Author

Topic: How secure is this Mac strategy? (Read 1731 times)

newbie
Activity: 37
Merit: 0
June 27, 2011, 04:59:59 PM
#20
Check this out, it's even simpler, just create an encrypted disk image:
https://en.bitcoin.it/wiki/Securing_your_wallet#Mac

This indeed:

Quote
Follow these instructions to backup all the bitcoin data (wallet and block chains) to an encrypted disk image.

  • Open Disk Utility
  • Click New Image and choose 500MB, 128-bit or 256-bit (faster or more secure) encryption and single partition.
  • Save it somewhere you won't lose it (like your Wuala, Dropbox, Strongspace or whatever)
  • Choose a safe and strong password
  • Move everything from ~/Library/Application Support/Bitcoin/ to the image
  • Symlink it back so the app would be able to use it
  • ln -s /Volumes/Bitcoin ~/Library/Application Support/Bitcoin

Don't forget to mount your image before using Bitcoin and unmount after quitting it.

And I do this on a separate User Account that I exclusively use for the Bitcoin client. To check my balance, I use http://forum.bitcoin.org/index.php?topic=23123.0

I think it is pretty safe. Probably not 100% safe, but I don't know a better way that is at least reasonably practical.
newbie
Activity: 29
Merit: 0
June 27, 2011, 04:45:25 PM
#19
I would say "just create an encrypted disk image" is not as safe as having a different user and cold start into the safe user to transfer coins out of your savings wallet. Staying logged into your ordinary user invites any active processes (sniffer and keyloggers) to access the mounted drive, and also makes it harder to have two wallets.
sr. member
Activity: 546
Merit: 253
June 27, 2011, 02:40:00 PM
#18
Check this out, it's even simpler, just create an encrypted disk image:
https://en.bitcoin.it/wiki/Securing_your_wallet#Mac
newbie
Activity: 29
Merit: 0
June 27, 2011, 02:07:00 PM
#17
+1
I think this is a pretty good start for Mac users. There are extra points for simplicity as there are new risks with complexity as dealing with manual encrypt/decrypt of wallets etc on linux or other unknown environment. When you are not logged in to this special user, OS X TimeMachine will back it up as well, in the encrypted form. (in addition to your unencrypted USB drive you should keep in your safe deposit)

Extra note would be to never log in as this user when you have a WiFi connection to internet. Do it at home via cable and behind a decent firewall. Note that you can have a "smaller" wallet in your normal user account.
nux
newbie
Activity: 24
Merit: 0
June 27, 2011, 01:29:19 PM
#16
When you install an application and it asks for your password to continue, entering that password allows it to operate as root to normally modify system files or something similar.

Having root wont do you any good to get the wallet file in itself, but the moment you log in as that user and mount the encrypted drive, it will be accessible by root as if there were no encryption.

I'd say it's a rock solid setup, and until Macs become a much bigger target it will continue to be.  Just be mindful of what applications you allow to install on your system.  There was a recent Mac "virus" that was just a file distributed to people.  Only the people that decided to install it were infected.  Stuff like that is what you'd have to worry about.
full member
Activity: 237
Merit: 100
June 27, 2011, 01:11:30 PM
#15
Thank you all for the comments.

I'll create another wallet with a fresh linux install on another machine, deleting it from the hard drive and storing it on usb's.  I'll make a long-term savings deposit here and check it on the block chain explorer.  PITA, but from what I'm hearing in this thread it's not avoidable for true security.

I'll keep my everyday wallet unencrypted and accessible in my everyday user, and my smallish savings wallet under my 2nd user.  That will give me 3 convenience levels, 3 security levels.  I'll divide the balance between them and the exchanges and mybitcoin.com as my risk tolerance and laziness dictates.
legendary
Activity: 1050
Merit: 1000
You are WRONG!
June 27, 2011, 12:59:17 PM
#14
It's UNIX terminology - basically meaning that you have access to everything.
... semantics but, not right still cant access the encrypted part without the key.
sr. member
Activity: 546
Merit: 253
June 27, 2011, 12:55:15 PM
#13

okey then it will require root rights and the wallet user to login. it a hacker could possible do it.
its is only as safe as the OS then. but still not safe enough.
Well I was also corrected by Rob. P who points out that the Bitcoin client can only ever interact with an unencrypted wallet.dat
I think it's quite secure as a means of storage - pretty much requiring physical access or a brilliant Mac Trojan. But I don't know much!

If someone gets access to your machine as root

what exactly does this mean?

It's UNIX terminology - basically meaning that you have access to everything.
legendary
Activity: 1050
Merit: 1000
You are WRONG!
June 27, 2011, 12:50:36 PM
#12
its secure enough to fool your sister, but not a hacker or trojan or government agency .
Pretty darn safe I reckon. There would have to be a trojan which can steal your wallet.dat for OS X, and bypass filevault encryption - quite an ask.
oh i did not read the post well enough, my fault.

okey then it will require root rights and the wallet user to login. it a hacker could possible do it.
its is only as safe as the OS then. but still not safe enough.
full member
Activity: 182
Merit: 100
June 27, 2011, 12:49:00 PM
#11
If someone gets access to your machine as root

what exactly does this mean?
jr. member
Activity: 42
Merit: 2
June 27, 2011, 12:47:28 PM
#10
I have a time-travel portal, which I can use to mentally connect with someone in another age and make suggestions. Luckily, I happened upon a skilled egyptian craftsman who is working on the latest and greatest sarcophagus for the late pharoah. My wallet.dat is has been laboriously engraved into the inner lid of the vessel, buried now in the most massive structure on the planet.

Of course, retrieval is another problem... hmm....

The hole in your strategy is that people would need to learn egyptian language to communicate with the craftsman, and you know people are too lazy to do this.
nux
newbie
Activity: 24
Merit: 0
June 27, 2011, 12:45:46 PM
#9
If someone gets access to your machine as root, they can wait for you to login to the secure account next time and easily copy the wallet file.
legendary
Activity: 2408
Merit: 1121
June 27, 2011, 12:41:51 PM
#8
I have a time-travel portal, which I can use to mentally connect with someone in another age and make suggestions. Luckily, I happened upon a skilled egyptian craftsman who is working on the latest and greatest sarcophagus for the late pharoah. My wallet.dat is has been laboriously engraved into the inner lid of the vessel, buried now in the most massive structure on the planet.

Of course, retrieval is another problem... hmm....

member
Activity: 84
Merit: 10
June 27, 2011, 12:36:54 PM
#7
Interesting question! I also wondered how much more security you gain by creating a second user.
I also tried out FileVault which can be choosen when the new user is created. Does that help in any way?

How secure is that?

If you're running both useres with quick change and you are loged in as the second user (where you install your savings wallet) is said user threatend by the other user's (everyday account) vulnerablity ?

Here's the problem with encrypted drives, that people seem to gloss over when coming up with these strategies (FileVault is no exception, if the drive is mounted, the data on the drive is accessible):

The Bitcoin GUI needs to be able to read the wallet.dat file in an unencrypted form.
In order to USE the wallet.dat with the GUI, you have to mount the drive (at which point it is UNENCRYPTED to your user space, i.e. ANY applications you run as you can access the wallet.dat unencrypted).
If the drive is mounted, and you allow something to run as you, it can be easily stolen and having it stored on an encrypted drive is useless.

Encryption, by itself, is not a solution.

Should you encrypt it?  Sure, I store my wallet.dat in an encrypted volume on my Dropbox.  However, that only protects it from someone getting into my Dropbox and stealing it.  It doesn't protect it from me getting a trojan, spyware, etc. on my local computer while I have the drive mounted.
sr. member
Activity: 546
Merit: 253
June 27, 2011, 12:21:53 PM
#6
its secure enough to fool your sister, but not a hacker or trojan or government agency .
Pretty darn safe I reckon. There would have to be a trojan which can steal your wallet.dat for OS X, and bypass filevault encryption - quite an ask.
full member
Activity: 182
Merit: 100
June 27, 2011, 12:11:06 PM
#5
its secure enough to fool your sister, but not a hacker or trojan or government agency .

Thanks for the assessment! IOW: it simply isn't safe!

legendary
Activity: 1050
Merit: 1000
You are WRONG!
June 27, 2011, 12:08:05 PM
#4
its secure enough to fool your sister, but not a hacker or trojan or government agency .
full member
Activity: 182
Merit: 100
June 27, 2011, 12:05:40 PM
#3
Interesting question! I also wondered how much more security you gain by creating a second user.
I also tried out FileVault which can be choosen when the new user is created. Does that help in any way?

How secure is that?

If you're running both useres with quick change and you are loged in as the second user (where you install your savings wallet) is said user threatend by the other user's (everyday account) vulnerablity ?
nux
newbie
Activity: 24
Merit: 0
June 27, 2011, 10:22:15 AM
#2
Mac's aren't as big of a target for malware anyways, and to have an encrypted account on the machine get compromised isn't very likely.

But it would only take you typing in your password to install one piece of software as root to compromise this setup.
full member
Activity: 237
Merit: 100
June 27, 2011, 10:17:55 AM
#1
It's super simple; just not sure whether it's secure.

1. make a new user and opt for encryption with a difficult password.  (you do get to provide a hint.)

2. load the client as the new user

3. backup (but don't delete) wallet.dat on a couple of USB drives.

4. only use *that* user to access your savings account.

How vulnerable is it?  It doesn't involve any technological know-how beyond following basic Mac menus.


Jump to: