Bitcoin Forum

.

Vladimir, how easily could you crack a WinRAR archive with a strong password?

This is essentially how I use my normal wallet! With that said, I wonder how many people just getting into Bitcoin would be overwhelmed just by steps 1-4.

Useful info!

But how about using something like AxCrypt? This allows you to encrypt individual files without messing around with images or mounting/dismounting. For the super paranoid I guess you can RAR or ZIP up the bitcoin dir and password protect the archive and then encrypt it with AxCrypt.

You should try Wuala.com. ( it also accept Bitcoin as payment: http://www.wuala.com/bitcoin )
It has many features like Dropbox, but it also include a local encryption before the upload ;)

Sweet..this saves me the extra step of encrypting my wallet.dat before I upload it to Dropbox..hmm..or I can copy the encrypted file to both for extra redundancy :p

7zip has some pretty good encryption and you could make the file a self extracting archive.

Wouldn't you just need to copy the wallet with your savings account once? If you send all the bitcoins you want to keep in savings to that one address, you should always be able to restore it in the future even if you only had the initial copy of the wallet. Am I wrong?

That is true. As long as you don't generate a bunch of new addresses with that wallet and/or send coins with it, you can access all the coins it received with an older backup.

Couple of questions:

1) Is TrueCrypt disk encryption superior to encrypting a single file with 7z or something and why do you prefer TrueCrypt above the alternatives?

2) How many characters would you use for the password? I hear that ideally the password should have 128 bits of entropy and that unicode characters have more entropy than ascii, is this true?

3) If you were extremely wealthy, would you prefer storing your bitcoins in a single address or spread it out evenly over 100 addresses, making it 100 times more likely for a collision to happen but only being able to lose 1% of your wealth at a time?

even if that happened you would not lose any coins, as I understand it.

One very important addition - make sure that the private key is only, ever entered on an "absolutely secure" computer.
I am "reasonable sure" that my home computer is free of keyloggers, but not absolutely sure. I plan to format a new computer, and only use it for bitcoin - this way I'm "almost absolutely sure" it has no keyloggers installed.

Three scenarios that I think of separate "almost absolutely sure" from "absolutely sure":
1. The OS image I'm using contains a hidden keylogger.
2. Bitcoin itself contains a keylogger.
3. My hardware/firmware contain a keylogger.

Out of these, I'd say #1 is the most likely, and if I choose my OS image well, I can reduce that to "not bloody likely" as well.

You absolutely could lose coins if a collision occurred. The new 'owner' of the relevant keys could spend your money.

So to John's question, it would simply be a matter of individual preference. Both setups would have the same chance of money being taken via collision, but one is 'all or nothing' while the other is more gradual.

@Vladimir, it's possible to have a savings wallet that has NEVER been online, but how do you securely SPEND from such a wallet?

it's easy to do this if you can parse wallet.dat yourself. but without doing that, there ought to be a relatively straightforward way to do what you want: 

keeping the 'large' wallet off of the public internet, connect a new, private, uncompromised node to it alone and make an ip-address (public key) payment of the smaller amount you want to spend. then disconnect the 'large' wallet's node, connect the recipient's node to the public internet, confirm the receipt, and spend the coins from there.

obviously you can't spend coins without attaching something to the network at some point, but the goal is to segregate your large holdings from the public internet.

if this method is too complicated, you could of course generate arbitrarily many private wallet.dat files and store small amounts in each of them, then move them over one by one. it wouldn't be hard to write better software tools to avoid the need for these steps, though.

Well, since it'd be a (long term) savings account, I wouldn't need to actually worry about it for a while, so hopefully when the time came to spend it (maybe 2 or 3 years), there'd be a lot more sophisticated wallet-parsing tools around. So I could split off a few BTC at a time and transfer to a net-connected PC via flash drive.

Quick question, if I create a back up, can I send Bitcoins to that address 100 times before I have to update it or is it that I can create 100 new personal addresses before it have to update it.

Thanks

SpiderOak <--

It's like dropbox except that it's encrypted locally before transmission to their servers so the company only sees ciphertext.

I'd skip all the steps about truecrypt and just use spideroak.  If you want to use the email backup method, then 1) schedule jobs to make backups, 2) use whatever encryption capable archiving tool you like, such as bzip2+openssl or in windows 7zip/WinZip etc 3) use a command line emailer mail/sendmail/sendEmail/etc in linux or something like blat in windows, to automatically mail it to your gmail account.

Had a quick question,

I did all the true crypt and set up an image.   I put all my data/bitcoin folders inside.   I made a copy and placed one on my storage drive and one on my flash drive.

I then put my flash drive away.  Afterwards I mounted my image from the C:\ drive and received some bit coins.


If my computer crashes do I lose those bit coins?  Or can I bring out my flashdrive and it will also receive those coins?


Thanks.

Awesome!

Also, which files can I save to have a "compact" version?  I copied all appdata & bit coin folder to my encrypted drive, but I would rather a smaller version I could upload online.    Not my main one, but a back up in case I end up losing everything.  I probably wouldn't ever update this one unless I needed to replace my main encrypted key that has the block files.

Thanks again.

If you're only doing it as a backup, you only need to back up one file: wallet.dat

However you should probably encrypt it with something like True Crypt first before uploading online.

Great.  I've got True Crypt up and running already.   I decided to make a larger encrypted file with the blocks that I'm using on my main PC and a flash drive backup.   I'll take the wallet.dat and encrypt it then distribute to a couple of places online.

And in order to restore using the wallet.dat file? I assume you simply replace any wallet.dat(fresh install) with my backup wallet.dat and then I can use the rescan feature to retrieve any transactions that were done previously? 

Yep, if it's a new installation you might not even need to use -rescan.

Put the encrypted pendrive inside a carrot.
Then, you can store the carrot wherever you want.  :o

the client generates 100 keypairs on setup and saves these in your wallet. whenever you get a new address, it picks a key from this key pool. this includes autogenerated 'my receiving address' AND hidden receiving addresses used to receive change.

If I send you 4btc but my only coin is worth 5btc, 1btc is sent back to me at a new 'change' address.

If it turns out that I've used all 100 of my addresses, that new 'change' address will (AFAIK) be generated on the fly. It will be saved in wallet.dat BUT at this point your original backup is out of date. So, if you actively send coins from a wallet, be aware that after some point your old backups will go out of date.

Ok so just to be sure.

In i run the bitcoin clien from inside the true crypt flashdrive.. on ANY COMPUTER it will find my... "Account" and have my coins in it?

And I can send money to that wallet at any time like on monday, plug the drive in on friday and it should pick up the coins?

Yes and yes.

Ok i just read up on the wallet.dat file So that is fairly simple.

Now obviously some server out there is making all these transactions right? So when I send money to my backup wallet some server is going to try to amke that happen for a long time. Makes me wonder how it is funded.

Okay,
I am a total noob to this. I am running a Mac and through the wiki, some guy explained that putting my wallet on an encrypted disk image would be fine. 

The other issue was that he recommended putting the whole bitcoin folder in the image.... Is that overkill?
Does that folder (which resides in the Library/Application Support) get larger over time?

Thanks for all the helpful advice!

Yeah, the folder will grow in size as you download new blocks and create new addresses. I don't really see an advantage in having the whole folder inside the encrypted volume so I just put the wallet.dat file and symlink to it. Makes for easier backup.

Btw, anyone knows by how much does wallet.dat grow with every new address past the default pool of 100?

No, this is far too complex and misses a key step to be really secure.

1. Install bitcoin on a computer.
2. Disconnect computer from the internet
3. Start bitcoin and generate a new address. This will be your savings address.
4. copy and paste the savings address to a text file
5. Dump the wallet from bitcoin, gpg encrypt or put on a truecrypt volume
6. copy the address-in-text-file and encrypted wallet to another computer, dropbox, s3, send to friends, etc.
7. shred (using a file shredder, like 'shred' in linux) the original wallet.dat file
8. Now save by sending coins always to that savings address.

Note, when you want to access your coins this will introduce some risk. To do this even better generate a set of new addresses and distribute between them. Then when retrieving coins you only risk a subset at a time.

Wow thanks, I had totally overlooked this essential step.

Actually to me the most important step is generating the addresses after the machine is disconnected from the net, but yeah if you're going to reconnect it later, shred the file.

Just to make sure.. from my knowledge.... This would work but you would have to update the client before you hit 1 hundred transactions because of your keypool right?

So assuming thats true. If I update the flashdrive every few transactions, If i leave alone the back up it would still be behind right?

If say i send 100 transactions to the backup wallet, then open my flashdrive and update. then I send another transaction to it and open the older back up stored somewhere else, id be missing the last transaction right?

Nope, all the transactions are going to the same key.


Well the backup has nothing to do with it. The flash drive is only to transfer the encrypted wallet to somewhere you can safely store backups, and to transfer the address so you can copy/paste it instead of trying to retype it and maybe sending thousands of BTC to the wrong address. :)


No.

I think you are a referring to the common reminder that a backup of wallet.dat needs to be refreshed regularly because the backup contains a limited number of "future keys" as configured by the keypool.  That is true, but the client only uses up one of those keys when you manually create a new address or when you send money to someone else.  Since in this case, you've created a special wallet.dat for the purposes of only ever having 1 address and generally only receiving money, the backup doesn't need to be refreshed often as keys will not get used up.  Now, if you start to "withdrawl" money from your "savings account", you'll start using keys from the keypool and you should start re-backing up the wallet.

Since you are willing to assume (modest) advances in software by the time you want to withdraw savings, I suggest:

1. Get a trustworthy live CD system with VAPORWARE A [1] that creates a Bitcoin key pair and displays its Bitcoin address without having to download the block chain.
1a. Alternatively, the system just needs an "openssl" program that supports "openssl ecparam -name secp256k1 -genkey" and "openssl ec -pubout", and you can do some base-58 math to get the address.
1b. Alternatively, for better security, learn to do cryptography on a pocket calculator, an abacus, by writing numbers in sand, or in your head, and dispense with computers in what follows.  ;)

2. Boot a trustworthy machine from the CD in a secure, non-networked location, and run Vaporware A to generate a key pair in PEM format (or a more compact form such as Sipa's).
2a. For added security, use a system without any writable media.

3. (Optional: requires remembering a pass phrase) encrypt the key pair with "gpg -c" or similar.

4. Copy the key pair and address from your terminal to a piece of paper.  You'd better generate and copy a checksum of the key pair to make sure you get it right later.
4a. Alternatively, if you trust your printer, attach it and print out the key pair.
4b. Alternatively, you could print it as a QR code, if your vaporware supports this.

5. Shut down the live CD machine.

6. Send your BTC to the new address.  Use some vaporware (a trusted block explorer) to make sure it arrives.

7. Go about your business until you want to spend the BTC.

8. Using Block Explorer or a similar tool, find the transaction out-point (transaction hash + output number) of each coin you want to spend.

9. Use VAPORWARE B to create a file containing the parts of the block chain needed to verify those transactions to your address.  (This could be the entire chain or just the block headers, Merkle tree stubs, and the transactions in question as described in Satoshi's paper.)

10. Copy the verification data to media such as a thumb drive.
10a. Alternatively, for a little extra security, prepare for several long nights of typing it in (assuming it is just the headers and Merkle stubs).

11. Boot a trustworthy live CD with VAPORWARE C on your secure, non-networked machine.

12. Using the verification data and out-points as input, run Vaporware C to sign a transaction.  This program will prompt for the key pair you generated in Step 2, as well as an amount and recipient address.
12a. If you worry about anonymity, you will have another secure key pair ready to receive the change.

13. Vaporware C displays a graph of network hash rate (or difficulty) over time.  Make sure it looks about right and there are no big, unfamiliar dips.  Cf. http://bitcoin.sipa.be/speed-ever.png.  This helps Vaporware C trust that the outputs obtained in Step 8 are in the amounts you think they are, so you do not accidentally give some lucky miner a huge transaction fee.
13a. If you don't care about this possibility, you don't need Vaporware B or the verification data from Steps 9-10.
13b. [Edit] I think, actually, the raw transactions and their hashes would suffice.

14. Copy the transaction signature to the thumb drive, paper, or similar.

15. Shut down the secure system.

16. Using VAPORWARE D on a regular, networked system, enter and upload the signed transaction to spend the coins.

17. Wait for the network to confirm the transaction.

18. Relax!

Note, you would want to test these procedures a few dozen times before entrusting your savings to them.

[1] Vaporware A, early alpha version: https://github.com/jtobey/bitcoin/raw/importkey/contrib/genkey.py

Oooh, I was thinking of trying to do something like this by violently hacking it out of the client code. I'll have a look at this instead, thanks!

I just want to point out that in many cases, the risk of losing the passwords/private keys, or screwing up one of the many steps, is orders of magnitude greater than some smart bitcoin trojan keylogger being on your linux box. Losing the password is a very real risk.

Eh, maybe if you're not used to using GNUPG. If I lose my key and password I'll have bigger problems than my bitcoin wallet.

splitting the key - http://en.wikipedia.org/wiki/Secret_sharing (http://en.wikipedia.org/wiki/Secret_sharing)
might be one way to spread that risk, or start a tontine,
if you're that worried about amnesia.

This is actually a very interesting question, because the two problems we want to solve are adversarial. If only one person knows the password (you), you could forget it, or something could happen to you and your money would be lost forever. If many people know the password, there's less of a chance it will get lost, but more of a chance someone else will steal the money, or get hacked. Secret sharing is cool, but it's really just a way to tweak the tradeoffs.

Here's another idea, a time lock. You could decide that for a period of 30 days, nobody has access but you. But if for some reason, you're unable to access the encryption for 30 days, either because you're injured, kidnapped, or forgot the password, then the shared secret password would go into effect and the second group would be able to access the funds. Of course there are all kinds of ways to game this, but it's an old stand by in meatspace security, and it should be a useful tool for the paranoid.

A dead man's switch, very nice. I'd be interested to hear details on how to implement this.

Now that I think about it, I don't see how it could be implemented with just cryptography. But with Bitcoin, it's easy. Just use future transactions, which will be entered immediately into the block chain, but won't actually take effect until a given block number. You do a transaction that empties out your private account into the joint account, in a block that will be computed 30 days from now. Then, each day you're around, you just transfer your bitcoins into a new private account, and that future transaction will fail because the originating account will be empty. You also set up another future transaction to transfer money from your new private account into the shared account in another 30 days. There are probably ways to streamline this, but I don't see any theoretical difficulties.

Amazingly, it looks like this feature is already baked into Bitcoin:

http://forum.bitcoin.org/index.php?topic=8821.0

Ok sorry. How exactly.. am I installing bitcoin to the flashdrive

me, for one. Be happy that your bitcoins will be more valuable when I lose mine.

for those with poor memory
you still need to rember a color and row or something.

http://www.passwordcard.org/

Being new I will tell you, it's very overwhelming. However I need to figure something out because I've been at this for a mere five days and have already been robbed. I made the mistake of using slush's service and didn't realize the user id and password needed to be separate from my site login credentials.

Someone used my worker's public login credentials for the site login and changed the wallet address and the payout threshold to .01 and cleaned me out!

Pathetic. Some lurker out there is probably watching for new users who continually make this mistake and steal from them. I guess in the open source world people do expect things for free. I do realize thought that there's a bad apple in every crowd. I'm just pissed.

Is there anything at all I can do with the wallet address they forgot to change? 

I just use Wuala. Got a free 10GB account when I bought a lacie external disk ^^

I'm not sure I understand the solution here.  This might be a bit long, so maybe it should be moved to it's own thread, but it seems relevant.

Disclosure: I am Noob.  Please correct me with anything I misunderstand; I am NOT here to dictate my vision of reality.  The only thing keeping me from having bitcoins right now is wallet security.

I see two security issues:
1) Loss of wallet by catastrophe (machine failure, localized sinkhole, terrorist bombing of my house, etc)
Lets strike issue '1' off the list.  It seems clear to me that a secure, encrypted backup stored in a variety of places is an obvious solution to machine failure.

Which leaves us with:
2) Loss of wallet contents due to theft of private key (trojans, keyloggers, posting private key on the bathroom stall, etc...)

My understanding of TrueCrypt is that it simply but securely locks a volume.  Which is great for backups, but once the password is entered, and the user has access to the volume, doesn't the computer and any peeping-toms also have access to the volume?  Key question here; if not, then my points are moot, but if so, all it takes is a couple milliseconds on a dirty computer viewing your savings account for a patient 'trojan' (or whatever you smart hacker people use) to nab the key, no?  And to me, I assume all computers are dirty all the time, since you can never really know.

Is it just impossible to completely secure the wallet?  Is it just an accepted risk that checking your savings is a window of attack, and should be done rarely, only when necessary, and only from a virgin system?  Should I assume that I can only check my savings account after reinstalling a new system?  Would that even be enough to guarantee security?

Thanks,
Paranoid Believer

password of WinRAR is not secure at all, don't use it!

if you are using symbol on keyboard to be the WinRAR password, The Government of PR.China is able to crack it in several seconds, the have a rainbow table for it, I was notified that couples of year ago, when I study in collage, on teacher is working for Government as a developer, he told me that.

Remember !

Don't use WinRAR to crypt your data anymore!

Of course I believe CIA is stronger then PRC Government

There are different solutions to this. One of the most simple would be to copy your addresses somewhere and check them on blockexplorer or another similar site to see what the balance is. That way you don't have to run the client and don't risk losing your coins.

Another solution would be to store your wallet on an usb drive (with or without truecrypt), and only access it from a livecd environment.

A third solution could be a combination of both: have two wallets, one with your savings, safely stored away and handled with great care, and another wallet with much less in it, that isn't that much of a risk to lose.

Great, thanks for the reply.  Between liveCD and the blockexplorer, I think I'm set.  Although liveCD (like bartPE, no?) is probably not 100% bulletproof either, but it adds a satisfactory level of obfuscation.

In what environment do I create the wallet?  Inside of liveCD?  Surely not in Windows, at least not a windows account that has or will ever see the interweb.  Can I run the bitcoin client and generate my savings wallet inside of liveCD?

Thanks.

Password card? What? Limiting all possible passwords to only hundreds combinations to test?

Sorry, no. Password card is bad tool.

How likely is it that someone who's using Ubuntu, looks at porn in firefox, and frequently saves image files (of teh girlies, obv), but doesn't download anything else or visit any really shady sites (cp, snuff, terrorist sites, etc.) has a compromised system? Should I be worried about losing my wallet and taking steps immediately, or am I being paranoid?

Does your wallet contain your life savings or just pocket change? It's up the individual to assess how important it is... how would you feel about losing it?

I think anyone with more than just a bit of pocket change should be paranoid about their wallet.dat.

Actually, even if you only have 0.01 btc... can you really say for sure how much USD that's going to be worth in a year or two?

There are some solid solutions in this thread, which are especially relevant to people who have tens of thousands of dollars in bitcoins. The problem is that executing the steps is hugely dangerous in itself. If you're paranoid about your computer being infected with keylogging malware that will send off your wallet pass phrase to a thief, you should be even more paranoid that you're screwing up one of the steps, or that there's a tiny bug in your vaporware. Unless you're a well known target, the chances of you screwing up are probably vastly higher than somebody remotely paying attention to everything you do on your computer.

Personally, I'd much rather use a simple but fully functional open source tool, that's successfully being used by thousands of people and is open to public scrutiny, than any homegrown scripts and protocols. I just don't trust myself enough. Can we get an open source project like this going? I'd be willing to put in a bounty.

Agreed.  I personally have put only a fraction of 1% of my BTC into the keys that I generated with my homegrown script, cited earlier in the thread.  I would put more in, but I first want to prove I can get the BTC out, which will require another round of vaporware to condense.  Even if successful, I will want to test successfully about 100 times to become confident that it doesn't sometimes fail.  Some more vaporware might help: transaction validation code extracted from a popular client.  And even then, to store a lot of wealth, I would probably distribute it among several addresses.


My genkey.py is open-source, though not well tested as far as I know.  Are you thinking of a friendly front end for the key generator, plus an offline transaction signer and a patch to allow the official client (or BitcoinJ) to import and broadcast the transaction?  I plan to do this eventually (minus the friendly front end).  I might be encouraged to hurry up for some BTC.

John, I've been reading up on your threads -- great stuff! I like the idea of some tools being integrated into bitcoin itself, because it makes that part more authoritative (lots of people looking at it, good maintenance schedule).

I think you could get some really good security combining some of these ideas. For small checking accounts, you'd just use the standard Bitcoin client, probably on an encrypted volume, with backups. For large savings accounts:

1. Never use the standard Bitcoin client -- it connects to the Internet.
2. All sensitive work is done on an offline, LiveCD box. (See https://www.privacy-cd.org/)
3. The LiveCD has a command line tool that generates a new wallet with as many accounts as you want.
4. It requests a pass phrase, generates the wallet, and spits out the account codes in plain text. Signs all this stuff.
5. The pass phrase isn't stored anywhere, it's just used to encrypt the wallet and then forgotten. You can test that you entered the pass phrase correctly by attempting to decrypt the wallet on the LiveCD box. (This "verify" step should be a standard feature of the tool. It lets you feel safe that you can transfer money to the account.)
6. Copy the signed package to a USB drive and then to your regular computer and upload it all over the place.
7. Now transfer lots of bitcoins to one or all of the new addresses in the usual way.
8. To spend, use another tool on the internet computer to download the minimum amount of data needed to sign the transfer. This could be part of the standard client.
9. Export another signed package to the USB drive. Insert USB in the LiveCD box.
10. On the LiveCD box, run a transaction tool. It will ask you for an amount to transfer, recipient address to send to (or maybe let you choose from the original batch you generated), and your pass phrase. It will then write a certified transaction package to the USB drive.
11. On the internet box, use yet another tool to send in the transaction to bitcoin. This could also be part of the standard client.
12. Monitor with an online app, or another tool, or both.

This sounds like a ton of steps, but a lot of them are being done inside the tools and transparent to the user. They're all just a matter of moving a USB disk around and running a few commands. They've been thoroughly tested and they reassure you by acknowledging that you have the right pass phrase and that all your data has been checked for integrity. Ultimately, they could be consolidated into the standard client on the internet box, and an offline gui on the LiveCD box. This is also nothing new, I'm mostly paraphrasing John's previous steps, but it helps me organize it for myself and hopefully others.

1. We don't have to worry much about keyloggers or malware on the LiveCD box because: A. How would they get there? B. How would they send the intercepted data out? We still have to worry about physical keyloggers, but that's a threat most people don't have to worry about, and there are physical ways to handle that. Eventually there could be dedicated devices instead of the LiveCD box.

2. Make sure your pass phrase is really strong.

3. The biggest remaining danger is that you forget your pass phrase. I think the dead man's switch (http://forum.bitcoin.org/index.php?topic=5194.msg147032#msg147032) is a good way to approach this. You might have to do the whole USB shuffle once a month, but it would be great if this were built into the tools. You could even have your bitcoins sent to some online trusted entity after a year of no activity, as a final backstop.

See also:

Deterministic wallet (http://forum.bitcoin.org/index.php?topic=11665.0)
John's vaporware approach (http://forum.bitcoin.org/index.php?topic=5194.msg145779#msg145779)
Private key and wallet import/export (http://forum.bitcoin.org/index.php?topic=8091.0)
Private key import (http://forum.bitcoin.org/index.php?topic=9046.0)

I had some "fun" trying to import a key to my workstation that was exported from my dedicated offline savings laptop. It didn't go very well.

In the end I decided for now that the savings laptop is probably enough. It's a little old laptop with a clean debian installation, no outward-open services except the bitcoin client, and it connects to the net through a NAT. I only connect it when I need to make a withdrawal. I decrypt the wallet and start bitcoin to xfer coins out, and then re-encrypt it, copy off the backup, and shred the original before shutting it down.

It's not ideal but it's far more functional than the totally-offline setup I had going. IMO it's very very unlikely that laptop is or will be compromised. I look forward to better key-management tools. Maybe it's time for a bounty?

This may be a stupid question, but if the wallet file just contains a private key, would it be possible to simply write the key down on a piece of paper and then take a magnet to your hard drive if you're paranoid about your security already being compromised? Obviously you'd need to be very sure not to lose that piece of paper, but this would give you time to set up a truly secure system.

Vladimir said: Amnesia could be a very expensive illness in bitcoin land, take care. You've been warned!

This got me thinking. We all die and suffer accidents in ways that often stretch our imagination to envisage. It has always been thus. Today we still occasionally find roman coins hidden by people who through bad luck or bad planning or a bit of both were unable to retrieve their fortunes (See 1) the story of a find of a crock of roman gold coins that weighed 25 stone, or (2) the moving story of a family on the run from the Nazis who burried their fortune in a London house that was bombed and then found 50 years later.

The point is this can NEVER happen with bitcoin. In some ways its a good thing, undoubtedly this removes the incentive for someone to "arrange"an accident for me. But it also seems sad and in a way deficient that while a store of value manufactured in roman times, still serves as exactly that now, even though we do no know who it belonged to, and that a store of value from WW2 was returned successfully to the descendants of the person who hid it, this cannot happen with bitcoin. Could it be that after say 100 years a lost coin is returned to something like a mining pool?  Is there any other way to return or re-mint lost bitcoins?

1) http://www.dailymail.co.uk/sciencetech/article-1292990/Chef-Dave-Crisp-discovers-largest-hoard-Roman-coins-Somerset-field.html
2) http://www.bbc.co.uk/news/uk-england-london-13128903

Yes, with the Dead Man's Switch (http://forum.bitcoin.org/index.php?topic=5194.msg147032#msg147032) You can program in several layers of transfer. After 30 days, the money could go to your close family. After a year, it could go to some website you sign up for that will specialize in determining your identity in more conventional ways and give the money back to you or your next of kin. Or you could make it go to some favorite charity. You could also have it go to a miner, but I'm not sure what the point is. I guess if a lot of people did this it would bring bitcoin transaction fees down.

One last thing to remember is that when the money finally disappears, it makes every other bitcoin user a bit richer, exactly the opposite of inflation. So in a sense, even then it's not completely lost to the world.

buy this for ~$70 depending on retailer
https://www.ironkey.com/basic

keep wallet.dat savings in a truecrypt container on it. ironkeys have a mouse keyboard you can use to defeat keyloggers to open your truecrypt file. brute force and even physical attack on ironkeys is pointless they self delete after 10 tries or from physical tampering

to remember a giant password that you don't want to have to write down for security risk, or you don't trust Bruce Schneier's twofish encrypyted Password Safe (http://passwordsafe.sourceforge.net) for whatever reasons then grab a dvd/book and use parts of it to make the password.

Example:

Grab your copy of Battletoads lying around and use the UPC and first sentence to make a pass: http://www.sega-mag.com/jeux/cover/Megadrive/Battletoads-Megadrive-EUR.jpg

alternate shift + caps

9&4#6%6!0^4&WtEdQkYbBaTbPa,ItTgRM,AtGe!
39 char pass you'll never forget as long as battletoads doesn't get thrown out

The LiveCD laptop is still more secure against keylogging malware. I feel like entering your password on an everyday, internet connected machine is scary. It would be cool if you could plug a keyboard straight into the ironkey.

Exactly! What does THIS mean?
4  create a truecrypt disk with image stored on this USB drive so that all bitcoin files and datadir and
therefore wallet.dat are on this truecrypt disk and make a .bat or .sh file which starts bitcoin client from this USB drive.

I now see that the wallet is one of the weakest aspects of bitcoin so far. This is going to continue causing misery for so many!

I hadn't understood where plausible deniability was important.  Then I read:
  TrueCrypt User Held in Contempt of Court
http://forums.truecrypt.org/viewtopic.php?t=23969
http://news.ycombinator.com/item?id=2693599

I was about to fire up a live Ubuntu USB with Truecrypt as this guide suggest, when I realized that the new client (0.4) that I'm going to run on the USB Live disk, already has the ability to encrypt my wallet.
Is there any reason to encrypt the wallet using Truecrypt when the client itself supports it?

the wallet encryption only protects the private keys, so an attacker cannot spend your coins. he can, however, see the balance in your wallet and on each individual address. so if thats an issue for you, you might use truecrypt in addition to the wallet encryption. truecrypt cannot protect a wallet thats in use, so for a regularly running bitcoin client the clients wallet encryption is still the best solution.

I see. I think I'm going for Truecrypt, also because it's had some years for people to find holes in its encryption implementation, while the Bitcoin client's implementation is fairly new.

Bitcoin isnt worth anything now its been trademarked by a lawyer.

^ The market seems to disagree you with.

take your sites down before it's too late!!

Anybody trademark cryptocoin yet?

Buy a cheap computer and never let it connect to the internet.
Download bitcoin on another computer and put it on a usb stick.
Install it on the new computer.
Create a wallet on it with 1,000,000 addresses (a big file harder to steal).
Encrypt it.
Copy the wallet back to the usb stick with at least one address for the wallet in a text file.
Trash the new computer (hammer nails through the hard drive and bury the hard drive).
Store the wallet in multiple locations.
Send all bitcoins you own to the address you saved.
Never access you savings wallet ever again.

What about putting the wallet on a Truecrypt protected bootable USB stick that only has Bitcoin stuff on it and is only used for Bitcoin.  Then there would be no possibility of keyloggers or other background processes spying out your password.

I tried to set up a USB stick like this last year but was unsuccessful, but if somebody who knows what they are doing could do this and upload the image, it would surely make many people feel more secure.

^ That would work. But as soon as you connect to the internet, your bootable USB stick might be compromised.

a better cheaper version of this is to download Ubuntu onto a Live CD.  start up your system off the CD and download Bitcoin and create a wallet.  note down one address and email it to yourself.

copy the wallet.dat over to a few Ironkeys and spread them around town.

shut down Live CD session and all data is wiped from RAM.

One could also use a USB stick with hardware write protection, boot a Linux distribution and use a Bitcoin client with deterministic wallets. On each boot, you recreate the wallet from the mnemonic code and nothing is ever written to the USB stick. Nothing to backup, nothing to steal for hackers. As long as the system is not hacked while running the Bitcoin client (you should keep it running just enough to do transactions, then shut down), it should be pretty safe.

For example: BitSafe-Electrum - https://bitcointalk.org/index.php?topic=54376.0

which is made of BitSafe - https://bitcointalk.org/index.php?topic=46916.0
and Electrum - https://bitcointalk.org/index.php?topic=50936.0

...or generate an address, write down the private key on paper...destroy the digital copy, put paper somewhere safe. Now your savings address is as safe as it can be from hackers.

I personally prefer generating a completely random private key / public key pair than using deterministic methods to create / recreate a wallet (or bunch of keys), as there is the risk (no matter how small) of the method to be discovered and the whole wallet compromised.

I only just discovered about this Wuala thing, but this is pretty awesome!

Looking into Wuala right now, didn't try it yet but so far it seems a big improvement over Dropbox:

• Encrypted locally, which is extremely important for sensitive data (such as your wallet)
• 5GB instead of 2GB in the free plan (well even 2GB is already WAY more than you need to backup your wallet)
• Ability to have multiple sync folders on your computer (as opposed to just one global 'Dropbox folder')

Looks pretty nice so far.

I made a pretty comprehensive tutorial for using cold storage in Armory:  Using Offline Wallets in Armory (http://bitcoinarmory.com/index.php/using-offline-wallets-in-armory). 

Get an old laptop, and it's 7 steps to get setup.  Then 7-8 steps to actually execute a transaction.  But of course, this is all with a pleasant graphical user interface with directions shown along the way, so the steps are a lot easier than the alternatives! 

Offline wallets/cold storage is exactly what inspired me to make Armory in the first place! 

The only potential point of failure is USB viruses.  And those viruses would have to be highly-targeted:  your private keys never touch any computer that will ever touch the internet.  So a USB virus would have to be fully automated and exploit autorun vulnerabilities to even have a chance.  In the future, I will support serial cables to close this tiny little gap, for the super-paranoid.

</spam>

How do you guys feel about bitaddress.org paper wallets for offline storage? Pdf's backed up as physical paper in a secure location and as a file on an encrypted disk image on email/dropbox/various usb sticks (25+ char. pwd)?

@etotheipi

The offline computer can have an offline antivirus, anti-malware, anti-rootkit software installed. It is updated by virus definition files offline through the USB. Serial cables (as in the RS232?) are non-existent on modern computers and you can consider them obsolete.

Personally, I don't have enough bitcoins to justify an offline computer for the purpose of cold storage, and I think I know relatively enough about malware to prevent it from affecting my daily computer usage despite not having installed anti-virus software (they slow down my computer so much that I notice it.)

Your software is interesting though and I might just download and try it out.

@fivemileshigh

That's almost how I do it. I generated some key pairs and they're backed up on paper and encrypted and rar'd with recovery records, and then protected from damage. I haven't actually printed them out to paper but will do it soon.

A piece of paper, printed using a dot-matrix impact printer (because laser toner sticks and inkjets smudge), optionally laminated, stored in a folder or envelope, in a safe is cheaper than a used mini laptop / netbook.

I'm actually looking for a decent font to print out my private keys and so far I've come up with Courier, Consolas and Lucida (fax / mono). I prefer monospaced font for this purpose.

You can get USB-to-Serial-port converters for $10.  One for each system and a null modem cable to hook'em together.

I agree that you can install all sorts of extra stuff on the two systems to prevent most nastiness.  But if users are storing $100,000+, they would prefer the 100% guaranteed solution, even if it's a little extra work and a few extra dollars.

Please try it out and let me know if you have any issues or concerns.  I'm always available to help :)

If users really are storing $100,000+ there's no reason to use a general-purpose computer as an offline wallet. It seems like a dedicated hardware device should be able to be produced for less than the cost of two USB to Serial converters plus a PC. All it would need to do is receive unsigned transactions, wait for user input, sign the transaction, and return it.

Yes and no. 

(1)  Such hardware devices do not exist yet
(2)  Offline systems can usually be found for free, because even 10 yrs old with 256 MB of RAM will work
(3)  A specialized hardware device may work, but will lack flexibility -- with the offline system you can import keys, juggle wallets, print backups, etc.

I agree that a specialized piece of hardware would be nice, but there's a lot of flexibility in using a general purpose system that was about to be thrown out anyway.

Flexibility is nice but it also means more potential ways for a remote attacker to find an exploit. The lack of flexibility in a specialized device is a feature because it greatly reduces the attack surface.

It might not be worth it for $1000 but a wallet with $100,000+ is a highly desirable target for someone to go after.

This thread lost me at 14 steps... easy?

anyway, in case I feel like I need more security... sub

I agree with your sentiment.  But a computer that has never touched the internet has no attack surface.  The only attack vector is the autorun-USB vulnerabilities when using a USB key for moving tx data back and forth.  It's a small surface, but it is theoretically exploitable.  That's why I brought up the USB-serial connection, which reduces that attack surface to zero (barring compromised software updates), because there is no way to induce remote-code execution through the serial cable.

EDIT: last sentence is true given a couple basic precautions taken on the offline system.  And the entirety of the above is true given that the software was designed "correctly."

I designed Armory specifically for the easiest cold storage capability possible.  And most people either have an old spare laptop sitting around waiting to be junked, or can get one from a neighbor/friend/coworker for free.  The program walks you through the process, and unlike other solutions, you get a watching-only wallet on your online computer so you can still generate addresses and monitor your balance and transactions, without the risk of someone getting the private keys.

That's what has me worried. It's been a long time since we used dial up modems as a primary means of accessing the internet so how much attention has been paid to the OS serial port drivers and libraries with regards to security flaws? Can you prove there is no possible sequence of bits capable of exploiting a bug somewhere in the stack?

In the case of Linux, wasn't the entire TTY layer recently rewritten? How much security auditing has been done on that, given that serial ports don't get a lot of use these days?

I love Armory, and I think it is the easiest possible solution for much of the current bitcoin crowd, but I think the time is approaching that we'll need to begin developing for our parents and less-tech-savvy friends.  I know lots of people, even among my cohort, who don't have spare computers sitting around, and even if they did they wouldn't be able to setup an offline Armory wallet.

Edit:  BTW, you've got PM.

I whole-heartedly agree.   My priority has been to make the functionality exist and accessible for those who want it.  So far, I haven't seen cold-storage implemented anywhere else that isn't a complete PITA to use.   In that sense, Armory is the perfect response to this thread, because you were already expecting to do 14 steps when you clicked on this thread :)    At least the steps for Armory cold storage are built into the interface, and lets you have a watching-only wallet...

However, as you point out, absolute beginners would probably not figure this out.  And to be fair, Armory is not designed, in its current state, to be a beginner's tool.  Armory is intended to be the ultimate advanced-users' tool first, then I will work on networking-independence and standard-usermode to make it usable by new users.  As long as you need the Satoshi client running in the background, there's no point in catering to beginners, yet...

I'm pretty sure that Mr. etotheipi is well meaning, but he is also very young and inexperienced. His advice about "attack surface" is generally right, but it just betrays his lack of experience.

1) Those who remember the old product called Laplink and its special "serial and parallel on both ends" cable will probably also remember the trivial procedure used to transfer Laplink from one machine to the other through that cable. Once you had Laplink on both machines you had access to all files on both machines.

2) Ten years old laptop computers frequently have IrDA (or other infrared) port. There wasn't many commercial products using those ports, but it was heavenly invention for hackers. Clever person could gain access to the other person's computer while siting right in front of him around the conference table during negotiations.

3) The biggest attack surface on 10 years old computers in not from hackers, but from your good old friend Murphy. If you plan on following his advice to store your valuable bitcoins on an old PC please buy at least 2 or 3 identical copies to have spare parts in case of inevitable component failure. Also make sure that either you know how to swap those parts or have a trusted person who could help you with that task.

This is pretty much close to a security theater performance art.

The constructive advice I could give is:

1) use modern computers, just learn how to boot them off the external drive or how to swap internal drives.
2) when storing on the hard drives learn about SmartMonTools (or other S.M.A.R.T. toolset), how to use them and how to interpret the results.
3) DVD-RAM is the only consumer-grade removable media technology with any track record of long-term reliability.
4) USB flash drives are to be trusted only if you also have access to the test and configuration application that is specific to the particular controller used in your flash device.

Thank you for reading.

I think you're forgetting that Armory can be use, and should be used IMO, to create offline paper backups.  Laminate a few of those suckers and store them in fireproof safes.  If the the old computer you used, which may have had an active wallet on it, dies; then just grab another computer and one of your paper backups and your back in business.

Thank you for reminding me about another "attack vector" that I neglected.

You'll also need to store the Armory source code as well as the source code of its tangled mess of dependencies, including the toolsets required to rebuild them. Or just buy a life insurance policy and a performance bond on Mr. etotheipi.

Sorry, but I have a feeling that explaining certain long-term attack vectors will look too much like a personal attack. I really don't want to go into that discussion.

2112,

I know what you're saying: it's improper to talk about "zero attack-surface" because there's always a vulnerability due to one of the assumptions made which isn't necessary true (unexpected software on the OS, improper software design, maliciously modified software, etc).  But what solution do you recommend instead?  Both, "what do you do right now to secure your coins" and "how do you improve the software to make it more secure"?

I am not sure if there's anything better than Armory for the first question, right now, in terms of being a solution that moderately-experienced users can use.  The answer to the second question has been the topic of many discussions including this one (https://bitcointalk.org/index.php?topic=68482.0) where I sought input from other users on exactly this topic.  I don't see any posts from you.

(EDIT: added the correct link to the previous paragraph)

You clearly have constructive input to add, so please do so on those threads.  You are clearly very experienced and your input would be valuable so that stupid things don't happen.  For reference, I am aware of various pre-installed tools for communicating via serial port -- and even IrDA could be used to initiate logins.  I didn't mean to imply that all you need is a serial cable -- using the serial cable would come with a lockdown procedure.  It would be for the really advanced users.  

I heed your advice about claiming "zero attack vector", I should really be claiming that this is the "best solution currently available."  It's certainly better than keeping an encrypted wallet on your online HDD.  

P.S. -- One thing to clear up:  paper backups for Armory are invaluable.  You can print off multiple copies to protect against hardware failure, and any version of Armory can produce a raw list of private keys that could be imported into any other program.  Agreed that old hardware is likely to fail, but new hardware fails too -- that's why there's such exhaustive backup features in Armory.

This is just my purely subjective personal opinion but if I had a wallet with $100,000+ in it I would store it on a computer that had complete air gap security - not even an RS-232 link to an Internet-connected computer. I would want the ability to create offline transactions by hand-keying in the source and destination addresses and would broadcast the transaction by having the offline computer print a hard copy that another computer could scan in and upload to the network.

Well you can do that with Armory.  It just might be quite a bit of handwriting (I think some transactions can be up to 10kB)...

However, I had considered the possibility of using webcams and QR codes.  But that will turn into a mess of wires and complicated interfaces to deal with multiple QR codes, etc.

... of course, as I review this thread I see that even if the serial-port solution is done technically correct, there is likely to be mental discomfort with having a physical cable connecting the two systems.  It definitely makes me uncomfortable, even if know that no electrons are flowing...

P.S. - I mislinked in my previous post, I was trying to link to my thread about improving offline wallets (https://bitcointalk.org/index.php?topic=68482.0). Please go to that thread and revive it if you have more ideas for how to achieve a 100% solution that isn't too complicated. 

QR codes should definitely be doable for transmitting transactions. I started writing a wrapper protocol in Java using QR codes (and web cams for reading them) last year. I got as far as creating a proof of concept, or close enough anyway. I never fully developed it since I found it difficult to setup a testing environment that I was happy with and I anticipated a lot of problems related to generating the offline transactions that I didn't want to tackle. Most of the code has been publicly available for quite some time now. In fact I stripped out the screen capture/reading capabilities and offered it to Jim as a reference implementation for a feature he was working on in MultiBit at the time. I'm not much of a programmer so it may or may not have made it into the code base. He did encounter some Java platform limitations regarding window transparency using it on Mac as I recall.

I believe the QR code spec allows up to about 2,000 reduced ascii characters (not bytes) per QR codes. Base91 appears to be the ideal encoding for QR codes. I know BeeTag on my Nokia 5230 had a software limitation of 250 characters. The smallest BitcoinJ transactions at the time tended to be a bit bigger than what my Nokia could handle, but that is solved easily enough by splitting up the tx across multiple QR codes, using as many character allowed by the spec, and/or storing some basic metadata in the QR code. In any case it would be a lot faster than typing. I estimate my reference implementation could handle transactions up a little over 64,000 bytes.

IR ports. Block them all with black tape. Or paint them.

TrueCrypt vs. Offline wallet. I think for both you should have a computer that has never had any connection to the internet or local network. (Which is kinda impossible).
But even so you'll need to get TrueCrypt or any offline wallet generator from the internet on to that computer somehow.

I think that this a way to do it:
Using a Linux live CD distro on a dedicated computer without any harddrive in it or any other storage attached to it.
Get a brand new trusted brand USB stick and store your tools from the internet on there using this Live Linux environment. You'd only have to do this once. Never plug it into any other computer.
Then shutdown the pc entirely, unplug the networkcable, boot into Live Linux again so that anything that was loaded in the RAM during the previous online session gets erased.
And then use the tools offline.

still not used TrueCrypt

still all fine and secure

but is there must need use TrueCrypt ?