Topic: SEED storage on digital media. - page 2. (Read 890 times)

I know you are very technical man, more than me, and I believe you knew about these risk very well. There are public cases like CEO of an exchange years ago suddenly died and he is the only one who control treasury of that exchange. Maybe more cases like this, I could not remember them all, from business level to family or individual level.

With individuals, they can learn from Hal Finney who has a chronic disease and prepare for his wife to inherit his Bitcoin private keys and bitcoins. You can do the same for ones you love, wife/ husbands, children, ...

[1] Crypto CEO dies holding the only passwords that can unlock millions in customer coins
[2] Quadriga CEO's widow speaks out over his death and the missing crypto millions
[3] Bitcoin and me (Hal Finney)
[4] Using Locktime for inheritance planning, backups or gifts

Yeah, I know that they can may break down. That is why I'm testing each of my cloned flash drive regularly on the month bases. It's highly unlikely that all three will fail simultaneously  because of poor workmanship, thus if  any of them  were noticed as corrupted it  could be replaced by other clone.



Agreed, this is the weakness of human being whose  memory is vulnerable to deceases, hard accidents and senility.

Thus, I'm in the process of development of the inheritance plan, just for above reason.

It's an interesting setup and I kinda like it. And 3 copies sounds good.

Still... flash drives can get corrupted a bit too easy for my liking. I mean I had to reformat or throw away at least 10 USB disks in the last 20 years... and we're talking about very long time here, right?
This is the issue with electronic devices. They can get broken easier than more physical stuff.


I will add that age or an accident or stroke can make you forget the passwords/PINs you've used there.


These are the weak spots I've seen.

For those who have the courage  to try my method I  share a trick on how to unite in friendship Kleopatra and hardware pgp keys that hold the same secret but have different ID.

The problem is that each HW pgp key has its own unique ID and by  keeping the last used ID in the cache  Kleopatra refuses to work with other clones of HW key.

The work around is the following.

• 1.  Before importing public pgp HW key into Kleopatra remove default keys which come with Tails distribution ( they are developers keys and    become not necessary for your purpose)
• 2.  Insert any HW key from your cloned set
• 3.  Import relevant public key
• 4.  When  being asked about certification choose Cancel
• 5.  Right click imported public key and select Change Trust
• 6.  Choose "It's my certificate"
• 7.  Proceed with your tasks involving inserted HW key: decryption, encryption, signing, verifying what ever you want.
• 8.  After completing your tasks remove you HW pgp key.
• 9.  Right click public key and select Remove
• 10.Close Kleopatra
• 11 .Next time when you open Tails you will have the   pure untouched Kleopatra that doesn't remember HW keys ID. So you can proceed with any key from your cloned set referring to 2 - 10 in this list.

Recently, i made a thread suggesting creating/importing seeds in wallets like Electrum or Sparrow, as they allow you to export encrypted digital backups.

Security tips for making encrypted backups of your seedphrase.

I completely support your idea!  Seed storage on digital media is a crucial topic, we definitely need more threads like this on the forum.

Mantra.

Never recommended by whom, by you?

 Then, don't use it.


Wise people use for this airgaped Tails which doesn't contain any malware including  keylogers , wooden headed folk utilize devices  and OS that have keyloggers.
Regarding,  IronKey Vault, all typing must be done on airgaped machine, it goes without saying, beside IronKey Vault has the build-in virtual keyboard.
Do you have any experience of working with Tails and/or airgapped machine?


Empty words in fact that tell nothing. Tell better how they can leak from my system.


Yeah, yeah , and better on the other planet, let's say on Mars for instance.
 
In fact digital form of storage should be a companion for primitive one, which in my case is a binary code hold on  titan washers .

---

Further on, any referring to primitive forms of SEED storage in this thread will be considered as offtopic. Tread is solely  for the discussion of best methods to store SEED on digital media.

I have shared my SEED protected by described way to close relatives (geographically distant by hundreds miles)  and don't afraid that they or any other folk can get my phrase. They have only flash drives with Tails but all  set of HW pgp  clones  is in my hand.

SEED phrases stored by primitive way can not be shared with other people without revealing them.

It is never recommended to store your seed phrases in any form of digital media, not even using PGP encryption. You never know, you may lost the secret key file and if you lose then you lose the pass phrase. You also is going to type the seed in the digital media, you will never know if there is a keylogger installed in your device. For any form of digital storage, you always have chance to leak your private key.

It's always better and recommended to store you seed in digital form and it needs to be a fireproof solution.

For not tech savvy people, like you, who wanna use digital media for storing sensitive info like SEED phrases, passwords, etc   I would advocate off-the-shelf products like those produced by Kingston.

I have their flash drive from IronKey Vault Privacy 50 Series and must confess that having AES 256 encryption as well as protections from both bad USB and brute force  it may be considered  as a good digital media stuff for storage  SEED phrases . The only drawback I see is that it is not friendly with Linux and works solely on either Windows or Mac OS machines.

My approach is a bit complicated as in fact it has three layers of protection which might  be looked as overkill.

I saw this notification on the bitcointalk supernotifier and it caught my attention because I have done a DIY Seed Storage on a soda can Inspired by Pmalek's Guide. I would have really loved to try this but I am not a tech savvy person. The only software I recognize there in the write up is Kleopatra which I used one time when I learning to sign a message courtesy of bitcoingirl.

With this contribution I'd like to share my latest "innovation": a method I've implemented  for storing my SEED phrases on digital media.

For this purpose, I use the bootable flash drive holding  Tails OS with  all communications drivers locked. Persistent volume of this OS is  secured with a compound password i.e part of this password is  stored in a hardware security key and enters unlocking field via its OTP interface , while other part is entered manually at unlocking volume. HW security key is aimed also for storage  my private ed25519 PGP key.

The persistent volume keeps   KeePassXC database, locked with a composite password that includes a segment stored in HW key. This password differs from that one safeguarding the Tails persistent volume.

The KeyPassXC database houses encrypted GPG messages corresponding to my SEED phrases. These messages are encrypted using my PGP hardware key (smart card in terms of Kleopatra), which is protected by a PIN code. Notably, only two incorrect PIN attempts are permitted; a third incorrect attempt will result in the blocking of access to the PGP key.

For anyone interested , I  provide ppg code for setting up hardware keys.



The corresponding public key is imported into Kleopatra key manager with database situated within the persistent Tails volume.



Consequently, by utilizing Kleopatra and a hardware key, one can decrypt/encrypt SEED phrases  and securely add  encrypted messages  to KeePassXC database.

In practice, I maintain three cloned Tails flash drives and three hardware keys, each serving as a backup for the others.

I welcome any constructive criticism regarding potential points of failure or unknown vulnerabilities in my system.

---

Picture shows my Tails flash drive (in the form of debit card, metal frame)  and pgp HW key