Bitcoin Forum
December 09, 2016, 03:44:22 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 »  All
  Print  
Author Topic: How I manage and protect my wallets (Ubuntu Linux)  (Read 15263 times)
bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
June 11, 2011, 04:00:43 PM
 #1

I want to tell you, how I manage my wallets. The purpose of this thread is to exchange ideas, and to analyse how well the ideas of others work.

Setup:
My main computer is a laptop with a recent version Ubuntu Linux. In addition to my user account, I made a new account for bitcoin only with an encrypted home directory.
- The password is pretty strong (12 characters, including upper and lower letters, numbers and special characters).
- I don't run any programs with this special account except for bitcoin.
- The files of this special user are strongly protected by encryption, when he is not logged in.

Wallets:
My regular user account and my bitcoin user account have a wallet each. My bitcoin user account stores the majority of coins, my regular account has a small amount.
When I want to receive a large amount of bitcoins, I use an address of the better protected wallet.
When I want to send a lot of coins, I login with the bitcoin account and send some. Then I log out again.

Backups:
I make backups of the wallet by the following command:
Code:
tar -c ~/.bitcoin/wallet.dat | gpg -c > $BACKUP_FILENAME
The command asks for a password, and I enter a quite strong one, because I want to be save putting those backups anywhere.

I store those encrypted backups on USB disks and on university computers (which are backuped very systematically and well). It's easy because the wallet files are quite small.

Possible attacks:
- cracking the strong password or the AES encryption keys
- cracking the whole machine with root access and stealing the wallet, while the bitcoin user account is logged in
- stealing my computer while the bitcoin user account is logged in

Do you see any flaws? How do you do it? What can I do better?

Do you see any attacks that I haven't thought of?

Misspelling protects against dictionary attacks NOT
1481298262
Hero Member
*
Offline Offline

Posts: 1481298262

View Profile Personal Message (Offline)

Ignore
1481298262
Reply with quote  #2

1481298262
Report to moderator
1481298262
Hero Member
*
Offline Offline

Posts: 1481298262

View Profile Personal Message (Offline)

Ignore
1481298262
Reply with quote  #2

1481298262
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
lonestranger
Member
**
Offline Offline

Activity: 115


I like long walks on the beach, shaving my head...


View Profile
June 11, 2011, 04:05:44 PM
 #2

I am using ubuntu 10.04. I am new to it. When you "create accounts" and strongly encrypt them you are referring to features that ubuntu provides? As opposed to using a third party product like truecrypt?
bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
June 11, 2011, 04:09:07 PM
 #3

I am using ubuntu 10.04. I am new to it. When you "create accounts" and strongly encrypt them you are referring to features that ubuntu provides? As opposed to using a third party product like truecrypt?

Yes, I am talking about the built in "encrypted home directory" feature of Ubuntu.

I typed:
Code:
sudo adduser --encrypt-home bitcoin

It asks for a password, and then you have an account "bitcoin".

Misspelling protects against dictionary attacks NOT
bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
June 12, 2011, 09:11:02 AM
 #4

Bump. I am still interested in stories, how other people do it.

Maybe if we collected enough, we could even write a recommended security guideline and some tutorials.

Are there people managing large amounts of bitcoins on Windows or Mac machines? What do you do to protect your coins?

Misspelling protects against dictionary attacks NOT
lonestranger
Member
**
Offline Offline

Activity: 115


I like long walks on the beach, shaving my head...


View Profile
June 12, 2011, 03:49:17 PM
 #5

bump
lonestranger
Member
**
Offline Offline

Activity: 115


I like long walks on the beach, shaving my head...


View Profile
June 12, 2011, 03:50:52 PM
 #6

Since I'm sick of the discussion about the price of bitcoin over ONE weekend. Give me a break. Buy bitcoin and forget about it. It will be one for the ages. Traders should just take their lumps.
gene
Sr. Member
****
Offline Offline

Activity: 252


View Profile
June 13, 2011, 08:03:33 PM
 #7

Air gapped (not networked) computer with bitcoin transferred over via clean USB drive.

Open bitcoin and write down automatically generated address (address x).

From networked computer, open bitcoin and send funds to address x.

Encrypt wallet.dat and shred the original on the air gapped machine. Save encrypted wallet all over the place -- hardcopy too.

The unencrypted wallet never touches a networked computer.

*processing payment* *error 404 : funds not found*
Do you want to complain on the forum just to fall for another scam a few days later?
| YES       |        YES |
bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
June 13, 2011, 08:52:03 PM
 #8

Air gapped (not networked) computer with bitcoin transferred over via clean USB drive.

Open bitcoin and write down automatically generated address (address x).

From networked computer, open bitcoin and send funds to address x.

Encrypt wallet.dat and shred the original on the air gapped machine. Save encrypted wallet all over the place -- hardcopy too.

The unencrypted wallet never touches a networked computer.

Yeah, I thought of that, too.

I would certainly do that if I had seriously huge amounts of bitcoins.

Misspelling protects against dictionary attacks NOT
lonestranger
Member
**
Offline Offline

Activity: 115


I like long walks on the beach, shaving my head...


View Profile
June 13, 2011, 08:55:53 PM
 #9

Air gapped (not networked) computer with bitcoin transferred over via clean USB drive.

Open bitcoin and write down automatically generated address (address x).

From networked computer, open bitcoin and send funds to address x.

Encrypt wallet.dat and shred the original on the air gapped machine. Save encrypted wallet all over the place -- hardcopy too.

The unencrypted wallet never touches a networked computer.

Gene, this sentence:
Encrypt wallet.dat and shred the original on the air gapped machine. Save encrypted wallet all over the place -- hardcopy too.

Encrypt wallet.dat on the air-gapped machine, correct?
bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
June 13, 2011, 08:58:10 PM
 #10

Encrypt wallet.dat on the air-gapped machine, correct?

Yes, that makes sure that no online machine has ever seen the private information.

Misspelling protects against dictionary attacks NOT
xlcus
Hero Member
*****
Offline Offline

Activity: 518



View Profile
June 13, 2011, 09:06:47 PM
 #11

How do you do it?
That's pretty much what I do.  I have my day-to-day wallet in my main user account, and a separate user account for my "savings" wallet.  If the balance in my day-to-day wallet gets above a certain threshold, I send some coins to my savings wallet.

My savings wallet has also been encrypted and emailed to myself (off site) in case of catastrophic machine failure, house fire, etc.

Faircoin, the coin of the fair economy
Check https://www.fair.coop The Earth cooperative to create a new economic system, based in global fairness
giszmo
Legendary
*
Offline Offline

Activity: 1568


¡ɥɔʇɐʍ ʇsnɾ &#7


View Profile WWW
June 13, 2011, 09:51:19 PM
 #12

taken that mining leaves you with an already quite serious amount of bitcoins once you get just one block, air gapping serious amounts of btc will not work Sad

in theory (not there yet): i have a fully encrypted (all except boot) usb stick for "serious amount" but do networking with it. it's also my system to do online banking with.
of course the wallet(s) are backed up gpg encrypted with a 30 letters strong password to remote places.

my biggest concern is not that i will ever get my wallet stolen but see this being the advice to friends that will at the same time drive them away from ever using btc.

my hope is that bitcoin wallet for android or similar will work soon so i can also show the easiness of btc handling out on the street - with amounts of cash that i also would carry around in my leather wallet knowing i might loose them any day.

bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
June 13, 2011, 09:55:28 PM
 #13

taken that mining leaves you with an already quite serious amount of bitcoins once you get just one block, air gapping serious amounts of btc will not work Sad

The miner has to be online, but the address receiving the mined coins doesn't.

Misspelling protects against dictionary attacks NOT
bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
June 13, 2011, 10:08:12 PM
 #14

I added a list of possible attacks, does anybody see an attack I haven't thought of?

Misspelling protects against dictionary attacks NOT
Isosceles
Member
**
Offline Offline

Activity: 71


View Profile
June 14, 2011, 01:09:00 AM
 #15

Software Keylogger? Hardware keylogger?
Vulnerability in the Ubuntu encryption algorithm? From what I read, Truecrypt is supposedly the gold-standard. Can you configure Ubuntu to use it for the home dir?
Vulnerability in Ubuntu? If you update your OS, can your download be redirected to another location with a compromised OS patch?

For those who use an "air gapped" machine, how do you spend the coins? Is it possible to manually enter a Bitcoin transaction by paper, pen & a networked PC?
giszmo
Legendary
*
Offline Offline

Activity: 1568


¡ɥɔʇɐʍ ʇsnɾ &#7


View Profile WWW
June 14, 2011, 01:35:18 AM
 #16

The miner has to be online, but the address receiving the mined coins doesn't.

For exactly this reason I asked it elsewhere but didn't get an answer: how do i define the address(es) the miner should attribute the reward to?? Best would be to share it among all the guys that have shares in my mining rigs.

Steve
Hero Member
*****
Offline Offline

Activity: 868



View Profile WWW
June 14, 2011, 01:59:48 AM
 #17

Software Keylogger? Hardware keylogger?
Vulnerability in the Ubuntu encryption algorithm? From what I read, Truecrypt is supposedly the gold-standard. Can you configure Ubuntu to use it for the home dir?
Vulnerability in Ubuntu? If you update your OS, can your download be redirected to another location with a compromised OS patch?

For those who use an "air gapped" machine, how do you spend the coins? Is it possible to manually enter a Bitcoin transaction by paper, pen & a networked PC?

I had the same question...I may want to adopt this approach myself, but I don't know of an easy way to export/import a transaction.  If such a feature existed, you could generate and export the transaction to a file, copy to USB, and import/broadcast with another connected bitcoin client.  I imagine you could copy the block chain files from a connected client over to the air gapped machine via USB so that the wallet sees the current balance.

It would be nice to add a few features to the client to facilitate this scenario.  It would also be nice if the client supported "receive-only" wallets that have no private keys...this way you could make a "receive-only" copy of a wallet, load that up on a connected client and be able to monitor the balance of your air-gapped, savings wallet without risk of the coins being stolen.

(gasteve on IRC) Does your website accept cash? https://bitpay.com
bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
June 14, 2011, 05:10:43 AM
 #18

1. Software Keylogger? Hardware keylogger?
2. Vulnerability in the Ubuntu encryption algorithm? From what I read, Truecrypt is supposedly the gold-standard. Can you configure Ubuntu to use it for the home dir?
3. Vulnerability in Ubuntu? If you update your OS, can your download be redirected to another location with a compromised OS patch?

4. For those who use an "air gapped" machine, how do you spend the coins? Is it possible to manually enter a Bitcoin transaction by paper, pen & a networked PC?
1. Hardware Keylogger would be a problem. Software Keylogger would require the System to be fully comprimised, which I already mentioned.

2. No, it is not. TrueCrypt has a lot of fanct featues, most of them very useful. That is why it is hyped a lot by people who don't understand it. Even the TrueCrypt manual says almost literally that it is not true that you can easily be secure with TrueCrypt. (I already opened a thread about it: http://forum.bitcoin.org/index.php?topic=16246.0)
Ubuntu home folder encryption is based on ecryptfs, which is a part of the Linux kernel itself. It is based on the very crypto implementations of the kernel - like a lot of other disk crypto solutions (luks/dm-crypt).
I would not use TrueCrypt for this because it is bloated with a lot of features that are not needed here. For a security concept you should always prefer the simpler solution. A more complicated solution just opens the danger of making mistakes.

3. Yes, a vulnerability that allows root access would be a problem, I mentioned that.

Misspelling protects against dictionary attacks NOT
ChupacabraHunter
Member
**
Offline Offline

Activity: 73


Chupacabra = Corrupt Gov't,Lies and Fraud


View Profile
June 19, 2011, 03:15:59 PM
 #19

These are all really nice.  Thanks! Smiley

...but now I must ask:  What do I tell my friend studying philosophy, who has some BTC (due to my convicing him to buy some)?  He doesn't know Ubuntu, and actually I have never used it either.

Please, someone, put a one click, one button, safe, secure download on www.bitcoin.org so all this can be done by my philosopher friend... and myself Smiley

Sorry to be only a 'Hunter' and not a wizz!


---- i know this is for the Bitcoin millionares who were the rightful early adopters and tech-savy super geeks

But what are the rest to do, who put in a few hundred $$$ worth, and are just as fearful to have their little wallet stolen?
kloinko1n
Full Member
***
Offline Offline

Activity: 177


View Profile
July 24, 2011, 07:00:25 AM
 #20

Air gapped (not networked) computer with bitcoin transferred over via clean USB drive.

Open bitcoin and write down automatically generated address (address x).

From networked computer, open bitcoin and send funds to address x.

Encrypt wallet.dat and shred the original on the air gapped machine. Save encrypted wallet all over the place -- hardcopy too.

The unencrypted wallet never touches a networked computer.
This looks like a terrific approach to me. Would it be possible to buy a cheap netbook and put a tiny (core) Linux on it and use that as the off-the-net computer?

Further, although I slightly do understand the concept proposed, for my small and not so computer literate brain it's just a bit too abstracty formulated.
Could someone in non-geek language explain to a common, almost layman, bitcoin user how to exactly implement this step by step?
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!