
Topic: Most Secure Method To Sweep Paper Wallet (Read 257 times)

newbie
Activity: 17
Merit: 6
April 14, 2021, 03:36:02 AM
#24
This guy talks through the general process:

https://www.youtube.com/watch?v=-9kf9LMnJpI&t=3s
It's pretty much the same process as described earlier in this thread, except instead of using a second computer as your airgapped device, he is using a phone.

This is certainly better than just sweeping your private key in to a hot wallet, but it is not as good as using an airgapped computer for a couple of reasons. A phone in flight mode is not truly airgapped, and studies have shown it still pings for cell towers, it can still send location data, it can still leak via WiFi and Bluetooth, and so on. A phone is not truly airgapped unless you open it up and start ripping out the antennas and WiFi modules. You also are not starting on a clean device, and your phone could have any type of malware on it already. Even if you factory reset your phone, you aren't starting from scratch, but rather starting from whatever bloatware and spyware your carrier/manufacturer has pre-installed, and with their (usually) closed source OS.

An airgapped phone is an OK middle ground, but it is not as good as using a fully airgapped computer with a clean install of an open source OS.


Since you're looking for the safest way to do it, I agree with @o_e_l_e_o's answer above. You only get closer to the highest safety/security possible when you eliminate all the potential risks and flaws out of your method. And so far, the only remaining potential security threat is someone physically tampering with your airgapped device which is imo a quite low probability unless you're being watched by intelligence agencies or have some bad actor around. That is unless you somehow mess up yourself and accidentally enter the airgapped device's seed into the online PC, which I believe is something that has a low chance of happening as well.

I would not use a phone because it has just too many backdoors and unknown/non-removable components. A PC is quite modular and you can easily remove or add anything you might or might not need. For me, privacy & security are not only interests but also a fascinating hobby (and now addiction, I guess). Even if you aren't followed by 3-letter agencies, I would still recommend following the best security practices as it's more than worth it over the long term. And since it's both fun and safer, why not?

Absolutely, I agree with you both. I just posted the video link to illustrate the general process as it was all I could locate online. I'd never use a mobile phone with a downloaded app.

Thanks.
legendary
Activity: 1134
Merit: 1598
Since you're looking for the safest way to do it, I agree with @o_e_l_e_o's answer above. You only get closer to the highest safety/security possible when you eliminate all the potential risks and flaws out of your method. And so far, the only remaining potential security threat is someone physically tampering with your airgapped device which is imo a quite low probability unless you're being watched by intelligence agencies or have some bad actor around. That is unless you somehow mess up yourself and accidentally enter the airgapped device's seed into the online PC, which I believe is something that has a low chance of happening as well.

I would not use a phone because it has just too many backdoors and unknown/non-removable components. A PC is quite modular and you can easily remove or add anything you might or might not need. For me, privacy & security are not only interests but also a fascinating hobby (and now addiction, I guess). Even if you aren't followed by 3-letter agencies, I would still recommend following the best security practices as it's more than worth it over the long term. And since it's both fun and safer, why not?
legendary
Activity: 2268
Merit: 18711
This guy talks through the general process:

https://www.youtube.com/watch?v=-9kf9LMnJpI&t=3s
It's pretty much the same process as described earlier in this thread, except instead of using a second computer as your airgapped device, he is using a phone.

This is certainly better than just sweeping your private key in to a hot wallet, but it is not as good as using an airgapped computer for a couple of reasons. A phone in flight mode is not truly airgapped, and studies have shown it still pings for cell towers, it can still send location data, it can still leak via WiFi and Bluetooth, and so on. A phone is not truly airgapped unless you open it up and start ripping out the antennas and WiFi modules. You also are not starting on a clean device, and your phone could have any type of malware on it already. Even if you factory reset your phone, you aren't starting from scratch, but rather starting from whatever bloatware and spyware your carrier/manufacturer has pre-installed, and with their (usually) closed source OS.

An airgapped phone is an OK middle ground, but it is not as good as using a fully airgapped computer with a clean install of an open source OS.
newbie
Activity: 17
Merit: 6
This guy talks through the general process:

https://www.youtube.com/watch?v=-9kf9LMnJpI&t=3s

legendary
Activity: 2702
Merit: 3045
I will likely test this method on a small amount of satoshis first.

Why waste valuable satoshis (at least 547 sats + transaction fee) on this when you can use the testnet! The testnet is dedicated to such purposes and Electrum supports it.
All you have to do is to run Electrum in testnet mode and claim a few test coins for free from any online faucet.
Just, don't forget to send the testcoins back to the faucet's address.
legendary
Activity: 2268
Merit: 18711
Yes it's a private key. What I'll most likely do is transfer the complete amount then to play it safe. 👍
I would agree. Since you are sending it to a Ledger hardware wallet, then your coins will be pretty much just as secure there as they were on the paper wallet, and it will make your life much more straightforward in the future when you want to spend them again. If you do want to put some of them back on to a paper wallet, then you should create a brand new paper wallet from scratch (which is a whole other complicated multi-step process, but also involving many of the same steps regarding airgapped computers as above).
newbie
Activity: 17
Merit: 6
Does this method also mean that I do not have to sweep the total balance of bitcoins out the paper wallet? In essence I can just transfer whatever amount I wish? Sweeping wallets on Blockchain.info swept the total amount.
Normally, sweeping means to move the whole funds from wallets like a paper wallet by providing the private key. Assuming you have a paper wallet, and you want to sweep to Wallet A. First of all, wallet A will have the sweeping feature, and it will request the private key of the paper wallet. Once you input the private key, the whole funds will be moved to the new wallet (wallet A). But this is just a way to get your bitcoin handled by a private key that will be online.

But with what is explained above, you can send any amount of bitcoin you want (you can send half, you can send all, you can send less than half, or any amount), and yet your paper wallet private key is still offline, and the private key of the wallet you send it to is also offline. Nothing about your private key touches online. That is why I will strongly recommend the method.

Thanks. Everyone is a great help on here.

 Yes this offline method definitely is the way to go for me now.
newbie
Activity: 17
Merit: 6
I have swept wallets using Blockchain.info previously but never used this method before.
The issue with this is you must enter your private key in to a live website (and a very sketchy one at that). I definitely wouldn't recommend doing this, especially with a significant amount of coins.

I will likely test this method on a small amount of satoshis first.
A smart idea.

Does this method also mean that I do not have to sweep the total balance of bitcoins out the paper wallet?
It depends. Is your paper wallet an individual private key, or is it a seed phrase?

If it is an individual private key, then it is generally good practice to sweep the entire amount. An individual private key will only generate a single address, so if you do not sweep it all one of two things will happen. What should happen is that your change is returned to the same address, which means you still have your coins but it is bad for your privacy. What has happened to some users in the past is that their wallet has generated a new address to send the change back to without them realizing, which they haven't backed up and have then lost access to their change.

If your paper wallet is a seed phrase, then you do not need to sweep the entire amount. The wallet will automatically send the change to a brand new change address generated from your seed phrase, which you can then recover again at a later date.

Yes it's a private key. What I'll most likely do is transfer the complete amount then to play it safe. 👍
legendary
Activity: 1512
Merit: 4795
Does this method also mean that I do not have to sweep the total balance of bitcoins out the paper wallet? In essence I can just transfer whatever amount I wish? Sweeping wallets on Blockchain.info swept the total amount.
Normally, sweeping means to move the whole funds from wallets like a paper wallet by providing the private key. Assuming you have a paper wallet, and you want to sweep to Wallet A. First of all, wallet A will have the sweeping feature, and it will request the private key of the paper wallet. Once you input the private key, the whole funds will be moved to the new wallet (wallet A). But this is just a way to get your bitcoin handled by a private key that will be online.

But with what is explained above, you can send any amount of bitcoin you want (you can send half, you can send all, you can send less than half, or any amount), and yet your paper wallet private key is still offline, and the private key of the wallet you send it to is also offline. Nothing about your private key touches online. That is why I will strongly recommend the method.
legendary
Activity: 2268
Merit: 18711
I have swept wallets using Blockchain.info previously but never used this method before.
The issue with this is you must enter your private key in to a live website (and a very sketchy one at that). I definitely wouldn't recommend doing this, especially with a significant amount of coins.

I will likely test this method on a small amount of satoshis first.
A smart idea.

Does this method also mean that I do not have to sweep the total balance of bitcoins out the paper wallet?
It depends. Is your paper wallet an individual private key, or is it a seed phrase?

If it is an individual private key, then it is generally good practice to sweep the entire amount. An individual private key will only generate a single address, so if you do not sweep it all one of two things will happen. What should happen is that your change is returned to the same address, which means you still have your coins but it is bad for your privacy. What has happened to some users in the past is that their wallet has generated a new address to send the change back to without them realizing, which they haven't backed up and have then lost access to their change.

If your paper wallet is a seed phrase, then you do not need to sweep the entire amount. The wallet will automatically send the change to a brand new change address generated from your seed phrase, which you can then recover again at a later date.
newbie
Activity: 17
Merit: 6
Is there any way to accidentally screw this process up?
Lots of ways, unfortunately. It can be quite a complex process if you have never done it before.

Provided your private key never touches your online device, and you don't sign a transaction without double checking it is correct (and therefore making sure it has not been altered or tampered with by any malware on your online device), then it is incredibly unlikely that any mistakes you make would result in loss of your coins. With that in mind, the most important thing to remember, as I said above, is to ensure you only ever enter your private key or seed phrase on to your airgapped computer, and you only enter an address or public key on to your online computer.

If something goes wrong or doesn't seem to work as you expect, then simply stop, look for the mistake, ask on here if needed, or even start from scratch. Just take your time with each step.

Thanks my friend. I do not plan to do this for some time yet but really just wanting to get my head around the process. I have swept wallets using Blockchain.info previously but never used this method before. I will likely test this method on a small amount of satoshis first. Does this method also mean that I do not have to sweep the total balance of bitcoins out the paper wallet? In essence I can just transfer whatever amount I wish? Sweeping wallets on Blockchain.info swept the total amount.
legendary
Activity: 2268
Merit: 18711
Is there any way to accidentally screw this process up?
Lots of ways, unfortunately. It can be quite a complex process if you have never done it before.

Provided your private key never touches your online device, and you don't sign a transaction without double checking it is correct (and therefore making sure it has not been altered or tampered with by any malware on your online device), then it is incredibly unlikely that any mistakes you make would result in loss of your coins. With that in mind, the most important thing to remember, as I said above, is to ensure you only ever enter your private key or seed phrase on to your airgapped computer, and you only enter an address or public key on to your online computer.

If something goes wrong or doesn't seem to work as you expect, then simply stop, look for the mistake, ask on here if needed, or even start from scratch. Just take your time with each step.
newbie
Activity: 17
Merit: 6
Thanks everyone. Great help.

Is there any way to accidentally screw this process up?
legendary
Activity: 2268
Merit: 18711
Thanks. So on the online PC I create a watch-only wallet?
Correct.

In to the watch-only wallet you need to import either an individual address or the master public key from your airgapped wallet. If you have the address written down/printed as part of the paper wallet, then you can enter it directly from the paper wallet in to your watch only wallet. If your paper wallet only contains a private key or a seed phrase, then you will first need to import that in to your airgapped wallet, and then transfer either the individual address (in the case of an individual private key) or your master public key (in the case of a seed phrase) across to your watch only wallet, via either typing it manually, a QR code, a USB drive, a CD, etc.

The most important thing is to ensure that your private key and/or seed phrase never touches your online computer.
legendary
Activity: 3668
Merit: 6382
Yes, the online PC is watch only. The signing PC (cold storage) stays always offline.
Maybe one more source makes it clearer?
https://electrum.readthedocs.io/en/latest/coldstorage.html
newbie
Activity: 17
Merit: 6
April 04, 2021, 07:29:06 AM
#9
newbie
Activity: 17
Merit: 6
April 04, 2021, 07:19:21 AM
#8
Step 1. You have to work on your airgapped PC to import the private key or seed into Electrum.
       Step 1a. From your airgapped PC, if you have a paper wallet containing a private key:
                     1. Open up Electrum and, as soon as you're asked what kind of wallet you want to create, check "Import Bitcoin addresses or private keys"
                     2. Insert your private key in the textbox. Move on to Step 2.

       Step 1b. From your airgapped PC, if you have a paper wallet containing a seed:
                     1. Open up Electrum and, as soon as you're asked what kind of wallet you want to create, check "Standard wallet"
                     2. Continue by checking the "I already have a seed" option and input your seed into the textbox.
                     3. After importing your seed, go to Wallet > Information and look for the Master Public Key. It should look something like this:
Code:
zpub6nXwKjUbuUY8BE2ETiErVgkSJZv5F5Ekz76dDFVzsmhNi26sm2WSkgNX4hmLE1c22q3prLJCcgCrkHyijEXsRb5SfNX5HAezmLVdinX1mTh
                     4. Scan the code using a barcode scanner or, the traditional way I like, write it down on a piece of paper :) Move on to Step 2.

Step 2. You have to work on your online PC to import the private key's public address or the seed's Master Public Key into Electrum.
       Step 2a. From your online PC, if you just imported a private key into your airgapped computer:
                     1. Open up Electrum. During the Install Wizard, select "Import Bitcoin addresses or private keys".
                     2. If you have a paper wallet, chances are you have a public address on it. So, depending on this:
                          2a. If you have the public address, insert it into the textbox.
                          2b. If you do not have the public address, go back to your airgapped PC's Electrum and click the Receive tab. On the right side of your window, the public address is shown. Write it down somewhere or scan the QR Code (click the QR Code tab for this) and insert the address into the online PC's Electrum textbox. Move on to Step 3.

       Step 2b. From your online PC, if you just exported your Master Public Key from your airgapped computer:
                     1. Open up Electrum. During the Install Wizard, select "Standard wallet" followed by "Use a master key".
                     2. Insert the Master Public Key into the textbox. Move on to Step 3.

Step 3. Still working on the online PC, you have to create the sweeping transaction and export it:
                     1. Now you should see your balance in your online Electrum. Go to the Send tab, insert the address you want to send your BTC to and push the "Max" button. Do NOT leave it unchecked or you risk losing part of your funds! Press "Pay...", change the fee rate if you will and then press "Send".
                     2. In the bottom-left corner of the Transaction window, you have an "Export" button. Click Export > Export to file. After exporting it, either:
                           - Write the file onto a CD and insert the CD into your now-airgapped computer;
                           - Plug an SDHC/SDXC card (or a microSD with a SDHC/SDXC adapter if you have one around) into your online PC, put the file on it, unplug it and flip the read-only switch so that your file/card never gets modified. Now plug it into your airgapped PC and copy the file there;
                           - Plug a USB stick into your online PC (preferably a stick with a read-only switch), put the file on it, unplug it, flip the read-only switch and put the file onto your now-airgapped PC.

Step 4. From your airgapped PC, you have to import the transaction and sign it:
                     1. In Electrum, go to Tools > Load transaction > From file and select the transaction you just copied.
                     2. Press "Sign" and export the transaction to File again (Export > Export to file..). Copy the file back to your online PC safely. Move to Step 5.

Step 5. Moving back to the online PC, you need to import the signed transaction and finally broadcast it:
                     1. In Electrum, go to Tools > Load transaction > From file and import the signed transaction file.
                     2. Press "Broadcast".
legendary
Activity: 2268
Merit: 18711
April 04, 2021, 02:55:46 AM
#7
But, in case the user is done using the paper wallet and wants to transfer the whole funds, can my method above be used if bitaddress.org is run offline?
I mean, it can be used, but it is still far from ideal and I still wouldn't recommend it. Running bitaddress on an airgapped computer will protect your private key during the process of converting it from hex to WIF. However, if you are then going to take that WIF private key over to your online computer and import it in to Electrum, then you are still exposing it to an internet connected environment. It's not quite as bad as entering it directly in to a live website, but it is still far less secure than working in a completely airgapped environment as discussed above.

Take an older PC of yours, remove any wireless modules from it and install a clean Linux distro on it. I'd personally recommend Debian or Ubuntu. If you don't want to install it, then you could use it as a Live CD instead (Live CD means everything you do is wiped upon shutdown/reboot). For Live CDs, I'd recommend Parrot OS which comes with Electrum preinstalled (or Tails). (bonus: I also recommend encrypting your HDD; bonus x2: if your future airgapped PC is old or you want it to run a lightweight distro, install Debian with XFCE).
Nice write up. There are a couple of things I would clarify here.

When installing a clean Linux distro on it, don't be tempted to dual boot or something similar. Format your hard drive first so that your clean Linux distro is the only thing installed.
If you are only going to be using this to sweep your paper wallet, then I would go down the route of a live OS. Unplug your hard drive in addition to your wireless components before doing this.
If you are going to be using this as a long term cold storage wallet, then obviously you should install the OS, but I would say that full disk encryption in this case is a must. LUKS is ideal for this.
legendary
Activity: 1134
Merit: 1598
April 03, 2021, 04:19:33 PM
#6
The security of your chosen method depends on your habits. Most people have bad habits and generally practice bad security and based on my experience, the more critical your thinking is and the more paranoid you are, the higher the security you'll be looking for.

I'll leave here what I would personally do, since I really think you should always keep a good security practice. The more you don't, the higher your risks of messing up are.



If you want to sweep a paper wallet, the most secure way to do it is on an offline, airgapped PC. For the setup, you basically need three things: two computers (one as the cold, airgapped wallet and one as the online wallet to broadcast your sweeping transaction) and an address to which you want to sweep your BTC.

Take an older PC of yours, remove any wireless modules from it and install a clean Linux distro on it. I'd personally recommend Debian or Ubuntu. If you don't want to install it, then you could use it as a Live CD instead (Live CD means everything you do is wiped upon shutdown/reboot). For Live CDs, I'd recommend Parrot OS which comes with Electrum preinstalled (or Tails). (bonus: I also recommend encrypting your HDD; bonus x2: if your future airgapped PC is old or you want it to run a lightweight distro, install Debian with XFCE). Make sure you verify your install file upon downloading it (Ubuntu verification tutorial; Debian verification depends on the type of download you prefer).

After installing Linux on this offline PC, it's time to download Electrum. Download it from here and verify it.

Installing Electrum
Now you have to install Electrum on both of your PCs (cold and online). If you want extra security, after verifying the file, you can (in descending order based on security as I see it):
 - Write the file (and signature, if it has one) onto a CD from your online PC and plug the CD into your now-airgapped computer;
 - Plug an SDHC/SDXC card (or a microSD with a SDHC/SDXC adapter if you have one around) into your online PC, put the file on it (and signature, if it has one), unplug it and flip the read-only switch so that your file/card never gets modified. Now plug it into your airgapped PC and copy the file there;
 - Plug a USB stick into your online PC (preferably a stick with a read-only switch), put the file (and signature, if it has one) on it, unplug it, flip the read-only switch and put the file onto your now-airgapped PC.

As soon as you have Electrum installed on both PCs, this is what you have to do next:

Step 1. You have to work on your airgapped PC to import the private key or seed into Electrum.
       Step 1a. From your airgapped PC, if you have a paper wallet containing a private key:
                     1. Open up Electrum and, as soon as you're asked what kind of wallet you want to create, check "Import Bitcoin addresses or private keys"
                     2. Insert your private key in the textbox. Move on to Step 2.

       Step 1b. From your airgapped PC, if you have a paper wallet containing a seed:
                     1. Open up Electrum and, as soon as you're asked what kind of wallet you want to create, check "Standard wallet"
                     2. Continue by checking the "I already have a seed" option and input your seed into the textbox.
                     3. After importing your seed, go to Wallet > Information and look for the Master Public Key. It should look something like this:
Code:
zpub6nXwKjUbuUY8BE2ETiErVgkSJZv5F5Ekz76dDFVzsmhNi26sm2WSkgNX4hmLE1c22q3prLJCcgCrkHyijEXsRb5SfNX5HAezmLVdinX1mTh
                     4. Scan the code using a barcode scanner or, the traditional way I like, write it down on a piece of paper :) Move on to Step 2.

Step 2. You have to work on your online PC to import the private key's public address or the seed's Master Public Key into Electrum.
       Step 2a. From your online PC, if you just imported a private key into your airgapped computer:
                     1. Open up Electrum. During the Install Wizard, select "Import Bitcoin addresses or private keys".
                     2. If you have a paper wallet, chances are you have a public address on it. So, depending on this:
                          2a. If you have the public address, insert it into the textbox.
                          2b. If you do not have the public address, go back to your airgapped PC's Electrum and click the Receive tab. On the right side of your window, the public address is shown. Write it down somewhere or scan the QR Code (click the QR Code tab for this) and insert the address into the online PC's Electrum textbox. Move on to Step 3.

       Step 2b. From your online PC, if you just exported your Master Public Key from your airgapped computer:
                     1. Open up Electrum. During the Install Wizard, select "Standard wallet" followed by "Use a master key".
                     2. Insert the Master Public Key into the textbox. Move on to Step 3.

Step 3. Still working on the online PC, you have to create the sweeping transaction and export it:
                     1. Now you should see your balance in your online Electrum. Go to the Send tab, insert the address you want to send your BTC to and push the "Max" button. Do NOT leave it unchecked or you risk losing part of your funds! Press "Pay...", change the fee rate if you will and then press "Send".
                     2. In the bottom-left corner of the Transaction window, you have an "Export" button. Click Export > Export to file. After exporting it, either:
                           - Write the file onto a CD and insert the CD into your now-airgapped computer;
                           - Plug an SDHC/SDXC card (or a microSD with a SDHC/SDXC adapter if you have one around) into your online PC, put the file on it, unplug it and flip the read-only switch so that your file/card never gets modified. Now plug it into your airgapped PC and copy the file there;
                           - Plug a USB stick into your online PC (preferably a stick with a read-only switch), put the file on it, unplug it, flip the read-only switch and put the file onto your now-airgapped PC.

Step 4. From your airgapped PC, you have to import the transaction and sign it:
                     1. In Electrum, go to Tools > Load transaction > From file and select the transaction you just copied.
                     2. Press "Sign" and export the transaction to File again (Export > Export to file..). Copy the file back to your online PC safely. Move to Step 5.

Step 5. Moving back to the online PC, you need to import the signed transaction and finally broadcast it:
                     1. In Electrum, go to Tools > Load transaction > From file and import the signed transaction file.
                     2. Press "Broadcast".



There you go. Quite complicated for a newbie, but it's the safest way you can go. From here on, you could safely use the airgapped PC as a cold wallet. Practice good security. It's worth it in the long run.
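
An added example, not part of the original post and not Electrum's own code: a check to run on the airgapped PC before pressing "Sign" in Step 4, confirming that the file carried over from the online PC still sweeps everything to the one address you intended. It assumes the exported file is a binary BIP 174 PSBT and that the destination is a legacy base58 (P2PKH/P2SH) address; other output types are reported as unrecognised, and all sample data is constructed.

```python
import hashlib
import struct

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def read_varint(buf, pos):
    """Decode a Bitcoin compact-size integer; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def base58check(version, payload):
    """Encode version byte + payload + 4-byte double-SHA256 checksum."""
    data = bytes([version]) + payload
    data += hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]
    num, out = int.from_bytes(data, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def script_to_address(script):
    """Turn a P2PKH or P2SH output script into its mainnet address."""
    if len(script) == 25 and script[:3] == b"\x76\xa9\x14" and script[23:] == b"\x88\xac":
        return base58check(0x00, script[3:23])
    if len(script) == 23 and script[:2] == b"\xa9\x14" and script[22:] == b"\x87":
        return base58check(0x05, script[2:22])
    return "unrecognised:" + script.hex()

def unsigned_tx_from_psbt(psbt):
    """Return the unsigned transaction stored under global key 0x00."""
    if psbt[:5] != b"psbt\xff":
        raise ValueError("not a PSBT file")
    pos = 5
    while True:
        klen, pos = read_varint(psbt, pos)
        if klen == 0:  # end of the global map
            raise ValueError("PSBT has no unsigned transaction")
        key, pos = psbt[pos:pos + klen], pos + klen
        vlen, pos = read_varint(psbt, pos)
        value, pos = psbt[pos:pos + vlen], pos + vlen
        if key == b"\x00":
            return value

def tx_outputs(raw):
    """List (address, satoshis) for every output of an unsigned transaction."""
    pos = 4  # skip the version field
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36  # previous txid + output index
        slen, pos = read_varint(raw, pos)
        pos += slen + 4  # scriptSig (empty when unsigned) + sequence
    n_out, pos = read_varint(raw, pos)
    outs = []
    for _ in range(n_out):
        sats, pos = int.from_bytes(raw[pos:pos + 8], "little"), pos + 8
        slen, pos = read_varint(raw, pos)
        outs.append((script_to_address(raw[pos:pos + slen]), sats))
        pos += slen
    if pos + 4 != len(raw):  # only the locktime may follow the outputs
        raise ValueError("truncated or trailing transaction data")
    return outs

def check_sweep(psbt, destination):
    """Return a list of problems; an empty list means one output, to destination."""
    outs = tx_outputs(unsigned_tx_from_psbt(psbt))
    problems = []
    if len(outs) != 1:
        problems.append(f"expected 1 output, found {len(outs)}")
    problems += [f"{sats} sat going to {addr}" for addr, sats in outs if addr != destination]
    return problems

def _sample_psbt(outputs):
    """Constructed test data: one dummy input and P2PKH outputs (hash160, sats)."""
    tx = struct.pack("<I", 2) + b"\x01" + bytes(36) + b"\x00" + b"\xfd\xff\xff\xff"
    tx += bytes([len(outputs)])
    for h160, sats in outputs:
        script = b"\x76\xa9\x14" + h160 + b"\x88\xac"
        tx += struct.pack("<Q", sats) + bytes([len(script)]) + script
    tx += bytes(4)  # locktime
    # global map (key 0x00 -> tx), then empty per-input and per-output maps
    return b"psbt\xff\x01\x00" + bytes([len(tx)]) + tx + b"\x00" * (2 + len(outputs))

DEST_H160 = bytes.fromhex("11" * 20)   # constructed destination key hash
OTHER_H160 = bytes.fromhex("22" * 20)  # constructed address you never asked for
DEST = base58check(0x00, DEST_H160)
GOOD = _sample_psbt([(DEST_H160, 99_000)])
TAMPERED = _sample_psbt([(DEST_H160, 1_000), (OTHER_H160, 98_000)])

if __name__ == "__main__":
    print("good file:    ", check_sweep(GOOD, DEST) or "OK to sign")
    print("tampered file:", check_sweep(TAMPERED, DEST))
```

Type the destination address on the airgapped PC from your own record of it (for example, the hardware wallet's screen), not from anything stored on the transfer medium.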
legendary
Activity: 1512
Merit: 4795
April 03, 2021, 04:07:51 PM
#5
You need to use an offline computer, preferably a permanently airgapped one with a clean OS, import your private key there and sign a transaction on this airgapped computer, and then move the transaction to an online computer to be broadcast. There's a good post from LoyceV about this here, which I'll just link to rather than re-hashing all the information - https://bitcointalksearch.org/topic/m.56389821. Make sure to verify your Linux and Electrum downloads before installing/using them.
I noticed one thing about this method. The user is able to make a transaction using the watch-only wallet and use the airgapped device to sign the transaction. The transaction can be any amount of bitcoin of choice owned, and yet the private key remains offline before and after the whole process.

You are bang on correct. It's a very old paper wallet and I am not able to import it into any new hardware wallet. But I want to learn the most secure way to move said paper wallet into a Ledger.
Follow o_e_l_e_o's post above.

<...>
But, in case the user is done using the paper wallet and wants to transfer the whole funds, can my method above be used if bitaddress.org is run offline? Normally, the private key will still be exposed online on electrum, but the user will send the total bitcoin amount to an address on his hardware wallet, and not using the paper wallet again.