Backing up multisig wallet used for cold storage

[frankjj]

I'm looking into doing a variation of the Glacier protocol for cold storage (https://glacierprotocol.org/) using an Electrum multisig wallet. The main aspect I'm trying to replicate is setting up a 2 of 4 wallet with paper backups in different locations.

Once it is set up, if I needed to send some bitcoin I would restore one of the wallets and create an unsigned transaction from the multisig wallet. I could then travel to one of the other backups, restore that wallet, and then make the second signature. At that point I could transmit the transaction as soon as I get it to an online computer.

Here is my question: What data would I need in each location in order to completely restore the wallet and sign a transaction by visiting just two of the locations? I've created a 2 of 4 wallet while experimenting with Electrum, and for each copy (i.e. wallet 1, wallet 2, wallet 3, wallet 4) of the multisig wallet I needed the wallet seed and the master public keys of the other three wallets.

So, am I correct in assuming that these 4 pieces of information would be needed for each signing wallet to restore the multisig wallet?
Location 1: wallet seed 1, master pub key 2, master pub key 3, master pub key 4
Location 2: master pub key 1, wallet seed 2, master pub key 3, master pub key 4
Location 3: master pub key 1, master pub key 2, wallet seed 3, master pub key 4
Location 4: master pub key 1, master pub key 2, master pub key 3, wallet seed 4

Is there any additional information that would be needed at each location? Or is there any information I actually wouldn't need to store of the above?

[1713878298]

1713878298

[1713878298]

1713878298

[1713878298]

1713878298

[Abdussamad]

you have it absolutely correct.  you don't need to store anything else.

[frankjj]

Abdussamad, thanks!

nerioseole, I appreciate the thoughts, and I've wondered how complicated is too complicated myself. But since all you need to take all the bitcoins from a wallet is a small bit of information, doesn't it seem like some neuroticism might be reasonable if you could potentially be holding large amounts of money in the wallet? I'm asking that seriously, not sarcastically.

If I were to leave a trezor and unlocking pin or seed words, what's to stop the person (lawyer?) keeping them from taking sending the money to their own bitcoin wallet? Nobody would ever know who took it. Or would you keep it in a safe deposit box? What would happen if the government decided it needed to seize assets like has happened in some countries over the past decade. Once again the money could just be gone if the wrong person gets their hands on it.

What is a reasonable amount of precaution for longer term cold storage?

[aplistir]

I have also been wondering, what needs to be saved, when backing up a multiSig address. Clearly just backing up the private & public keys is not enough, because you also need the script.

If you have at least 1 outgoing transaction from your multiSig address, then you do not need to store the script, because it will then be visible in the blockchain. Also the public keys will be visible in the blockchain. so you don't need to save those either, but you will need to be able to copy those from blockchain if you do need them...

But personally I decided to forget multiSig. The reason I was interested in multiSig was increased security, because I thought that to be able to spend from multiSig you would need to have several private keys, and that would make it much safer than normal addresses. And that would protect from someone accidentally generating the same address and using my coins.

Then I found out that multiSig addresses are only as safe as normal addresses with 160 bit security.
An attacker does not even need to find your private keys. He can just try to generate any script that will hash to your multiSig address to be able to spend your coins. (hence the 160 bit security)
And yes. I know it is currently completely impossible, but I was expecting more from multiSig.  

[aplistir]

One of the safest ways to store bitcoins is paper wallet(s) with encrypted private key
You can create them eg. in www.bitaddress.org (just do not create them while connected to the internet. You need to download bitaddress to your own machine first.)

With those you will have 2*security. You can store the paper wallets in one place (eg. in a safety deposit box or lawyer?) and have the private keys encrypt keys in another place. For example you can tell that key to your family.
If the encrypt key is long enough it is impossible to use your coins without having both the key and paper wallet.

I do not really get the point of Trezor or other hardware wallets for long time storage. You would still need to save the seed somewhere, probably on paper, and if someone gains access to that paper then they can spend your coins without needing the Trezor.

On the other hand Trezor is very good for a wallet that is in active use. Gives an extra layer of protection, if a hacker has already gained access to your computer...

PS. if you decide to choose multiSig. Be sure to test it first with small sums. Or do the testing in testnet. You have to  be sure you have indeed saved enough data to be able to use your coins.

[frankjj]

aplistir, thanks for your thoughtful comments.

I'm not sure I follow you regarding the script. In order to generate a multisig wallet in Electrum, each of the individual signers needs their own wallet seed and the master public key of the other three signers. If each of the signers creates a wallet using their respective wallet seed and public keys of the others, then they all generate the same wallet with the same address. I've tested and verified this. I've also verified that 2 of 4 wallets can be signed by any two of the signers used to create the multisig wallet. Assuming I back up the pieces that I described in the first post of this thread, I can recreate the same wallets using electrum. I have already tested that I am able to use these wallets to send bitcoin when signed by two of them. Where does your script comment fall into this scheme? I assume electrum will regenerate any script needed to spend the bitcoin in the wallet when restoring using the original pieces.

I'm not really in love with the idea of storing on a single use paper wallet like those from bitaddress.org because it doesn't handle change addresses and things like that. The addresses generated by that site even suggest sweeping the key into a wallet in order to use. With an electrum multisigniture wallet, it is possible to use the wallet to transfer funds and keep the funds in the wallet although at a new address within the wallet.

That's the part I haven't really understood about hardware wallets like Trezor either. Yes, the private keys never leave the wallet even when connected to an online computer, but the seed words are a single point of failure. If anybody gets a hold of those, your money is gone isn't it?

Test with small sums --- ABSOLUTELY!

[aplistir]

I'm not sure I follow you regarding the script. In order to generate a multisig wallet in Electrum, each of the individual signers needs their own wallet seed and the master public key of the other three signers. If each of the signers creates a wallet using their respective wallet seed and public keys of the others, then they all generate the same wallet with the same address. I've tested and verified this. I've also verified that 2 of 4 wallets can be signed by any two of the signers used to create the multisig wallet. Assuming I back up the pieces that I described in the first post of this thread, I can recreate the same wallets using electrum. I have already tested that I am able to use these wallets to send bitcoin when signed by two of them. Where does your script comment fall into this scheme? I assume electrum will regenerate any script needed to spend the bitcoin in the wallet when restoring using the original pieces.

MultiSig  uses pay to script protocol.
The private & public keys are not enough. You need to know that it is 2 to 4 address and you also need to have those keys always in the same order for the wallet to be able to create the same address and script. If you change the order it wont work. (I admit that with 4 keys there are not that many possibilities even if you have to guess them  )
Luckily the wallets take care or all the real work, and using them is quite easy.

When I played with multiSig wallet for the first time I did not save everything I would have needed. I created a 2 to 5 multiSig address, then destroyed one key completely (private and public keys) and tried to pay out from the address with the remaining 4 private/public keys. And I could not do it! Even though I had understood that I would only need 2 keys to be able to do it.
To be able to pay out from that address I would have needed the public key from the 5th key too.
If I had made 1 payment from that address all the public keys (and the script)  would have been visible in the blockchain, but I had not, so could not access that address any more.  

It looks like you have saved everything you need to save  
  

[HCP]

That's the part I haven't really understood about hardware wallets like Trezor either. Yes, the private keys never leave the wallet even when connected to an online computer, but the seed words are a single point of failure. If anybody gets a hold of those, your money is gone isn't it?

Yes, if someone has your seed, they have access to all your coins.

However, you can also do something like "shamir secret sharing" to encrypt your seed words and split the parts across multiple sites like you have done with the MultiSig wallet. The plus side to this it that instead of needing to travel to a different site just to send bitcoins, you'd only need to do it to recover/restore your wallet in the event that your hardware device failed. Day to day, the coins are secured by the hardware wallet and your PIN/Passphrase etc.

As usual, a lot of this comes down to the trade offs between convenience and security...

Hardware wallet - Convenience for spending, arguably just as secure (ie. remote sites need to be unaware of each other)
"modified" glacier using offsite MultiSigs - Inconvenient for spending, very secure if executed properly (ie. remote sites are unaware of each other)

[Abdussamad]

another option is to extend your seed with custom words. you keep those in your head while the seed gets put down on paper. if you forget the custom words then you'll lose your bitcoin so it's risky. it's like a password for the seed.

[_ERROR_LOADING]

I'm looking into doing a variation of the Glacier protocol for cold storage (https://glacierprotocol.org/) using an Electrum multisig wallet. The main aspect I'm trying to replicate is setting up a 2 of 4 wallet with paper backups in different locations.

Once it is set up, if I needed to send some bitcoin I would restore one of the wallets and create an unsigned transaction from the multisig wallet. I could then travel to one of the other backups, restore that wallet, and then make the second signature. At that point I could transmit the transaction as soon as I get it to an online computer.

Here is my question: What data would I need in each location in order to completely restore the wallet and sign a transaction by visiting just two of the locations? I've created a 2 of 4 wallet while experimenting with Electrum, and for each copy (i.e. wallet 1, wallet 2, wallet 3, wallet 4) of the multisig wallet I needed the wallet seed and the master public keys of the other three wallets.

So, am I correct in assuming that these 4 pieces of information would be needed for each signing wallet to restore the multisig wallet?
Location 1: wallet seed 1, master pub key 2, master pub key 3, master pub key 4
Location 2: master pub key 1, wallet seed 2, master pub key 3, master pub key 4
Location 3: master pub key 1, master pub key 2, wallet seed 3, master pub key 4
Location 4: master pub key 1, master pub key 2, master pub key 3, wallet seed 4

Is there any additional information that would be needed at each location? Or is there any information I actually wouldn't need to store of the above?

I've been mulling over this same thing for the past few weeks. I currently have all my BTC in a single-signature wallet but plan to move everything into a 2-of-4 multi-sig wallet, but I want to make damn sure that if all but two of the seeds are destroyed, I can still recover funds. So far I've reached the same conclusion as you. There is a shamir39 project from Ian Coleman that would work even better, as you'd only need to write down four 12-word phrases, and any two of those 12-word phrases would recreate the same 12-word seed which can be used to recover and spend funds.

[frankjj]

I've been thinking more about this and experimenting. I think I've settled on a pretty good idea, but want to see other people's thoughts on it before I implement it.

Similar to my OP above, I still have four separate locations that each hold a piece of the 2 of 4 information I need to restore the wallet. This is intended to be very cold storage, so inconvenience to spend is good.

The information I would keep at each site is:

• The wallet seed phrase of one of the four wallets that are part of the multisig wallet. Each site would have a different seed.
• A paper containing the QR codes for the four master public key of all four wallets, and the text version of all four in case a QR code reader is not available on the device I need to restore the wallet to and entering the key by keyboard is necessary. A copy of the same page could go to each site.

I think this is a good setup because information about all four wallets that make up the multisig wallet is needed to create any of the individual signing wallets, but the public keys can be leaked and it's ok because they're public keys. It's easy to create a document that could be printed with the qr codes, and it doesn't matter too much if they fall into the wrong hands (I think) as long as the seed phrases are still safe. The only potential downside I see is that the presence of four qr codes / public keys could tip off an attacker to the arrangement of the wallet as a 2 of 4. However, they still wouldn't have access to two of the four pieces. And if they did manage to get that, I'd pretty much be in trouble no matter what system I used.

I lean toward this method over some of the other suggestions because the only software that's needed to create the backups or restore them is electrum wallet. I wouldn't have to track down multiple software projects that may or may not be compatible with today's version of those projects, or could be defunct, and get a bunch of software packages back in alignment before being able to restore my wallet.

Does anybody see any major holes in my thinking?