Bitcoin Forum
Author Topic: HOWTO: create a 100% secure wallet  (Read 276208 times)
pk
August 29, 2011, 12:40:24 AM
 #461

Thanks for all the info guys.
bitbites
August 29, 2011, 03:07:51 AM
 #462

100% secure doesn't exist D:

That's quite true, and I think the subject is misleading. However, I do think this is a very good guide for decreasing the probability of your bitcoins being stolen.
godofwar
August 29, 2011, 06:17:21 PM
 #463

replying for future reference
RTZ143
August 31, 2011, 01:50:11 AM
 #464

Ty for the info
skEwb
September 02, 2011, 06:10:19 AM
 #465

Thanks for the info. I try to keep mine off on a physical USB device and use at least 3 of these devices in case 1/3 or 2/3 get lost.
bg002h
September 03, 2011, 02:18:59 AM
 #466

I don't think this is good advice....sorry...I think a much better idea would be to create an address & private key pair on a "live" OS, write both down on paper, attempt an import into a wallet to prove you copied correctly, and then reboot to "hide the evidence"...Now, if you are really nuts, memorize the private key and 6 or so initial chars in the public address (in case you don't trust your paper or ink)...put your paper with the public and private keys in a safety deposit box...That's way more secure than optical or magnetic media (which will degrade faster than paper) and way more resistant to cosmic rays than solid state media....obviously nothing is invulnerable to physical attack :)

DrGoss
1DrGossc3QidjzgDXzveCAQGiPWsoiDZ8C

Hardforks aren't that hard. It’s getting others to use them that's hard.
1GCDzqmX2Cf513E8NeThNHxiYEivU1Chhe
borez
September 03, 2011, 04:33:13 AM
 #467

Thanks for the guide!
BkkCoins
September 03, 2011, 04:52:21 AM
 #468

Since everyone is posting how they do it I'll add mine. I only have a few Bitcoins so I think this is adequate.

I'm using Ubuntu and gnupg to encrypt the wallet file automatically when I start the client. I'll share my small script for this below. I just edit my Bitcoin menu item and replace it with the name of my script and my personal key id (either name or number but name may need quotes).

eg. script saved as /usr/local/bin/gpgbtc then I call it with "/usr/local/bin/gpgbtc 249AD24C"

Gnupg is already installed by default but for my script you need two more packages. I use "srm" to make sure the non-encrypted version is toasted nicely and I use gnome-gpg so that I can get a gui password prompt.

sudo apt-get install secure-delete gnome-gpg

/usr/local/bin/gpgbtc (be sure to chmod +x so it can be run)
Code:
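#!/bin/bash
# Usage: gpgbtc <gpg-key-id>

# Decrypt the wallet (GUI passphrase prompt). Abort if decryption fails so
# Bitcoin is not started without the real wallet in place.
if [ -f ~/.bitcoin/wallet.dat.gpg ]; then
  gnome-gpg ~/.bitcoin/wallet.dat.gpg || exit 1
fi
chmod 600 ~/.bitcoin/wallet.dat
bitcoin
# Keep the previous encrypted wallet as a backup.
mv -f ~/.bitcoin/wallet.dat.gpg ~/.bitcoin/wallet.dat.gpg.bak
# Re-encrypt to the given key; remove the plaintext only if that succeeded.
if gnome-gpg -r "$1" -e ~/.bitcoin/wallet.dat; then
  chmod 600 ~/.bitcoin/wallet.dat.gpg
  srm -fllz ~/.bitcoin/wallet.dat
fi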
This script prompts for your gpg key password, decrypts the wallet file, runs Bitcoin. After you close Bitcoin it makes a backup of the last wallet version, just in case something happened, re-encrypts the wallet, and securely removes the decrypted version. If Bitcoin doesn't close properly then it tries to detect that and leave the wallet file for you to check manually.

So far this has been working fine for me and I keep several back up copies of the encrypted wallet (and my gpg stuff too). But if you choose to do like this do so at your own risk. No guarantees from me or anyone else.

This is just for those who may want to do like this but not re-invent the wheel.


Susantorres
September 03, 2011, 07:51:11 AM
 #469

Thanks for the info guys, if anyone wants to switch to a managed cloud computing rather than just cloud computing then he can follow the above link.

Managed Cloud Computing | Managed Cloud
Bebop
September 05, 2011, 09:48:24 PM
 #470

I'm with the others for the idea of simply encrypting the entire OS. The Live boot CDs are somewhat more painful in the long term, due to long load times and needing a USB to persist settings etc. Of course anyone assumed to have the knowledge or skill to do the OS encrypt is also clued up enough to practice safe habits of web surfing and avoiding trojans.

Live CD is a safe resort, but inferior to the OS encrypt I do agree.
finchfrank
September 05, 2011, 09:59:25 PM
 #471

And what about some kind of protection by using a YubiKey or something similar, as the guys from MtGox do?
LoupGaroux
September 05, 2011, 10:04:10 PM
 #472

Frankly, I love the dry wit of an Englisher. Being able to use words like twat and cunts in an actual coherent sentence? Priceless. This is the type of post that should be made sticky, but then in my case it is, I snorted iced tea out of my nose when I read it, and now the whole damn keyboard is sticky, not just this invaluable post.
CurrentB
September 06, 2011, 09:32:47 AM
 #473

Great information, and a great read. Thanks!
nguoinhaque
September 06, 2011, 02:02:17 PM
 #474

I encrypt the wallet using built-in functions of Win7 and store a backup of my wallets & certificates on my Google account under a password-protected zip file.
clone4501
September 06, 2011, 05:17:56 PM
 #475

The main theme behind creating a secure wallet is to encrypt it to a strong passphrase and then to shred (rather than delete) the unencrypted wallet.  Next, back up the encrypted wallet to a number of different physical and virtual locations.  There are risks to this strategy.  The two biggest are 1) forgetting your passphrase, 2) the encryption software being able to properly decrypt later on, 3) the bitcoin client being able to properly read the decrypted wallet.

Also, the above is all for nothing if you are not operating behind a secure firewall that keeps out malware.

To all you newbies, don't trust the software.  Stress test it, before you store a large amount of bitcoins.  Even commercially available encryption software including the bitcoin client does not work 100% on every system configuration.

Stress testing should include:

1) complete removal and reinstall of the bitcoin client,
2) complete removal and reinstall of the encryption software,
3) decrypting a formerly encrypted wallet and allowing it to update all the block chains,
4) sending and receiving a small amount of bitcoin,
5) repeating steps 1 to 4 again a week, month, two months later.
6) think of other worst case scenarios for your system and test with the small amounts of bitcoin

Good luck,
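
Added example, not part of any post in this thread: a shell function applying two points made above, that the unencrypted wallet is shredded only after encryption and that the encryption software may fail to decrypt later. It decrypts the new ciphertext into a pipe and compares SHA-256 hashes before shredding; the function name and argument order are assumptions, and the decrypt command is supplied by the caller.

```sh
#!/bin/sh
# Added example (not from the thread). Function name and argument order
# are assumptions made for this illustration.
#
# usage: verify_and_shred PLAINTEXT CIPHERTEXT DECRYPT_CMD...
#   DECRYPT_CMD is run with CIPHERTEXT appended as its last argument and
#   must write the decrypted bytes to stdout, for example:
#     verify_and_shred ~/.bitcoin/wallet.dat ~/.bitcoin/wallet.dat.gpg \
#         gpg --quiet --decrypt

sha256_of() { sha256sum | cut -d' ' -f1; }

verify_and_shred() {
    [ $# -ge 3 ] || { echo "usage: verify_and_shred PLAIN CIPHER CMD..." >&2; return 2; }
    plain=$1; cipher=$2; shift 2
    [ -s "$plain" ]  || { echo "missing or empty: $plain" >&2; return 2; }
    [ -s "$cipher" ] || { echo "missing or empty: $cipher" >&2; return 2; }

    # A "ciphertext" byte-identical to the plaintext means encryption never ran.
    if cmp -s "$plain" "$cipher"; then
        echo "ciphertext equals plaintext, keeping $plain" >&2
        return 3
    fi

    want=$(sha256_of < "$plain")
    # Decrypt into a pipe so no second plaintext copy is written to disk.
    # A failed or partial decrypt produces a different hash, so it is
    # caught by the comparison below.
    got=$("$@" "$cipher" | sha256_of)

    if [ "$want" != "$got" ]; then
        echo "round-trip mismatch, keeping $plain" >&2
        return 1
    fi

    # Overwrite and unlink the plaintext only after the round trip matched.
    shred -u "$plain"
}
```

On flash media and on journaling or copy-on-write filesystems, overwriting in place does not guarantee the old blocks are gone, which is one reason other posters here prefer encrypting the whole OS drive.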
infiniblank
September 07, 2011, 10:07:56 AM
 #476

Thanks for the great info everyone. This helps a lot of people, including myself.
bitcoinhead
September 07, 2011, 10:28:27 PM
 #477

A yubikey or similar one-time-password (or even out-of-band authentication like an SMS code to your phone) only protects against rudimentary keylogging malware or phishing.  And it only protects the online account where you store bitcoins (clearly doesn't protect a locally stored wallet on your PC).

The problems with this for an online wallet include:
 - man-in-the-middle can get your OTP and password and take over your online wallet
 - man-in-the-browser malware can get your OTP and password and take over your online wallet
 - a hacker can still break into the online wallet service and steal/copy your coins (there are mitigations to this that online wallet services can and slowly are implementing)
 - bitcoin-specific malware can wait until you log into your online wallet and then do a session hijack to allow an attacker to basically become you and be logged in.

For protecting a local wallet, the bootable Linux approach (either on a USB stick or CD) is the most secure.  Store your wallet in an encrypted file partition on a flash drive (you could use a hardware encrypted drive like IronKey or MXI), and inside there, use TrueCrypt to double encrypt your filesystem which contains your wallet.  This is a highly secure approach using both physical crypto, software crypto and a clean OS that is reset every time (because you boot from a CD image).

Not sure how practical this is unless you have LOTs of bitcoins to protect!  And in that case, you should split them up into multiple wallets on different storage devices.
clone4501
September 12, 2011, 02:49:14 AM
 #478

In securing a wallet, there are some things that you need to do that are applicable to any secure computer.  First and foremost, you need a state-of-the-art firewall!  This will keep away 99.9 percent of the hackers, their trojans and key loggers.  Next, don't download shit unless it is from a reputable source that you can reasonably trust. For example, I thought I would be a savvy techie and download Kazaa to get free MP3 downloads.  It was not until much later on that I realized that I had downloaded a key logger that most likely was able to read all my PGP passphrases.  Lesson learned here, if you are going to deal with software pirates, remember that age-old adage, "there is no honor among thieves."  Also, don't be cheap on your firewall.  Symantec, McAfee, Force 7, Avira, and any of their true competitors is what you should be running.

So let's say 1) you have a secure firewall, 2) you have not downloaded any shit from dubious sources, and 3) done a complete full system scan for viruses and trojans from the above mentioned antiviral programs listed above, and 4) after all that are reasonably confident you have a malware-free computer.  Then you are ready to download the Bitcoin client.  If you think you are ready, then you are probably not and should download, let's say another anti-virus client, like Avira, and do a full-system scan again!

Once you download the Bitcoin client, get the hell offline.  Disable your wireless, unplug your usb/ethernet cable.

Now run the client and create your wallet.

TrueCrypt, PGP, or GPG are three good ways to encrypt your wallet.dat file.  Of course, you should have downloaded these earlier, only after you believe (not think) you have a secure firewall and a malware-free computer.

Refer to my earlier post about letting the wallet read all the current block chains.

Then go offline again!

Encrypt the wallet and then shred (rather than delete) the unencrypted wallet.dat file.

Read my earlier post about what to do next.

In closing, many have compared Bitcoin to the Wild West of the Internet.  This is true.  So if you are going to be a player in the Bitcoin world, you need to learn a lot about data security and encryption.  It is these two elements that are the real intrinsic value in Bitcoin.

P.S. to all you fucking hackers--I know this site has been compromised, so I have to change my fucking passwords again because the host of this forum can't even follow the most basic security... ah fuck off!
 

Cosbycoin
September 12, 2011, 08:12:13 PM
 #479

Is this process once finished idiot proof?
Thralen
September 13, 2011, 03:35:35 PM
 #480

Is this process once finished idiot proof?

Regardless of what anyone might claim, nothing is idiot-proof. The world has this sick habit of constantly making better idiots.

Thralen

Supporting bitcoin as best I can with 1. mining, 2. buying with bitcoin, 3. selling (or trying to) for bitcoin. If you make a donation to:  1MahzUUEYJrZ4VbPRm2h5itGZKEguGVZK1  I'll get it into circulation.