Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: Dirt Rider on June 18, 2011, 03:43:36 AM



Title: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 18, 2011, 03:43:36 AM
With news of recent lost or stolen Bitcoin, like many, I have been thinking about what steps I should be taking to protect my bitcoin savings (however small that may be).

Here's what I have currently swirling around in my head - please consider this just an initial brainstorm of sorts.  I am very interested in feedback, thoughts and other brainstorms :)

My experience lies mostly with Windows so that is what I'd use to do this but the concept could be implemented in Linux and probably even on a Mac just as easily for those experienced in those platforms.

My general goals here are security and backup/redundancy for an offline savings wallet.

1) Start with a clean OS install on a non-networked PC.

2) Put clean copies, from trusted sources, signed, sealed, etc of the Bitcoin client, TrueCrypt, and some file splitting utility (such as hjsplit) onto a freshly formatted USB drive (or similar) and transfer to the sterile PC.

3) Using TrueCrypt, create 6 key files and then create an encrypted standard volume (in a file) using the 6 key files and also some strong password.  Mount the volume.

4) Run the Bitcoin client with the -datadir option to create a wallet.dat in the encrypted volume.  Make a note of the wallet address so you can send some Bitcoin to it once you're done.

5) Dismount the volume and then split the volume file into 6 parts using hjsplit or the like.  Delete the original volume file.

6) Grab 6 new media of your choice (USB thumb drive, SD card, CD-R, etc.. or any combination of).  I'll assume we're using USB drives...

7) Onto each USB drive, copy 5 of the 6 key files and 5 of the 6 TrueCrypt volume parts.  On each USB, exclude a different numbered pair of files.
   For example:
   Copy all key files except # 1 onto USB1 and all volume parts except part 1
   Copy all key files except # 2 onto USB2 and all volume parts except part 2
   Copy all key files except # 3 onto USB3 and all volume parts except part 3
   etc...

8) Delete all original files so all that remains is what's on the 6 USB drives.

9) Store each USB drive in a different location, put one in a safe deposit box, mail one to a friend or family member, put one under your pillow, etc..  Just keep them all separate.

10) Once all USB's are stored somewhere send some Bitcoin to the wallet address.

11) Sometime in the future when you want to retrieve the Bitcoin from your savings wallet, you only need any 2 of the USB drives and your password.  Combine the files from any 2 USB's, re-join the 6 encrypted volume parts, mount the volume with the 6 key files and your password, and access your wallet.dat file, send all the BTC somewhere and then dispose of the wallet (or better yet, keep it but don't use it again).   

This provides security in that only someone who has at least 2 of the USB drives AND your password can access the wallet, and redundancy in the fact that there are 6 USB drives out there and all you need are any 2 of them to get at your coin.  I will give one USB to my next of kin (just in case), and with the one in my safe deposit box I will include a note with my password.  Even if a thief gets the contents of the safe deposit box, they still will only have 1 USB and the password, not enough to access the wallet, but my next of kin will have access to everything in case I get hit by "the bus".

So that's it, what do you think?  Does this seem like a good idea, or am I nuts, or both?


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 18, 2011, 03:55:36 AM
Good lord, you make it so complicated.

Edit: I apologize. I appreciate your interest in making a secure savings wallet.

I agree it's complicated, no apology necessary - but I don't know of an easier way to accomplish the same.  Most wallets won't need this treatment but all I can say is if BTC hits $100 each or more, I will want as much security and redundancy as possible for my few coins.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 18, 2011, 04:16:12 AM
My approach requires new hardware (or at the least a clean install of software). I could share, but I'd love to make a new thread.

Step 1 doesn't cover that (well the at least part)?


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 18, 2011, 04:37:49 PM
Does this general concept make sense?

Any feedback welcome and appreciated.  But please at least read the OP first.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: bcearl on June 18, 2011, 04:50:41 PM
Does this general concept make sense?

Any feedback welcome and appreciated.  But please at least read the OP first.

You should better look at existing advice on how to manage wallets, and if you find flaws there you can add ideas.

Your idea is complicated, which is very bad for security. You have to be able to think about the whole thing clearly and analyze it for possible flaws. You put so much obscurity in it that it's hard to check for flaws.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 18, 2011, 04:53:44 PM
I haven't noticed any other threads that discuss a concept that provides this level of security and redundancy (although I did develop this concept after reading as many other threads as I could).

Perhaps you could point me to the other threads that provide a similar end result?


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: bcearl on June 18, 2011, 04:57:30 PM
I haven't noticed any other threads that discuss a concept that provides this level of security and redundancy (although I did develop this concept after reading as many other threads as I could).

Perhaps you could point me to the other threads that provide a similar end result?

I did a less effort setup with Ubuntu user accounts, you find it here:
http://forum.bitcoin.org/index.php?topic=15068

A high security idea more similar to yours has been made here:
http://forum.bitcoin.org/index.php?topic=17292


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 18, 2011, 05:05:09 PM
Yes I had read both of those, thanks.

The problem with that "high security" approach is that the wallet exists in its entirety in one single place.  Put it in a safety deposit box in a bank and that bank gets robbed, the thieves have your complete wallet - doesn't matter if it's encrypted, that can be hacked with enough time and resources, now the thieves have your wallet.

With my approach, even if they get at the contents of my safe deposit box, even if I've included my password along with the 1 removable media in that box, they do NOT have my wallet (I am of course using the safe deposit box just as an example, it could just as easily be under my bed, in a fire safe, etc..).

I apologize if creating a new thread to discuss my concept was inappropriate.



Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: bcearl on June 18, 2011, 05:11:49 PM
The problem with that "high security" approach is that the wallet exists in its entirety in one single place.  Put it in a safety deposit box in a bank and that bank gets robbed, the thieves have your complete wallet - doesn't matter if it's encrypted, that can be hacked with enough time and resources, now the thieves have your wallet.

No, that's not an issue. Of course, everything can be broken some day. But AES-encrypted wallets will not be broken before the very methods of bitcoin blocks are.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: onesalt on June 18, 2011, 05:19:47 PM
But when you want to actually retrieve those coins you've got to remove all the security, and when bitcoin loads or reads a wallet file it loads the entire wallet.dat into memory, making it trivially easy to steal. It's like building a giant nuclear proof bunker to store all your priceless art in, but then to read it you take it out of that and walk to a bus stop at the dodgy end of town.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: bcearl on June 18, 2011, 05:26:33 PM
But when you want to actually retrieve those coins you've got to remove all the security, and when bitcoin loads or reads a wallet file it loads the entire wallet.dat into memory, making it trivially easy to steal. It's like building a giant nuclear proof bunker to store all your priceless art in, but then to read it you take it out of that and walk to a bus stop at the dodgy end of town.

Since when do you have to use the regular client software?


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 18, 2011, 05:29:33 PM
@bcearl:

So encryption is 100% perfect and can't possibly be hacked/cracked/etc?  I accept that this approach is probably overkill for many but it suits my tastes.  Even if it is unlikely that the encryption could be hacked, why not have the additional protection of each USB drive only having "part" of the wallet?

I am trying to understand your point..  Are you hinting that you think my concept for having the wallet split into multiple chunks where you need at least 2 of the chunks together in order to access the wallet is a bad idea?  

Is there a better way to achieve the same "Security and Redundancy" that this approach provides?  Or does this approach maybe not provide the "Security and Redundancy" that I think it does?


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: tymothy on June 18, 2011, 05:31:13 PM
While you may be safe from remote and brute-force attacks, your strategy is no match for the rusty pipe gambit. If you had enough bitcoins for anyone to care about, they'd probably do that first.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 18, 2011, 05:33:47 PM
But when you want to actually retrieve those coins you've got to remove all the security, and when bitcoin loads or reads a wallet file it loads the entire wallet.dat into memory, making it trivially easy to steal. It's like building a giant nuclear proof bunker to store all your priceless art in, but then to read it you take it out of that and walk to a bus stop at the dodgy end of town.

Yes of course, in order to use the wallet sometime in the future it will then no longer be secure which is why you use it to send the saved Bitcoin somewhere else and then never use it again (last part of step 11).  The goal is to keep it secure and have redundancy so that the wallet and bitcoin are still there come the day when you need them.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 18, 2011, 05:34:25 PM
While you may be safe from remote and brute-force attacks, your strategy is no match for the rusty pipe gambit. If you had enough bitcoins for anyone to care about, they'd probably do that first.

Sorry, I don't follow, could you elaborate?


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 18, 2011, 05:42:31 PM
While you may be safe from remote and brute-force attacks, your strategy is no match for the rusty pipe gambit. If you had enough bitcoins for anyone to care about, they'd probably do that first.

Sorry, I don't follow, could you elaborate?

I think he is talking about theft in meat space involving forcing you to tell someone where and how to access your Bitcoins. The solution is to have a bigger rusty pipe.

Ah ok well doesn't the TrueCrypt Hidden Volume address this, potentially?  You could have 2 wallets, one in the outer (decoy) volume with a small amount of Bitcoin in it and then the real savings wallet in the hidden volume.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: bcearl on June 18, 2011, 05:51:36 PM
@bcearl:

So encryption is 100% perfect and can't possibly be hacked/cracked/etc?  I accept that this approach is probably overkill for many but it suits my tastes.  Even if it is unlikely that the encryption could be hacked, why not have the additional protection of each USB drive only having "part" of the wallet?

I am trying to understand your point..  Are you hinting that you think my concept for having the wallet split into multiple chunks where you need at least 2 of the chunks together in order to access the wallet is a bad idea?  

Is there a better way to achieve the same "Security and Redundancy" that this approach provides?  Or does this approach maybe not provide the "Security and Redundancy" that I think it does?


Never make it more complicated, if you don't get a security advantage. It just makes flaws more likely.

How do you split the wallet for example? Splitting is stupid, I can tell you an absolutely secure (mathematically provable!!) way to do it:

1. Take your wallet.dat (call it file A)
2. Create a file with the same amount of bits, but totally random (each bit probability of 0.5, each bit independent of the other bits) (call it file B)
3. XOR files A and B (call the result file C)
4. Store files B and C at isolated locations


Now you can be absolutely certain that nobody reconstructs a single bit of your wallet without getting both files.
Further reading: http://en.wikipedia.org/wiki/One-time_pad




Another method is even more flexible, but not absolutely secure. [EDIT: Turns out to be absolutely secure also.] You can choose freely a number N of parts, and choose freely a number n of how many parts shall be needed to reconstruct the secret.

http://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing
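
The two constructions described in the post above, sketched as an added example (not code from any poster in this thread, nor from any tool linked in it): the XOR split from steps 1-4, and a byte-wise Shamir split where any k of n shares rebuild the secret, run here as 2 of 6 to match the thread. The function names, the sample key, and the choice of GF(2^8) with the AES reduction polynomial are assumptions of this sketch.

```python
import secrets
from itertools import combinations


def xor_split(secret: bytes):
    """Steps 1-4: B is a uniformly random pad, C = A XOR B."""
    pad = secrets.token_bytes(len(secret))               # file B
    masked = bytes(a ^ b for a, b in zip(secret, pad))   # file C
    return pad, masked


def xor_join(pad: bytes, masked: bytes) -> bytes:
    if len(pad) != len(masked):
        raise ValueError("both files must have the same length")
    return bytes(a ^ b for a, b in zip(pad, masked))


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8+x^4+x^3+x+1 (0x11b); addition is XOR."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """a^254 is the inverse of a, because a^255 == 1 for every non-zero a."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def shamir_split(secret: bytes, k: int, n: int) -> dict:
    """Return {x: share}; each secret byte is the constant term of its own
    random polynomial of degree k-1, evaluated at x = 1..n."""
    if not 2 <= k <= n <= 255:
        raise ValueError("need 2 <= k <= n <= 255")
    shares = {x: bytearray() for x in range(1, n + 1)}
    for byte in secret:
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x, out in shares.items():
            y = 0
            for c in reversed(coeffs):        # Horner evaluation
                y = gf_mul(y, x) ^ c
            out.append(y)
    return {x: bytes(v) for x, v in shares.items()}


def shamir_combine(shares: dict) -> bytes:
    """Lagrange interpolation at x = 0 over the supplied shares."""
    xs = list(shares)
    length = len(shares[xs[0]])
    if any(len(shares[x]) != length for x in xs):
        raise ValueError("shares differ in length")
    weights = []
    for xj in xs:
        num = den = 1
        for xm in xs:
            if xm != xj:
                num = gf_mul(num, xm)
                den = gf_mul(den, xm ^ xj)
        weights.append(gf_mul(num, gf_inv(den)))
    return bytes(
        _xor_sum(gf_mul(w, shares[x][i]) for w, x in zip(weights, xs))
        for i in range(length)
    )


def _xor_sum(values) -> int:
    total = 0
    for v in values:
        total ^= v
    return total


def secrets_consistent_with_one_share(x: int, y: int) -> int:
    """For k = 2: how many secret bytes s admit a line s + a1*x through (x, y)?
    256 means a single share rules out nothing."""
    return sum(
        any(s ^ gf_mul(a1, x) == y for a1 in range(256)) for s in range(256)
    )


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # constructed sample secret
    assert xor_join(*xor_split(key)) == key
    shares = shamir_split(key, k=2, n=6)
    for a, b in combinations(shares, 2):     # every pair of the six works
        assert shamir_combine({a: shares[a], b: shares[b]}) == key
    print("candidates left after seeing one share:",
          secrets_consistent_with_one_share(3, shares[3][0]))
```
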


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 18, 2011, 06:11:19 PM
Did you notice, there's also 6 key files and only 5 of them are on each media.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 18, 2011, 06:16:13 PM
3. XOR files A and B (call the result file C)
4. Store files B and C at isolated locations

Can you XOR  and end up with B, C, D, E, F & G and then just need any 2 of them to restore?


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: tymothy on June 18, 2011, 06:19:42 PM
While you may be safe from remote and brute-force attacks, your strategy is no match for the rusty pipe gambit. If you had enough bitcoins for anyone to care about, they'd probably do that first.

Sorry, I don't follow, could you elaborate?

I think he is talking about theft in meat space involving forcing you to tell someone where and how to access your Bitcoins. The solution is to have a bigger rusty pipe.

Yes. XKCD illustrates a variation of the rusty pipe gambit, in the form of a wrench:

http://imgs.xkcd.com/comics/security.png


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: bcearl on June 18, 2011, 06:21:31 PM
3. XOR files A and B (call the result file C)
4. Store files B and C at isolated locations

Can you XOR  and end up with B, C, D, E, F & G and then just need any 2 of them to restore?

That's why I mentioned Shamir's Secret Sharing. That is designed for that purpose, and well known.



You shouldn't just create your own schemes, how do you know it is secure? Use publicly known schemes that are known to researchers worldwide for decades.


EDIT: Shamir's Sharing is proven to be information-theoretically secure. If you have one part less than required, you don't get a single bit of information about the secret.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 18, 2011, 06:33:48 PM
EDIT: Shamir's Sharing is proven to be information theoretically secure. If you have one part less than required, you don't get a single bit of information about the secret.

Seems like what I have come up with is similar to Shamir's Secret Sharing scheme with K=2 and N=6.  Thanks for that link.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: bcearl on June 18, 2011, 06:36:00 PM
EDIT: Shamir's Sharing is proven to be information theoretically secure. If you have one part less than required, you don't get a single bit of information about the secret.

Seems like what I have come up with is similar to Shamir's Secret Sharing scheme with K=2 and N=6.  Thanks for that link.


It has similar properties, but you don't have a proof that yours is secure.

Shamir's is secure because it is based on polynomial functions. If you have a polynomial function of degree N, you need at least N+1 points on the curve to reconstruct it. If you have one point less, the secret could be everything.



EDIT: Btw, Shamir is the guy, who the S of RSA stands for. Not an unknown person in the world of cryptography.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 18, 2011, 06:49:28 PM
Seems like what I have come up with is similar to Shamir's Secret Sharing scheme with K=2 and N=6.  Thanks for that link.

It has similar properties, but you don't have a proof that yours is secure.

Shamir's is secure because it is based on polynomial functions. If you have a polynomial function of degree N, you need at least N+1 points on the curve to reconstruct it. If you have one point less, the secret could be everything.

Ok so any suggestions for how I go about implementing Shamir's scheme into my concept?  It would seem that there are no implementations that allow you to turn a file (a TrueCrypt volume in this case) into a bunch of shares, just a password/string.  Granted, I could use this instead of my six separate key files but still a goal is that the TrueCrypt volume also get split up and spread across the 6 storage locations such that no one location contains the entire volume file.

EDIT:  I am just trying to understand why simply splitting the file is "stupid".


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: bcearl on June 18, 2011, 06:57:04 PM
EDIT:  I am just trying to understand why simply splitting the file is "stupid".

It is not stupid. But you should not trust it until you have a reason to assert that it is secure. If you don't know whether it is secure, assert that it isn't. That's the only proper way to do security.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 18, 2011, 07:20:39 PM
EDIT:  I am just trying to understand why simply splitting the file is "stupid".

It is not stupid. But you should not trust it until you have a reason to assert that it is secure. If you don't know whether it is secure, assert that it isn't. That's the only proper way to do security.

I recall a previous reply from you indicating that "splitting is stupid", guess I misunderstood that.

If something is made up of 6 parts, and you only have 5 of the parts, and each part is unique, you do not have the whole thing.  That is not something I am just hoping, that is fact, I know that if you don't have all 6 parts you don't have all 6 parts.

The core concept here is that there are 6 volume parts and 6 encryption key parts.  All are required in order to access the wallet.  Each media only has 5 of the volume parts and 5 of the key parts.  Don't you think it's safe to say that there is pretty much no way to derive the missing part of either, if you only have 5 of the 6 parts?  And to compromise the wallet, you'd have to somehow come up with BOTH of the missing parts.  BTW I have decided I like the number 6, this could be done the same as long as there's 3 or more parts.

I realize this seems overly complex but so far I do feel confident that it provides a fairly high level of both security and redundancy and in many regards, this approach is me keeping it simple. 

I very much appreciate the feedback, information, and opportunity to discuss.  And I'm happy so far anyway, nothing has come up that suggests to me that this is a bad approach.  I think we (the community) should try to put together several guides for keeping bitcoin wallets safe and each one would have a different paranoia level associated with it :)



Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: bcearl on June 18, 2011, 07:47:31 PM
If something is made up of 6 parts, and you only have 5 of the parts, and each part is unique, you do not have the whole thing.  That is not something I am just hoping, that is fact, I know that if you don't have all 6 parts you don't have all 6 parts.
You can't get information about the sixth part, but you still may get information about the secret without it.

The core concept here is that there are 6 volume parts and 6 encryption key parts.  All are required in order to access the wallet.  Each media only has 5 of the volume parts and 5 of the key parts.  Don't you think it's safe to say that there is pretty much no way to derive the missing part of either, if you only have 5 of the 6 parts?  And to compromise the wallet, you'd have to somehow come up with BOTH of the missing parts.  BTW I have decided I like the number 6, this could be done the same as long as there's 3 or more parts.

I realize this seems overly complex but so far I do feel confident that it provides a fairly high level of both security and redundancy and in many regards, this approach is me keeping it simple.  

I very much appreciate the feedback, information, and opportunity to discuss.  And I'm happy so far anyway, nothing has come up that suggests to me that this is a bad approach.  I think we (the community) should try to put together several guides for keeping bitcoin wallets safe and each one would have a different paranoia level associated with it :)

Yes, I think your idea is worth a try. But I think it is not reviewed enough to advise people in a forum to do that, or only for experiments.

In my opinion everybody is free to do as he likes, but when people start to spread their unproven ideas to other users (who may be noobs who just follow the advice without having the capabilities to review it themselves) I get a little upset.

Your thread is very valuable for a discussion here, I just wanted to say that inexperienced users should prefer the better tested ideas.

I also appreciate the very fact that you share your ideas with us in the first place! I also appreciate that you take criticism seriously and review your work.


That's how we get closer to the solutions for our problems. :)


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: ben-abuya on June 18, 2011, 10:54:37 PM
Ok so any suggestions for how I go about implementing Shamir's scheme into my concept?  It would seem that there are no implementations that allow you to turn a file (a TrueCrypt volume in this case) into a bunch of shares, just a password/string.

http://point-at-infinity.org/ssss/

I'm not sure I'd go with the truecrypt for this. You can generate a random passphrase with enough bits to be more secure than the original private key. Then encrypt your wallet with that using gpg, then run ssss on the secret key. I'd do this all in memory and only write out the individual ssss parts to the usb keys, never write out more than one key to any media.

This distro looks like a good choice: https://www.privacy-cd.org/

It disables all network and hard drives so you don't have to worry about accidentally writing stuff to something persistent.

and with the one in my safe deposit box I will include a note with my password.

There are important tradeoffs here. You're putting almost all your trust into the safe deposit box. That might make sense, but if that's the case why not just put the full key in there without a passphrase? The passphrase is sitting right next to it so it doesn't really serve a purpose in this scenario. Each extra piece is also a risk because you could lock yourself out even without a thief. You could forget the passphrase, forget where you put the drives, something could happen to them. In my case, I've decided that I need either a pass phrase or 2 out of 2 usb drives to get in, but I'll never write the pass phrase down anywhere, and the usb drives don't require any pass phrases in case I forget it.

The important thing is you're putting a lot of thought into this, and posting your ideas and getting feedback is the best way to do security.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: bcearl on June 18, 2011, 11:03:37 PM
Thank you for that link, I couldn't find any implementations either! I didn't know whether it was practical with long strings at look. Seems to work!


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Vladimir on June 19, 2011, 12:02:57 PM
A miniature carrot shaped laser which projects your bitcoin keys as QR code on a wall. This laser is surgically implanted in your hip. This in combination with a few decades of intense hapkimudo (http://www.youtube.com/watch?v=GOCgfuajpJs http://www.youtube.com/watch?v=M64skAfLIZc http://www.youtube.com/watch?v=NrWCYk6_4cg ohh and of course this one too http://www.youtube.com/watch?v=1PMhkUH8ARU  ;D ) training should make it fairly secure.

Then if someone tries to take your bitcoin QR laser you do this http://www.youtube.com/watch?v=kg8lDZXyvMQ


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 21, 2011, 08:26:28 PM
http://point-at-infinity.org/ssss/

Thanks for the link!  It is for Linux only apparently but there are other implementations at the bottom of the wiki page previously referenced by bcearl:  http://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing

... You're putting almost all your trust into the safe deposit box.... The passphrase is sitting right next to it so it doesn't really serve a purpose in this scenario...

Actually no, because there is only 1 USB in that safe deposit box and it does not include all required pieces, I will need 2 of the 6 to have everything needed to access the wallet.

Each extra piece is also a risk because you could lock yourself out even without a thief...

In order to lose a wallet or lock myself out, I would need to lose 5 of the USBs or 5 would have to go bad or be otherwise unusable, or I would have to lose the passphrase, but that will be stored in a few different locations (separate from the USBs with the exception of the one in the safe box).  Or as you suggested, I could just not use a passphrase at all.

Thanks for the response and feedback!


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 21, 2011, 09:00:15 PM
In my opinion everybody is free to do as he likes, but when people start to spread their unproven ideas to other users (who may be noobs who just follow the advice without having the capabilities to review it themselves) I get a little upset.

Hence why the word "Hopefully" is included in the thread title, and why I worded the OP as I did.  I am sorry that my thread has "upset" you.  But regardless of who I might upset, I don't have any qualms about throwing out an idea that I have personally tested, that I personally have faith in, and I believe provides more security and redundancy than many of the other concepts that others have presented.  Is this forum not the ideal place to present such ideas to the community for feedback?

And, unless I am missing something, we have yet to come up with a reason why this concept should specifically NOT be used.  I for one would never suggest that ANY of the concepts presented to date are perfect and are ideal for anyone and everyone to use.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 21, 2011, 09:05:43 PM
Then if someone tries to take your bitcoin QR laser you do this http://www.youtube.com/watch?v=kg8lDZXyvMQ

Other than the few decades of training, I like this idea - maybe I can hire a hapkimudo bodyguard!  Know any that will work for BTC?


Hey bcearl, will this pass as a "proven" approach?


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Sottilde on June 21, 2011, 09:08:34 PM
Why not just create a split WinRAR archive with a strong password and do the same with the USB keys?  Seems an awful lot easier to me than messing with TrueCrypt.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 21, 2011, 09:22:29 PM
Why not just create a split WinRAR archive with a strong password and do the same with the USB keys?  Seems an awful lot easier to me than messing with TrueCrypt.

That would work just fine also - how the wallet is encrypted and split is a matter of personal preference.  However, the hidden volume option with TrueCrypt is interesting - allows you to essentially have 2 different passwords, one would only allow access to a decoy wallet, with a tiny amount of BTC and no way to prove the hidden volume (with the real savings wallet) even exists.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: EricJ2190 on June 21, 2011, 11:04:25 PM
As mentioned by others, simply splitting the wallet, or even an encrypted volume or archive containing the wallet, is not secure. An attacker does not need a whole wallet file to steal from you. All they need is a whole private key to an individual address (or enough of it that they can brute force the missing piece) to steal any coins received by that address. With the OP's method, chances are an attacker could steal most if not all of your coins with only one flash drive and your password.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: bcearl on June 22, 2011, 09:12:25 PM
Why not just create a split WinRAR archive with a strong password and do the same with the USB keys?  Seems an awful lot easier to me than messing with TrueCrypt.

That would work just fine also - how the wallet is encrypted and split is a matter of personal preference.  However, the hidden volume option with TrueCrypt is interesting - allows you to essentially have 2 different passwords, one would only allow access to a decoy wallet, with a tiny amount of BTC and no way to prove the hidden volume (with the real savings wallet) even exists.

Except that the hidden volume isn't actually hidden.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 22, 2011, 09:51:21 PM
Except that the hidden volume isn't actually hidden.

Based on my understanding it is hidden, hence its name, hidden volume.  Do you have some information that suggests otherwise?


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 22, 2011, 09:53:45 PM
As mentioned by others, simply splitting the wallet, or even an encrypted volume or archive containing the wallet, is not secure. An attacker does not need a whole wallet file to steal from you. All they need is a whole private key to an individual address (or enough of it that they can brute force the missing piece) to steal any coins received by that address. With the OP's method, chances are an attacker could steal most if not all of your coins with only one flash drive and your password.

If you don't have the entire encrypted volume file, and you don't have all of the encryption key files that the volume was encrypted with, how exactly do you go about unencrypting the volume and accessing what data is there?


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: bcearl on June 23, 2011, 06:44:37 AM
Except that the hidden volume isn't actually hidden.

Based on my understanding it is hidden, hence its name, hidden volume.  Do you have some information that suggests otherwise?

It is an unsupported claim of TrueCrypt, you should not trust it.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Dirt Rider on June 23, 2011, 02:44:13 PM
It is an unsupported claim of TrueCrypt, you should not trust it.

Their website and all of their documentation would lead one to believe otherwise.  I have experimented with the feature personally and have yet to see anything (other than your suggestion) that suggests that it shouldn't be used.  I don't suppose you have any supporting information you'd like to share?


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: bcearl on June 26, 2011, 06:24:37 PM
It is an unsupported claim of TrueCrypt, you should not trust it.

Their website and all of their documentation would lead one to believe otherwise.  I have experimented with the feature personally and have yet to see anything (other than your suggestion) that suggests that it shouldn't be used.  I don't suppose you have any supporting information you'd like to share?

That's not the point. They have to prove that their claim is true. Until they have done that, you should not trust it. That's the only way to do security.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: Rogue Star on June 26, 2011, 06:34:53 PM
I would agree with not trusting a hidden volume, but could we agree that it would be safer than a non-hidden volume, except perhaps barring damning evidence supporting otherwise?


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: bcearl on June 27, 2011, 06:31:05 AM
I would agree with not trusting a hidden volume, but could we agree that it would be safer than a non-hidden volume, except perhaps barring damning evidence supporting otherwise?

But what's the advantage compared with an AES-encrypted file that you delete? It is still on disk, but looks like random data. And it has a major advantage: It is way smaller and looks way less suspicious than a 5 gigabyte blob (perhaps with macroscopic patterns of a TrueCrypt hidden volume).


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: johanatan on June 27, 2011, 07:01:54 AM
Quote
If something is made up of 6 parts, and you only have 5 of the parts, and each part is unique, you do not have the whole thing.  That is not something I am just hoping, that is fact, I know that if you don't have all 6 parts you don't have all 6 parts.

I haven't read the rest of the thread from here but something you guys seem to be missing (and which is mere speculation on my part as I haven't read the bitcoin client code yet) is that:

-. the wallet.dat file may be entirely useful even in part.  For example, consider that the private keys are stored in sequential order with no striping (distribution).  Having just one or a few parts of a wallet.dat would then allow you to recover some of the funds (via the private keys the part contains).

EDIT:  Just saw Eric's post.  I concur.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: bcearl on June 27, 2011, 07:04:37 AM
Quote
If something is made up of 6 parts, and you only have 5 of the parts, and each part is unique, you do not have the whole thing.  That is not something I am just hoping, that is fact, I know that if you don't have all 6 parts you don't have all 6 parts.

I haven't read the rest of the thread from here but something you guys seem to be missing (and which is mere speculation on my part as I haven't read the bitcoin client code yet) is that:

-. the wallet.dat file may be entirely useful even in part.  For example, consider that the private keys are stored in sequential order with no striping (distribution).  Having just one or a few parts of a wallet.dat would then allow you to recover some of the funds (via the private keys it contains).

I think the OP wanted to split the encrypted file. But that's no proof of security either. Without a good argument supporting it, you shouldn't trust it. I agree with you.


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: johanatan on June 27, 2011, 07:08:27 AM
Quote
If something is made up of 6 parts, and you only have 5 of the parts, and each part is unique, you do not have the whole thing.  That is not something I am just hoping, that is fact, I know that if you don't have all 6 parts you don't have all 6 parts.

I haven't read the rest of the thread from here but something you guys seem to be missing (and which is mere speculation on my part as I haven't read the bitcoin client code yet) is that:

-. the wallet.dat file may be entirely useful even in part.  For example, consider that the private keys are stored in sequential order with no striping (distribution).  Having just one or a few parts of a wallet.dat would then allow you to recover some of the funds (via the private keys it contains).

I think the OP wanted to split the encrypted file. But that's no proof of security either. Without a good argument supporting it, you shouldn't trust it. I agree with you.

Yea, he only mentioned one password and 6 key files.  Presumably if you have one of the parts and the password (and one of the key files), then you can get part of the wallet.dat (and thus part of the coins).


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: EricJ2190 on June 27, 2011, 07:11:19 AM
Actually, I noticed that he is also using multiple key files, so you actually would need two of the drives to get the full key to decrypt any of the archive. However, the part about splitting the TrueCrypt volume itself is pointless and unnecessary, as far as I can tell.
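
The two points raised just above (a partial file can still expose whole keys, and a single drive lacks one key file) modelled as an added example; this is not code from the thread or from any of the tools it mentions. It assumes a constructed file of 100 back-to-back 32-byte records, which is the hypothetical sequential layout from the post and not the real wallet.dat format, and the function names are made up for this illustration.

```python
from itertools import combinations

N = 6          # drives, key files and volume parts, as in the original post
RECORD = 32    # constructed: fixed-size secret records stored back to back

def drive_holds(drive, n=N):
    """Drive i carries every numbered item (key file or part) except number i."""
    return set(range(1, n + 1)) - {drive}

def missing_items(drives, n=N):
    """Item numbers that a set of captured drives does not hold between them."""
    held = set().union(*(drive_holds(d, n) for d in drives))
    return set(range(1, n + 1)) - held

def part_ranges(total_len, n=N):
    """Byte ranges produced by a plain sequential split of a file into n parts."""
    size = -(-total_len // n)  # ceiling division
    return {i + 1: (i * size, min((i + 1) * size, total_len)) for i in range(n)}

def recoverable_records(total_len, parts_held, n=N, record=RECORD):
    """Count records whose every byte lies inside the parts that are held."""
    mask = bytearray(total_len)
    for part, (start, end) in part_ranges(total_len, n).items():
        if part in parts_held:
            mask[start:end] = b"\x01" * (end - start)
    return sum(all(mask[o:o + record]) for o in range(0, total_len, record))

def report(records=100):
    """Print what one drive yields, then list drive pairs that still lack an item."""
    total = records * RECORD
    for d in range(1, N + 1):
        readable = recoverable_records(total, drive_holds(d))
        print(f"drive {d}: lacks item {missing_items([d])}; {readable}/{records} "
              "records intact if the split file were not encrypted")
    pairs = [p for p in combinations(range(1, N + 1), 2) if missing_items(p)]
    print("drive pairs still missing an item:", pairs)

if __name__ == "__main__":
    report()
```

Under these assumptions the redundancy threshold is two drives, so the protection against a single lost drive comes from the missing key file plus the password, not from the missing sixth of the file.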


Title: Re: A Secure and Redundant Savings Wallet Concept, Hopefully
Post by: ThiagoCMC on June 27, 2011, 09:19:42 AM
As mentioned by others, simply splitting the wallet, or even an encrypted volume or archive containing the wallet, is not secure. An attacker does not need a whole wallet file to steal from you. All they need is a whole private key to an individual address (or enough of it that they can brute force the missing piece) to steal any coins received by that address. With the OP's method, chances are an attacker could steal most if not all of your coins with only one flash drive and your password.

Well, I solved this.

 I made a SIMPLE solution, which hosts the entire Bitcoin data (~/.bitcoin) directory, within the "Ubuntu One" free cloud service... Ahh! 100% encrypted by the way...

 With no third party software.

 Take a look at this:

 Wallet in the Cloud - Keeping your Bitcoins encrypted and saved into the Cloud!
 http://forum.bitcoin.org/index.php?topic=22386.0

 What do you guys think about my solution?!

 It is really easy to do by everybody... No complications.

 And it can be easily changed, or used with a USB pendrive instead of a Cloud environment... But always use a Live CD, even to mount your encrypted USB Pendrive.

Cheers!
Thiago