Author

Topic: [HowTo] Secure your currently unencrypted wallet (Windows) (Read 1150 times)

full member
Activity: 168
Merit: 103
  • VirtualBox - Install Linux
  • Encrypt linux VM at install
  • Install bitcoin

Even worse advice.


http://forum.bitcoin.org/index.php?topic=15052.20
newbie
Activity: 29
Merit: 0
  • VirtualBox - Install Linux
  • Encrypt linux VM at install
  • Install bitcoin
full member
Activity: 168
Merit: 103
But once a day you start the Bitcoin client to keep track of transactions and catch up with the blockchain.
While you're doing this your Truecrypt volume is mounted and the wallet.dat decrypted and accessible by all malicious applications on your computer.

At least you got that point right -- but that makes the advice pretty useless.

Better install a second computer or secondary/live system or a second user account with encrypted personal data. You need to enforce policy as much as you need encryption to end up with a useful and secure setup.
member
Activity: 70
Merit: 10
wouldn't it be easier to boot a live-CD/live-USB and 'update' your wallet over this system?

Most likely yes. But it's always nice to have an alternative. There are a lot of users out there that will always use their Windows main system to manage their wallets. This way they can live a bit more secure.
newbie
Activity: 56
Merit: 0
wouldn't it be easier to boot a live-CD/live-USB and 'update' your wallet over this system?
member
Activity: 70
Merit: 10
So, you followed all the tutorials and now your wallet.db is safely encrypted in a Truecrypt volume.

But once a day you start the Bitcoin client to keep track of transactions and catch up with the blockchain.
While you're doing this your Truecrypt volume is mounted and the wallet.dat decrypted and accessible by all malicious applications on your computer.

To conquer the most simple attack to your wallet, the complete search for any wallets on all mounted partitions, you can make use of user rights management on Windows.

Here's how:

Note: The Truecrypt volume has to be NTFS formated in order to work with this tutorial.

1.) Start lusrmgr.msc.
  • Create a new user
  • Choose a password you can remember
  • Remove all group memberships of this user

2.) Navigate to your Bitcoin client datadir (e.g. your mounted Truecrypt volume)
  • Open up the properties of the directory and locate the security tab
  • Navigate through the advanced options and deactivate the inheritance of security parameters
  • Now you can edit which users are able to access the directory. Grant full access to your new user and block everyone else's.
  • If everything worked as intended you will now see a lock on the directory icon the explorer. Try to open it, you should see an error message.

3.) Configure your Bitcoin client to start as the new user.
  • Either: Shift+Right-click on bitcoin.exe and choose to run as a different user. Fill out username and password.
  • Or: Write a short batch-script to start it (I assume most people already do that anyway)

Quote
start runas /noprofile /env  /user:yournewuser "bitcoin.exe -datadir=%cd%\data"
Adjust the bold text to your environment.

4.) Everything should work now.
  • Feel free to post your problems or suggestions.
Jump to: