Bitcoin Forum

Hi

Is it safe to transfer private keys between to USBs, that are connected to the computer, at the same time? (two USBs inserted into the computer in other words)

I mean to hold the "alt"-button and drag/copy one key to the other USB. Is this safe to do from a security-perspective?

Or will the computer have some kind of memory of the file going between the two USBs so that a hacker can go into my computer and find the key/file?

As soon as you connect your USB disk to your computer, the Operating System and any program that is running on it can have access to your USB disk data (unless it is blocked by Anti virus or something). And it is not hard for a malware to copy itself on your USB disk (infect it so to speak) or read and copy its data.

For example if it is a bitcoin specific malware it can read your USB, analyze the files to see if it can find a wallet file, a list of private keys, ... and using those private keys it can broadcast it to the attacker or sweep them!

If you want to transfer sensitive information like your private keys, then do it on a clean and "air tight gapped ^{sorry, my English sucks sometimes!}" computer. You can use a live linux without persistence which is disconnected from the internet.

Ok what is a live Linux and an airtight computer? :)

You can pick any live distro... But Tails is known to be one of the most secure ones out there.
The "air tight" part, i presume, means that it's not connected to the internet... Basically: unplug any utp cable, and make sure wlan is disabled.

I think its even you are using other OS its still not safe anytime soon if you are not using your usb for a long time or just few months usb can be damage i have lots of transcends usb disk i am using them for making bootable usb but i stop using it for few months but they are damage and never detect in computer or laptop.
So if you really want to be safe the only thing that i know your bitcoin are safe is to buy trezor wallet you can use it offline and save your bitcoin for a long time. its immune to viruses and keyloggers..

He means "air gapped"... basically, it is as described above... a computer disconnected from all networks (and other devices). The idea being that it helps to prevent any hacking or malware etc unless the person has physical access to the machine.

The "Live" distro is a self contained Operating System that will boot from a dvd/cdrom or usb drive and does not require any permanent storage. It will load itself completely into RAM without needing any harddrive etc.

"Tails" is one of the more widely known "live" distro for the crypto world: https://tails.boum.org/

Live linux is a linux distribution that runs from a DVD, USB or other removable drive and which does not change things on your hard drive. It is like a virgin system that makes no permanent changes to your computer.

An air gapped (not airtight) computer is one that is never connected to any computer network. The term dates back to when we connected to computer networks using physical wires i.e. ethernet cables. To be air gapped means that their is gap between the cable and the port on the back of your PC i.e. the cable is not plugged in so there is no connection to the network.

In this day and age an air gapped computer would not be capable of network access via both wired and wireless means. So it would not have a WIFI card or a mobile network access. The hardware for such wireless access has to be removed from the computer for it to be a true air gapped PC (because otherwise deeply embedded malware could be making such connections without your knowledge).

The idea behind an air gapped computer is that any malware that might infect the computer can't communicate with the outside world so it can't steal your secrets i.e. your private keys.

http://trilema.com/2013/how-to-airgap-a-practical-guide/

Well what happens when you transfer data from a us to your hard drive ? It's the same thing. What you asking doesn't really make any sense. Nothing wrong with copying data from one drive to another. I see people talking about programs that steal your info off your usb. Please don't listen to these people they have no clue what they saying. Things don't run on your own without you rinning or installing them yourself end of.

Also to people who are paranoid. Please don't use computers. If you that paranoid computers aren't for you.

Clearly you live under a rock, are illiterate, or didn't think before posting. I spot 304 hits for published CVEs mentioning remote code execution in Microsoft's products alone. Just search nvd.nist.gov (https://nvd.nist.gov/vuln/search/results?adv_search=true&form_type=advanced&results_type=overview&query=Remote+code+execution&cpe_vendor=cpe%3a%2f%3amicrosoft) for "remote code execution" and you'll see.

There's being paranoid, and then there's taking appropriate precautions. Spyware that transmits sensitive data such as cryptographic keys from disks and USB devices is not unheard of.

It can be very unsafe in Windows. If you are very concerned about security - use Linux, no network connected, same size USB drive and do low level disk copy such as:

dd if=/dev/sdX of=/dev/sdY bs=2M

where sdX source, sdY target. Be careful, that will destroy everything on sdY

What if /dev/sdX is a bigger drive than /dev/sdY and the key file happens to have been fragmented/moved to the end of /dev/sdX? And why not make bs equal to the underlying physical sector size? If running on a secure offline system you should just be able to use cp and skip the raw disk copy nonsense.

Your best bet is actually creating a paper wallet.

Go to https://bitaddress.org to get started. Here you will get your public and private keys whereby you can send Bitcoins to them and print your keys onto physical paper that no one else will ever know except you. This is the absolute safest way to store Bitcoins. It is basically like fiat cash money, except Bitcoins instead.

Reply:





I dont understand few things in this post. How can a malware read the file is related to wallet or not? It should be present there to do that and guess transferring from one USB to directly another won't give the file path to malware? Moreover, is it possible to send file via sandbox of antivirus where no malware can even touch the stuff.

The same way a worm copies itself on your USB disk when you connect it to an infected computer. And checking contents of a file is not a hard thing when it is not encrypted!
;D

Remote activation can only happen when when there is something on the victims pc to to allow it to run. You can't magically run things remotely on someone's oc without tricking them into installing something first or it finds an exploit into something they already have installed. Dude go put on your little tin foil hat. Paranoid.

So that whole "wannacry" thing was just a made up story by people being paranoid and nothing to do with exploits in Windows Operating System services (https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/) then? ::)

Given that there have been so many "0 day exploit" attacks in the past... and no doubt will be more in the future... being a little bit "paranoid" when it comes to valuable (and easily "stolen") digital assets is not necessarily a bad thing.

So it's good idea to rename documents or folders which contain your private keys. Viruses can parse file and folder names but they can't open random files.

1. Make sure your computer clean from virus/rat. scan it first by antivirus, antikeylogger, etc
2. Turn off internet connection.
3. Make folder with different name on your other USB disk.
4. You can copy it safe now.

No, that's complete BS. A virus can make a system call to obtain a file handle for reading just like any other user-mode program can. If Notepad (or your favorite choice of benign program) can open files on the computer, what keeps a virus from doing so?

Why do people keep trying to reinvent the wheel? Most of us quit using air gapped computers for storage of bitcoin private keys when Trezor came on the market back in 2014.

Good info in this post. Will work to create my air gapped machine

These things i would definitely do specially if those keys contained lots of bitcoins you will surely think up on secure transfer or copy of the key which n one could able to see non whats your doing. First of all having a clean computer free from virus would be really advisable and at the same time turn off  internet since most remote viruses do really move on this way which do rely on internet connection to send out informations to its hacker.

If you are going to transfer keys there would be a possibility that it may copy or it can be used by somebody. And we all know that USB is just a universal port of sharing and receiving information such as photo and video. But most of it do not support further security and do not provide safety for you account. So if you want security at its finest you must need to find a more reliable tangible wallet. Such like Trevor that is offline wallet that promises security and anti virus for you safe keys.

It's a hell of a lot cheaper to use a $5 USB than a $100 trezor when they can accomplish the same thing, being no private keys while connected to the internet.

It depends o how you are going to transfer but with that, you should be careful and raise your guard up like transfer the whole file without leaving any trace.

it depends - what else  :)
on the value you want to transfer. This has been discussed many many times, here in the forum and reddit, and Trace Mayer in his bitcoin podcasts repeats it every time - search for it   ;)

Generally:
for a couple of Euros/Pounds/Dollars (up to 100 maybe), it is ok to use a normal machine and wallet (or iPhone and Android). Similiar to your normal wallet for FIAT money. To then copy via USB, use a machine, that has been verified for malware.
When you have values in the 1000 Euros/Pounds/Dollars range, you pay more attention, and copy this stuff from a secure, unixoide (xBSD or Linux LIVE CD) air gapped machine.
At this point in time a cold storage wallet like Trezor or similiar has it's value.
When you have more than 10.000, then you need to spend some time into re-thinking your store of value. Trezor is not secure enough, cause we cannot see, what is "below" the device. Here you would need to have your cold storage setup along with multisig. Do it yourself, make it trusted, and reliably tested. There is no final solution.
Summary:
low value, little effort in securing your keys, high values, much effort securing your keys.
spend two dollars in security efforts for low bitcoin values, spend 1000 dollars for security when bitcoin values are above 10.000 Dollars, and yes, spend much more, when it's a million value. You are your own bank!