Bitcoin Forum

So, recently my personal laptop's hard drive got corrupted and all my data was lost, including private keys for my wallet.
...thankfully I already had a secure backup of them and no coins were lost.

Here I am sharing my technique to beginners so they can back up their private keys the same way I did.

Many of the users might be storing the keys/seed in some written form but physical damage to paper might lead to loss of your funds.

Here's how I do it:

1. Edit an image using notepad, paste the seed in between.
2. Add it to a .zip file and encrypt it by setting a password.
3. Create a new Gmail account and set up 2-factor authentication. Upload .zip file to Google Drive.
4. Remember this account's password, and Never use it. NEVER. Don't save to any password manager, just remember.
5. That's it, you got yourself a secure online backup for your keys.

Don't repeat the password in any step, or else this method might become useless.

I don't know if this is optimal or not, but comments are appreciated.

You're replacing one potential problem (physical damage to a piece of paper) with multiple passwords, a cloud service, etc. Too complicated and too many points of failure.

A laminated piece of paper in a waterproof/fireproof safe works well, maybe a second copy offsite if you're really paranoid. Or a hardware wallet.

You'd have to be very confident in your ability to create a strong enough password and being able to remember it is probably more important.

Anyone thinking of doing so would do well to spend a while researching the best way of creating strong and memorable ones. I have plenty of encrypted folders with variations on long term passwords that I can't remember. There's nothing of importance in them so it doesn't really matter. It obviously would in this case.

I remember what Bob123 say to me:



From his post, I learn to more careful to save our PK on cloud storages. And, remember, Google not really save too, because they tracking everything that connect with our account. Maybe you can read "Let's talk about Privacy (https://bitcointalk.org/index.php?topic=3210982.0)" by Bitmover. There are many Google alternatives you can use.

DWYOR/DYOR

I never knew that you can open an image file with notepad, I just don't like the idea to upload it on Gmail. I have an experience where I can't open my email account anymore due to long inactivity. although it's not Gmail, there is a tendency that it would be the same. I'm talking about my yahoo mail, I know the password but I cannot open it anymore it asks me some verification to another email which I don't know the password. FYI that Email I'm trying to open is my first email in 2008, older than Bitcoin. something like this could happen, you need to aware of it guys.

https://i.ibb.co/WnRWzbp/Screenshot-2.jpg

Not sure if it's the case any more, but at one point Yahoo would make your address available again if you hadn't logged in for six or more months.

I've had the same thing with dead or forgotten recovery systems. I find it really annoying when gmail won't let you in. There should be a 'you're on your own' option that doesn't make these demands as sometimes you can't meet them.

How about XORing the value that your seed represents with the hash of a (weaker and shorter) password and creating again an BIP39 seed from the output ?

The output looks like a valid seed but most probably isn't usable to use as seed (and certainly doesn't allow spending your funds). You get your original seed back by simply XORing again against the hash of your password.

Still easy to break with a classic $5 wrench attack though...

I am not really sure, edit image with notepad.
Also that is complicated. We don't know :
zip also can get virus
Google maybe will block your account without notice
also to open it we must use laptop, pc, phone.
That is too long process...
I am still choose to write it manually in paper then laminated it. Save in the deposit box, if you want really secure.  ;D

Yeah you are right, but I wanted a way to access my wallet as I usually live remote, away from where I would have kept my keys in physical & permanent location. Can't risk it to carry them along with me wherever I go.

I am pretty confident that I would remember all the passwords involved. I also use a sort of algorithm (mentally) that enables me to modify my password, making it unique for each site, so it's not much of an issue.
I cannot emphasize much on the importance of having different passwords for different websites.

In order to maintain my privacy with the google cloud, I upload only the encrypted file to their server.
Thanks for linking this thread, wasn't aware of other open-source alternatives like these, the only problem they have is one has to setup his/her own dedicated server.

Woah, you definitely got a valid point here. This thought never crossed my mind. I wasn't aware that such things might happen for inactivity. As in this case, I would be using the cloud for backup purposes only, so logging into this email is rare.
Btw, one can setup "Inactive Account Manager" (link: https://support.google.com/accounts/answer/3036546?hl=en (https://support.google.com/accounts/answer/3036546?hl=en)) to forward any data before account deletion by google.

Here's a quote:

Haha true !

I don't think the zip would get virus if it is safely stored in the cloud.
I fully accept that Google, being in control of this could cause a problem. Might need to consider better alternatives. As in cryptocurrencies, it all comes down to Being Your Own Bank (BYOB) !

That's could being your mistake not services by mails, lets we learn from it, to always set up email or phone active so we can easily revocery a case on one day. Images could be coverted by words then saved on notepad, it's called as encrypt & decrypt methode.

that's what I have been doing all this time to secure my private key, which is to write it on a piece of paper and put it in the ground, like planting a time capsule. I have a box made of stainless steel, strong for the long term. when planting private keys, I make sure no one knows. if saving on an online backup, it is very risky to forget the account in the long run and have to remember it all the time.

Agree, this is very failure possible method. Not secure to store any serious BTC.
Less failure method would be even storing piece of paper with your seed in front of your PC screen. Stupid? Yes, but you not relaying on 3rd party service like google servers, you don't have chance to forgot multiple passwords etc.
Think again about it, im glad it worked this time, but for future you can improve your method so much.

Yeah, this is horrible advice.

Storing a key in an image file would only hide it from the most cursory of searches. Anyone who is seriously trying to steal private keys won't be fooled by this.
Applying a password to a ZIP or other archive file doesn't necessarily encrypt it, and if it does, doesn't necessarily use strong encryption. All depends on the software you use.
You shouldn't be storing private keys in the cloud, and certainly not on some random insecure email server.

Why are trying to reinvent the wheel? There is an accepted standard for backing up wallets - write down your 12 or 24 words on paper, and store them somewhere safe and secure. There is a reason that all major wallets suggest this method.

Invest in a hardware wallet.

To paraphrase Dan Geer: cost, security, convenience - you can only pick two. If you're trying to make it cheap AND convenient you will sacrifice security and that's not a good thing when you're dealing with money.

If someone is already on your PC, you have been compromised. You never COPY/PASTE your seed. There are much better alternatives to make backup copies of your seed which have been discussed here before.

Anyway, If I were to create a secure seed, I would download an official copy of windows from Microsoft and verify it first. Most people don't run official windows and if you ask me that's a major threat that most people ignore/are unaware of. After Installing the windows on a spare drive, I would Create a seed, backup the seed on 2 Encrypted flash drives and probably place them under a plant in my home :P Even if one of them fails I will have the 2nd one. The more flash drives you have, the better :P

'
I have 3 encrypted flashdrives which been kept in different locations in my house and i didnt even intend to store up any keys in cloud yet
im just too paranoid when it comes to online exploits and hackings so its better to store these sensitive informations offline or physically.
I do able to sleep well without worries because even one of your flashdrives is gone or got destoryed you do still have back-ups of back-ups.

[I'm going to ignore the recommendation to use home-phoning malware known as Windows]

Do you even need to hide the flash drive? If anything, a hidden drive (if someone knocks your plant off accidentally and finds it) will look like it has something valuable in it. But you just throw it into a drawer with some random junk it will look like any other flash drive. And better store the other drive offsite (work, car, etc) in case your house burns down.

That's assuming encryption is reliable. Some "hardware encrypted" flash drives are not. I'd rather use known good encryption software at the file level, which allows you to do some other stuff, like make the files seem innocuous if someone looks inside. Although that also has pitfalls (speaking as a former TrueCrypt user here).

Or just skip the hassle and use paper. Proven technology, thousands of years old, with plenty of options to obscure and to secure.

Fine, let's agree to disagree :P

---

Hey, don't take my suggestion literally. That's exactly what I meant by having them "Under a plant" :P


Indeed. Mine are "Software" Encrypted as well :P


I have a dictionary and i have highlighted one of my seeds, it's a dumb idea but that's just me man. :)

I think it's a little bit too complicated for most of users. Moreover Gmail can be hacked and you have to remember 2 different passwords.

The easiest way IMO is to use BIP38 keys with a password or a bip39 seed with a passphrase.
If your wallet doesn't support seeds with passphrase, you can generate a bip39 seed with a passphrase off line on the iancoleman page https://iancoleman.io/bip39/ and then import the private key (xprv) in your wallet.
Then you can backup your seed online, you just need to remember your passphrase or to store it in another place.

You can also back up online a normal seed (without passphrase) by replacing few words, and remembering  these words, or storing them in another place.

LOL ok  :)


Just make sure to replace them with BIP39 words otherwise it might be easy enough to identify and bruteforce the missing words. Sorry if you meant this, it wasn't clear.

This is a good idea not many people knows this

Only do this when you have a lot of coins in your wallet

highly recommend no one should use gmail without a 2-factor authentication

password manager is ok as long as you choose the best password manager


I think there are a lot of other want but your is a good one too.

I have done that. It's safe as long as you know the passcodes. Op experience happens to me one time. My phone is not functioning well and have to perform a full recovery by wiping all of the data. My data all wiped out including my keystone wallet. So have to do something to prevent this to happen again. I did what op did. So far no problem. But I know it's not the safest way to protect your cryptocurrency. Hackers can break in to your Google drive and just brute force the file which you zipped and take all the funds. The most safe I think is furnish private key print out and keep it in your vault.

Another horrible advice here. Replacing words doesn't give you any meaningful protection, in most cases its trivial to get the original seed with bruteforce. A few months there was a thread about a user who lost his coins in exactly this way - he saved his seed in his email and just swapped a few words, thinking that it would be enough.

Newbies in this thread, please stop giving people advises about cryptography if you are not an expert cryptographer yourself, you are only making things worse.

If I remember I still don't have a phone at that time, I only used that email for gaming purposes, old school gaming you know. The password is quite easy that's why I can still remember it until now. but the problem is after I sign in with the Username and Password, it brings me to another tab that I need to confirm another verification. I wish I could get it back, I have some important files out there.

I would recommend against using OP’s advice on a net connected computer.  More simple, write it down with pen and paper and jam it into a fireproof safe. 

It is commendable that you use backups. Two troubles can happen with important information - leak and loss. Your backup method does not protect well enough from both of them and is too complicated for a beginner to implement. This is better than not making backups at all, but you should not cultivate a false sense of security in yourself while you are using your method.

you are doing two horrible things:
1. re-inventing encryption by doing weird things such as inserting the seed (un-encrypted) in another file type.
2. uploading it to a server!!!

just STOP.
backup of something this important that could also be valuable (depending on how much you store) needs to be proper. this means COLD STORAGE not storing it online! and STRONG ENCRYPTION.
just stick to what the experts have created for you instead of trying to come up with new ways. BIP38 is what you should use. it uses a strong AES encryption and with a decent password you can protect your private key very well. it also encodes it with base58 making it easier to backup and restore.
you could use AES to encrypt your mnemonic (seed phrase) too. which is what you should do instead of using a zip file!

That's your ways of doing it but I do not want to get in the hassle of making another Gmail and setting up 2fa and blah blah.
Here is how I keep my private key  seed safe. I have bought an USB and put the private key in notepad and in that Usb. Also I have save my seed on a piece of paper and both of these things are saved in private cupboard under lock and key. And they are 100% in my home.

There are so many passwords to remember in this scenario.

1- you have to remember the .Zip file password.
2-you have to remember the gmail account password
3- you have to save the back 2fa code also in case your 2fa device is lost.

Remember that secure the private key doesn't mean that you save it in the box under boxes and remember each of those layers passwords. Losing anyone will make you lost.

Brute force? How could you brute force it if you don't know which words had been changed? Maybe the user you're talking about(a link would have been welcomed) was using words not included in the bip39 dictionary of his language.
I'm sorry but if you use bip39 words and compute the checksum, no one can even know the seed is fake.
Moreover how many people lost their seeds because their precious sheet of paper has disappeared? If you live alone and if you're a tidy person that's could be ok but it's not the case of most of people. People aren't robots.    

Yes, brute force, because swapping a few words result in a number of combinations that can be cracked by modern computers - depending on how many words you have changed, it will vary from a few seconds to maybe a few days. Cryptographers consider systems secure if they take billions of trillions of years to bruteforce, and even a few years of bruteforcing is considered broken, so your method is absolutely not secure.


A hacker who finds an empty seed or a seed with only small amount can suspect that it was modifier in some way, and then they will just run a program that cracks it. They can even configure a crawler or malware to do it automatically.


And how many people will lose their money by storing their seed in insufficiently protected way in the cloud? And why do they have do these naive tricks if they can use strong encryption like AES instead?

As I said above, the attackers won't have any clue of the replaced words if you use bip39 words of your language.
You can find the dictionaries here https://github.com/bitcoin/bips/blob/master/bip-0039/bip-0039-wordlists.md

LOL I think you're trolling me...  ::) What do you want to crack?  ??? LOL You want him to check all the seeds possible?  ::) In this case he will find yours too LOL   ;D

It's ok to encrypt but you have to remember your passphrase, and to trust the software used to encrypt. In several years, will the available version be able to still decrypt your old files?

I'm not comfortable with storing delicate and important information such as private keys on cloud storages. Although writing it on a paper is very simple but I still consider it one of the best ways to back up our PKs.

Prone to being crumpled or ripped? write it on a cardboard or stronger paper that obviously can last for years.

seems way complicated just to substitute a simple piece of paper... if one is not enough, you can make several copies and store them in several places, making redundancy at 100%
with your system, you are introducing several points in which it could fail and that are dependant of third parties... think about it... not that your system does not work, but it can fail in multiple places.... sometimes the simple way is the best :)

I am not comfortable with that method to saving Mnemonic (words) 12-24. that's could be same with saving privatekeys to paper. Since a month ago blockchain has lock to open source for privatekeys.
I'm just considering if in a case the website down, trouble or maintenance, we can't access for a while or in urgent situation.

Yes many years ago system number for verifying not yet implemented. But following clue on you picture, you had set up email for recovery or second, but you did it for random email. Never save any important data or things on you could, or you'll lost'em on day.

the real question is "why would anybody want to do this". when you come up with a new way it has to have some advantage over other methods not disadvantage.
lets take a closer look at your setup and compare it with the alternative. you say you have two parts: 1. something stored online (in the cloud) 2. something stored on a paper.
the first one is the seed with some words changed as an encrypting technique and the second is the words that were changed as the key to decrypt it.

what is the alternative?
encrypting it with a strong password and storing the password offline on a paper (#2) and storing the encrypted seed in the cloud (#1).

so what's the difference? you are still storing two things: one encrypted data and one key to decrypt it. the difference is that in the alternative way, the encryption technique is a very strong one (AES-256 for example) and it can not be broken but in first method the encryption technique used is not even close to being as strong as the alternative.

A new way? I don't think using a passphrase of a bip39 seed, or changing words of a bip39 seed without a passphrase, is a very brand new way...
And I didn't say it's more safe than to encrypt it.
But you don't answer the issue, how do you prevent a potential incompatibility of future versions of your encryption software?

any decent software like that will always keep backward compatibility in mind. it is not something they can skip and change the software so that it becomes incompatible! besides the algorithms used by these softwares are standard and are not going to change. in most cases you don't even need to reuse the same software! for instance AES became a standard in 2001 and for the past 18 years if you encrypted something using that, you can still decrypt it with any software the supports the algorithm.
same with bitcoin BIPs, they are standards and they won't change. even if your software changed you can still find the standard and re-implement it.

I will not encourage to do that for anyone what OP has done. It's quite unsecured to me and but complicated in case your forget your password or encrypted password. Storing this kind of sensitive data on gmail isn't recommended. It would be harmful for you if in case you forgot about your email details or lost 2FA and so on.

What I did about my wallet, I have exported my all private and write the seed on same page and print it eventually. I have stored it on multiple place so there is very low chance that I may loss both documents at the same time. And I feel this is the secure way to store my private keys.

Thanks, everyone for pointing out flaws in my method. The standard procedure seems the only way to proceed with one's backing up of private keys or seeds.
Someone rightly said that why re-invent the wheel when tried-and-tested methods work fine.
Locking up this thread since its motive is completed.