Bitcoin Forum

Other => Off-topic => Topic started by: 1000guess on January 10, 2020, 06:25:37 PM



Title: Save your PK, or any message into an image file.
Post by: 1000guess on January 10, 2020, 06:25:37 PM
Do you write your Private Key on paper or any media?

What if an image file that looks like nothing special might contain a Private Key inside it?
Even more, if the PrivateKey or any message inside it is encrypted?

If you secure both the paper notes and an image file saved in external media in the same Safe,
which do you think is safer?

You can do it with your phone.

[Android]
https://play.google.com/store/apps/details?id=com.ethereummiddleman.secretimage

[iPhone]
https://apps.apple.com/app/id1489854686

[Web Service]
http://www.ethereummiddleman.com/secretimage.html
(in WebService case, all your data is encrypted first on your machine and transferred to the WebService, so fear not)

Hope this helps.


Title: Re: Save your PK, or any message into an image file.
Post by: noorman0 on January 11, 2020, 01:02:21 PM
Quote
_snip_
(in WebService case, all your data is encrypted first on your machine and transferred to the WebService, so fear not)

Are you sure? ::)
In the case of importing a PK, we are strongly recommended not to be connected to the internet at all. And here you recommend handing over people's PK to a new platform owned by random people, and through the internet as well.
If you mean to insert any message code into an image, you can do it yourself offline using a hex editor. That has less risk than your tips.

I don't recommend your way.


Title: Re: Save your PK, or any message into an image file.
Post by: 1000guess on January 12, 2020, 08:49:38 PM
Thanks @noorman0

Regarding the Web Service, even though it's encrypted, it's delivered.
So I understand your concern.

But regarding the mobile App, is there any reason you think it will be delivered to somebody else?

By the way, even with the Web Service, it's encrypted with 256bit AES and deleted after a while.

It seems you are accusing somebody or some product even without checking the fact,
resulting in a false impression over the whole service.

What do you think?

Thanks :)


Title: Re: Save your PK, or any message into an image file.
Post by: qwk on January 12, 2020, 09:45:29 PM
Quote
regarding the mobile App, is there any reason you think it will be delivered to somebody else?

There's malware out there that will screen capture android phones.
https://www.forbes.com/sites/zakdoffman/2019/07/08/warning-for-users-of-android-banking-apps-new-malware-is-recording-password-screens/

So, when you're thinking about creating private keys on a phone: don't.


Title: Re: Save your PK, or any message into an image file.
Post by: LoyceMobile on January 12, 2020, 09:51:44 PM
Quote
By the way, even with the Web Service, it's encrypted with 256bit AES and deleted after a while.

It seems you are accusing somebody or some product even without checking the fact

Fact is: you are asking people for their private keys, while claiming it's encrypted. Let me guess: you can and will decrypt the private keys.

Reminder: member never trust anyone with your private keys!


Title: Re: Save your PK, or any message into an image file.
Post by: Artemis3 on January 12, 2020, 10:07:00 PM
Private keys should never be casually handed, period. The current best practice is to use the seed words, and copy that with your hands avoiding electronic devices.

Once copied, you could in a secure disconnected PC do things like typing them in a text file, and encrypt that, or steno-graph it yourself in one of millions ways, then encrypt that, etc, etc. No apps, no sending things to others.

There are various free open source tools that can help you do this, if you are inclined to do so electronically, but you could just do it physically as well. Pick a book, mark some words, done.

Ideally you should never watch the actual pk ever yourself, only once when you create the wallet and type the seed words but never make the pk display anywhere. The practice of the old paper wallets has been discontinued for its dangers.
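
The offline, do-it-yourself route that noorman0 (hex editor) and Artemis3 (encrypt on a disconnected PC, then hide it yourself) describe above, as an added example that is not part of any post and is not the app's code. It assumes the payload was already encrypted offline with a tool of your choice; the chunk type `prVt` is a hypothetical name chosen here, and the 1x1 image is constructed sample input.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHUNK = b"prVt"  # hypothetical private ancillary chunk type, chosen for this example

def _chunk(ctype, data):
    """Serialize one chunk: length, type, data, CRC-32 over type + data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def iter_chunks(png):
    """Yield (type, data) up to IEND; reject bad signature, truncation or CRC."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos, ctype = 8, b""
    while ctype != b"IEND":
        if pos + 12 > len(png):
            raise ValueError("truncated PNG")
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype, end = png[pos + 4:pos + 8], pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk")
        data = png[pos + 8:end - 4]
        if struct.unpack(">I", png[end - 4:end])[0] != zlib.crc32(ctype + data):
            raise ValueError("CRC mismatch")
        yield ctype, data
        pos = end

def embed(png, ciphertext):
    """Return a copy of png carrying ciphertext in one chunk placed before IEND."""
    out = [PNG_SIG]
    for ctype, data in iter_chunks(png):
        if ctype == CHUNK:
            continue  # drop an earlier payload so only one copy exists
        if ctype == b"IEND":
            out.append(_chunk(CHUNK, ciphertext))
        out.append(_chunk(ctype, data))
    return b"".join(out)

def extract(png):
    """Return the embedded bytes, or raise KeyError if the chunk is absent."""
    for ctype, data in iter_chunks(png):
        if ctype == CHUNK:
            return data
    raise KeyError("no payload chunk found")

def minimal_png():
    """Constructed 1x1 grayscale PNG used as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")
```

The extra chunk is visible to anyone who lists the file's chunks, so confidentiality rests entirely on the encryption applied beforehand. Image editors that re-encode the file may drop unknown chunks, so verify `extract` on the stored copy.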


Title: Re: Save your PK, or any message into an image file.
Post by: Naida_BR on January 13, 2020, 02:16:33 PM
I don't find it safe.
What is the guarantee that this file is not being compromised?
Still, saving your PK on paper and keeping it in a safe place is the best choice for me.


Title: Re: Save your PK, or any message into an image file.
Post by: 1000guess on January 13, 2020, 07:15:48 PM
Quote
regarding the mobile App, is there any reason you think it will be delivered to somebody else?
There's malware out there that will screen capture android phones.
https://www.forbes.com/sites/zakdoffman/2019/07/08/warning-for-users-of-android-banking-apps-new-malware-is-recording-password-screens/

So, when you're thinking about creating private keys on a phone: don't.

So why do you think this APP is related to creating keys or involves that specific moment?


Title: Re: Save your PK, or any message into an image file.
Post by: 1000guess on January 13, 2020, 07:25:29 PM
Quote
By the way, even with the Web Service, it's encrypted with 256bit AES and deleted after a while.

It seems you are accusing somebody or some product even without checking the fact
Fact is: you are asking people for their private keys, while claiming it's encrypted. Let me guess: you can and will decrypt the private keys.

Reminder: member never trust anyone with your private keys!

Ok, so you are worried about the situation that
"I can somehow bruteforce to find the key for the encryption and decrypt yours?"

Got your point.
Technically possible, even though I am not that kind of guy and got no time&resource for that.
That latter word means nothing to the users so I will revise the WebSite with warnings.
Not to test serious data on the WebSite.

But my point was rather about the mobile Apps, which seems you guys just worrying that I leak your data somehow.
You can simply spoof the network packet if it ever sends any data while it's doing it.
Basically, this is not just an assumption but seems a false accusation to me. :)






Title: Re: Save your PK, or any message into an image file.
Post by: 1000guess on January 13, 2020, 07:33:58 PM
Quote
Private keys should never be casually handed, period. The current best practice is to use the seed words, and copy that with your hands avoiding electronic devices.

Once copied, you could in a secure disconnected PC do things like typing them in a text file, and encrypt that, or steno-graph it yourself in one of millions ways, then encrypt that, etc, etc. No apps, no sending things to others.

There are various free open source tools that can help you do this, if you are inclined to do so electronically, but you could just do it physically as well. Pick a book, mark some words, done.

Ideally you should never watch the actual pk ever yourself, only once when you create the wallet and type the seed words but never make the pk display anywhere. The practice of the old paper wallets has been discontinued for its dangers.

I agree with that proposition.

Though you do use Metamask or other tools, right?
The role of the App is to save any data to an image.
Once it's saved once your phone encrypted, I believe users can save it somewhere.

Are you suggesting to revise function to cover that 'afterward' scenario, or suggesting that this kind of encryption and steganography is meaningless anyway?


Title: Re: Save your PK, or any message into an image file.
Post by: Ucy on January 14, 2020, 07:34:36 AM
I wouldn't save too much with this method. It's quite risky. By the way, is this open source project... been tested by others?
Quote
If you secure both the paper notes and an image file saved in external media in the same Safe,
which do you think is safer?

None, I guess, as long as you copy from the internet.


Title: Re: Save your PK, or any message into an image file.
Post by: Negotiation on January 14, 2020, 09:14:58 AM
I don't think we should have personal keys with phones because it's too risky for us. Never call personal information at work. Save your PK or any message to an image file and then encrypt it at a lower risk. Keep it safe and do not charge any product without verification. And it's better not to use PK.


Title: Re: Save your PK, or any message into an image file.
Post by: 1000guess on January 14, 2020, 01:47:59 PM
Thank you @Ucy, @Negotiation

I think there are 2 points here.

1. Level of security.

If you guys think 'even just copying the PK string from the Internet' is not safe, all the PC/Mobile S/Ws are not safe.
Though you guys use PC wallets, Metamask, other S/Ws.
And this App doesn't create PKs, just work based on the value given from the user or QRcode scan.
Even if saving in a Safe is not enough, I doubt how do you guys think cold-wallet (storage) is better.

2. Verified?
Even though it's simple codes, why would you reveal all your codes if you want to make profits even just from an Ad?
B.t.w, From WebService site you can get all encryption/decryption source code from JS script there. Anyone can see that from web browser.
So, Let alone GooglePlay and AppStore, what will be the organization that you think will do some verification for this kind of S/Ws?

I'm just asking your opinion.

thanks


Title: Re: Save your PK, or any message into an image file.
Post by: boyptc on January 14, 2020, 09:10:07 PM
With those apps?

No.

Writing on a paper is the most secured way of keeping our PK if not for the others.


Title: Re: Save your PK, or any message into an image file.
Post by: 1000guess on January 15, 2020, 02:17:01 PM
Quote
With those apps?

No.

Writing on a paper is the most secured way of keeping our PK if not for the others.

Thanks,
Just curious. Don't you trust Crypto Exchanges and their Cold Storages also?


Title: Re: Save your PK, or any message into an image file.
Post by: noorman0 on January 15, 2020, 04:15:22 PM
Quote
If you guys think 'even just copying the PK string from the Internet' is not safe, all the PC/Mobile S/Ws are not safe.

Yes it's not safe at all, copying any sensitive data including PK is not recommended when the internet is active.

Quote
And this App doesn't create PKs, just work based on the value given from the user or QRcode scan.

There you have it, pasting PK to other sites (including the web you mentioned) is also not recommended except for wallet service sites where PK is generated. Maybe you already understand what the "Clipboard Hijacking" is.

Quote
Even though it's simple codes, why would you reveal all your codes if you want to make profits even just from an Ad?

A valid ad won't ask customers for any sensitive data.

Quote
B.t.w, From WebService site you can get all encryption/decryption source code from JS script there. Anyone can see that from web browser.

Not sure, can you name one of the sites? Can I also see it? If there are, then they don't last long because it destroys the "privacy" of customers.

Quote
So, Let alone GooglePlay and AppStore, what will be the organization that you think will do some verification for this kind of S/Ws?

I don't know, but I'm not sure if big companies like Google and Apple would do something so insignificant. Not that I trust 100% in them.

Quote
Don't you trust Crypto Exchanges and their Cold Storages also?

The Exchange doesn't provide PK to customers, so I think this is a bit off topic.


Title: Re: Save your PK, or any message into an image file.
Post by: 1000guess on January 15, 2020, 08:54:39 PM
Thanks, @noorman0 for very constructive comments.

Regarding the code, here on my web site, you can see the code from any web browser in developer mode.
http://www.ethereummiddleman.com/secretimage.html

And regarding this comment as far as Mobile App concerned,
I think it's a bit unlikely because you will usually type in, or scan the QRcode from the App.

Quote
There you have it, pasting PK to other sites (including the web you mentioned) is also not recommended except for wallet service sites where PK is generated. Maybe you already understand what the "Clipboard Hijacking" is.

Well, I meant whether you trust what they manage PK there.

Quote
The Exchange doesn't provide PK to customers, so I think this is a bit off-topic.