Bitcoin Forum
Author Topic: The best Bitcoin cold storage?  (Read 19312 times)
gollum
February 28, 2014, 01:17:14 PM
 #81

We should ask Mark Karpeles what kind of cold storage he used, so we don't make the same mistake :D
DaFockBro
March 02, 2014, 02:25:31 AM
 #82

We should ask Mark Karpeles what kind of cold storage he used, so we don't make the same mistake :D

I heard he kept all the btc on a waterproof flashdrive at the bottom of an iced coffee.
Cassius
March 02, 2014, 08:14:21 AM
 #83

Ha.... I don't keep much on my ring.
Wonder if Shrem was wearing it when he was arrested, and if any of the cops was smart enough to copy the private key off it.
I'd like a way of making them that minimises trust. Any ideas?

Trust, security against what?
There are many risks here. Robbery for the ring, robbery for the coins, the goldsmith steals your stuff, you want to quickly access your funds, inheritance, the list goes on and on.. :-)

So, generally speaking, we don't need one solution, but a whole system. And this one will be different depending on use case.

Ente

True, though I mean specifically my case, where I make rings/jewellery etc for other people. I don't like the idea of them sending me encrypted keys, since they will only be as strong as the password they choose (and remember).
frankenmint
March 02, 2014, 08:18:05 AM
 #84

We should ask Mark Karpeles what kind of cold storage he used, so we don't make the same mistake :D

I heard he kept all the btc on a waterproof flashdrive at the bottom of an iced coffee.

He forgot about it and threw away the container in frustration. Now the flashdrive is in a junkyard in the landfill in the UK sharing tea and crumpets with the 7K BTC hard drive.

Cassius
March 02, 2014, 08:19:59 AM
 #85

We should ask Mark Karpeles what kind of cold storage he used, so we don't make the same mistake :D

I heard he kept all the btc on a waterproof flashdrive at the bottom of an iced coffee.

It looks like his basic problem was not understanding the difference between cold and hot storage. But I don't know why that surprises me...
Ente
March 02, 2014, 09:32:43 AM
 #86

Ha.... I don't keep much on my ring.
Wonder if Shrem was wearing it when he was arrested, and if any of the cops was smart enough to copy the private key off it.
I'd like a way of making them that minimises trust. Any ideas?

Trust, security against what?
There are many risks here. Robbery for the ring, robbery for the coins, the goldsmith steals your stuff, you want to quickly access your funds, inheritance, the list goes on and on.. :-)

So, generally speaking, we don't need one solution, but a whole system. And this one will be different depending on use case.

Ente

True, though I mean specifically my case, where I make rings/jewellery etc for other people. I don't like the idea of them sending me encrypted keys, since they will only be as strong as the password they choose (and remember).

For people sending someone else their keys to engrave or similar:

- Trust the creator, like Mike/Casascius
- Encrypt the key, there's a BIP for that (and remember the password)
- Split the key between several rings/engravers (Shamir's SSSS, or half a key for each)

In all three cases the user has to trust someone: the engraver, himself or the engravers.
I, personally, don't like to need a password for my cold storage. Cold storage is, for me, the absolute last resort when everything else went up in flames (literally, computer burned away, or I am not able to redeem any coins any more).

Ente
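The key-splitting option from the post above, worked through as an added example (not code from the thread or from any product mentioned in it): a 2-of-3 Shamir split of a private key, where, unlike handing each engraver half of the key, a single share reveals nothing about it. The function names and the sample key are assumptions made for the illustration.

```python
import secrets

# Order of the secp256k1 group (a prime). Valid private keys are 1..N-1, so
# doing the arithmetic in GF(N) makes every share the same size as a key.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def split_key(secret, threshold, shares):
    """Return `shares` points (x, y); any `threshold` of them recover `secret`."""
    if not 1 <= secret < N:
        raise ValueError("not a valid secp256k1 private key")
    if not 2 <= threshold <= shares:
        raise ValueError("need 2 <= threshold <= shares")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod N
            y = (y * x + c) % N
        points.append((x, y))
    return points

def recover_key(points):
    """Lagrange interpolation at x = 0 over GF(N)."""
    if len({x for x, _ in points}) != len(points):
        raise ValueError("duplicate share index")
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * -xj % N
                den = den * (xi - xj) % N
        # den is non-zero mod N, so Fermat's little theorem gives its inverse.
        secret = (secret + yi * num * pow(den, N - 2, N)) % N
    return secret

if __name__ == "__main__":
    key = int("11" * 32, 16)                # constructed sample key, not a real one
    ring_a, ring_b, ring_c = split_key(key, threshold=2, shares=3)
    assert recover_key([ring_a, ring_c]) == key
```

Each engraver would receive one `(x, y)` pair; the split itself has to be done by the owner on an offline machine, since whoever runs `split_key` sees the whole key.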
Cassius
March 02, 2014, 10:16:02 AM
 #87

Ha.... I don't keep much on my ring.
Wonder if Shrem was wearing it when he was arrested, and if any of the cops was smart enough to copy the private key off it.
I'd like a way of making them that minimises trust. Any ideas?

Trust, security against what?
There are many risks here. Robbery for the ring, robbery for the coins, the goldsmith steals your stuff, you want to quickly access your funds, inheritance, the list goes on and on.. :-)

So, generally speaking, we don't need one solution, but a whole system. And this one will be different depending on use case.

Ente

True, though I mean specifically my case, where I make rings/jewellery etc for other people. I don't like the idea of them sending me encrypted keys, since they will only be as strong as the password they choose (and remember).

For people sending someone else their keys to engrave or similar:

- Trust the creator, like Mike/Casascius
- Encrypt the key, there's a BIP for that (and remember the password)
- Split the key between several rings/engravers (Shamir's SSSS, or half a key for each)

In all three cases the user has to trust someone: the engraver, himself or the engravers.
I, personally, don't like to need a password for my cold storage. Cold storage is, for me, the absolute last resort when everything else went up in flames (literally, computer burned away, or I am not able to redeem any coins any more).

Ente

Thanks. That sounds about right. I don't like the idea of encrypting cold storage keys either, though I think generally obfuscating them a bit is a good idea. Neither do I like the idea of being trusted: even if I am trustworthy, if the coins get stolen somehow then I'll naturally fall under suspicion.
Myself, I'd plan on several cold/hot wallet variations to spread the risk.
I think this is actually one of the barriers to proper bitcoin adoption at the moment. Until we have more storage and insurance services, most people won't like the idea of "keeping" their coins in the form of a long number somewhere. Most likely that's only really going to appeal to hardened bitcoiners, who understand the protocol well enough to do it properly.
tomjohndang
March 02, 2014, 02:26:17 PM
 #88

The problem with traditional 'physical' cold storage solutions is yes they may be offline, but they are not immune to natural disaster, theft or loss. I found https://www.cryowallet.com which kinda gives you the best of both worlds. Your wallet can be 'evoked' when you log in. Nothing executes on their servers, everything runs locally in your browser memory and when you logout there's no trace left on your machine. Not even they have access to your private keys/coins. So they can't be hacked, you can't be hacked and in the event of a disaster of some sort, you can evoke your wallet from any device.
Aido
March 02, 2014, 02:32:43 PM
 #89

Metal Bitcoin firesafes seem to be a good idea. Aluminium and stainless steel ones are available. One poster suggested that a Titanium one would be even better.

I recall seeing a thread somewhere also offering wooden versions.


Interesting Bash command line, try it ;) :
bitcoin-cli sendtoaddress 1Aidan4r4rqoCBprfp2dVZeYosZ5ryVqH6 `bitcoin-cli getbalance`
DaFockBro
March 06, 2014, 06:46:34 AM
 #90

Metal Bitcoin firesafes seem to be a good idea. Aluminium and stainless steel ones are available. One poster suggested that a Titanium one would be even better.

I recall seeing a thread somewhere also offering wooden versions.



That's a good idea as long as the safe is small and cleverly hidden.

Having a safe in your closet or behind a picture frame is like putting up a neon sign that says, "here are my valuables!"
Cassius
March 06, 2014, 08:05:22 AM
 #91

No real need. How easy is it to hide a private key somewhere? A safe just tells people what's in it is valuable. Usually I'd despise security by obscurity; in this case it makes sense.
ecoinocity
April 14, 2014, 05:09:18 AM
 #92

Everything is explained here http://ecoinocity.com/make-or-buy-metal-offline-cold-storage-hardware-bitcoin-wallet/ on how to make or buy a metal cold storage bitcoin wallet. It will withstand a fire but will be even safer when stored in a safe deposit box in your local bank. Also make a copy and keep it in a fire proof safe in your home. This is hacker proof.
Also once the wallet is created there are particular procedures you need to follow (see the post url listed above). For example you must empty the whole balance and do not reuse the wallet.
http://ecoinocity.com/wp-content/uploads/2014/02/metalbitcoinwalletbest2-300x225.jpg
Dabs
April 14, 2014, 05:53:45 AM
 #93

Make sure no one is "shoulder surfing" you when you make your cold wallet. Or make sure there are no webcams hidden in your room. Enemy of the State or Anti-Trust or stuff like that. Don't forget to wear your tin foil hat.

Speaking of which, make sure your monitor is properly shielded to prevent signals flying to the white van outside, where they can read everything that you see.

You could argue for the case of using casino grade dice to generate private keys. Alternatively there are hexadecimal dice. Read about diceware, apply the same thought process to private key generation.

Personally, just use an old computer or laptop in a secure room or basement of your location.
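The dice approach from the post above, as an added example (not code from the thread): each roll becomes one base-6 or base-16 digit of the key, and the result is checked against the secp256k1 group order rather than reduced modulo it. It assumes faces numbered 1 to `sides`; the function names are made up for the illustration.

```python
# secp256k1 group order: a valid Bitcoin private key k satisfies 1 <= k < N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def rolls_needed(sides):
    """Largest roll count whose outcomes still fit in 256 bits.

    A six-sided die gives 99 rolls (about 255.9 bits, always below N);
    a hexadecimal die gives 64 rolls (exactly 256 bits).
    """
    count = 0
    while sides ** (count + 1) <= 2 ** 256:
        count += 1
    return count

def dice_to_private_key(rolls, sides=6):
    """Turn physical dice rolls into a 64-hex-digit private key.

    Returns None when the value is 0 or >= N. The caller then re-rolls
    instead of taking the value mod N, which would favour small keys.
    """
    need = rolls_needed(sides)
    if len(rolls) != need:
        raise ValueError(f"need exactly {need} rolls of a d{sides}")
    value = 0
    for face in rolls:
        if not 1 <= face <= sides:
            raise ValueError(f"face {face} is not on a d{sides}")
        value = value * sides + (face - 1)   # append one base-`sides` digit
    if not 1 <= value < N:
        return None
    return format(value, "064x")

if __name__ == "__main__":
    # Constructed rolls for demonstration only; real rolls come from real dice.
    sample = [3, 1, 6, 2, 5, 4] * 16 + [2, 2, 5]
    print(dice_to_private_key(sample))
```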

x86Daddy
April 14, 2014, 07:28:32 AM
 #94

Check out the Bitcoin Firesafe.  It's a chunk of Aluminum or Stainless Steel with a QR Code of your BIP-38 encrypted key engraved into it...  so the manufacturer can't have access to your funds, and the instrument is 2-factor secure... i.e. if it is ever stolen from you, it is still useless without the password.  There are discounts for duplicates too.

Stainless:


Aluminum:


Disclosure: I invented and sell this.
Ente
April 14, 2014, 08:17:52 AM
 #95

Check out the Bitcoin Firesafe.

Steel? Engraved? BIP0038? Finally a commercial solution which does it right!
Good work!

Ente
Brangdon
April 14, 2014, 09:27:24 AM
 #96

Check out the Bitcoin Firesafe.  It's a chunk of Aluminum or Stainless Steel with a QR Code of your BIP-38 encrypted key engraved into it...  so the manufacturer can't have access to your funds, and the instrument is 2-factor secure... i.e. if it is ever stolen from you, it is still useless without the password. 
If you can remember the password used to encrypt the private key, why not just make the private key the SHA256 hash of the password? Then there's no need to store anything.

Bitcoin: 1BrangfWu2YGJ8W6xNM7u66K4YNj2mie3t Nxt: NXT-XZQ9-GRW7-7STD-ES4DB
Cassius
April 14, 2014, 09:27:55 AM
 #97

Awesome!
Ente
April 14, 2014, 09:49:46 AM
 #98

Check out the Bitcoin Firesafe.  It's a chunk of Aluminum or Stainless Steel with a QR Code of your BIP-38 encrypted key engraved into it...  so the manufacturer can't have access to your funds, and the instrument is 2-factor secure... i.e. if it is ever stolen from you, it is still useless without the password. 
If you can remember the password used to encrypt the private key, why not just make the private key the SHA256 hash of the password? Then there's no need to store anything.

True.
With the BIP0038 approach, you have both more risk (you can lose the QR code) and more security ("2 factor").

Also, the passphrase for a direct SHA256 output needs to be *very* secure, as there are already many automated brainwallet harvesters out there. I don't want to imagine how much hashing power they are throwing at this. Your brainwallet is attacked since the instant it exists.

On the other hand, BIP0038 passwords are much more difficult to calculate or to brute-force. Also, attacking your individual QR wallet can only start when someone learned the QR code. Which, normally, you will notice, with enough time to sweep it.

For this, I would recommend to cover the QR code. It's no good idea to let everyone know "hey, I spent a lot of time and money on securing my bitcoins, and here they are!". And with the QR code visible on your keychain, it's too easy for others to scan it.

Glue a picture of your significant other on it:
- No one will steal it
- You can honestly say "that's my most precious thing I have!" :-)

Ente
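The difference between the two schemes compared in the post above, as an added example (not code from the thread): SHA256 of the passphrase is unsalted and costs one hash per guess, while BIP-38 stretches the passphrase with scrypt (n=16384, r=8, p=8) salted by a hash of the address, so guesses are slow and tied to one engraved key. The function names and both address strings are constructed for the illustration.

```python
import hashlib
import time
import unicodedata

def brainwallet_key(passphrase):
    """Scheme from the thread: private key = SHA256(passphrase), no salt."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()

def bip38_stretch(passphrase, address):
    """BIP-38 (non-EC-multiply) passphrase stretching.

    Salt is the first 4 bytes of SHA256(SHA256(address)); the 64-byte output
    is what BIP-38 then uses to encrypt the private key.
    """
    salt = hashlib.sha256(
        hashlib.sha256(address.encode("ascii")).digest()).digest()[:4]
    pw = unicodedata.normalize("NFC", passphrase).encode("utf-8")
    return hashlib.scrypt(pw, salt=salt, n=16384, r=8, p=8,
                          dklen=64, maxmem=64 * 1024 * 1024)

def seconds_per_guess(fn, *args, repeat=1):
    """Average wall-clock cost of testing one candidate passphrase."""
    start = time.perf_counter()
    for _ in range(repeat):
        fn(*args)
    return (time.perf_counter() - start) / repeat

def compare(passphrase, addr_a, addr_b):
    """Cost per guess for both schemes, and whether the output is per-address."""
    return {
        "sha256_s": seconds_per_guess(brainwallet_key, passphrase, repeat=1000),
        "bip38_s": seconds_per_guess(bip38_stretch, passphrase, addr_a, repeat=2),
        "salted": bip38_stretch(passphrase, addr_a)
                  != bip38_stretch(passphrase, addr_b),
    }

if __name__ == "__main__":
    # Constructed placeholder strings, not real addresses.
    print(compare("correct horse battery staple",
                  "1ConstructedAddressAAAAAAAAAAAAAAA",
                  "1ConstructedAddressBBBBBBBBBBBBBBB"))
```

Because the brainwallet hash has no salt, one pass over a guess list covers every SHA256 brainwallet at once; the scrypt work has to be redone for each BIP-38 key.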
Brangdon
April 14, 2014, 10:08:08 AM
 #99

If you can remember the password used to encrypt the private key, why not just make the private key the SHA256 hash of the password? Then there's no need to store anything.

True.
With the BIP0038 approach, you have both more risk (you can lose the QR code) and more security ("2 factor").
Acknowledged. My real thought here is that many of these storage options seemed designed to outlast their owners. As such they should perhaps be self-contained and not rely on a password stored within a fragile skull.

(Actually, some of them seem designed to outlast the internet.)

Quote
Also, the passphrase for a direct SHA256 output needs to be *very* secure, as there are already many automated brainwallet harvesters out there. I don't want to imagine how much hashing power they are throwing at this. Your brainwallet is attacked since the instant it exists.
Really? If I transfer 100 BTC to a new brainwallet, how does anyone know that the address is a brainwallet that is worth attacking? Are people attacking every address that has significant funds?

Cassius
April 14, 2014, 01:53:25 PM
 #100

If you can remember the password used to encrypt the private key, why not just make the private key the SHA256 hash of the password? Then there's no need to store anything.

True.
With the BIP0038 approach, you have both more risk (you can lose the QR code) and more security ("2 factor").
Acknowledged. My real thought here is that many of these storage options seemed designed to outlast their owners. As such they should perhaps be self-contained and not rely on a password stored within a fragile skull.

(Actually, some of them seem designed to outlast the internet.)

Quote
Also, the passphrase for a direct SHA256 output needs to be *very* secure, as there are already many automated brainwallet harvesters out there. I don't want to imagine how much hashing power they are throwing at this. Your brainwallet is attacked since the instant it exists.
Really? If I transfer 100 BTC to a new brainwallet, how does anyone know that the address is a brainwallet that is worth attacking? Are people attacking every address that has significant funds?


Yes. And the attacks are very sophisticated and powerful.