Topic: HOWTO: Run Windows Bitcoin-Qt with Blockchain elsewhere (Read 941 times)

full member
Activity: 210
Merit: 104
“Create Your Decentralized Life”
If someone has SYSTEM access, you're already pwned. They can easily modify critical system files (like filesystem drivers) to allow intercepting wallet.dat while it's decrypted. Or they can modify explorer.exe so it decrypts all files belonging to the current user. Or my favorite, install a patched version of bitcoin that always sends its bitcoins to the attacker's address.

Also, SYSTEM can also take ownership of any object. So even if you removed SYSTEM from the ACL, it can easily set itself as owner and add itself to the ACL.
True with SYSTEM write access.  The exploit I saw was a PHP bug that allowed the attacker to do a GET to basically any file.  They could grab the files from \Windows\System32\Config, then get the user list.  Now they did a GET on \Users\<$user>\AppData\Roaming\Bitcoin\{bitcoin.conf, wallet.dat}, then they parsed the rpcuserid and rpcpassword, and tried those on wallet.dat with success.

Now IFF EFS was enabled, the wallet.dat and bitcoin.conf files would have been scrambled.  They would have needed the certificate... which is stored in HKLM\SOFTWARE\Microsoft\SystemCertificates... which they would now have as well.... %$@#$%!!! Guess I didn't think that one through.  You're right: SYSTEM == REG_ACCESS == CERT_ACCESS == PWNED

Damn
legendary
Activity: 2058
Merit: 1452
Quote
Well, do you know how to recover data encrypted with EFS if your OS crashes?  That's important if you're going to use EFS.  Also, it's not clear whether you did this so you could encrypt your wallet file or to free up space on your main drive.  That having been said...

If it was for encryption:
I'm pretty sure EFS can do individual files, so splitting up the directory is unnecessary

If it was to free up space:
You can move the entire Bitcoin directory and get rid of the other extra steps if you add (to match your example) "-datadir=X:\Bitcoin" to your bitcoin-qt or bitcoind command.

It might still be useful to split up the directory if you want the blockchain data on a non-redundant drive and the wallet on a redundant array, but even a redundant array can be lost, and you should be making backups of your wallet, so if you wanted redundancy, I'd think it would be more useful for the blockchain data that you aren't backing up.
Yes, EFS recovery is kinda simple, if not well publicized.  When you use EFS, public / private keys are used, just like in bitcoin.  If you know where to look, you can export these keys from the system hosting the EFS files and store them on the system you want to access them from.  This is the data recovery methodology.

The reason EFS is of interest to me is because of a recent "I lost my bitcoins" thread.  The victim in this case had a very strong RPC password that he mistakenly shared with his hot wallet.  The attacker gained access to the SYSTEM account (like root in Windows), which generally has access to all files.  With the heightened access level they were able to read the RPC password and tried it on the wallet, which succeeded in compromising the account.

Now there are two ways to prevent system from reading your files:
1) you remove SYSTEM from the access control list of the file in question (can cause some odd problems)
2) you employ EFS on the file in question.

With the second option, SYSTEM can read / write / delete the file, but can't decrypt.  This allows it to do basic system maintenance (defrag, etc.) without breaching security.
so much pseudo-security advice here.

If someone has SYSTEM access, you're already pwned. They can easily modify critical system files (like filesystem drivers) to allow intercepting wallet.dat while it's decrypted. Or they can modify explorer.exe so it decrypts all files belonging to the current user. Or my favorite, install a patched version of bitcoin that always sends its bitcoins to the attacker's address.

Also, SYSTEM can also take ownership of any object. So even if you removed SYSTEM from the ACL, it can easily set itself as owner and add itself to the ACL.
legendary
Activity: 1512
Merit: 1012
I, too, have used the command line option "-datadir=x:\Block" since 2013, because my DATA drive is in a different place than my SYSTEM drive.

DATA drive = 512 GB
SYSTEM drive = 10 GB
full member
Activity: 210
Merit: 104
“Create Your Decentralized Life”
Quote
Well, do you know how to recover data encrypted with EFS if your OS crashes?  That's important if you're going to use EFS.  Also, it's not clear whether you did this so you could encrypt your wallet file or to free up space on your main drive.  That having been said...

If it was for encryption:
I'm pretty sure EFS can do individual files, so splitting up the directory is unnecessary

If it was to free up space:
You can move the entire Bitcoin directory and get rid of the other extra steps if you add (to match your example) "-datadir=X:\Bitcoin" to your bitcoin-qt or bitcoind command.

It might still be useful to split up the directory if you want the blockchain data on a non-redundant drive and the wallet on a redundant array, but even a redundant array can be lost, and you should be making backups of your wallet, so if you wanted redundancy, I'd think it would be more useful for the blockchain data that you aren't backing up.
Yes, EFS recovery is kinda simple, if not well publicized.  When you use EFS, public / private keys are used, just like in bitcoin.  If you know where to look, you can export these keys from the system hosting the EFS files and store them on the system you want to access them from.  This is the data recovery methodology.

The reason EFS is of interest to me is because of a recent "I lost my bitcoins" thread.  The victim in this case had a very strong RPC password that he mistakenly shared with his hot wallet.  The attacker gained access to the SYSTEM account (like root in Windows), which generally has access to all files.  With the heightened access level they were able to read the RPC password and tried it on the wallet, which succeeded in compromising the account.

Now there are two ways to prevent system from reading your files:
1) you remove SYSTEM from the access control list of the file in question (can cause some odd problems)
2) you employ EFS on the file in question.

With the second option, SYSTEM can read / write / delete the file, but can't decrypt.  This allows it to do basic system maintenance (defrag, etc.) without breaching security.
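The two posts above describe the same exposure from both ends: an attacker who can read files under the profile gets bitcoin.conf and wallet.dat together, and a plaintext rpcpassword then becomes a candidate wallet passphrase. The script below is an added example, not code from any post in this thread, that audits a Bitcoin Core datadir for exactly that posture: a static rpcpassword in bitcoin.conf, wallet.dat or bitcoin.conf without EFS, ACEs for broad principals, and data sitting on a non-NTFS volume where neither ACLs nor EFS exist. It is read-only. The default datadir is Bitcoin Core's Windows default; the function names and the $DataDir parameter are this example's own choices.

```powershell
# Added example (not from any post in the thread): read-only audit of the
# Bitcoin Core datadir for the exposure discussed above. Default path is
# Bitcoin Core's Windows default; pass -DataDir if you start with -datadir.
param(
    [string]$DataDir = (Join-Path $env:APPDATA 'Bitcoin')
)

$findings = New-Object 'System.Collections.Generic.List[string]'

function Get-VolumeFormat([string]$Path) {
    # Filesystem of the volume holding $Path (NTFS, FAT32, exFAT, ...).
    # ACLs and EFS exist only on NTFS.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    (New-Object System.IO.DriveInfo([IO.Path]::GetPathRoot($full))).DriveFormat
}

function Test-SensitiveFile([string]$Path) {
    # Reports what another account on the box could do with this file at rest.
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $f   = Get-Item -LiteralPath $Path
    $fmt = Get-VolumeFormat $Path
    if ($fmt -ne 'NTFS') {
        $findings.Add("$($f.Name): on a $fmt volume, so it can have neither ACLs nor EFS")
        return
    }
    if (($f.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0) {
        $findings.Add("$($f.Name): not EFS-encrypted; any account that can read the file gets the plaintext")
    }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Broad principals mean every local account can read it. SYSTEM is listed
        # for information only: as another reply in this thread notes, SYSTEM can
        # take ownership and re-grant itself, so removing it is not a control.
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|NT AUTHORITY\\SYSTEM)$') {
            $findings.Add("$($f.Name): $($ace.IdentityReference) allowed $($ace.FileSystemRights)")
        }
    }
}

# bitcoin.conf: a static rpcpassword is a reusable secret in a plaintext file,
# which is how the attack above obtained a candidate passphrase in the first place.
$conf = Join-Path $DataDir 'bitcoin.conf'
if (Test-Path -LiteralPath $conf) {
    $active = Get-Content -LiteralPath $conf | Where-Object { $_ -notmatch '^\s*#' }
    if ($active -match '^\s*rpcpassword\s*=') {
        $findings.Add('bitcoin.conf: plaintext rpcpassword present; whoever can read this file has it, so it must never double as the wallet passphrase')
    }
    Test-SensitiveFile $conf
}
Test-SensitiveFile (Join-Path $DataDir 'wallet.dat')

# Chain data carries no secrets, so a link to a FAT32 volume is acceptable there;
# this only reports where the linked directories actually live.
foreach ($sub in 'blocks', 'chainstate') {
    $p = Join-Path $DataDir $sub
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $d = Get-Item -LiteralPath $p
    if ($d.LinkType) {
        $t = @($d.Target)[0]
        $findings.Add("$sub is a $($d.LinkType) to $t on a $(Get-VolumeFormat $t) volume")
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it as the wallet's own user; no elevation is needed for these checks. The caveat matches the rebuttal elsewhere in this thread: the findings describe the at-rest posture only. EFS decrypts transparently for the owning account using a key that DPAPI protects with that user's logon credential, so an attacker who already runs as SYSTEM, or inside the user's session, is not stopped by any of these controls.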
hero member
Activity: 807
Merit: 500
Well, someone beat me to the punch on the -datadir, and the X: drive is FAT32, so no EFS there.  My original post is below, but quoted because it is not really relevant.
Quote
Well, do you know how to recover data encrypted with EFS if your OS crashes?  That's important if you're going to use EFS.  Also, it's not clear whether you did this so you could encrypt your wallet file or to free up space on your main drive.  That having been said...

If it was for encryption:
I'm pretty sure EFS can do individual files, so splitting up the directory is unnecessary

If it was to free up space:
You can move the entire Bitcoin directory and get rid of the other extra steps if you add (to match your example) "-datadir=X:\Bitcoin" to your bitcoin-qt or bitcoind command.

It might still be useful to split up the directory if you want the blockchain data on a non-redundant drive and the wallet on a redundant array, but even a redundant array can be lost, and you should be making backups of your wallet, so if you wanted redundancy, I'd think it would be more useful for the blockchain data that you aren't backing up.
full member
Activity: 210
Merit: 104
“Create Your Decentralized Life”
You could add this to the command instead of making the links: -datadir=x:\BitCoin
Started that way, but since I put x:\Data on a FAT32 drive, I got real nervous about ACLs for that directory.  So this is why I left the data directory under %AppData% and just linked out the blocks and chainstate subdirs.

So yes, you COULD do it with just naming -datadir, but I didn't want to for the reasons above, namely security.
legendary
Activity: 4522
Merit: 3426
You could add this to the command instead of making the links: -datadir=x:\BitCoin
full member
Activity: 210
Merit: 104
“Create Your Decentralized Life”
Of all my apps, Bitcoin is the biggest storage hog, so for a while I had been running the entire datadir, with my wallet, on my main drive.  I did this mainly because my data drive has data, but not private data; that stuff I usually keep in an encrypted folder.  So after digging around, I found a better way.

The main data hogs WITHOUT personal information are:
Bitcoin\blocks
Bitcoin\chainstate
Bitcoin\testnet3\blocks
Bitcoin\testnet3\chainstate

So here's my solution (not mine, but borrowed from others):
1) Set up a data dir, let's call it 'X:\Data'
2) Move the folders to X:\Data
    rem Stop Bitcoin-Qt first, and create the target directories before moving into them
    rem (the commands below use x:\Bitcoin as the target; substitute the directory you created in step 1)
    cd %AppData%
    mkdir x:\Bitcoin\testnet3
    Move Bitcoin\blocks x:\Bitcoin\
    Move Bitcoin\chainstate x:\Bitcoin\
    Move Bitcoin\testnet3\blocks x:\Bitcoin\testnet3
    Move Bitcoin\testnet3\chainstate x:\Bitcoin\testnet3
3) Link to the directories in X:\Data
    rem MkLink /D needs an elevated (Run as administrator) command prompt
    cd %AppData%
    MkLink /D Bitcoin\blocks x:\Bitcoin\blocks
    MkLink /D Bitcoin\chainstate x:\Bitcoin\chainstate
    MkLink /D Bitcoin\testnet3\blocks x:\Bitcoin\testnet3\blocks
    MkLink /D Bitcoin\testnet3\chainstate x:\Bitcoin\testnet3\chainstate
4) Encrypt the Bitcoin directory with EFS now that it is very, very small.
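The same four steps as one script, as an added example that is not the original poster's commands: it refuses to run while bitcoin-qt or bitcoind is up (moving blocks\ or chainstate\ under a running node corrupts the database), reports the target volume's filesystem so a FAT32 target is a conscious choice, creates the target directories, moves only the four chain-data directories, links them back with junctions, and with -Encrypt applies EFS to the files that stay behind without recursing through the links. $Target defaults to X:\Bitcoin to match the thread; the datadir default is Bitcoin Core's on Windows; the parameter and function names are this example's own.

```powershell
# Added example (not the original poster's commands): relocate the large,
# public chain data to another volume, link it back, then EFS-encrypt what
# remains in the profile. Run from an elevated PowerShell (5.0 or later).
param(
    [string]$DataDir = (Join-Path $env:APPDATA 'Bitcoin'),
    [string]$Target  = 'X:\Bitcoin',   # assumed target, as in the thread
    [switch]$Encrypt
)
$ErrorActionPreference = 'Stop'

# Moving blocks\ or chainstate\ under a running node corrupts the LevelDB state.
if (Get-Process -Name 'bitcoin-qt', 'bitcoind' -ErrorAction SilentlyContinue) {
    throw 'Stop Bitcoin-Qt / bitcoind before relocating the data directory.'
}

function Get-VolumeFormat([string]$Path) {
    # NTFS, FAT32, exFAT, ... for the volume holding $Path (the path itself need not exist yet).
    (New-Object System.IO.DriveInfo([IO.Path]::GetPathRoot($Path))).DriveFormat
}

# A FAT32 target has no ACLs and cannot hold EFS files. That is fine for chain
# data, which is public, and is why only these four directories are moved.
Write-Host ("Target volume {0} is {1}" -f [IO.Path]::GetPathRoot($Target), (Get-VolumeFormat $Target))

$bulk = 'blocks', 'chainstate', 'testnet3\blocks', 'testnet3\chainstate'
foreach ($rel in $bulk) {
    $src = Join-Path $DataDir $rel
    $dst = Join-Path $Target  $rel
    if (-not (Test-Path $src)) { continue }              # e.g. testnet never used
    if ((Get-Item $src).LinkType) {                      # already relocated
        Write-Host "$src is already a link; skipping"
        continue
    }
    New-Item -ItemType Directory -Force -Path (Split-Path $dst -Parent) | Out-Null
    Move-Item -Path $src -Destination $dst               # cross-volume: copy, then delete
    # A junction needs no privilege and is followed by every Win32 file API; the
    # thread's MkLink /D symlink also works but needs SeCreateSymbolicLinkPrivilege.
    New-Item -ItemType Junction -Path $src -Target $dst | Out-Null
    Write-Host "$src -> $dst"
}

if ($Encrypt) {
    if ((Get-VolumeFormat $DataDir) -ne 'NTFS') { throw "EFS needs NTFS; $DataDir is not on NTFS." }
    # Encrypt the files that stay behind (wallet.dat, bitcoin.conf, peers.dat,
    # debug.log, ...) and flag the directory so files created later inherit
    # encryption. No recursion, so the junctions and their targets are untouched.
    Get-ChildItem -Path $DataDir -File | ForEach-Object { [IO.File]::Encrypt($_.FullName) }
    & cipher.exe /e $DataDir | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher /e failed on $DataDir" }
    Write-Host "EFS enabled on $DataDir"
}
```

Usage: .\Relocate-BitcoinData.ps1 -Target 'X:\Bitcoin' -Encrypt (the file name is this example's). Before relying on EFS, answer the recovery question raised in this thread: export the EFS certificate and private key with cipher /x <file>, which prompts for a password and writes a .pfx, and keep that file off the machine; without it an OS reinstall leaves wallet.dat unreadable even with a good backup of the file itself.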
