
Topic: HOWTO: create a 100% secure wallet - page 2. (Read 9000 times)

jr. member
Activity: 134
Merit: 1
June 15, 2011, 01:03:36 PM
#22
aral: So you're saying burning CDs is too tedious, better buy a netbook and use that as medium? And do you specifically require a crappy one?  Roll Eyes

Why are you taking the piss?  I have just made your idea way more convenient.   Undecided

Instead of booting up off a liveCD (which IS slow) then installing bitcoin and waiting for the download, you can just fire up the netbook. 

You can make a script that burns an encrypted wallet copy as well, do whatever you want, it's waiting there for next time you need it.

When you've finished the transaction you just stow the netbook in the safe again.  If I had 25k BTC I would probably do this.  I think it makes a whole lot of sense.

Don't sweat, I like taking the piss. Just yanking your chain... Smiley

My initial point was, that you don't need to access your wallet.dat in order to transfer funds to it, so as long as you're in piggybank-mode, a tiny SDcard in a safe seems the least error-prone way.

But you're right of course. If you can store a netbook safely somewhere and trust its hardware will remain intact it'll work. Just never, ever install any programs in userspace. And of course, see that you never use sudo for anything you're not 100% sure about. So thanks for your contribution (Ugh, that's me being nice, I hate myself already).
newbie
Activity: 42
Merit: 0
June 15, 2011, 12:43:52 PM
#21
aral: So you're saying burning CDs is too tedious, better buy a netbook and use that as medium? And do you specifically require a crappy one?  Roll Eyes

Why are you taking the piss?  I have just made your idea way more convenient.   Undecided

Instead of booting up off a liveCD (which IS slow) then installing bitcoin and waiting for the download, you can just fire up the netbook. 

You can make a script that burns an encrypted wallet copy as well, do whatever you want, it's waiting there for next time you need it.

When you've finished the transaction you just stow the netbook in the safe again.  If I had 25k BTC I would probably do this.  I think it makes a whole lot of sense.
jr. member
Activity: 134
Merit: 1
June 15, 2011, 12:30:24 PM
#20
+1 for you jerfelix

aral: So you're saying burning CDs is too tedious, better buy a netbook and use that as medium? And do you specifically require a crappy one?  Roll Eyes
sr. member
Activity: 364
Merit: 252
June 15, 2011, 12:27:04 PM
#19
You could always just get a crappy cheap little netbook to put your safe wallet on and keep that in the safe.  Saves a lot of faffing with CDs.

You're still going to have to connect to the internet if you ever want to spend the coins.
newbie
Activity: 42
Merit: 0
June 15, 2011, 12:21:51 PM
#18
You could always just get a crappy cheap little netbook to put your safe wallet on and keep that in the safe.  Saves a lot of faffing with CDs.
sr. member
Activity: 266
Merit: 250
June 15, 2011, 12:05:59 PM
#17
@aiwk171-

Excellent guide, and I especially appreciate the crossed out words.

The only thing I did differently was:
1.  Download LinuxCoin, which is a "Live CD" that includes Bitcoin
2.  Install LinuxCoin while you are disconnected from the internet.  This way there's no chance someone will hack you during the minutes it takes to complete this procedure.
3.  Fire up your PC running LinuxCoin, start up Bitcoin, and create your wallet file.
4.  EXIT Bitcoin
5.  Dump your wallet file to multiple mediums, including CD, USB key, and maybe even paper.

My wallet.dat file was 16K, so a lot of hex to re-key in later (in an emergency situation), but really you only need less than 1K of the file: your public and private keys to enable the one Bitcoin Address to work. 1K of hex isn't impossible to type in.  I may write a quick python script to pull out the critical few bits from wallet.dat, as an emergency+emergency backup.  Of course, a QR code would be nice, but too much work for the emergency+emergency backup!

The only reason I really like paper is because I am thinking 50 years down the road, when someone pulls out my safe-deposit box.  I'm afraid electronic media might be in jeopardy.

Don't forget to include instructions for your next-of-kin.  It's possible that they will find the disks, and not realize the potential value stored on them (especially if it's in the next year or two, before digital currency really is wide-spread).

---

And, for everyone who is too lazy or not technical enough to do all this, the alternative is to find a Linux geek who you REALLY Trust to execute these steps for you.

If you ARE the Linux geek who can follow these instructions, I encourage you to offer your service to others.  Once you fire up your Live CD, create a few of these "vaults" for your non-technical friends.

---

Also, note that if you make regular deposits to this account, you can check the status of them at any time on Blockexplorer.com, and see that your deposit was made.  You can also sort of verify the balance at any time, and make sure no one is stealing your Savings account. 
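An added example (not part of the post above, and not the poster's script) of the paper-backup idea it describes: printing a small file as hex rows that can be re-keyed later, with a CRC32 per row and a SHA-256 over the whole file so a typing slip is pinned to one row. The row width, sheet layout and function names are assumptions, and the sample bytes are constructed, not wallet data.

```python
import hashlib
import zlib

BYTES_PER_ROW = 16  # assumption: short rows are easier to re-type without slips


def to_paper(data: bytes) -> str:
    """Render bytes as numbered hex rows, each followed by a CRC32 of that row."""
    rows = []
    for i in range(0, len(data), BYTES_PER_ROW):
        chunk = data[i:i + BYTES_PER_ROW]
        rows.append(f"{i // BYTES_PER_ROW:04d} {chunk.hex()} {zlib.crc32(chunk):08x}")
    rows.append(f"SHA256 {hashlib.sha256(data).hexdigest()}")
    return "\n".join(rows)


def from_paper(text: str) -> bytes:
    """Rebuild the bytes from re-typed rows; ValueError names the first bad row."""
    out, digest, expected_row = bytearray(), None, 0
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0].upper() == "SHA256" and len(fields) == 2:
            digest = fields[1].lower()
            continue
        if len(fields) != 3 or not fields[0].isdigit() or int(fields[0]) != expected_row:
            raise ValueError(f"row {expected_row:04d} missing, malformed or out of order")
        try:
            chunk = bytes.fromhex(fields[1])
            crc = int(fields[2], 16)
        except ValueError:
            raise ValueError(f"row {expected_row:04d}: not valid hex") from None
        if zlib.crc32(chunk) != crc:
            raise ValueError(f"row {expected_row:04d}: checksum mismatch, re-type it")
        out += chunk
        expected_row += 1
    if digest != hashlib.sha256(out).hexdigest():
        raise ValueError("whole-file SHA-256 missing or does not match")
    return bytes(out)


# Constructed sample bytes standing in for a wallet file (not real key material).
SAMPLE = bytes(range(40))

if __name__ == "__main__":
    sheet = to_paper(SAMPLE)
    print(sheet)
    assert from_paper(sheet) == SAMPLE
```

The printed rows carry the same key material as the file, unencrypted, so the sheet needs the same physical protection as the other backup media.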

member
Activity: 85
Merit: 10
June 15, 2011, 12:02:19 PM
#16
How does a keylogger get installed on a live cd?

See my link in the guide. Not only are there physical keyloggers which you usually put between the keyboard and the USB-port, but there are ways to remotely monitor what you're typing.

Use an on-screen keyboard to get around hardware keyloggers. Cumbersome but quite safe...
newbie
Activity: 35
Merit: 0
June 15, 2011, 11:55:38 AM
#15
If you're looking for really strong passwords I can always recommend a YubiKey http://www.yubico.com/yubikey
Using a "normal strong" password (something you can actually remember) in combination with the 16-64 character long static password on the YubiKey provides pretty good safety. Though you then have to watch out for your YubiKey of course Cheesy
full member
Activity: 168
Merit: 103
June 15, 2011, 11:49:05 AM
#14
bcearl: Your setup seems quite the sensible thing to do. It's actually the method recommended by the wiki, and right now I can't think of any reason why this shouldn't be very secure. Especially if you never run any programs when logged in as the secure user.

However, the problem of keylogging (physically) still exists, as your password is the point of entry for any attacker. Other than that, you'll be completely fine.

Edit: Actually, the weak point is the login password, just wanted to clarify that (If I'm correct in assuming that your home directory is decrypted as soon as you log in. At least in RAM.). Also, scusi for the double post.

Yes, that's why I have a 12-character password with really independent characters of all categories, which I mentioned in the Howto.

Idea for your setup: It looks reasonable to me to disable unnecessary dangers in the system, like automatic mount and preview of files.
jr. member
Activity: 134
Merit: 1
June 15, 2011, 11:46:50 AM
#13
How does a keylogger get installed on a live cd?

See my link in the guide. Not only are there physical keyloggers which you usually put between the keyboard and the USB-port, but there are ways to remotely monitor what you're typing.
legendary
Activity: 1806
Merit: 1003
June 15, 2011, 11:43:23 AM
#12
Your setup seems quite the sensible thing to do. It's actually the method recommended by the wiki, and right now I can't think of any reason why this shouldn't be very secure. Especially if you never run any programs when logged in as the secure user.

However, the problem of keylogging (physically) still exists, as your password is the point of entry for any attacker. Other than that, you'll be completely fine.

How does a keylogger get installed on a live cd?
jr. member
Activity: 134
Merit: 1
June 15, 2011, 11:39:52 AM
#11
bcearl: Your setup seems quite the sensible thing to do. It's actually the method recommended by the wiki, and right now I can't think of any reason why this shouldn't be very secure. Especially if you never run any programs when logged in as the secure user.

However, the problem of keylogging (physically) still exists, as your password is the point of entry for any attacker. Other than that, you'll be completely fine.

Edit: Actually, the weak point is the login password, just wanted to clarify that (If I'm correct in assuming that your home directory is decrypted as soon as you log in. At least in RAM.). Also, scusi for the double post.
jr. member
Activity: 134
Merit: 1
June 15, 2011, 10:17:36 AM
#10
We already asked for a security subforum, maybe you join the request.

https://forum.bitcoin.org/index.php?topic=16273.0

If you have time and want to, you could also review my specific multi-user Ubuntu setup. Of course it is a trade-off between perfect security and usability. A separate system as you propose is absolutely necessary for huge amounts of coins.

http://forum.bitcoin.org/index.php?topic=15068.0

I'll have a look at both, promised. I have to run now though, I'll be back later.
full member
Activity: 168
Merit: 103
June 15, 2011, 10:12:42 AM
#9
Brainslug: Seems to kinda-work, but always be careful with overly complicated schemes: the possibilities for making an error are simply much bigger. Also, it seems a little tedious. Plus there is the physical security of your notebook. If you don't encrypt the partition, it will be open to anyone getting his hands on your machine.

Thank you for your work!

I aim to please. Happy that you like it.

We already asked for a security subforum, maybe you join the request.

https://forum.bitcoin.org/index.php?topic=16273.0



If you have time and want to, you could also review my specific multi-user Ubuntu setup. Of course it is a trade-off between perfect security and usability. A separate system as you propose is absolutely necessary for huge amounts of coins.

http://forum.bitcoin.org/index.php?topic=15068.0
newbie
Activity: 35
Merit: 0
June 15, 2011, 10:01:16 AM
#8
Yeah, that the netbook will be encrypted is already in my thought-process (that's why I didn't write it explicitly Cheesy). And I think one could write a simple script that
1) wipes the USB medium completely
2) copies the old savings-wallet to the medium
3) runs the Bitcoin client and (if that's even possible) automatically generates a few addresses and saves them in a textfile on the USB medium

Though I think the last step is not possible afaik, but it also isn't necessarily needed.
jr. member
Activity: 134
Merit: 1
June 15, 2011, 09:44:29 AM
#7
Brainslug: Seems to kinda-work, but always be careful with overly complicated schemes: the possibilities for making an error are simply much bigger. Also, it seems a little tedious. Plus there is the physical security of your notebook. If you don't encrypt the partition, it will be open to anyone getting his hands on your machine.

Thank you for your work!

I aim to please. Happy that you like it.
full member
Activity: 168
Merit: 103
June 15, 2011, 09:35:09 AM
#6
First security advice I read here that doesn't look like total bullshit.


Thank you for your work!





Ultimately you could do security in three stages then:

1. Regular user account has a wallet with small amounts only.
2. For larger but not huge amounts you could follow my advice for a second user account.
3. For huge amounts your proposal is the only way in my opinion.
newbie
Activity: 35
Merit: 0
June 15, 2011, 09:22:21 AM
#5
Yeah, I think I'm slowly beginning to think in the context on how to keep my BTC safe (I hope that made any sense, English isn't my first language Cheesy)

I was thinking of using my old netbook I don't use at all (because it was too slow for my purposes), install Ubuntu on it and create my savings wallet there. Now I thought of something (I'm probably not the first) so I'd appreciate it if you (or anybody else) may give me some feedback on that thought:

I make a completely clean installation of Ubuntu on that netbook. I only once let it connect to the internet to install all current needed updates and the Bitcoin Client. As soon as that's finished I completely disconnect it from the internet and generate a few addresses which I write down on my PC on which I use my every-day-wallet. I either use that every-day-wallet or the addresses of the savings-wallet directly to store my "savings-BTC".
Now if in some point in time I want to withdraw something from my savings-wallet, I first transfer everything from my every-day-wallet to the savings-wallet. Then I turn on the netbook, take a completely clean USB-stick (or any other medium), move the savings-wallet on that medium and repeat the first step (create a new wallet on the netbook and write down the addresses). Then copy the old savings-wallet on my PC and transfer the remainder of the BTC (if I only want to withdraw a certain amount) to the new savings wallet.

Although... now that I read it, it doesn't seem as safe as I first thought it was >.>
jr. member
Activity: 134
Merit: 1
June 15, 2011, 08:56:33 AM
#4
Thanks for that guide.

You're welcome. And remember: nothing prevents you from doing the whole procedure now and just transferring a few coins every now and then. You'll get the extra satisfaction of having something like a piggy bank Smiley
jr. member
Activity: 134
Merit: 1
June 15, 2011, 08:53:53 AM
#3
mods: is it possible, to somehow ShamWow merge these two topics, or at least redirect the replies to just one of the two?

http://forum.bitcoin.org/index.php?topic=17240.msg222430
http://forum.bitcoin.org/index.php?topic=17240.0

If not, then I'm sorry I made such a mess on your carpet.