and Electrum can be used as a simple hot wallet on an online device, which is the least secure way to use them. Similarly, both can also be used as a cold wallet on a permanently airgapped device, which is a much more secure way to use them. And if you are using them on an airgapped machine, you can also use them to generate key pairs or seed phrases that you then print out or write down to create paper wallets.

2. I know that this is private, so feel free not to answer it, but when it comes to you, where do you store the keys to your coins? Do you have a combination of hot storage and cold storage?
Yes, exactly that. I have a small amount of "daily spending" bitcoin which I carry on a mobile wallet. Insecure, but very convenient, and only ever an amount I can easily afford to lose. The vast majority of my coins are in a variety of more secure wallets, including hardware wallets, airgapped cold storage, paper wallets, and some multi-sig wallets involving a combination of these things. All my wallets are synced from my own node to minimize any privacy leaks.

I meant hot wallets. OK, so I totally understood how you can use them. In fact I used to own a Trezor wallet which I think also connects to Electrum.

1. Bitcoin core and electrum are in fact host storage wallets, so it is kind of strange that people refer to them as the best wallets.
Are you trying to say hot wallets or maybe software wallets? They are, yes. However, Electrum can be both a hot and cold wallet, meaning you can use it on an internet-connected computer or a permanently airgapped device. Bitcoin Core is a full-node client, which needs internet connection to update and sync the newest blocks. Electrum being a light client that doesn't require downloading the whole blockchain to work is easy to take offline. I think it's still doable with Bitcoin Core, and I could swear I saw an old guide for it in the past. But it's not user-friendly having a full client that is offline.   

Yes, my confusion was that I thought those wallets could be used only as hot wallets. I knew they are software wallets but it never occurred to me that I could use them "offline"
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
January 14, 2023, 10:36:48 AM
#40
1. Bitcoin core and electrum are in fact host storage wallets, so it is kind of strange that people refer to them as the best wallets.
Are you trying to say hot wallets or maybe software wallets? They are, yes. However, Electrum can be both a hot and cold wallet, meaning you can use it on an internet-connected computer or a permanently airgapped device. Bitcoin Core is a full-node client, which needs internet connection to update and sync the newest blocks. Electrum being a light client that doesn't require downloading the whole blockchain to work is easy to take offline. I think it's still doable with Bitcoin Core, and I could swear I saw an old guide for it in the past. But it's not user-friendly having a full client that is offline.   
legendary
Activity: 2268
Merit: 18503
January 14, 2023, 10:32:22 AM
#39
1. Bitcoin core and electrum are in fact host storage wallets, so it is kind of strange that people refer to them as the best wallets.
What do you mean by "host storage" wallets? With both Core and Electrum, you generate your own private keys and you are the only one who can access them. This is generally referred to as "self custody" or "non-custodial", to differentiate from web wallets or exchanges where a third party holds your private keys for you.

Both Core and Electrum can be used as a simple hot wallet on an online device, which is the least secure way to use them. Similarly, both can also be used as a cold wallet on a permanently airgapped device, which is a much more secure way to use them. And if you are using them on an airgapped machine, you can also use them to generate key pairs or seed phrases that you then print out or write down to create paper wallets.

2. I know that this is private, so feel free not to answer it, but when it comes to you, where do you store the keys to your coins? Do you have a combination of hot storage and cold storage?
Yes, exactly that. I have a small amount of "daily spending" bitcoin which I carry on a mobile wallet. Insecure, but very convenient, and only ever an amount I can easily afford to lose. The vast majority of my coins are in a variety of more secure wallets, including hardware wallets, airgapped cold storage, paper wallets, and some multi-sig wallets involving a combination of these things. All my wallets are synced from my own node to minimize any privacy leaks.
jr. member
Activity: 56
Merit: 31
January 14, 2023, 10:17:03 AM
#38
However, what do professional wallets do to create entropy ? If they don't use SecureRandom, what do they do ?
Depends on the wallet. But there are plenty of wallets in the past which have generated insecure entropy and users have ended up losing coins, and plenty of people who have tried to come up with their own solutions and ended up losing coins. By far the safest thing to do is to stick to some tried and tested, open source, and verified software, such as Bitcoin Core or Electrum.

Most good wallets will be based on entropy directly from the OS and the computer's hardware. Bitcoin Core, as an example, draws entropy from /dev/urandom (which is from the OS, or the equivalent on non-Linux systems), RDSEED/RDRAND (which is from the processor), and a whole host of data from the computer itself, such as current resource usage, timestamps, kernel parameters, network data, version data, etc. All of this is then combined through a variety of techniques such as XORs and hashes, so if one source of entropy is weak or compromised then your final result should still be secure.

You can read more in the code here:
https://github.com/bitcoin/bitcoin/blob/master/src/random.h
https://github.com/bitcoin/bitcoin/blob/master/src/random.cpp

That's great. Two questions though:

1. Bitcoin core and electrum are in fact host storage wallets, so it is kind of strange that people refer to them as the best wallets.

2. I know that this is private, so feel free not to answer it, but when it comes to you, where do you store the keys to your coins? Do you have a combination of hot storage and cold storage? Personally I use blue wallet, cold card and I am trying to create one on my own but as you said the majority of people who have tried in the past have lost money this way
legendary
Activity: 2268
Merit: 18503
January 14, 2023, 09:41:25 AM
#37
However, what do professional wallets do to create entropy ? If they don't use SecureRandom, what do they do ?
Depends on the wallet. But there are plenty of wallets in the past which have generated insecure entropy and users have ended up losing coins, and plenty of people who have tried to come up with their own solutions and ended up losing coins. By far the safest thing to do is to stick to some tried and tested, open source, and verified software, such as Bitcoin Core or Electrum.

Most good wallets will be based on entropy directly from the OS and the computer's hardware. Bitcoin Core, as an example, draws entropy from /dev/urandom (which is from the OS, or the equivalent on non-Linux systems), RDSEED/RDRAND (which is from the processor), and a whole host of data from the computer itself, such as current resource usage, timestamps, kernel parameters, network data, version data, etc. All of this is then combined through a variety of techniques such as XORs and hashes, so if one source of entropy is weak or compromised then your final result should still be secure.

You can read more in the code here:
https://github.com/bitcoin/bitcoin/blob/master/src/random.h
https://github.com/bitcoin/bitcoin/blob/master/src/random.cpp
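
The mixing idea described in the post above, as an added example (it is not code from the thread and not Bitcoin Core's implementation): several inputs are hashed together, so a weak input such as a human-typed string cannot remove the unpredictability contributed by the OS generator. The function names, the choice of SHA-512 and the domain tag are assumptions made for illustration.

```python
import hashlib
import os
import time


def mix_entropy(sources):
    """Hash several entropy inputs into one 32-byte seed.

    Each input is length-prefixed, so two different splits of the same
    bytes (b"ab", b"c" versus b"a", b"bc") never feed the hash the same
    stream and therefore never collapse to the same seed.
    """
    h = hashlib.sha512()
    h.update(b"example-entropy-mixer-v1")  # hypothetical domain-separation tag
    for chunk in sources:
        h.update(len(chunk).to_bytes(8, "big"))
        h.update(chunk)
    return h.digest()[:32]


def gather_sources(user_typed=""):
    """Collect inputs of very different quality.

    Only os.urandom() is relied on for security. The timers, the process
    id and the typed string are extra inputs: they cannot hurt because
    they are hashed together with the strong source, but on their own
    they would be guessable.
    """
    return [
        os.urandom(32),                             # OS CSPRNG
        time.perf_counter_ns().to_bytes(8, "big"),  # high-resolution timer
        time.time_ns().to_bytes(8, "big"),          # wall clock
        os.getpid().to_bytes(8, "big"),             # process id
        user_typed.encode("utf-8"),                 # human input, assumed weak
    ]


def new_seed(user_typed=""):
    """Return 32 bytes derived from all gathered sources."""
    return mix_entropy(gather_sources(user_typed))


if __name__ == "__main__":
    # Constructed demonstration: the typed string is identical both times,
    # yet the seeds differ because the OS generator contributes fresh bytes.
    print(new_seed("same keyboard mash").hex())
    print(new_seed("same keyboard mash").hex())
```

The reverse does not hold: if the typed string were the only input, the seed would be exactly as guessable as the string.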
jr. member
Activity: 56
Merit: 31
January 14, 2023, 09:29:40 AM
#36
There is a great thread created about two years ago by webtricks that you might find interesting > [Full Guide+Code]Seed Phrase & The Process of Deriving Bitcoin Addresses from It.
It tells you about generating entropy with coin flips, how to create the checksum, how to derive the recovery phrase from the number sequences, etc. I am sure you will find it interesting.

Thanks! Of course it is interesting. In fact, the whole entropy generation idea is fascinating. I keep realising that nothing is truly random
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
January 14, 2023, 09:25:38 AM
#35
There is a great thread created about two years ago by webtricks that you might find interesting > [Full Guide+Code]Seed Phrase & The Process of Deriving Bitcoin Addresses from It.
It tells you about generating entropy with coin flips, how to create the checksum, how to derive the recovery phrase from the number sequences, etc. I am sure you will find it interesting.
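
The coin-flip route discussed in this thread, as an added example (not code from the linked guide or from any poster): 256 recorded flips become 256 bits, which are either checked for use as a single raw private key or extended with the 8-bit SHA-256 checksum and split into 24 eleven-bit word indices, as BIP39 specifies. The 2048-word list is not embedded, so the output is the indices into it; the function names and sample flips are constructed for illustration.

```python
import hashlib

# Order of the secp256k1 group; a raw private key must lie in [1, N - 1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def flips_to_entropy(flips):
    """Turn exactly 256 recorded flips (H = 1, T = 0) into 32 bytes."""
    cleaned = "".join(flips.split()).upper()
    if len(cleaned) != 256:
        raise ValueError(f"need exactly 256 flips, got {len(cleaned)}")
    if set(cleaned) - {"H", "T"}:
        raise ValueError("flips must be recorded as H or T only")
    bits = cleaned.replace("H", "1").replace("T", "0")
    return int(bits, 2).to_bytes(32, "big")


def usable_as_private_key(entropy):
    """A single raw key is only valid inside the curve's range."""
    return 1 <= int.from_bytes(entropy, "big") < SECP256K1_N


def entropy_to_indices(entropy):
    """Append the BIP39 checksum and split into 11-bit word indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128 to 256 bits in steps of 32")
    cs_bits = ent_bits // 32  # 8 checksum bits for 256 bits of entropy
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(combined >> (11 * (n_words - 1 - i))) & 0x7FF
            for i in range(n_words)]


def indices_are_valid(indices):
    """Recompute the checksum to catch a mis-copied word."""
    if len(indices) not in (12, 15, 18, 21, 24):
        return False
    if any(not 0 <= i < 2048 for i in indices):
        return False
    combined = 0
    for i in indices:
        combined = (combined << 11) | i
    cs_bits = len(indices) * 11 // 33
    ent_bytes = (len(indices) * 11 - cs_bits) // 8
    entropy = (combined >> cs_bits).to_bytes(ent_bytes, "big")
    return entropy_to_indices(entropy) == list(indices)


if __name__ == "__main__":
    # Constructed sample input, not real flips: never reuse it for funds.
    sample = "HT" * 128
    entropy = flips_to_entropy(sample)
    print("valid as raw key:", usable_as_private_key(entropy))
    print("word indices:", entropy_to_indices(entropy))
```

The last index carries the whole checksum, which is why the final word of a 24-word phrase cannot be picked freely by hand.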
jr. member
Activity: 56
Merit: 31
January 14, 2023, 08:45:25 AM
#34
I thought that in a brainwallet you need to remember a phrase. The reason why I get the user to input a random sequence of characters is to simply imitate the mouse-movement entropy. I just tell the user to randomly press anything they want on the keyboard and of course, not to remember it.
You are asking a human to enter a sequence of characters on the keyboard. Even although you are asking them to enter something random, many won't. They'll use a name, a date, a reused password, a song lyric, something like that. Your own example even uses your username. Further, humans are not capable of being truly random. Even when you think you are being random, you aren't. Human chosen "entropy" is never random, and as such, is weak. There is a reason that no good piece of software uses human chosen strings to seed a wallet.



Alright, that's obviously wrong on my side. I could ask them to flip a coin and enter the result. However, what do professional wallets do to create entropy? If they don't use SecureRandom, what do they do?
legendary
Activity: 2268
Merit: 18503
January 14, 2023, 08:38:30 AM
#33
I thought that in a brainwallet you need to remember a phrase. The reason why I get the user to input a random sequence of characters is to simply imitate the mouse-movement entropy. I just tell the user to randomly press anything they want on the keyboard and of course, not to remember it.
You are asking a human to enter a sequence of characters on the keyboard. Even although you are asking them to enter something random, many won't. They'll use a name, a date, a reused password, a song lyric, something like that. Your own example even uses your username. Further, humans are not capable of being truly random. Even when you think you are being random, you aren't. Human chosen "entropy" is never random, and as such, is weak. There is a reason that no good piece of software uses human chosen strings to seed a wallet.

jr. member
Activity: 56
Merit: 31
January 14, 2023, 08:29:13 AM
#32
Essentially, what I wanna say is that I believe that running your own paper-wallet generator offline is the best method in terms of privacy and security.

What do you think ?
I think that 99.99% of people who try to design their own paper wallet generator will end up with something insecure. Your method combines a brain wallet, which are very insecure, with SecureRandom, which has also suffered from critical vulnerabilities resulting in people having their coins stolen - https://www.theregister.com/2013/08/12/android_bug_batters_bitcoin_wallets/.

A far safer option to generate raw private keys would be to use Bitcoin Core. If you don't want to use a piece of software, then flip a coin 256 times.

I thought that in a brainwallet you need to remember a phrase. The reason why I get the user to input a random sequence of characters is to simply imitate the mouse-movement entropy. I just tell the user to randomly press anything they want on the keyboard and of course, not to remember it.


Actually a private key is nothing more than a 256bit random sequence (e.g. 010110...1001)

The words that you refer to, derive from this 256bit number, if you add 8 bits more (checksum).

Therefore, it is quite simple to get the words, like you mention above.
You are confusing separate concepts here. A seed phrase does not encode an individual private key. A seed phrase is used to generate a near unlimited number of private keys in a deterministic manner, meaning backing up the seed phrase backs up all the private keys that it generates.

Yes, my English may not be very good, but I understand what you say and that's what I wanted to say actually.
legendary
Activity: 2268
Merit: 18503
January 14, 2023, 07:37:11 AM
#31
Well exactly --but I think it is far different from the hardware wallets, correct me if I am wrong but hardware wallets have a security feature that can protect themselves against malware infection or an OS that is already infected with malware.
You certainly want that to be the case, but the reality is that almost no one can independently verify that is the case, and there could well be other attacks we simply don't know about yet which are still able to bypass any protections in place.

Essentially, what I wanna say is that I believe that running your own paper-wallet generator offline is the best method in terms of privacy and security.

What do you think ?
I think that 99.99% of people who try to design their own paper wallet generator will end up with something insecure. Your method combines a brain wallet, which are very insecure, with SecureRandom, which has also suffered from critical vulnerabilities resulting in people having their coins stolen - https://www.theregister.com/2013/08/12/android_bug_batters_bitcoin_wallets/.

A far safer option to generate raw private keys would be to use Bitcoin Core. If you don't want to use a piece of software, then flip a coin 256 times.

Actually a private key is nothing more than a 256bit random sequence (e.g. 010110...1001)

The words that you refer to, derive from this 256bit number, if you add 8 bits more (checksum).

Therefore, it is quite simple to get the words, like you mention above.
You are confusing separate concepts here. A seed phrase does not encode an individual private key. A seed phrase is used to generate a near unlimited number of private keys in a deterministic manner, meaning backing up the seed phrase backs up all the private keys that it generates.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
January 12, 2023, 10:14:36 AM
#30
Actually a private key is nothing more than a 256bit random sequence (e.g. 010110...1001)

The words that you refer to, derive from this 256bit number, if you add 8 bits more (checksum).
The seed is a representation of that number sequence in human readable and understandable form. It's much easier for us to look at and understand individual words and their meanings compared to a long sequence of (to us) illogical characters. That's why it's recommended to make physical backups of those seed words instead of the long number sequences where a mistake can happen.
hero member
Activity: 938
Merit: 642
Magic
January 12, 2023, 07:28:25 AM
#29


I haven't really thought about it. I mean if the computer is connected to the internet, or it uses a problematic OS, then there will be a problem no matter what type of wallet you choose to use.
Well exactly --but I think it is far different from the hardware wallets, correct me if I am wrong but hardware wallets have a security feature that can protect themselves against malware infection or an OS that is already infected with malware.
I will choose a hardware wallet over a paper wallet, but of course, it will always be in your hands how to protect it in a safe place.


Yes, this is the whole point of the hardware wallet! They will not be infected, especially if they are used with only a MicroSD card. Still, the paper wallet will get exposed, since it shows the private key in the PDF file it creates.
jr. member
Activity: 56
Merit: 31
January 12, 2023, 07:12:40 AM
#28
Hello, thanks for answering. How about this "app" that I have implemented: https://bitcointalksearch.org/topic/m.61539325
...
What do you think ?
Sorry, but I don't have the programming skills to comment on your project. I will check the responses of other members to see what they say. There are those who know these things. Maybe you talked about it in your thread, but I have to ask, why generate private keys if you can generate 12/24-word seeds? They are longer strings and difficult to write down. Therefore, the possibility to make a mistake is greater compared to a sequence of English words, for example.

Actually a private key is nothing more than a 256bit random sequence (e.g. 010110...1001)

The words that you refer to, derive from this 256bit number, if you add 8 bits more (checksum).

Therefore, it is quite simple to get the words, like you mention above.

However, I also generate a QR code, which is what I keep track of in a custom QR template. I took this idea from SeedSigner's QR template. It is basically empty and you fill it up with the information you see on the computer.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
January 12, 2023, 06:34:08 AM
#27
Hello, thanks for answering. How about this "app" that I have implemented: https://bitcointalksearch.org/topic/m.61539325
...
What do you think ?
Sorry, but I don't have the programming skills to comment on your project. I will check the responses of other members to see what they say. There are those who know these things. Maybe you talked about it in your thread, but I have to ask, why generate private keys if you can generate 12/24-word seeds? They are longer strings and difficult to write down. Therefore, the possibility to make a mistake is greater compared to a sequence of English words, for example.
jr. member
Activity: 56
Merit: 31
January 12, 2023, 06:08:45 AM
#26
Just a few things that spring to mind. There are other similarities and differences of course.

Hardware wallets:

- If you ship the device to your home, they know and store your address. If the data leaks, many more people will know who and where you are.
- You have to trust the developers and manufacturers that they won't mess up and intentionally/unintentionally introduce bugs and vulnerabilities in their native software and hardware. Unless you can go through each line of code yourself (99% of people can't/won't), you will have to trust that the community and security experts have done a good job with it.
- The device (unless airgapped properly) needs to be connected to a computer or phone through a USB cable/Bluetooth to be used. 
- Seeds, private keys, and PIN codes are stored on the device and protected by secure element chips (if available).
- Requires backups of seeds in physical form (highly recommended).
- Change goes to change addresses.
- The coins are spent from the same secure device.

Paper wallets:

- Use TOR or VPN to download the wallet generator to your local machine and no purchase data is stored anywhere.
- You are responsible for your own backups and there are no software or firmware upgrades that can affect you in any way. You are also not affected by NDA agreements or unfixable hardware vulnerabilities.
- No cables, no USBs, or Bluetooth connectivity ever.   
- No digital copies of seeds or private keys. But the same data is imprinted on the paper, making it easier for someone to take note of it.
- Is obviously a backup in physical form.   
- The change could end up in an address you don't have the private key for if you are using such a bad setup.
- The seed/private key has to be imported elsewhere before spending. You could put your coins at risk using a hot wallet for such purposes. Transactions could, however, be created and signed on airgapped systems.

Hello, thanks for answering. How about this "app" that I have implemented: https://bitcointalksearch.org/topic/m.61539325

What I want to achieve is:
1. run a custom-made program
2. run it on totally offline computer
3. take a note of the private key and write it down as a backup on a piece of paper (2-3 times)

This process allows me to avoid many of the cons you mentioned above.

Essentially, what I wanna say is that I believe that running your own paper-wallet generator offline is the best method in terms of privacy and security.

What do you think ?
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
January 12, 2023, 05:16:40 AM
#25
Just a few things that spring to mind. There are other similarities and differences of course.

Hardware wallets:

- If you ship the device to your home, they know and store your address. If the data leaks, many more people will know who and where you are.
- You have to trust the developers and manufacturers that they won't mess up and intentionally/unintentionally introduce bugs and vulnerabilities in their native software and hardware. Unless you can go through each line of code yourself (99% of people can't/won't), you will have to trust that the community and security experts have done a good job with it.
- The device (unless airgapped properly) needs to be connected to a computer or phone through a USB cable/Bluetooth to be used. 
- Seeds, private keys, and PIN codes are stored on the device and protected by secure element chips (if available).
- Requires backups of seeds in physical form (highly recommended).
- Change goes to change addresses.
- The coins are spent from the same secure device.

Paper wallets:

- Use TOR or VPN to download the wallet generator to your local machine and no purchase data is stored anywhere.
- You are responsible for your own backups and there are no software or firmware upgrades that can affect you in any way. You are also not affected by NDA agreements or unfixable hardware vulnerabilities.
- No cables, no USBs, or Bluetooth connectivity ever.   
- No digital copies of seeds or private keys. But the same data is imprinted on the paper, making it easier for someone to take note of it.
- Is obviously a backup in physical form.   
- The change could end up in an address you don't have the private key for if you are using such a bad setup.
- The seed/private key has to be imported elsewhere before spending. You could put your coins at risk using a hot wallet for such purposes. Transactions could, however, be created and signed on airgapped systems.
legendary
Activity: 2310
Merit: 4313
🔐BitcoinMessage.Tools🔑
January 12, 2023, 05:01:24 AM
#24
I haven't really thought about it. I mean if the computer is connected to the internet, or it uses a problematic OS, then there will be a problem no matter what type of wallet you choose to use.
Air-gapped hardware wallets that employ QR codes and cameras as a means to transfer data between devices are considered one of the most secure options of interacting with potentially malicious software. Naturally, this communication channel has its own drawbacks and attack vectors, one of which being a maliciously altered communication channel (hackers trying to exploit vulnerabilities in a hardware wallet by sending specific tampered data via QR-code-encoded messages). You can't keep hardware wallets fully isolated from the outside world (even the most secure and sophisticated ones) unless you never make transactions using them, which is ridiculous.
sr. member
Activity: 1918
Merit: 442
Eloncoin.org - Mars, here we come!
January 11, 2023, 11:51:04 PM
#23


I know what airgapped means, but I thought my coldcard already meets these criteria
Yes, a ColdCard is an airgapped hardware wallet.



The issue with the coldcard and paper wallets is that you need to save them on a Micro SD card and open them on a computer to be able to view them. This will always compromise the wallets if you don't use a special computer for it. Almost seems like they don't want you to use that feature.

I haven't really thought about it. I mean if the computer is connected to the internet, or it uses a problematic OS, then there will be a problem no matter what type of wallet you choose to use.
Well exactly --but I think it is far different from the hardware wallets, correct me if I am wrong but hardware wallets have a security feature that can protect themselves against malware infection or an OS that is already infected with malware.
I will take a hardware wallet over a paper wallet, but of course, it will always be in your hands how to protect it in a safe place.
jr. member
Activity: 56
Merit: 31
January 11, 2023, 04:36:50 PM
#22


I know what airgapped means, but I thought my coldcard already meets these criteria
Yes, a ColdCard is an airgapped hardware wallet.



The issue with the coldcard and paper wallets is that you need to save them on a Micro SD card and open them on a computer to be able to view them. This will always compromise the wallets if you don't use a special computer for it. Almost seems like they don't want you to use that feature.

I haven't really thought about it. I mean if the computer is connected to the internet, or it uses a problematic OS, then there will be a problem no matter what type of wallet you choose to use.
hero member
Activity: 938
Merit: 642
Magic
January 11, 2023, 04:06:26 PM
#21


I know what airgapped means, but I thought my coldcard already meets these criteria
Yes, a ColdCard is an airgapped hardware wallet.



The issue with the coldcard and paper wallets is that you need to save them on a Micro SD card and open them on a computer to be able to view them. This will always compromise the wallets if you don't use a special computer for it. Almost seems like they don't want you to use that feature.
jr. member
Activity: 56
Merit: 31
January 03, 2023, 03:50:28 PM
#20
Quote
Alternatively, you can use your airgapped device to generate paper wallets. For paper wallets, I much prefer using a seed phrase to generate an entire wallet rather than a single key pair for a variety of reasons. It means I can have multiple addresses rather than just one, which is better for privacy. I can create my paper wallet by writing down a seed phrase accurately by hand. Writing down a key pair is prone to errors, and printing a key pair adds additional risk in that the printer may be WiFi capable or have internal storage and so on. Importing a seed phrase also avoids the risk of importing a private key to some software which will send your change to an address you do not have saved anywhere and will therefore be lost. To spend from the paper wallet it should only ever be imported back on to your airgapped device and spent from in the same way I described above for a digital cold wallet.

Thanks to your guidance and info from previous posts, I have identified that my key-pair generator was based on a completely wrong implementation haha! Need to start it over...
legendary
Activity: 2268
Merit: 18503
January 03, 2023, 03:40:54 PM
#19
Could you elaborate more? I am interested in what you say. What devices are you referring to? Can you give me specific mentions?
You can use any old computer as an airgapped device to either run a digital cold wallet, or to securely generate paper wallets. An old desktop or laptop works well. I always suggest opening up the device in question and physically removing any connectivity hardware, such as ethernet cards, WiFi cards, Bluetooth chips, etc. That way you can be certain you will never accidentally connect to a network and risk your data or your coins. Once you've done that, you should format the device and install a good open source Linux distro of your choosing.

Once you have a permanently airgapped device, then you can install software such as Bitcoin Core or Electrum to generate and run an airgapped wallet. You would create a complementary watch only wallet which contains only your public keys or addresses on your internet connected computer in order to watch your addresses for incoming transactions and so on. You can then use this watch only wallet to create unsigned transactions, move the unsigned transaction to your airgapped device via either QR codes or a USB drive to be signed, and then move the signed transactions back again to be broadcast to the network.

Alternatively, you can use your airgapped device to generate paper wallets. For paper wallets, I much prefer using a seed phrase to generate an entire wallet rather than a single key pair for a variety of reasons. It means I can have multiple addresses rather than just one, which is better for privacy. I can create my paper wallet by writing down a seed phrase accurately by hand. Writing down a key pair is prone to errors, and printing a key pair adds additional risk in that the printer may be WiFi capable or have internal storage and so on. Importing a seed phrase also avoids the risk of importing a private key to some software which will send your change to an address you do not have saved anywhere and will therefore be lost. To spend from the paper wallet it should only ever be imported back on to your airgapped device and spent from in the same way I described above for a digital cold wallet.

I know what airgapped means, but I thought my coldcard already meets these criteria
Yes, a ColdCard is an airgapped hardware wallet.

As far as I have understood, paper wallets act mainly as deposit accounts, where the optimal usage is to accumulate BTC and make as few withdrawals as possible. Am I correct?
I would agree with this. Every time you have to go and get your paper wallet out of its secure storage location and import it in to a digital device in order to make a transaction from it, there are risks involved. The fewer times you do this, the less risk.
member
Activity: 124
Merit: 11
January 03, 2023, 11:44:19 AM
#18
I'm more fond of having a paper wallet for some reason (practicality, probably?). I still have my Ledger sitting unpacked, I thought that I was going to do it, but in the end, I gave up.
legendary
Activity: 2380
Merit: 5178
January 03, 2023, 11:39:08 AM
#17
But, my next project will be to create my own key pair generator and create my own paper wallet and keep it eternally, only depositing btc and never withdrawing
It may be better to generate a seed phrase and have an HD wallet instead of dealing with a single private key and a single address. In this way, you can have numerous addresses all generated from a seed phrase. Using the same address for all your transactions may not be good for your privacy.
jr. member
Activity: 56
Merit: 31
January 03, 2023, 10:48:26 AM
#16
As far as I have understood, paper wallets act mainly as deposit accounts, where the optimal usage is to accumulate BTC and make as few withdrawals as possible. Am I correct?
Paper wallets are more like login/password for your banking application; you can use them to access your deposit account, but they themselves don't provide you an option to withdraw funds. I mean, you still need a banking application with UI you can interact with to do manipulations with your balance. That's the main drawback of paper wallets: with them, you need to always rely on external (and probably insecure) software to sign and broadcast your transactions. Hardware wallets are way better in this sense because no matter what software you will choose, the private keys remain isolated on a device's secure element, whereas paper wallets hold private keys in the open. If in doubt, then paper wallets are definitely not for you. At least for now. Keep it simple and buy a reliable device created by people who are experts in security, but choose only one with an open-source codebase.

Well for now I have a coldcard and I am happy with it. But, my next project will be to create my own key pair generator and create my own paper wallet and keep it eternally, only depositing btc and never withdrawing
legendary
Activity: 2310
Merit: 4313
🔐BitcoinMessage.Tools🔑
January 03, 2023, 07:48:21 AM
#15
As far as I have understood, paper wallets act mainly as deposit accounts, where the optimal usage is to accumulate BTC and make as few withdrawals as possible. Am I correct?
Paper wallets are more like login/password for your banking application; you can use them to access your deposit account, but they themselves don't provide you an option to withdraw funds. I mean, you still need a banking application with UI you can interact with to do manipulations with your balance. That's the main drawback of paper wallets: with them, you need to always rely on external (and probably insecure) software to sign and broadcast your transactions. Hardware wallets are way better in this sense because no matter what software you will choose, the private keys remain isolated on a device's secure element, whereas paper wallets hold private keys in the open. If in doubt, then paper wallets are definitely not for you. At least for now. Keep it simple and buy a reliable device created by people who are experts in security, but choose only one with an open-source codebase.
legendary
Activity: 2380
Merit: 5178
January 03, 2023, 03:36:43 AM
#14
As far as I have understood, paper wallets act mainly as deposit accounts, where the optimal usage is to accumulate BTC and make as few withdrawals as possible. Am I correct?
What matters is how you generated your wallet and how you use it.
If you generate your paper wallet and use it in the correct way, you can send funds from your wallet whenever you want without any problem.
If you generate your paper wallet in the incorrect way, your funds may be stolen even if you have never sent any funds from it.
jr. member
Activity: 56
Merit: 31
January 02, 2023, 06:35:50 PM
#13
So, how can a hardware wallet be a better option than a paper wallet?
With hardware wallets you can generate multiple addresses, send coins quickly, make additional passphrases, create multisig setup, etc.
Paper wallets are still usable but they are used much less nowadays; there is nothing wrong if you use both of these options.

I know, that a simple piece of paper can be damaged or lost, but, apart from that, how can it be hacked ?
You obviously can't hack paper, but someone can find them, duplicate or take a picture of them and steal your coins.
Paper wallets have lately been used a lot in scamming people; there were many reported cases in Australia where scammers tricked people into thinking they had found free bitcoins.
This means that paper wallets have been used to make phishing attacks with success.

Alternatively, I could save the keys on 2-3 usb sticks and then protect the usb sticks, in order to avoid every point of paper failure (i.e ink stains, water etc). Isn't that extremely safe ? Am I missing something here ?
USB sticks are worse than paper, and I prefer keeping backups in physical form, not in digital.

As far as I have understood, paper wallets act mainly as deposit accounts, where the optimal usage is to accumulate BTC and make as few withdrawals as possible. Am I correct?
legendary
Activity: 2212
Merit: 7064
Cashback 15%
January 02, 2023, 03:10:11 PM
#12
So, how can a hardware wallet be a better option than a paper wallet?
With hardware wallets you can generate multiple addresses, send coins quickly, make additional passphrases, create multisig setup, etc.
Paper wallets are still usable but they are used much less nowadays; there is nothing wrong if you use both of these options.

I know, that a simple piece of paper can be damaged or lost, but, apart from that, how can it be hacked ?
You obviously can't hack paper, but someone can find them, duplicate or take a picture of them and steal your coins.
Paper wallets have lately been used a lot in scamming people; there were many reported cases in Australia where scammers tricked people into thinking they had found free bitcoins.
This means that paper wallets have been used to make phishing attacks with success.

Alternatively, I could save the keys on 2-3 usb sticks and then protect the usb sticks, in order to avoid every point of paper failure (i.e ink stains, water etc). Isn't that extremely safe ? Am I missing something here ?
USB sticks are worse than paper, and I prefer keeping backups in physical form, not in digital.
jr. member
Activity: 56
Merit: 31
January 02, 2023, 02:25:48 PM
#11
I use the program I have implemented on an offline computer. I produce a key pair. Then I produce a seed phrase that produces the private key for the public address and finally, I save the seed phrase in offline USB sticks?
That's not how seed phrases work. The process of using a seed phrase to generate key pairs is a one way process via various hash functions. You cannot start with a private key and derive a seed phrase which produces that private key, unless you are doing something very non-standard which I absolutely would not recommend.

I would say the main benefits of a hardware wallet over a paper wallet are that they are much easier to set up and configure for the average person, and they are also much easier to spend from in the future. Paper wallets are a poor choice for the majority of crypto users, as they do not have the ability to set them up in a safe and secure fashion without doing something wrong, relying on third party software, leaking information online, etc., and will also tend to import them in to a hot wallet when they want to spend from them. Paper wallets can be very safe, but only if you really know what you are doing with them. You should be using a permanently airgapped device (i.e. not just one which is temporarily offline) to create them, and they should only ever be imported back on to this permanently airgapped device to sign airgapped transactions when you want to spend from them. I would also suggest using verified and open source wallet software such as Bitcoin Core or Electrum to generate your entropy/key pairs/seed phrase.

This sounds like a great idea and thanks for the knowledge transfer. Could you elaborate more? I am interested in what you say. What devices are you referring to? Can you give me specific mentions? I know what airgapped means, but I thought my coldcard already meets these criteria
legendary
Activity: 2268
Merit: 18503
January 02, 2023, 02:11:14 PM
#10
I use the program I have implemented on an offline computer. I produce a key pair. Then I produce a seed phrase that produces the private key for the public address and finally, I save the seed phrase in offline USB sticks?
That's not how seed phrases work. The process of using a seed phrase to generate key pairs is a one way process via various hash functions. You cannot start with a private key and derive a seed phrase which produces that private key, unless you are doing something very non-standard which I absolutely would not recommend.

I would say the main benefits of a hardware wallet over a paper wallet are that they are much easier to set up and configure for the average person, and they are also much easier to spend from in the future. Paper wallets are a poor choice for the majority of crypto users, as they do not have the ability to set them up in a safe and secure fashion without doing something wrong, relying on third party software, leaking information online, etc., and will also tend to import them in to a hot wallet when they want to spend from them. Paper wallets can be very safe, but only if you really know what you are doing with them. You should be using a permanently airgapped device (i.e. not just one which is temporarily offline) to create them, and they should only ever be imported back on to this permanently airgapped device to sign airgapped transactions when you want to spend from them. I would also suggest using verified and open source wallet software such as Bitcoin Core or Electrum to generate your entropy/key pairs/seed phrase.
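
The one-way derivation described in the reply above, as an added example that is not code from any poster in this thread: a standard BIP39 seed phrase encodes random entropy plus a SHA-256 checksum, and keys are then derived forward through PBKDF2 and HMAC-SHA512 (BIP32), so nothing leads back from a private key to a phrase. The function names are my own, the 2048-word list is left out (words are shown as their 11-bit indices), and the sample phrase is the public all-zero BIP39 test vector, never to be used for funds.

```python
from __future__ import annotations

import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group; a valid private key lies in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Public BIP39 test vector (all-zero entropy). Known to everyone: demo only.
SAMPLE_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def entropy_to_indices(entropy: bytes) -> list[int]:
    """BIP39 encoding: entropy || checksum, cut into 11-bit word indices."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128 to 256 bits in 32-bit steps")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32  # 4 checksum bits for 12 words, 8 for 24
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(value >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def indices_checksum_ok(indices: list[int]) -> bool:
    """Re-derive the checksum from the entropy bits; catches most miscopied words."""
    if len(indices) not in (12, 15, 18, 21, 24):
        return False
    if any(not 0 <= i < 2048 for i in indices):
        return False
    n_bits = len(indices) * 11
    cs_bits = n_bits // 33
    value = 0
    for i in indices:
        value = (value << 11) | i
    entropy = (value >> cs_bits).to_bytes((n_bits - cs_bits) // 8, "big")
    return entropy_to_indices(entropy) == list(indices)


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase."""
    def norm(text: str) -> bytes:
        return unicodedata.normalize("NFKD", text).encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha512", norm(mnemonic), norm("mnemonic" + passphrase), 2048, 64
    )


def master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master private key and chain code from the 64-byte seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    if not 0 < int.from_bytes(key, "big") < SECP256K1_N:
        raise ValueError("invalid master key, use different entropy")
    return key, chain_code


if __name__ == "__main__":
    indices = entropy_to_indices(bytes(16))
    print("word indices:", indices)  # 'abandon' is index 0, 'about' is index 3
    print("checksum ok:", indices_checksum_ok(indices))

    # A transcription error in the last word breaks the checksum.
    miscopied = indices[:-1] + [indices[-1] + 1]
    print("miscopied ok:", indices_checksum_ok(miscopied))

    seed = mnemonic_to_seed(SAMPLE_MNEMONIC, "TREZOR")
    key, chain_code = master_key(seed)
    print("seed:", seed.hex())
    print("master key bytes:", len(key), "chain code bytes:", len(chain_code))
```

Every step after the entropy is a hash, which is why a raw key pair produced by a home-made generator cannot be converted into a standard phrase afterwards; the phrase has to come first.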
jr. member
Activity: 56
Merit: 31
January 02, 2023, 01:49:59 PM
#9
Thank you all for the answers.

How about that:

I use the program I have implemented on an offline computer. I produce a key pair. Then I produce a seed phrase that produces the private key for the public address and finally, I save the seed phrase in offline USB sticks?

How does it sound?
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
January 02, 2023, 01:00:25 PM
#8
Tbh you don’t even need to make it that complicated. (Writing down your priv keys)

Writing down your seed words is even more practical. You may even memorize them. It will come in handy in case you lose your paper wallet somehow. (Gets damaged etc)

Short term perhaps, but never ever rely on your memory for the seed. It's been discussed many times.

Paper wallets with a written down key were considered insecure since a while ago because of things like the ink being damaged/fading and it being transcribed wrong when trying to spend. If you're a software engineer is there a reason you can't take the bip39 wordlist and a private key and get a tool so that one can generate the other? I think it'd then be safe as each word could act as a sort of checksum (there's other - longer - wordlists available too based on best practices for passwords).

A lot of the security and usability of a hardware wallet comes down to how you're printing it and how you're storing it (things you might think would preserve it - such as laminating it - can actually do more harm than good).
What harm can lamination cause? Can you describe in more detail?

I believe that the purpose of hardware wallet and paper wallet is fundamentally different and therefore, it should not be compared. HW device is better for everyday use and allows to securely send / receive btc, while paper wallet is for long-term storage and the less often you open it, the better. Entering the private key from paper wallet every time to send a transaction is a dubious exercise.

Because the quality of lamination varies a lot along with the quality of paper. You could be sealing in some crap, or find out 10 years later that the lamination has turned yellow / brown and you can't read the words through it and can't un-laminate it without risking damaging the wallet.

A good 'indestructible' paper is probably better to print on: https://bitcointalksearch.org/topic/--5296179

As with everything YMMV some people like the seedplates others like other methods.

-Dave

 
legendary
Activity: 1792
Merit: 1296
keep walking, Johnnie
January 02, 2023, 12:19:04 PM
#7
Paper wallets with a written down key were considered insecure since a while ago because of things like the ink being damaged/fading and it being transcribed wrong when trying to spend. If you're a software engineer is there a reason you can't take the bip39 wordlist and a private key and get a tool so that one can generate the other? I think it'd then be safe as each word could act as a sort of checksum (there's other - longer - wordlists available too based on best practices for passwords).

A lot of the security and usability of a hardware wallet comes down to how you're printing it and how you're storing it (things you might think would preserve it - such as laminating it - can actually do more harm than good).
What harm can lamination cause? Can you describe in more detail?

I believe that the purpose of hardware wallet and paper wallet is fundamentally different and therefore, it should not be compared. HW device is better for everyday use and allows to securely send / receive btc, while paper wallet is for long-term storage and the less often you open it, the better. Entering the private key from paper wallet every time to send a transaction is a dubious exercise.
legendary
Activity: 3052
Merit: 2313
January 02, 2023, 11:28:18 AM
#6
Tbh you don’t even need to make it that complicated. (Writing down your priv keys)

Writing down your seed words is even more practical. You may even memorize them. It will come in handy in case you lose your paper wallet somehow. (Gets damaged etc)
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
January 02, 2023, 11:20:46 AM
#5
Paper wallets with a written down key were considered insecure since a while ago because of things like the ink being damaged/fading and it being transcribed wrong when trying to spend. If you're a software engineer is there a reason you can't take the bip39 wordlist and a private key and get a tool so that one can generate the other? I think it'd then be safe as each word could act as a sort of checksum (there's other - longer - wordlists available too based on best practices for passwords).

A lot of the security and usability of a hardware wallet comes down to how you're printing it and how you're storing it (things you might think would preserve it - such as laminating it - can actually do more harm than good).
jr. member
Activity: 56
Merit: 31
January 02, 2023, 11:13:14 AM
#4
Paper wallets are perfectly safe, if you make it yourself. If you use a third party like bitadress.com then yes, you might get hacked.

In the end a paper wallet is just a paper with your private keys written on. You can create your own on an offline PC and it will be safer than anything else.

Yes, thank you, that's why I implemented it myself. Otherwise, I would consider it the exact same thing as a hardware wallet. In fact a hardware wallet would win this comparison thanks to its convenience and feature-rich application.


On the other hand, when you set up a digital device, even though the keys don't "touch" the internet, don't you actually trust the manufacturer and the code that they provide? And, simultaneously, you must maintain a piece of paper (or metal plate) where the seed phrase is written, so, technically it's the same thing.
-snip-

Not necessarily, because some hardware wallets are fully open source[1].

Paper wallets are pretty safe until you decide to spend your funds. If you're someone who spends regularly, it's probably not the best option because each time you're scanning that private key QR code, you're taking a risk of exposing it.

[1] https://bitcointalksearch.org/topic/list-open-source-hardware-wallets-5288971

Thanks for the answer. I only use open source wallets, but I have the ability to do so because I am a software engineer. Well the only thing I want to do is to create a wallet for my children (not yet born haha). I plan to send BTC every month and never withdraw. Essentially that's what I do for myself too, using a hardware wallet. But I thought, why not try paper wallets for my kids? It still seems safer to me.
legendary
Activity: 3052
Merit: 2313
January 02, 2023, 11:08:42 AM
#3
Paper wallets are perfectly safe, if you make it yourself. If you use a third party like bitadress.com then yes, you might get hacked.

In the end a paper wallet is just a paper with your private keys written on. You can create your own on an offline PC and it will be safer than anything else.
staff
Activity: 3402
Merit: 6065
January 02, 2023, 11:05:41 AM
#2
-snip-
On the other hand, when you set up a digital device, even though the keys don't "touch" the internet, don't you actually trust the manufacturer and the code that they provide?
-snip-

Not necessarily, some hardware wallets are fully open-source [1].

Paper wallets are pretty safe until you decide to spend your funds. If you're someone who spends regularly, it's probably not the best option because each time you're scanning that private key QR code to send a transaction, you're taking a risk of exposing it.

[1] https://bitcointalksearch.org/topic/list-open-source-hardware-wallets-5288971
jr. member
Activity: 56
Merit: 31
January 02, 2023, 11:01:55 AM
#1
Hello everyone.

I have some experience with various hardware wallets and I admit that I am more than happy with the ones I have tried, especially with the coldcard.

However, even though I have watched multiple videos concerning paper wallets and why people shouldn't trust them nowadays, I feel like they are safer alternatives and I want to discuss it here.

So, how can a hardware wallet be a better option than a paper wallet?

I know, that a simple piece of paper can be damaged or lost, but, apart from that, how can it be hacked ?

It seems too safe to me and I reckon that the only thing I need to do is to protect this small piece of paper from thieves or from physical damage.

I have implemented a key-pair generator myself and I run it on a computer that has never touched the internet. Thus, I get a private and a public key and then I print it on a piece of paper.
Alternatively, I could save the keys on 2-3 usb sticks and then protect the usb sticks, in order to avoid every point of paper failure (i.e ink stains, water etc). Isn't that extremely safe ? Am I missing something here ?

On the other hand, when you set up a digital device, even though the keys don't "touch" the internet, don't you actually trust the manufacturer and the code that they provide? And, simultaneously, you must maintain a piece of paper (or metal plate) where the seed phrase is written, so, technically it's the same thing.

thanks