Just thought I'd start a discussion (if anyone wants to discuss) how you lot are securing your bitcoin wallet, machines? Here's how I have mine set up.
Bitcoins are stored on my laptop.
Laptop boots from UEFI grub (more secure than bios).
grub handles luks encryption now, yey, so grub prompts for password and mounts /boot fs (protects against initrd and vmlinuz tampering).
System has two drives: one ssd (encrypted lvm) and one HDD (/var, virtual machines, wine).
init contains script to check hashsum of grub after boot and warns after boot (warns of changes to your bootloader).
After unlocking other drives the system boots into desktop.
My bitcoin wallet is stored inside yet another encrypted lv and symlinked back into my .bitcoin directory. I also have a custom startup script to handle loading the bitcoin-qt client. Here it is; it's not pretty but it works.
#!/bin/sh
# Secure bitcoin starter by Zarren Spry
# Run as root (e.g. with sudo): cryptsetup and mount need it.
USER="zarren"

mount_crypt() {
    # Ask for the passphrase in a GTK dialog and unlock the LUKS volume
    cryptkey=$(zenity --text "Enter passkey for encryptedfs" --password)
    printf '%s\n' "$cryptkey" | cryptsetup luksOpen /dev/laptop/bitcoin bitcoin
    mount /dev/mapper/bitcoin /home/$USER/.bitcoin/encryptfs
}

check_mount() {
    # Simple file test: the wallet is only visible when the volume is mounted
    if [ ! -f /home/$USER/.bitcoin/encryptfs/wallet.dat ]; then
        echo "Mounting failed! Please try again." >&2
        exit 1
    else
        echo "Filesystem is mounted correctly." >&2
    fi
}

# Lines starting with a number set the progress bar, lines starting with # set the text
(
    echo "30"
    echo "# Mounting encrypted filesystem." ; mount_crypt
    echo "60" ; sleep 1
    echo "# Checking mount." ; check_mount
    echo "80" ; sleep 1
    echo "# Creating symlink to wallet.dat"
    # Remove a stale symlink or a wallet created by starting bitcoin-qt too early
    if [ -f /home/$USER/.bitcoin/wallet.dat ] || [ -h /home/$USER/.bitcoin/wallet.dat ]; then
        rm /home/$USER/.bitcoin/wallet.dat
    fi
    ln -s /home/$USER/.bitcoin/encryptfs/wallet.dat /home/$USER/.bitcoin/wallet.dat
    echo "90" ; sleep 1
    echo "# Loading bitcoin client."
    echo "100" ; sleep 1
) | zenity --progress --title="Starting bitcoin-qt client" --text="Attempting to start bitcoin client ..." --percentage=0 --auto-close

# zenity exits non-zero when the progress dialog is cancelled
if [ "$?" -ne 0 ]; then
    zenity --error --text="Initialization canceled."
fi

# "exit 1" in check_mount only ends the ( ... ) subshell, so test again here
# and do not start the client without the real wallet
if [ ! -f /home/$USER/.bitcoin/encryptfs/wallet.dat ]; then
    exit 1
fi

# Start the client and block until it quits
bitcoin-qt &
pid=$!
wait "$pid"

umount /home/$USER/.bitcoin/encryptfs
cryptsetup luksClose bitcoin

# The mapping must be gone after luksClose
if [ -e /dev/mapper/bitcoin ]; then
    zenity --error --text="Bitcoin-qt quit but encrypted filesystem still exists! Bitcoins are at risk :("
else
    zenity --info --text="Bitcoin-qt quit, encrypted file system closed!"
fi
What does this do ? Here's a brief explanation.
prompts for crypt password.
unlocks the encrypted filesystem and mounts to the appropriate folder.
checks to see if the encrypted folder is mounted with a simple file test.
checks and cleans up any old symlinks or new wallets created due to premature bitcoin-qt loading.
loads the bitcoin client with my wallet.
unmounts and locks the encrypted filesystem when bitcoin-qt is closed.
Script includes some zenity to give me nice gtk windows with information etc. I suppose I could get hit by a hardware sniffer, or exploited while the client is running but if I keep the client use to a minimum. Also I encrypt my wallet using the bitcoin client.
Also I have an init to wipe memory on shutdown via secure-delete, I also have a patched kernel with tresor included. My laptop has been bios locked and nothing else is allowed to boot except internal dd.
Is this over the top ? Or could I do anything else to keep people out ? How do you protect yours ? I suppose I'm trying to protect from theft of my laptop and theft of my wallet from my laptop while it's unattended (providing I've remembered to close the bitcoin client).
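The post mentions an init script that checks the hashsum of grub after boot but does not show it. The following is an added example, not the poster's script, of one way such a check can work; it goes a little further and also reports added and removed files. Function names and the demo paths are assumptions, and paths are assumed to contain no whitespace.

```sh
#!/bin/sh
# Added example: warn when files under a boot directory differ from a baseline.
# Function names and paths are assumptions, not taken from the post.

# Print "<sha256>  <relative path>" for every regular file under $1, sorted by path.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# Record the trusted state. Keep the baseline file on the encrypted volume,
# outside the directory being measured.
make_baseline() {    # usage: make_baseline <dir> <baseline-file>
    manifest "$1" > "$2"
}

# Compare the current state with the baseline. Prints one line per difference;
# returns 0 when nothing changed, 1 when something did.
check_baseline() {   # usage: check_baseline <dir> <baseline-file>
    current=$(mktemp) || return 2
    manifest "$1" > "$current"
    report=$(awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }      # baseline entries
        { seen[$2] = 1
          if (!($2 in old))       print "ADDED " $2
          else if (old[$2] != $1) print "MODIFIED " $2 }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$current" | sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed demo: a throwaway directory stands in for the real boot partition.
demo=$(mktemp -d)
mkdir -p "$demo/boot/EFI/grub"
echo "original loader" > "$demo/boot/EFI/grub/grubx64.efi"
echo "menu entries"    > "$demo/boot/EFI/grub/grub.cfg"
make_baseline "$demo/boot" "$demo/baseline.sha256"
echo "patched loader"  > "$demo/boot/EFI/grub/grubx64.efi"   # simulated change
echo "extra module"    > "$demo/boot/EFI/grub/extra.mod"     # simulated addition
check_baseline "$demo/boot" "$demo/baseline.sha256" \
    || echo "WARNING: bootloader files changed since baseline"
rm -rf "$demo"
```

A check like this runs from the already-booted system, so it can only warn after the passphrase has been entered; it detects a change, it does not prevent one.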