LUKS will only benefit you if someone like your local police department physically takes the hard drive out of the computer and takes it away. It's more likely to give you headaches with data recovery because restoring LUKS partitions is convoluted. A single bad modification to the partition can cause total data loss, which you do not want to deal with on a disk with wallet.dat files.
That's exactly the sort of thing I can live without!!
I'm quoting a relevant comment from Dave McKay from an excellent tutorial on the use of gocryptfs at https://www.howtogeek.com/686779/how-to-encrypt-files-with-gocryptfs-on-linux/
Simple systems have the advantage of being used more often, while more complicated processes tend to fall by the wayside. Using gocryptfs is not only simple, it’s also secure. Simplicity without security wouldn’t be worthwhile.
|
|
|
No offense taken, timeshift isn't a great tool for those who can use rsync directly and know a bit about linux directory structure. IMO timeshift is worth it for newbies (who use the default partition configuration without LVM/LUKS) or lazy users (who know how to restore the OS manually if timeshift breaks something).
I know it's easy, but it's annoying especially if you use LVM, LUKS or both of them.
I haven't used LVM (yet). When I started my current linux project I was (and still am) afraid of losing mission critical data with LVM. To be honest, I have to do some additional learning concerning LVM. I might try it in a future project without grouping physical volumes. At the moment I use gpt partitioning with ext4 partitions. Haven't tried LUKS either or any other block device encryption (yet). In this respect I am also worried about an additional point of failure, possible increase of hardware wear, ... For now I like the simplicity of a stacked FS, and the option of having certain folders encrypted, while actually operating the system. Having said all that, I am always open to new ideas and reconsidering my points of view.
|
|
|
I don't use scripts with gocryptfs. Its commands are very simple. Mount the cipherdir with
    gocryptfs <cipherdir> <mountdir>
Unmount it with
|
|
|
I have to say it's quite a bit of work, especially manually changing the UUIDs in fstab. Do you prioritize having the OS with all applications and files in any condition over the convenience offered by backup software (such as timeshift)?
No offence, but after trying to recover a system state with timeshift once, and got left with an unbootable system, I do not want to try it again. IMHO, timeshift is not worth anything, and the same goes for Mint that has timeshift as a pre-installed application; Mint that embraces MS concepts, like not being able to exclude certain updates. Rsync options cannot fit in a gui in any sane way. Using a gui for critical tasks is way more dangerous than the cli. There's a reason why Ubuntu will not let you edit files as root in a gui text editor any more. Changing UUIDs in /etc/fstab is just copying and pasting three strings, and nano editor is very easy to use, especially since I use a persistent (customizable) live USB, which you can create in debian based distros with https://help.ubuntu.com/community/mkusb.
|
|
|
You can get the masterkey any time with
    $ /usr/bin/gocryptfs-xray -dumpmasterkey myfs/gocryptfs.conf
Whenever you print passwords in the terminal delete history with
    $ cat /dev/null > ~/.bash_history ; history -c
But what happens if Electrum won't start for some reason (or your computer dies) and you must manually copy the wallet file somewhere else?
It looks like each wallet file is encrypted by itself, so now there's an AES-encrypted file that you somehow have to decrypt before you can open it.
How can the wallet be decrypted in such cases? I have read from the tool website that there is a master key which allows for access but I'm not quite sure how to use it off-line if it's only printed at mount time:
Wallets definitely sound like important data to me. Does this mean we're also going to have an offline wallet backup stashed away somewhere on an external disk or USB?
If you decide to use the gocryptfs for any data, there is a gocryptfs.conf file that you have to back up in case it gets corrupted, or you can use the masterkey instead.
My concept to avoid being sorry as much as possible is to make copies, copies, copies ... I always have 3 bootable OSs with all their programs (home dir, etc) on my hard disk. I also have 2 external disks and each one has another 3 copies of the complete OS with everything. So at any given time I have 9 copies of everything that I try to update 3 times per month. Every time I update, I boot a different clone just to make sure everything works.
By the way you can copy the OS partition without losing any file attributes from anywhere with
    # rsync -aAHXsh --delete --preallocate --info=progress2,stats2 <source> <dest>
You have to run this as root from a live USB. After doing this you have to change UUIDs of the updated partitions to get the UUIDs
    $ sudo nano <clone-path>/etc/fstab
to update UUIDs for /, /boot/efi and [SWAP] (if you have a swap partition)
You can boot with the http://www.rodsbooks.com/refind/ bootloader and install grub again with
    sudo grub-install /dev/sdX
    sudo update-grub
This means I also have 9 functional copies of my electrum wallets always. In older times that I did not have the above concept, when I got a new hard disk, I created a new wallet with my seed. Mind you external clones are not portable to other systems. They are bound to the system they were copied from.
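A check for the fstab step described in the post above, as an added example that is not part of the original post: it lists entries in a clone's fstab whose UUID matches no filesystem in a supplied UUID list, which is the situation that leaves a freshly synced clone unbootable. The function names and the sample fstab and UUID values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# stale_fstab_uuids FSTAB UUID_LIST
#   FSTAB     - the clone's etc/fstab
#   UUID_LIST - file with one filesystem UUID per line (e.g. saved `lsblk -no UUID`)
# Prints "<mountpoint> <uuid>" for each UUID= entry that matches no listed
# filesystem; returns 1 if any such entry exists.
stale_fstab_uuids() {
    awk '
        FILENAME == ARGV[1] { if ($1 != "") known[tolower($1)] = 1; next }
        /^[ \t]*(#|$)/      { next }              # comments and blank lines
        $1 ~ /^UUID=/ {
            uuid = substr($1, 6)                  # text after "UUID="
            if (!(tolower(uuid) in known)) { print $2, uuid; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$2" "$1"
}

# Constructed sample data (not real system output): the clone still carries the
# source system's UUID for /, while /boot/efi and swap were already updated.
demo_stale_check() {
    tmp=$(mktemp -d) || return 2
    cat > "$tmp/fstab" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=11111111-2222-3333-4444-555555555555 /         ext4 errors=remount-ro 0 1
UUID=AAAA-BBBB                            /boot/efi vfat umask=0077        0 1
UUID=99999999-8888-7777-6666-555555555555 none      swap sw                0 0
EOF
    cat > "$tmp/uuids" <<'EOF'
aaaa-bbbb
0f0f0f0f-1111-2222-3333-444444444444
99999999-8888-7777-6666-555555555555
EOF
    rc=0
    stale_fstab_uuids "$tmp/fstab" "$tmp/uuids" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo_stale_check || echo "stale UUIDs listed above: edit the clone's etc/fstab"
```

The comparison is case-insensitive because vfat UUIDs are commonly shown in upper case.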
|
|
|
From the man page description: Fusermount(1)
Filesystem in Userspace (FUSE) is a simple interface for userspace programs to export a virtual filesystem to the Linux kernel. It also aims to provide a secure method for non privileged users to create and mount their own filesystem implementations.
From the gocryptfs https://github.com/rfjakob/gocryptfs/blob/master/Documentation/MANPAGE.md
-allow_other
By default, the Linux kernel prevents any other user (even root) to access a mounted FUSE filesystem. Setting this option allows access for other users, subject to file permission checking. Only works if user_allow_other is set in /etc/fuse.conf. This option is equivalent to "allow_other" plus "default_permissions" described in fuse(8).
Only if you pass the gocryptfs -allow_other option can root access the fuse mount, otherwise it's impossible, and as you see, it requires additional config to achieve this.
|
|
|
No problem
Make sure to pick a somewhat random password (no sentences, words, special dates, etc..). 16 chars is already a pretty good length. Depending on the charset, this should be sufficient already. I use passwords with a lot of special chars that don't make any sense. A somewhat modern system won't get slowed down much by full disk encryption. The bottleneck most likely still will be the disk itself, instead of the additional operations required for encrypting/decrypting. But this obviously completely depends on your actual system.
I use ubuntu 20.04 lts. The disk has many partitions with OS clones, KVM virtual machines .... I am afraid, based on my current skills, to complicate things any further.
|
|
|
Electrum's built-in password protection is already an encryption, no further encryption mechanisms required.
Thanks, I'll do as you suggest! I have a wallet password that is 16 chars long, I'll add a few more chars to it.
If that's your concern, you'd better encrypt the whole disk/partition rather than a specific directory. If you only encrypt a specific directory, the thief can still access your personal data (e.g. browsing history) and log files (could be used to analyze your behavior).
For the moment I prefer a hybrid solution, as it does not slow down the system, and being a newbie with encryption systems, I am afraid I might ruin my whole OS installation.
|
|
|
Well I guess then, my idea is excessive, bob123. A different attack vector is if the laptop is stolen.
|
|
|
How about encrypting /home/user/.electrum/wallets for the case of unauthorized system access, with the stacked cryptographic fs https://nuetzlich.net/gocryptfs/? The idea behind a cryptographic stacked file system https://wiki.archlinux.org/index.php/Data-at-rest_encryption#Stacked_filesystem_encryption is to selectively encrypt sensitive folders. Move the directory wallets into a cipherdir, the lower directory, create an empty wallets directory at ~/.electrum/, the upper directory, where we mount the cipherdir before accessing our wallets and unmount the cipherdir after we close our wallets, with fusermount. I've used gocryptfs for some weeks now, first on trivial data, and now on important data without any problems so far. It has an option to check the cipherdir for corruption. Is this a good idea?
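A guard for the setup in the post above and for the -allow_other behaviour quoted in the earlier post, as an added example that is not part of the original posts: it reads a mount table and reports whether the upper directory is an active gocryptfs mount and whether that mount was opened to other users. The function names and sample mount lines are constructed, and it assumes gocryptfs mounts appear with type "fuse.gocryptfs" and that paths contain no spaces.

```shell
#!/bin/sh
# Added example, not from the original posts.

# gocryptfs_mount_state MOUNTS DIR
#   MOUNTS - file in /proc/mounts format
#   DIR    - upper directory (mountpoint), e.g. /home/user/.electrum/wallets
# Prints "unmounted", "private" or "shared" (allow_other is set).
gocryptfs_mount_state() {
    awk -v dir="$2" '
        $2 == dir && $3 == "fuse.gocryptfs" {     # assumed type string
            state = "private"                     # later entries shadow earlier ones
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "allow_other") state = "shared"
        }
        END { print (state == "" ? "unmounted" : state) }
    ' "$1"
}

# Constructed sample in /proc/mounts format (not real system output).
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/home/user/cipher/wallets /home/user/.electrum/wallets fuse.gocryptfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,max_read=131072 0 0
/home/user/cipher/docs /home/user/docs fuse.gocryptfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,default_permissions,allow_other,max_read=131072 0 0
EOF
}

# Returns 0 only when DIR is a gocryptfs mount limited to the mounting user.
check_before_electrum() {
    state=$(gocryptfs_mount_state "$1" "$2")
    case $state in
        private) echo "ok: $2 is mounted and private" ;;
        shared)  echo "warn: $2 is mounted with allow_other"; return 1 ;;
        *)       echo "stop: $2 is not mounted, wallets would be stored unencrypted"; return 2 ;;
    esac
}

tmp=$(mktemp) && write_sample_mounts "$tmp"
for d in /home/user/.electrum/wallets /home/user/docs /home/user/unmounted; do
    check_before_electrum "$tmp" "$d" || true
done
rm -f "$tmp"
```

On a live system the first argument would be /proc/mounts; the "stop" case covers the empty upper directory being used while the cipherdir is not mounted.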
|
|
|
AFAIK, not all wallets support import master private key. So the best way is to generate a new wallet using your new wallet and dump your old wallet by sending all your bitcoins to your new wallet.
Very good explanation, thank you!
|
|
|
But keep in mind that you should never import keys from one wallet into another or you would be increasing your risk of losing your coins to possible bugs or other issues.
Good to know! So the best thing is actually to send the funds with a transaction.
This means that if you export a "master private key" from Electrum and import it into a BIP39 wallet, you may run into problems with the derivation path and deriving the wrong set of addresses.
Excellent elaboration; I will avoid doing this.
|
|
|
Thanks again, it is all clear now!
|
|
|
Thanks hosseinimr93 for the info!
Yes, you can derive all your private keys using the master private key.
Could you elaborate how it is done?
|
|
|
From the reading I've done so far, I came to understand that we cannot use the seed, as it is not compatible with other wallets. Do not really understand if the master private key (mpk) can do this. Is then exporting the private keys from electrum and inserting them on another non-electrum wallet, the best way?
|
|
|
I appreciate all the help. All of you clarified the issue from all possible angles.
|
|
|
So as I understand it, since I used "freeze coin" on the "dust", I can spend the 0,00008 I still have on the same address without being tracked by the dust.
|
|
|
Thanks guys, I froze the input with the "freeze coin option"
but does it make a difference that it was received on the same address I received the 0,00008 from the rbf transaction?
|
|
|
Being a newbie that wants to test rbf, I sent 0,00008 btc from my legacy to my segwit wallet with around 15 sat/byte, I think initially, and after couple of days increased with rbf to 20 sat/byte. I now see, that one day before the 0,00008 finally confirmed in my receiving wallet, there was another receiving transaction at the same address with 0,00000547, and clicking at " view transaction" it shows 1 input, but 608 outputs. The first ones look unusual, to me at least 1Lets1xxxx1use1xxxxxxxxxxxy2EaMkJ 0.00000547 1fuLL1xxxx1power1xxxxxxxxxxzatvCK 0.00000547 1of1xxxxx1anonymity1xxxxxxxz9JzFN 0.00000547 1See1xxxx1memo1xxxxxxxxxxxxxBuhPF 0.00000547 1dot1xxxxx1sv1xxxxxxxxxxxxxwYqEEt 0.00000547 1topic1xxx1hmwyda1xxxxxxxxxvo8wMn 0.00000547 1xxxxxxxxxxxxxxxxxxxxxxxxxy1kmdGr 0.00000547 1hxGEmBzgq5ajxV3Bwok3ZoznbDvVnMKS 0.00000547 1QFSqoGYvRt14BjLy4uW4uYyd3eXtx46kn 0.00000547 1Kq3u251CDLWA9Q1QxfgV7bniPPyVY8Vd8 0.00000547 and the last ones show this very large amount 1CgcHCJLpmv9smAHACawqjngUNXfTK2vnW 0.00000547 32ZyPi4mcCyQzzimPFx7CzaNFpqo4NZQAe 0.00000547 38VxrMr6uqBw9LiTwfA7KRUJYw5ta3P4y3 0.00000547 bc1q5lp47pgt3tnjr6p9pmnrgxdnf2usswusp0n7kg 0.00000547 1Lcijfte9ZhMKwMZFnXtxMj7x16ezx2Dgi 0.00000547 3HgC1PThXfvngoAzmaYaQybRc1foTebFrQ 0.00000547 1PRZKLnosh28cMHQBTopVWY9VsThCPMuds 0.00000547 39gMkotoGo163ke5fxsoifdq4BKBHTmK8w 0.00000547 bc1qrhy27g74l8x5zakjn9hq8zmk8gmzjuqtjnhpa4 [b]16.38010065[/b] Is this normal? Is it like change leftover from the fee? I'm planning to move all my funds from my legacy to my segwit wallet, so I am wondering if it would be safe to use rbf with a large amount.
|
|
|
I used the following command successfully.
python3 -m pip install -U pycryptodomex
Collecting pycryptodomex
  Downloading pycryptodomex-3.9.9-cp38-cp38-manylinux1_x86_64.whl (13.7 MB)
     |████████████████████████████████| 13.7 MB 5.2 MB/s
Installing collected packages: pycryptodomex
Successfully installed pycryptodomex-3.9.9
The part, is from the instructions at https://electrum.org/#download
I also tried without the flag, but it wouldn't work. Thanks a lot guys