If it is not air-gapped all the time, you again have the problem with the rootkit scenario.

Also.. if it is not completely offline all the time, why did you reply like this:



If a computer is not air-gapped all the time, you can't call that truly air-gapped.

As i said.. truly air-gapped = good; sometimes air-gapped / sometimes online = bad.




The topic is not whether it is for people with a low budget or not.
The point is that this is not even close to a hardware wallet, and you made the impression that it is not much less secure than a hardware wallet.

A hardware wallet consists of a secure element which handles the signing and where private keys can not be extracted. Anything else is not a hardware wallet.

There are ways to securely store coins without a hardware wallet, yes. But you should never compare an USB flash disk to a hardware wallet the way you are doing it.

The top reply in the reddit post you linked is from the CTO of ledger, stating:



My assumption is, that if you update your nano s via the ledger manager from 1.3.1, it automatically first updates to the needed version, before finally updating to 1.5.5. Like incremental updates.

Ledger live manager should handle the firmware updates automatically, so no user intervention (regarding firmware updates) should be necessary.
Just plugging in and updating firmware.

Most of ledgers code is open source.
The only thing which isn't is are parts of the firmware of the secure element (due to NDAs, they are working on open sourcing everything).

Trezor, on the  other hand, is completely open source. So that's not an argument.




No, that's simply wrong.

Malware can infect the MBR / BIOS. Booting from a live USB does not protect against that.




Are you really trying to say that it is more convenient to use a wallet on an completely air-gapped computer than plugging in a hardware wallet to your main OS and use this as your wallet  ?

I hope that was a joke.




I am sorry too, that i didn't get that.
I assumed what you say has to make sense (therefore assumed that the computer is only air-gapped when accessing the wallet).. but obviously it doesn't have to fully make sense.

Why should one use an USB if the computer is completely air-gapped (all the time) ?
There is no reason to use an USB in this case.. simply use the computer (with its hard drive) then. This reduces the possible attack vectors compared to when additionally using an USB flash drive.

Not even close to a hardware wallet. Neither security- nor usability-wise.




Uff.. that's a very extreme statement to make..

Anything which holds sensitive information is vulnerable. The question is.. vulnerable to what?

A system which is completely offline is not vulnerable to threats from the internet.. but that's it.
Is your computer infected with a root kit -> Doesn't matter what you boot, doesn't matter if you are offline when booting from the USB, your keys can get stolen.

Also, there is no reason to install kali if you just want to have private keys stored + bootable OS. There are better options available in this case.




Practical ? Usability ?

Air-gapped wallets are one of the least-convenient wallets to use.
They might be more secure than a hardware wallet (but only with a true air-gapped computer, not a stupid bootable USB.. that idea is not even close to being as secure as a hardware wallet), but lacks lots of convenience.

Was your 'first' electrum wallet a mobile wallet ? Or how did you scan the QR to send the funds ?

In case you were sending from desktop wallet to desktop wallet: Can you briefly describe the process ?




That's now how the gap limit works.
The gap limit describes a look-ahead. It tells electrum how many (empty) addresses it has to check before stopping searching further.

For example (with a gap limit of 20):
1) If you have used the first 25 addresses, and restore the wallet, electrum will check the first 45 (25 used + 20 gap limit) addresses.
2) If you have used the 1, 2nd and 21st address and restore the wallet -> electrum will check the 1st, 2nd -> then up to 22 (finds funds at your 21st) -> then up to your 41st address.

Your recommendations do not mentioned what Pmalek said.. in any word.

Virustotal and any other AV software can only recognize malware by 2 approaches:

• Heuristics
• Behavior analysis

Regarding Heuristics:
If the malware is either 1) new or 2) modified so that these AV's don't have it in their database yet -> No Heuristic to match the malware with.

Regarding Behavior analysis:
If the malware does not run malicious code when being analyzed (can be done with multiple techniques, e.g. checking whether being run in a sandbox) -> Not triggering the behavior analysis.


Now, if we combine these two statements, it becomes clear that it is quite easy to create malware which is completely undetected from AV's (at least until enough people have been infected with it and AV's have manually reviewed and sigged the malware as such).


Using AV's (whether paid ones on your computer, or online services like virustotal) does only protect you against 1) known and very wide-spread malware and 2) malware created by script-kiddies or any other non-commercial cyber criminals.

No. Noone can confirm this for you.

If the update works as expected, no issues -> You don't have to reenter it.
However, if something fails, you will need to reenter your mnemonic code again.

You should NOT attempt to do an upgrade without having the 24 words. If you are not sure whether the words you have are the correct one, boot a live linux syste via USB on an disconnected computer (no internet) and check whether the words 1) are valid and 2) generate your addresses.




Simply start ledger live, and do the firmware upgrade. It will handle everything itself.

I'd also think that after 7 years you'd be able to correctly speak whether you imported a private key or an address.. But unfortunately that's not the case either..


You might start off with telling what you exactly did. 'I tried importing' doesn't tell what and how you tried to accomplish it.

You can import private keys in the section: Wallet properties -> Import.

Also, as nc50lc already said, you wan't to import the key, not sweep it.


Note, that this private key will NOT be included in the backup you have of your armory wallet. It has to be backed up separately.

Not necessarily.

If the application allows to be run in debug mode, there is a better way doing it (instead of rooting):

• Enable developer options on android
• Connect phone to computer
• Access phone via adb shell
• Run the app in debug mode (via adb) -> Voila. You can access all files of this application

I'd also recommend everyone to never root your phone if it is not absolutely necessary. You compromise a lot of security when rooting your mobile.
You are basically disabling all security measurements regarding application- / data- encapsulation.

That's simple. Money.

Scammers are everywhere where money can be made.

That's the reason it is important to only use well-known exchanges and not some new ones or ones with extremely low volume.
The lower the volume is, the easier it is to manipulate the price.

Depending on your country of residence, you might not have access to all exchanges. But choose the most suitable for you (trading the coins you need, large enough, reputable).

Since when is this the case ?

Unfortunately i am not at home currently, so can't test it. Did it happen after an update for something ? Or did it randomly occur ?
I will definitely test signing a transaction via nano s + electrum when at home and report the result here.

Well, pooya87 already mentioned your two options.

The question is.. do you want to offer your customer the chance to buy your shirts with BTC while you receive euros ?
Or do you want to receive bitcoins and decide for yourself whether / when to sell them ?

It is mandatory to know what kind of currency you want to receive. Any subsequent step depends on this.

Usually this is done pretty fast.

How many inputs is your transaction consuming ? A (very) large amount of inputs can delay the process of signing by a lot.

Additionally, please answer these questions:

• What OS are you using ?
• What electrum version are you using ?
• What nano s firmware version are you using ?
• Is your BTC app (on the nano s) up-to-date ?

This is quite old already.

Exodus is not a wallet which is very security-orientated. And neither is jaxx.




Anyone who can afford it should go for a hardware wallet.
They cost around 60$. That's not too much considering the security and convenience it combines.

If you have BTC worth 200$+, i would spend 60 of them for a hardware wallet.
Better have 120$ worth of BTC protected, than risking losing all 200$ equivalent of BTC.

You do not have to actively do something to receive a transaction.

As TryNinja already said, check your transaction on a blockchain explorer.
If it shows as confirmed there (note: will show as unspent then -> unspent means you didn't spent them yet), you don't see it because you are not connected (indicated by the orange/red circle).

If you aren't using a VPN and are not from a country which heavily restricts the internet, the electrum server you are connected to is under attack or otherwise not accessible.
In this case, you might ask mocacinno to whitelist your IP for his private electrum server.


Note: As long you have a backup of your seed (12 word mnemonic code), you will always have access to your BTC, regardless of the wallet used.

With quantum computing 

It is magic machine.

Whether it is a 12- or 24- word mnemonic code doesn't matter, i think.
It matters how many combination you have to try out, and this is dependent on the amount of missing words.

Since the base character set is 2048, the difference between guessing 4 compared to 5 words should be 2048 times less time consuming.
Which would mean that it should take 240 (months in 20 years) / 2048 = ~ 0.12 months. So about 3,5 days (given that 20 years for 5 words is the correct amount of time).


But the 20 years were calculated according to this:

This might not be the actual time it takes. I currently don't know how many mnemonics are possible per second on which machine.

So it additionally depends on the machine from OP and the program / algorithm used.


My calculation above obviously assumes that all known words are in the correct order and the position of the missing words are known.

Whether it is recoverable with 8 of 12 words depends on two things:

• Are the positions of the missing words known ?
• Is the Order of the 8 words known ?

If you know the position of the missing words AND the position / order of the known 8 words is correct -> It is possible.
If you know the position of the missing words, but the order of the 8 known words is unknown -> Not possible.
If you do NOT know the position of the missing words, but know the order of the 8 known words -> Should be possible (didn't calculate yet).

We can give you a definite answer after you reply to these 2 questions (Order of 8 words known? / Position of missing words known?)

There it is again. The magic everything-solving-machine called quantum computer 

I like how people - who are extremely far away from that topic - believe that quantum computers are a magic machine which can solve almost any mathematical problem in a short amount of time.


So.. quantum computing will break ECDSA in like a couple years ?    Wtf dude, what did you smoke ?
Quantum computing is BY FAR not developed enough to be used for something useful yet. And it definitely won't be in 'a couple of years'..

Even if quantum computers would be ready to do that by then.. there first has to be an efficient algorithm developed. There aren't much quantum computing algorithms available yet..
It is not like you say 'Hey quantum computer, give me private key of satoshi' and 10 minutes later you get the result.. It is slightly more complicated than that.. even if non-techy people like you can't believe it..

This would make it necessary to keep the backup up-to-date with the latest 'version' of your HD password manager file.
Which.. destroys the purpose one want to use a HD password manager (to not having to update all backups after changing / updating a password).




Again, both of these approaches need you to update your backup file regularly after changes.
If you need to do this, you don't have a reason to use a HD password manager.

The whole sense of a HD password manager is to have 1 backup file generated, and not having to update it anymore.
Without this advantage, there is no good reason to use a HD manager instead of a standard password manager.




But you still can't add other sensitive information which you want to be stored inside there.
If i want to store my private key to a specific address there.. i can't. Obviously i do not want to create a new one in this scenario.. i want to save a specific one saved there.
This works in standard password managers, but not in a HD one.


In the end, if you need to update the backup file, you only have disadvantages - and no advantages - using a HD password manager compared to a 'normal' one.