Topic: Paper Wallet, Encryption & Airgapped PC. Sweeping Question (Read 201 times)

legendary
Activity: 2534
Merit: 6080
Self-proclaimed Genius
Okay, so I'll:
4. Because the private keys only are present on the offline computer I transfer the transaction data (how? - usb, sd?) to the offline computer and there I sign through Electrum somehow. (I'll probably find it by clicking around in the GUI).
5. Then take the signed transaction and broadcast it from the online computer to the blockchain.
This is called a "Cold-Storage" set-up.
Here are the steps on how to create and spend from it: https://electrum.readthedocs.io/en/latest/coldstorage.html (official doc)

Note: The images are from an older version, 4.0+'s "advanced preview" and transaction export buttons are a bit different than what's displayed.
"Advanced" button will be displayed after you click pay or if enabled in the preferences; and "export" is in the same location of the advanced preview but with a few extra clicks.

Quote from: affe2626
1. Generate a hierarchical deterministic wallet using some algorithm. Then import the master public key to an online computer running Electrum. (I assume that the master public key can be used to generate unique public keys deterministically, correct?)
Electrum's seed phrase is different from most wallets'/tools', which are BIP39 seeds; you need to click "option->BIP39 seed" under the seed text box if you want to use a seed phrase from "some algorithm".
I'd suggest you just create a wallet using the normal method directly on the offline machine, just like in the documentation.

Quote from: affe2626
I rather not fuck up with 1000$.
Or get a reputable 'hardware wallet', it's only a fraction of that amount.
It'll spare you a great deal of hassle when spending from a cold-storage setup, especially if you're the type who spends frequently.
legendary
Activity: 1918
Merit: 1728
Just storing the private key is fine for Ethereum.

Nope. Storing individual private key for Ethereum has same level of risk as in case of Bitcoin. The process of generating public key is exactly same for both i.e. through Elliptic Curve Cryptography. Only the process of generating address differs. Ethereum address is the last 20 bytes of Keccak256 hash of the public key whereas bitcoin address is the Base58 encoding of RIPEMD160(SHA256(public key)).

So it is advisable to use HD wallet in case of ethereum as well. Good thing is that you can use exactly same 'mnemonic words' (seed phrase) for both bitcoin and ethereum. BIP-44 has defined the standard of deriving addresses from the seed. Since you have common understanding of hierarchical deterministic process, I will tell you a little more. The seed derived from mnemonic words is first hashed using HMAC-512 hashing then left 256 bits of the resulting hash is used as 'master private key' while right 256-bits as 'chain code'.

These private key and chain code are then combined with various index numbers to produce a set of private/public keys which can then be used for addresses.

Bitcoin's derivation as defined in BIP-44 is m/44'/0' which means the chain separated at first hardened child of 45th hardened child of master private key will be used for generating BTC addresses.
Whereas, Ethereum's derivation is m/44'/60' which means the chain separated at 61st hardened child of 45th hardened child of master private key will be used for generating ETH addresses.

This is how same seed phrase can be used to produce addresses for multiple coins without conflicting the addresses and keys.




Just so I understand correctly: HD wallets use a deterministic algorithm for generating private and public keys. So anyone with access to the seed phrase gets access to all of my wallets? Seems like a bigger brained paper wallet hmm.
All BTC HD-wallets use the same algorithm right? So if I wanted I could just manually calculate all of my private keys in my head even without a computer if I remembered the seed? (that would definitely be boring though).

Nope, you cannot manually calculate the private keys from the seed phrase. First of all, you shouldn't manually pick the words. BIP-39 has defined the set of 2048 words which are to be picked as randomly as possible to create seed phrase of length 12-24 words. It is always advisable to use wallets to create mnemonic seed phrase for you using strong pseudo random number generator. (Note: Electrum doesn't use BIP-39 and has its own set of words)

Ok! Now that you have the mnemonic seed phrase, you have to use the PBKDF2 key stretching function to produce a 512-bit seed. This involves 2048 rounds of SHA-512 hashing and it is in no way possible for your brain to do that manually.

Once you have the 512-bit seed, the rest of the key derivation process is what I explained in the first part of this answer.



I guess I'll encrypt the seed phrase with a good password using some algorithm and print QR codes that I then store in a lot of different buildings. Is that ok?

You don't have to do that. You can store the unencrypted seed phrase without worries. PBKDF2 key-stretching function as I explained above takes 'salt' argument. This salt argument by default is 'mnemonic' string constant. However, you can increase the security of your wallet by using custom strong 'passphrase' as the salt at the time of seed generation. Keys generated from custom salt are entirely different from the one used without it. So even if someone knows your seed phrase, he won't be able to get hold of your keys if he doesn't know your 'passphrase'. And good thing is that no one could guess if you are using custom passphrase or not so they will be redirected to empty bitcoin addresses if they try to generate addresses using your seed phrase without knowing the passphrase.




Oh, lets say I want to hodl for a year, can I just run the algorithm once to get my first address and then hold all my funds on that? Then when sending a payment I run the algorithm twice to get a second address and use that as change address, leaving the first one empty but with change in the next and then I continue like that?

Again there is no need to do that manually. Most of the wallets are well-equipped to do that automatically for you. They will automatically create change address from different branch for you when you try to send transaction.

Also, it is common practice to use different branches for change address. So your first change address won't be your second in-line bitcoin address of m/44'/0'/0' branch but first bitcoin address of m/44'/0'/1' branch.

PS: If you have a hard time understanding Derivation Paths, I would recommend watching a few YouTube tutorials, or this thread from blue snow is a good starting point as well: https://bitcointalksearch.org/topic/derivation-path-5243350
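
Added example, not part of any post in this thread: the derivation chain described in the post above (mnemonic to 512-bit seed with PBKDF2, seed to master private key and chain code with HMAC-SHA512, then the hardened branches m/44'/0' and m/44'/60'), using only Python's standard library. The mnemonic is the published BIP-39 test vector, the passphrase `example` is constructed, and the function names are this example's own.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group; valid private keys lie in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000  # BIP-32 offset for hardened indexes (the ' in 44')

# Published BIP-39 test-vector mnemonic: public knowledge, never fund it.
TEST_MNEMONIC = "abandon " * 11 + "about"


def mnemonic_to_seed(mnemonic, passphrase=""):
    """BIP-39: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase."""
    def nfkd(text):
        return unicodedata.normalize("NFKD", text).encode("utf-8")
    salt = b"mnemonic" + nfkd(passphrase)
    return hashlib.pbkdf2_hmac("sha512", nfkd(mnemonic), salt, 2048, dklen=64)


def master_key(seed):
    """BIP-32: left 256 bits = master private key, right 256 bits = chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key = int.from_bytes(digest[:32], "big")
    if key == 0 or key >= N:
        raise ValueError("seed yields an invalid master key")
    return key, digest[32:]


def hardened_child(parent_key, parent_chain, index):
    """BIP-32 private derivation of hardened child `index` (0 means 0')."""
    if not 0 <= index < HARDENED:
        raise ValueError("index out of range")
    data = (b"\x00" + parent_key.to_bytes(32, "big")
            + (index | HARDENED).to_bytes(4, "big"))
    digest = hmac.new(parent_chain, data, hashlib.sha512).digest()
    tweak = int.from_bytes(digest[:32], "big")
    child = (tweak + parent_key) % N
    if tweak >= N or child == 0:
        raise ValueError("invalid child key, skip to the next index")
    return child, digest[32:]


def derive_hardened(seed, path):
    """Walk a path of hardened indexes, e.g. [44, 60] for m/44'/60'."""
    key, chain = master_key(seed)
    for index in path:
        key, chain = hardened_child(key, chain, index)
    return key, chain


if __name__ == "__main__":
    for label, passphrase in (("no passphrase", ""), ("passphrase 'example'", "example")):
        seed = mnemonic_to_seed(TEST_MNEMONIC, passphrase)
        btc_key, _ = derive_hardened(seed, [44, 0])
        eth_key, _ = derive_hardened(seed, [44, 60])
        print(label)
        print("  seed      ", seed.hex()[:16], "...")
        print("  m/44'/0'  ", f"{btc_key:064x}"[:16], "...")
        print("  m/44'/60' ", f"{eth_key:064x}"[:16], "...")
```

The example stops at hardened private-key derivation; non-hardened children, public keys and addresses additionally need secp256k1 point arithmetic.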
hero member
Activity: 2366
Merit: 838
legendary
Activity: 2380
Merit: 5213
1. Generate a hierarchical deterministic wallet using some algorithm. Then import the master public key to an online computer running Electrum. (I assume that the master public key can be used to generate unique public keys deterministically, correct?)
Electrum itself can generate the wallet.
Click on "Standard Wallet" when creating a new wallet and then select "Create a new seed".
Just note that the seed created by Electrum is not supported by other wallets (except bluewallet AFAIK).

You can also use iancoleman to generate a BIP39 seed phrase which is supported by most of other wallets including Electrum.
For more security, you should run iancoleman in an offline computer.

For making the watch-only wallet, yes. Just import the Master public key into Electrum.
You can also import a list of addresses instead of the Master public keys.


2. Then install Electrum to an offline computer but instead importing the master private key. (which can generate unique private keys for the same public keys? Which when derived gives me the same public keys so to say).
You can make the wallet using the Master private key or the seed phrase.
Just note that if the seed phrase is BIP39, you need to click on "Options" and check "BIP39" when importing the seed.


3. On the online computer I make a transaction. I guess I initialize the transaction from the online computer because it needs data from the Blockchain which can't be accessed from an offline machine obviously.
Yes, but the transaction is unsigned and needs to be signed in the offline computer.


4. Because the private keys only are present on the offline computer I transfer the transaction data (how? - usb, sd?) to the offline computer and there I sign through Electrum somehow. (I'll probably find it by clicking around in the GUI).
Yes, after entering the required data (the amount to be sent, fee, receiver address), you can click on "export" button. Just save the file into a removable drive (like a USB drive)


5. Then take the signed transaction and broadcast it from the online computer to the blockchain.
Yes, just click on "tools" at top of the window, load the unsigned transaction file and sign it.
Then you need to go to online computer again and broadcast the signed transaction.
Again you need to go tools > load transactions


If I print out my mnemonic phrase encrypted with a password I should be all set and I can start transferring money to the first generated public address, right?
Yes, you are the owner of all addresses generated by the seed (mnemonic) phrase.
newbie
Activity: 5
Merit: 1
Okay, so I'll:
1. Generate a hierarchical deterministic wallet using some algorithm. Then import the master public key to an online computer running Electrum. (I assume that the master public key can be used to generate unique public keys deterministically, correct?)

2. Then install Electrum to an offline computer but instead importing the master private key. (which can generate unique private keys for the same public keys? Which when derived gives me the same public keys so to say).

3. On the online computer I make a transaction. I guess I initialize the transaction from the online computer because it needs data from the Blockchain which can't be accessed from an offline machine obviously.

4. Because the private keys only are present on the offline computer I transfer the transaction data (how? - usb, sd?) to the offline computer and there I sign through Electrum somehow. (I'll probably find it by clicking around in the GUI).

5. Then take the signed transaction and broadcast it from the online computer to the blockchain.

Do I understand this correctly? I rather not fuck up with 1000$. (Though I'll prob test with smaller amount and/or testnet first.)
If I print out my mnemonic phrase encrypted with a password I should be all set and I can start transferring money to the first generated public address, right?


legendary
Activity: 2702
Merit: 3045
you need to create a watch-only wallet in an offline computer
The main purpose of using a watching-only wallet is to keep track of your wallet/addresses activity. So it has to be run on an online computer to keep the wallet synced.

Mind sharing how to do this?
You can create a watching-only wallet by importing the master public keys or individual public addresses. This way you can monitor your transactions and balance without exposing your private keys/seed.
newbie
Activity: 5
Merit: 1
Thanks, so basically:

Just storing the private key is fine for Ethereum.

HD wallet for Bitcoin is used because of the unspent transaction thingy requires a ton of addresses if I want to actively send funds? (I think I'll learn about it more tomorrow lol).

Just so I understand correctly: HD wallets use a deterministic algorithm for generating private and public keys. So anyone with access to the seed phrase gets access to all of my wallets? Seems like a bigger brained paper wallet hmm.
All BTC HD-wallets use the same algorithm right? So if I wanted I could just manually calculate all of my private keys in my head even without a computer if I remembered the seed? (that would definitely be boring though).

I guess I'll encrypt the seed phrase with a good password using some algorithm and print QR codes that I then store in a lot of different buildings. Is that ok?
Oh, lets say I want to hodl for a year, can I just run the algorithm once to get my first address and then hold all my funds on that? Then when sending a payment I run the algorithm twice to get a second address and use that as change address, leaving the first one empty but with change in the next and then I continue like that?
legendary
Activity: 2380
Merit: 5213
Mind sharing how to do this?
You can use Electrum. (Download electrum only from its official website and don't forget to verify the signature)
Below is the guide.

How to spend from an offline paper wallet using Electrum


That seems very nice indeed. But if I don't care about my payments being anonymized I still can't see why I shouldn't just use the same address.
Even if privacy doesn't matter to me, I would prefer a HD wallet.
If I want to write a private key on a paper, there's a high probability that I miss a few characters or misspell them. Writing a list of words is much easier.

So you basically come up with a seed yourself and then you run an algorithm on it that deterministically generates keys for you?
There are some standard algorithms for deriving private keys from a seed phrase. The most popular one is BIP39 which is supported by most of wallets.
newbie
Activity: 5
Merit: 1
Yes,
If you don't want to send the remaining balance to a new address, it would be better to make the transaction offline. To do so, you need to create a watch-only wallet in an offline computer, sign it using your private key in the offline computer and broadcast it using an online computer.
Mind sharing how to do this?

Yes,
You can create a HD wallet and keep the seed phrase instead.
A seed phrase is a list of words that generate numerous private keys and addresses.
That seems very nice indeed. But if I don't care about my payments being anonymized I still can't see why I shouldn't just use the same address.
So you basically come up with a seed yourself and then you run an algorithm on it that deterministically generates keys for you? (So you get "infinite" addresses by only remembering a phrase of words (seed, just like Minecraft!!!!)?

Note that you don't hold your coins in the paper. Your coins are on blockchain and you keep your private key in the paper.
You can import your private key. But it would be better to use a HD wallet and send the entire balance to the new wallet.
Yes, yes. Ofc. I think of the private key as a kind of user/pass combo for signing transactions on the network from your wallet (stored on the blockchain), correct?
legendary
Activity: 2380
Merit: 5213
If the change address is the same as my paper wallet address, won't I just get all the change back to the paper wallet?
Yes,
If you don't want to send the remaining balance to a new address, it would be better to make the transaction offline. To do so, you need to create a watch-only wallet in an online* computer, sign it using your private key in the offline computer and broadcast it using an online computer.

 
If I hodl on a hardware wallet, is it wise to back up the private key on a paper anyways so if I lose it I still have access to all my funds?
You can create a HD wallet and keep the seed phrase instead.
A seed phrase is a list of words that generate numerous private keys and addresses.  

 
If I buy eth and btc and just hold them on paper until I get a hardware wallet, can I import my keys to the hw wallet or should I just send the funds as normal transactions?
Note that your coins are not in the paper. Your coins are in blockchain and you keep your private key in the paper.
You can import your private key. But it would be better to use a HD wallet and send the entire balance to the new HD wallet.

*Edited. Thank you khaled0111. I miswrote that part.
newbie
Activity: 5
Merit: 1
...
...

Oh okay, I just assumed that Bitcoin worked kind of the same as Ethereum. I'm very new to crypto, got interested like 2 days ago. I have used Bitcoin before for purchases though.
So on Ethereum it's fine to just store the private key on a paper and use it like a password to the Ethereum network?

Just wondering
"So now you have exposed the private key of the address on the device"
How is this a problem if I use a secure computer, like a BSD without anything on it except a program to send Bitcoin?

"and also created new UTXO on the same address which kills the whole purpose of using paper wallet!"
What does this do (explain like I'm a toddler lol). If the change address is the same as my paper wallet address, won't I just get all the change back to the paper wallet?
I mean paying 100$ and getting 70$ back is for an end-user just like spending 30$, right?

And about hardware wallets. Might get one if you say so :)

If I hodl on a hardware wallet, is it wise to back up the private key on a paper anyways so if I lose it I still have access to all my funds?
If I buy eth and btc and just hold them on paper until I get a hardware wallet, can I import my keys to the hw wallet or should I just send the funds as normal transactions?
legendary
Activity: 1512
Merit: 4795
If you are looking to send payments regularly, I don't see any reason or benefit of using Paper Wallet. Better go for HD Wallet by securely keeping the mnemonic code offline and creating new change address every time you spend UTXO.
And, hardware wallet can satisfy this purpose. And, like you have commented, paper wallet serves no two purposes than for holding, it comes with only one private key, and can not be used for daily/frequent transaction purpose. But, if the person that wants to hodl is having $1000 to be saved in bitcoin and ether, I do not know why he should not get a good hardware wallet like ledger nano x or trezor, if he even wants cheaper ones, ledger nano s or keepkey are perfect.
legendary
Activity: 1918
Merit: 1728
You know that balances are spent differently on Bitcoin network as compared to Ethereum network, right?

On Ethereum network, accounts and balances are stored in a global state so transactions work like normal database where addresses are debited and credited. But on Bitcoin network, you have to consume the entire UTXO as the input in order to spend the funds. If you got 1 BTC on your bitcoin address, whole 1 BTC will be consumed as the input even if you send less than 1 BTC. Remaining amount will be used to create a new output on a change address.

In case you are using paper wallet, the wallet you used to import private key of your paper wallet will most probably send the change to the same address of the paper wallet. So now you have exposed the private key of the address on the device and also created new UTXO on the same address which kills the whole purpose of using paper wallet!

If you are looking to send payments regularly, I don't see any reason or benefit of using Paper Wallet. Better go for HD Wallet by securely keeping the mnemonic code offline and creating new change address every time you spend UTXO.
newbie
Activity: 5
Merit: 1
Hi, I'm interested in buying some crypto and I've thought about storing it on paper wallets. Mostly BTC & ETH.
I have 8 different places to store it in so fire/water damage won't be an issue.
I'm just wondering about why I'd need to sweep the whole wallet when sending the btc? From what I understand you basically have a private and public keypair and the private is used for signing payments. I'll encrypt the printed keys with a 30-character password which I remember and only store in my brain (permutation of my master password for everything SUPER important, used similar twice before).

Of course I should discard my wallet if I use it on something like a 24/7 networked Windows machine but I guess my airgapped (except when I send payment) FreeBSD laptop would be fine? I'll only use it for crypto payments. The method of sending will be geth (Ether) and my own tool written in BitcoinJ or btcd for Bitcoin. I'm not worried about being tracked either at all because I'll use this only for hodling/some legit payments.

What I'm asking about is why I should recreate a wallet immediately after making a payment? Seems overkill as long as I use a safe computer.
I'll also only store the private key in a ramdisk so any forensic analysis will be useless.

I'll start pretty small at around $1000 since I'm a student, and I rather not risk more. A hardware based solution seems ok but if it costs 10% of what my total amount is it seems like a waste.

So, what's the point of sweeping?
Example for Ethereum:
1. Store private key in ramdisk & use personal.importRawKey to import it after inputting manually from paper (configured geth to store everything in ramdisk ofc).
2. unlock my account with personal.unlockAccount.
3. send eth with eth.sendTransaction.
4. shut down the computer.
Is there any flaw here that I'm missing? I'll get addresses, gas prices, etc. from another computer because I don't want any web browsers installed on the computer.
I'll use the same principles when sending Bitcoin, any recommendations for simple free software Bitcoin tools like geth? I know how to write my own in BitcoinJ but I'd rather want a stable fool-proof one tbh.