
Topic: Securing your savings wallet - page 5. (Read 8363 times)

legendary
Activity: 1078
Merit: 1002
September 18, 2012, 07:43:19 AM
#25
except for the no blockchain part.. what about just having truecrypt (or whatever the better one is?) partition on USB, store vmware/virtualbox hdd on it with linux and run wallet inside that? Then use KeePass or similar to copy/paste wallet passwd in each time you want to spend?

Man I'm disappoint. I thought there's an easy plug&play solution for this issue but I guess not.

Let me repeat this again, I'm willing to pay up to $15 for a plug&play USB stick that would allow me to meet my conditions and I don't believe I'm alone.

I already have something like this setup but this is vulnerable to keylogging.
legendary
Activity: 910
Merit: 1000
★YoBit.Net★ 350+ Coins Exchange & Dice
September 18, 2012, 07:12:57 AM
#24
except for the no blockchain part.. what about just having truecrypt (or whatever the better one is?) partition on USB, store vmware/virtualbox hdd on it with linux and run wallet inside that? Then use KeePass or similar to copy/paste wallet passwd in each time you want to spend?

Man I'm disappoint. I thought there's an easy plug&play solution for this issue but I guess not.

Let me repeat this again, I'm willing to pay up to $15 for a plug&play USB stick that would allow me to meet my conditions and I don't believe I'm alone.
sr. member
Activity: 350
Merit: 251
Dolphie Selfie
September 18, 2012, 07:05:55 AM
#23
Have you looked at my little project already?

It includes the official Bitcoin client and Bitcoin Armory. You can choose between two kernels at boot: one for online usage (to broadcast transactions / use your watch-only wallet / etc.), one for complete offline usage to sign your transactions (either with a saved wallet or a wallet recreated from a paper wallet). In online mode hard disk access to your host system is allowed and Bitcoin does ask for its data directory. So if you have downloaded the blockchain on your host system already, you can reuse it and don't have to download it again. (Attention: The version of Bitcoin within the live system uses a newer version of the db backend. The blockchain is converted to this newer format on first start and then can't be opened with an older version anymore. If you still want to use your blockchain on the host system, make a copy first.) In offline mode the blockchain is not needed (verification / creation of unsigned transactions has to be done in online mode).

Thread: https://bitcointalksearch.org/topic/announce-privcoin-v10-pendrive-linux-for-offline-transaction-processing-109439
Link to Demo-Download: https://github.com/flipperfish/privcoin/downloads (Be aware that this is only for demonstration, it would be more secure to create the live system yourself. If you use a freshly installed VM with Debian Wheezy this should be pretty easy.)

Quote
I don't want the blockchain on my laptop at any point if at all possible?
You can still use blockchain.info from the live-os in online mode, if you want. It would also be possible to use electrum in the same way as Armory with offline transactions, but there is no gui for this currently, which results in bad usability. And IMHO bad usability is the arch-enemy of good security.
legendary
Activity: 1078
Merit: 1002
September 18, 2012, 05:31:02 AM
#22
Man I'm disappoint. I thought there's an easy plug&play solution for this issue but I guess not.

Let me repeat this again, I'm willing to pay up to $15 for a plug&play USB stick that would allow me to meet my conditions and I don't believe I'm alone.
full member
Activity: 237
Merit: 100
September 18, 2012, 12:02:18 AM
#21
I've used Ubuntu Privacy Remix + a downloaded version of Brainwallet.org.

To make/fund the wallet:
Run UPR and make a brainwallet using a long, secure passphrase. Write the address down AND copy it to a separate USB stick. Fund address as needed.

To spend coins:
Get your transaction info from block explorer like so:
http://blockexplorer.com/q/mytransactions/1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T
Save it to your USB drive with UPR. Run UPR and use brainwallet to generate and sign a transaction. Copy the TX to second USB (and write down if paranoid). Broadcast to the network using one of various services.

There are other ways to do the same sorts of things using Electrum, but I found this simpler as all one needs are two USB sticks and UPR+Brainwallet.org.
legendary
Activity: 1764
Merit: 1002
September 17, 2012, 10:58:32 PM
#20
Ok chrisrico, that sounds very good but I have two questions:
- can I import the watch only wallet into blockchain.info wallet and generate new addresses there or does it have to be the satoshi client?

be aware that the Armory watching only wallet can generate you an infinite number of addresses to receive coins.  it's a deterministic wallet.  thus the backup is easy also and only requires a seed and chain code.
legendary
Activity: 1764
Merit: 1002
September 17, 2012, 10:55:02 PM
#19
Yeah no, I don't want a blockchain on my laptop at all because I frankly don't see a need to have it given that there are other options.

those options are then restricted to server based solutions which i personally am not comfortable with. 

i use an Armory offline netbook as my solution but am intrigued by the USB option outlined above and on etotheipi's thread.
hero member
Activity: 496
Merit: 500
September 17, 2012, 10:42:02 PM
#18
Since I've been using Armory, I can't imagine using Bitcoin without it.

Same. I love it so much. It's even running on my RPi
legendary
Activity: 1078
Merit: 1002
September 17, 2012, 06:35:42 PM
#17
Yeah no, I don't want a blockchain on my laptop at all because I frankly don't see a need to have it given that there are other options.
hero member
Activity: 496
Merit: 500
September 17, 2012, 01:01:23 PM
#16
- can I import the watch only wallet into blockchain.info wallet and generate new addresses there or does it have to be the satoshi client?

No, it has to be the Armory client.

- can I send from those addresses without having to download the blockchain - I don't want the blockchain on my laptop at any point if at all possible?

Armory requires a copy of the Satoshi client running in order to connect to the network and keep the block chain up to date. I thought your requirement was that you didn't want to have to download the block chain twice, once for your main operating system and once for the secure storage. With Armory, you still need to download it once.
legendary
Activity: 1078
Merit: 1002
September 17, 2012, 11:27:55 AM
#15
Ok chrisrico, that sounds very good but I have two questions:
- can I import the watch only wallet into blockchain.info wallet and generate new addresses there or does it have to be the satoshi client?
- can I send from those addresses without having to download the blockchain - I don't want the blockchain on my laptop at any point if at all possible?
hero member
Activity: 496
Merit: 500
September 17, 2012, 11:16:13 AM
#14
These are my conditions:

-I want it in a digital form, preferably on an encrypted USB stick
check

-I want to be able to use it with my primary and only laptop (needing to reboot my laptop is fine)
check

-I want to be able to at least send myself an email with an address where to send the coins to and be safe doing so or use some other way of copy/paste
even better, see below

-I want to spend from my savings wallet without having to download the blockchain
check


Does having a liveCD linux on a USB with armory meet all these conditions?

Here's what you do. Download the Ubuntu LiveCD and put it on a USB drive using Unetbootin. Don't forget to allow for space to preserve files across reboots. Boot onto your USB drive and install Armory. Now, disable all network connections inside the operating system. Start up Armory in offline mode (it will prompt you since it won't detect Bitcoin running), and create a new wallet. Go to the wallet properties, and create a watching only copy. Save this to your USB drive (not the mounted file system). Make a paper backup if you want.

Now, boot back into your main operating system. Get Bitcoin running and up to date with the block chain. Start up Armory, and import the watching only wallet. With this, you can generate addresses, see incoming payments, and create spending transactions, but you cannot sign them. In order to sign them, you'll have to follow the Offline Transactions prompt, transfer the generated file to your USB drive, boot to USB, sign the transaction, boot back to your main OS, and broadcast the transaction.
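Why a watching-only wallet can keep generating addresses but cannot sign (the point made in the post above and in the deterministic-wallet remark in reply #20), shown as an added example that is not part of the thread and is not Armory's code. It assumes a simplified multiplicative key chain on secp256k1 with an HMAC-SHA256 step; the function names, the step function and the sample seed are constructed for illustration.

```python
import hashlib, hmac
# secp256k1 domain parameters (the curve Bitcoin uses)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Add two curve points; None stands for the point at infinity."""
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    s = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b   # tangent slope
         else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P  # chord slope
    x = (s * s - a[0] - b[0]) % P
    return (x, (s * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    out = None
    while k:
        if k & 1: out = add(out, pt)
        pt = add(pt, pt)
        k >>= 1
    return out

def step(chain_code, pub):
    """Multiplier for the next link, computed from public data only (assumed scheme)."""
    data = b"\x04" + pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")
    return int.from_bytes(hmac.new(chain_code, data, hashlib.sha256).digest(), "big") % N

def watch_only_chain(root_pub, chain_code, count):
    """Online machine: next `count` public keys, no private key involved."""
    pubs, pub = [], root_pub
    for _ in range(count):
        pub = mul(step(chain_code, pub), pub)
        pubs.append(pub)
    return pubs

def offline_chain(root_priv, chain_code, count):
    """Offline machine: the private keys matching watch_only_chain()."""
    privs, priv = [], root_priv
    for _ in range(count):
        priv = priv * step(chain_code, mul(priv, G)) % N
        privs.append(priv)
    return privs

# Constructed sample values, not real wallet material.
ROOT_PRIV = int.from_bytes(hashlib.sha256(b"constructed demo seed").digest(), "big") % N
CHAIN_CODE = hashlib.sha256(b"constructed demo chain code").digest()
```

In this scheme every multiplier is computable from public data, so a single leaked private key combined with the watch-only file exposes every key in the chain. Treat the watch-only file as sensitive and do not export individual private keys from the offline side.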
legendary
Activity: 1264
Merit: 1008
September 17, 2012, 11:14:59 AM
#13
If the Bitcoin client generates the keys, is the only way to get those keys through an export function?

The beauty I saw in the bitcoinaddress.org paper wallet approach is you never had to load the private keys into memory (simply print them).  Thus eliminating any chance of key loggers capturing that data.  Is there a way to do something similar in a BC client?


Think so.

I've never worried about that, since I keep all my machines, both Windows and Linux, regularly scanned.
You really don't have much to worry about on a fresh install of Ubuntu. How do you expect it to get infected?

Your only risk comes from keyloggers if you happily installed a wallet on an already infected drive, which quite frankly is your fault for not making sure it's clean first.

Just some light reading I think might be relevant here for the paranoid:

http://www.toucan-system.com/research/blackhat2012_brossard_hardware_backdooring.pdf
sr. member
Activity: 476
Merit: 250
Keep it Simple. Every Bit Matters.
September 17, 2012, 09:12:27 AM
#12
If the Bitcoin client generates the keys, is the only way to get those keys through an export function?

The beauty I saw in the bitcoinaddress.org paper wallet approach is you never had to load the private keys into memory (simply print them).  Thus eliminating any chance of key loggers capturing that data.  Is there a way to do something similar in a BC client?


Think so.

I've never worried about that, since I keep all my machines, both Windows and Linux, regularly scanned.
You really don't have much to worry about on a fresh install of Ubuntu. How do you expect it to get infected?

Your only risk comes from keyloggers if you happily installed a wallet on an already infected drive, which quite frankly is your fault for not making sure it's clean first.
hero member
Activity: 632
Merit: 500
September 17, 2012, 09:05:26 AM
#11
If the Bitcoin client generates the keys, is the only way to get those keys through an export function?

The beauty I saw in the bitcoinaddress.org paper wallet approach is you never had to load the private keys into memory (simply print them).  Thus eliminating any chance of key loggers capturing that data.  Is there a way to do something similar in a BC client?
sr. member
Activity: 476
Merit: 250
Keep it Simple. Every Bit Matters.
September 17, 2012, 08:53:22 AM
#10

I wouldn't generate an address via a 3rd party, I'd rather my program on my computer did it, that is just me.
I'm sure you could do that, some wallets will allow you to import those sort of details.

Any open source address generation tools you can recommend?

Pretty much every wallet software that I have installed to my computer has made one for me, upon install.
Now if you're using one which doesn't, then I don't have any recommendations, since I wouldn't trust a 3rd party to generate my new address.
hero member
Activity: 632
Merit: 500
September 17, 2012, 08:41:17 AM
#9

I wouldn't generate an address via a 3rd party, I'd rather my program on my computer did it, that is just me.
I'm sure you could do that, some wallets will allow you to import those sort of details.

Any open source address generation tools you can recommend?
sr. member
Activity: 476
Merit: 250
Keep it Simple. Every Bit Matters.
September 17, 2012, 08:32:50 AM
#8
This might sound a bit naive...

...But before I go through the effort of setting up a USB boot, is it possible to boot to Ubuntu on a Mac running Parallels?  If not what are my OS options for this machine?

And to make this secure, I would need to be disconnected from the internet when booting to the USB right?

If that's the case, is it possible to somehow save the javascript https://www.bitaddress.org is using to generate bitcoin addresses.  And then run that on the USB stick in a browser not connected to the internet?


I'm not overly familiar with Mac. So can not offer any advice that is very specific to it.

At least with the electrum wallet that doesn't download the blockchain, you'd still need to be online to really check on or change anything.
But there is no reason why you would need to stay online longer than you needed to. So yes I suppose during bootup you could be offline.

I wouldn't generate an address via a 3rd party, I'd rather my program on my computer did it, that is just me.
I'm sure you could do that, some wallets will allow you to import those sort of details.
hero member
Activity: 632
Merit: 500
September 17, 2012, 08:21:23 AM
#7
This might sound a bit naive...

...But before I go through the effort of setting up a USB boot, is it possible to boot to Ubuntu on a Mac running Parallels?  If not what are my OS options for this machine?

And to make this secure, I would need to be disconnected from the internet when booting to the USB right?

If that's the case, is it possible to somehow save the javascript https://www.bitaddress.org is using to generate bitcoin addresses.  And then run that on the USB stick in a browser not connected to the internet?
sr. member
Activity: 476
Merit: 250
Keep it Simple. Every Bit Matters.
September 17, 2012, 08:12:17 AM
#6
I use electrum, on ubuntu, that yes is installed on a usb stick.
It's my secondary wallet and is easy to backup and secure without any fuss on downloading a blockchain.
Sending and receiving of coins is pretty easy.

Since it's a pretty usual ubuntu install I can easily install and do anything I want for it that ubuntu can usually do.
I could have made it a live usb based version of ubuntu, but I wanted a bit more flexibility, but it would be pretty easy to do that if you wanted.

I used http://unetbootin.sourceforge.net/ to make the usb install drive, then install it to another.
Same program could be used to make a single usb drive a live drive and reserve X amount of room towards any programs and saved data you want between sessions.
Electrum is pretty easy to install for Ubuntu to be fair, then you just need to do standard stuff to secure it, giving it a nice long password and securing your seed (backup) somewhere safe
http://electrum-desktop.com/download.html