Topic: Sweep vs. Import? (Read 7283 times)

On the Imported Address Warning, it would help if

'If you do not plan to use the address again, it is recommended that you "Sweep" the private key instead of importing it'

was changed to

'If someone else might know this address, it is recommended that you sweep the private key instead of importing it'

Ok,
but thats now more than enough to say about this silly and dangerous nonsens:

Touching and manipulating private keys is the worst you can do.
Everybody should know that.

Should not be provided by Armory at all. 

No need at all for such a dangerous stuff.

LvM

NO! Dont like to explain self-evident facts.
LvM

WARNING:

Armorys "Sweep" and "Import" is nothing but dangerous nonsens.

Should never be used at all!

LvM

As explained, the paper wallet protects you from all armory-generated addresses, it does NOT protect you from imported ones, however. That's basically it.

I imported one of my private keys to Armory and it appears to be working.  Now I can do offline to online payments using this wallet.  When looking at my wallet, the top public address says Imported, then 1, 2, etc.  What is the significance of this?  Am I losing some benefits of Armory wallets?

Should I create a new Armory wallet, and then sweep the funds from the Armory wallet with the imported key into the new Armory wallet?

When Armory "sweeps" addresses, it is simply executing a transaction on the network.  It's identical to if you had gone into your new wallet, generated a receiving address, then gone into the old app and sent all your coins to it.  It creates a tx spending all your coins to the new address and sends it to the network.

Importing, will import the private keys to your new wallet, but won't touch the coins where they are. If someone else has access to those private keys, they will maintain access to them after import. 

I would not be concerned about the security of address reuse -- though the privacy implications are much worse than people realize.  But in the far far future where quantum computers become real (probably 30+ years from now) or the math behind ECDSA is broken, any addresses that have been reused are vulnerable (security-wise).  But in the absence of these two events happening there is no security risk:  in the real world, public keys are reused all the time (after all, they are intended to be persistent identities -- but in this case we're trying to avoid being persistently identifiable). 

Bear in mind that all of internet security is broken in these cases, so it's not a unique problem to bitcoin.  All of internet security is based on neither of those two things happening, and because neither of them are considered feasible.  It just so happens that Bitcoin has accidentally protected itself from those events if you don't reuse addresses.  And even if it was going to happen, we'd probably have months (in the event of a math breakthrough) or years (QC breakthrough) to upgrade the system in anticipation of those effects becoming exploitable.

Thanks etotheipi, but this still doesn't totally satisfy my question.  Let's say a user has an old QT wallet from many months ago with some coins still on it. The user has never given the private key to anyone, & wishes to take those coins from the QT wallet and keep them safer in an armory offline wallet.

Does sweeping or importing do this instantaneously off-chain so there is no transaction fee involved? Or more directly, how exactly do these mechanics work?  Let's also assume the user wishes to migrate entirely to the armory online/offline way of keeping their coins, so that original QT wallet (or blockchain or whatever) is in no danger of ever being used again to either send or receive.

I'm trying to figure out the financial benefit (if any) of import/sweep versus simply sending a normal transaction over the network for the entire balance to armory wallet.

Also, I've read countless times that address re-use is strongly discouraged. IE: you want to use an address once to receive, and once to send, and that's final. All transaction change goes to a newly created address. Is there any SECURITY reason for this? Or is it simply a privacy thing? For instance, I believe just-dice has an offline wallet that gets constantly reused. According to blockchain tags, it's this:

https://blockchain.info/address/14o7zMMUJkG6De24r3JkJ6USgChq7iWF86

Is that a "Very Bad Thing"? What are the security ramifications to operating this way? Assume they're set up to use armory.

It is only recommended you use "Import" when you are sure you're the only person who's ever seen the private key, and you plan to use it again.  Since address re-use is discouraged, the only real reason would be for vanitygen addresses which are frequently used without.  Otherwise, always sweep, especially for Casascius coins and paper wallets which have been passed around.

WHy?  Because it's extremely dangerous to add private keys to your wallet that other people have seen.  You open yourself up to situations where someone "sends you money" by sending it to the address that they have the private key for.  It shows up in your wallet and looks like it's yours.  You act on the assumption that the money is yours, then they sweep it back to their own address.  This is a major attack vector against someone who accepts large amounts of money for services.  You pay, they serve, you sweep, they're screwed.

And don't fall for the argument that "all keys should be held on forever in case someone sends more money to it."  Someone randomly sending money to a private key that has become public is like dumping money on the ground.  Any actions you take to "watch that address" is like walking around your neighborhood every day hoping someone accidentally dropped $1 bill.  One day you might get lucky and find $1, but you have better things to do with your time, and it's best not to pollute your wallets with mixed-origin private keys. 

You want to know that when you receive money to any of your wallets, it's really yours.  If there's no reason to believe the key will ever be used again, sweep it.

I was under the impression sweeping would move the coins off-chain without incurring any possible transaction fee, and would do this instantly without need for confirmations. The more I think about it, the dumber that sounds as the rest of the network would have no idea those coins were "moved" in the first place.

I'm now a bit confused as to why someone would wish to sweep coins at all. It seems you need to have total control over both wallets in either scenario. You're also advising to never "delete" a wallet. If sweeping still means the coins get sent as a transaction to a new address, how is this different than a normal send?

In my question I do not care at all about signing messages or proving ownership at a later date. I'm more interested in keeping funds secure and organized. I also do not care about the astronomically remote chance of a private key collision.

So, the million dollar question: Why sweep at all, ever? Would the best course of action to be keeping all of the older wallets empty after draining them with a single transaction to the armory wallet, which would consolidate everything?

All the funds would be "swept" to the Armory wallet, yes, but the keys do not get "imported" into the Armory wallet.

This is fine, and actually probably I would say the recommended way to perform such an action as having multiple copies of the same private key (needed to spend the funds) in two different wallets is simply a bad idea, however...

If you then "dispose of" the Blockchain.info wallet (as you have swept all the funds from it is is no longer of use to you) and a friend  send you BTC, or a merchant has to return some BTC to the original payment address as some goods which were in transit got lost, or even you ahve been asked to sign a message using an address you used for payment in the past (from the old Blockchain.info wallet), then you might find yourself in trouble.

So what am I saying here? Basically, sweep your funds when importing funds from one wallet to another, BUT keep backup copies of every wallet you have ever used. Ever. Period.

Then you'll be covered!

Edit: I have just re-read your post to check that I have actually answered your question and I don't think that I did; If you want to send your funds from a Bitcoin-QT wallet, to Armory, just generate an address and perform a regular transaction (to yourself).

e4xit, or someone else, please correct me if I'm wrong:

Let's say a user currently already has a QT, blockchain.info, or some other wallet, and wishes to move that entire balance from some or all of those addresses into armory offline cold storage. Are you saying the user gives the wallet.dat to online armory and then says "sweep"? All those funds will go to an armory-managed address and the original wallet.dat would then be empty and effectively useless? Am I understanding this correct?

OK sweep; as I understand it this temporarily adds the keys to your wallet, then moves the funds to an address already from your wallet (either new change address, or reuses an old address). The benefit of this is, you can sweep funds from an address two people might have access to without leaving the private keys in your wallet, this measn that there is no chance of change from one of your personal transactions in the future from going to an address not 100% owned by you.

Some people have fallen foul of this by adding addresses they have seen private keys for on forums etc, sent another transactino later, and their (stupid) bitcoin wallet has used the imported address for the change, which can then immediately be swept by anyone else with the same private key.

Import; If you have a generated vanity address, you would import it, because you woudl want to retain that address in your wallet, in case of future payments.

You lose the deterministic benefit of Armory wallets when you import private keys instead of sweeping them.

No takers on this one? I'm still wondering... BTW I LOVE Armory! It's great!

What exactly is the difference between "sweeping" a private key versus "importing" a private key. What scenarios would you want to use one method over another?