Author Topic: Security of Paper Wallets  (Read 3060 times)
Ford (OP)
October 16, 2013, 09:36:50 PM
 #1

Hello All

If I am using a paper wallet to safely store bitcoins in, offline.
And then need to transfer some of the funds held in the paper wallet to another address.
In order to maintain maximum security would I be best to then transfer the remaining funds into a NEW paper wallet?

Also what is the best way of generating multiple paper wallets, and can this be done on an off-line PC in order to maintain maximum security?

Best Regards & Thanks
Ford

Akka
October 16, 2013, 09:39:08 PM
 #2

In order to maintain maximum security would i be best to then transfer the remaining funds into a NEW paper wallet?

Yes

Also what is the best way of generating multiple paper wallets, and can this be done on an off-line pc in order to maintain maximum security?

I like Armory. Works offline as well.

All previous versions of currency will no longer be supported as of this update
Ford (OP)
October 16, 2013, 09:45:35 PM
 #3

In order to maintain maximum security would i be best to then transfer the remaining funds into a NEW paper wallet?

Yes

Also what is the best way of generating multiple paper wallets, and can this be done on an off-line pc in order to maintain maximum security?

I like Armory. Works offline as well.

Thanks Akka

Always good to have my plans confirmed, just in case  Wink

Ford

DannyHamilton
October 17, 2013, 12:37:22 AM
 #4

If i am using a paper wallet to safely store bitcoins in, offline.
And then need to transfer some of the funds held in the paper wallet to another address.
In order to maintain maximum security would i be best to then transfer the remaining funds into a NEW paper wallet?

Yes.

Also what is the best way of generating multiple paper wallets

Best? or Easiest?

I use Bitcoin-Qt running in an offline computer, but Armory is a good idea.

and can this be done on an off-line pc in order to maintain maximum security?

Yes.
Ford (OP)
October 17, 2013, 12:02:30 PM
 #5


Best? or Easiest?

I use Bitcoin-Qt running in an offline computer, but Armory is a good idea.


Ideally both  Grin
+ I would also need to create multiple paper wallets (all on a PC that has NO network connection at all)
I have read about and installed Armory, but need to take a better look at it.

How would Bitcoin-QT create multiple wallets, as I have not worked out how to do this yet
+ will I need the full blockchain before I can create a wallet?

DannyHamilton
October 17, 2013, 01:47:58 PM
 #6


Unfortunately, the best way isn't necessarily easy.  It involves wiping a hard drive, then installing a known good, clean, version of an operating system, then installing some trusted address generating software, then hand writing the addresses and private keys on paper, then destroying the hard drive (or at least making sure it is sufficiently wiped to avoid recovery of data).

There are several choices of offline address generating software out there.  I haven't had a chance to check on the code of any of them, so I'm not ready to trust them yet.  Others may stop by with their own suggestions of which software they trust.  Some of them will generate QR-Codes and print in a nice formatted template. For now, I only trust Bitcoin-Qt.

How would Bitcoin-QT create multiple wallets, as i have not worked out how to do this yet

Paper wallets are not exactly user functionality for Bitcoin-Qt, but with some effort it can be done.

  1. Install Bitcoin-Qt on a PC that has NO network connection at all
  2. Click on the "New Address" button in the "receive coins" section
  3. Write the new address down on a piece of paper
  4. Choose "Console" in the "Debug Window" found under the "Help" menu
  5. Enter the following command where bitcoinAddress is the address you wrote down in step 3:
              dumpprivkey bitcoinAddress
  6. Write the private key on the same piece of paper

Voilà! You now have a paper wallet.

You can delete the installation of Bitcoin-Qt and wipe the hard-drive if you like.

+ will i need the full blockchain before i can create a wallet?

No.
Ford (OP)
October 17, 2013, 08:29:17 PM
 #7


Unfortunately, the best way isn't necessarily easy.  It involves wiping a hard drive, then installing a known good, clean, version of an operating system, then installing some trusted address generating software, then hand writing the addresses and private keys on paper, then destroying the hard drive (or at least making sure it is sufficiently wiped to avoid recovery of data).

There are several choices of offline address generating software out there.  I haven't had a chance to check on the code of any of them, so I'm not ready to trust them yet.  Others may stop by with their own suggestions of which software they trust.  Some of them will generate QR-Codes and print in a nice formatted template. For now, I only trust Bitcoin-Qt.

How would Bitcoin-QT create multiple wallets, as i have not worked out how to do this yet

Paper wallets are not exactly user functionality for Bitcoin-Qt, but with some effort it can be done.

  1. Install Bitcoin-Qt on a PC that has NO network connection at all
  2. Click on the "New Address" button in the "receive coins" section
  3. Write the new address down on a piece of paper
  4. Choose "Console" in the "Debug Window" found under the "Help" menu
  5. Enter the following command where bitcoinAddress is the address you wrote down in step 3:
              dumpprivkey bitcoinAddress
  6. Write the private key on the same piece of paper

Voilà! You now have a paper wallet.

You can delete the installation of Bitcoin-Qt and wipe the hard-drive if you like.

+ will i need the full blockchain before i can create a wallet?

No.


Thank you very much for the details, although not what I wanted to hear  Grin

I am working on a "bitcoin based website idea" and will need to be able to generate (not on the website) multiple paper wallets... ideally around 100 a go..... and then input the public keys into the website.
Wiping the Hard Drive will not be required (I don't think) as the PC that generates the addresses would never connect to the internet and will be stored in a very large secure and fireproof safe (I could also encrypt the drive).
(at present I am still working on the website coding, and was assuming that generating multiple paper wallets would be easy.....)

Working with or coding for bitcoin is fun, but extremely testing at times  Roll Eyes ...........

Thanks Ford

DannyHamilton
October 17, 2013, 09:03:33 PM
 #8

Thank you very much for the details, although not what i wanted to hear  Grin

I am working on a "bitcoin based website idea" and will need to be able to generate (not on the website) multiple paper wallets... ideally around 100 a go..... and then input the public keys into the website.
Wiping the Hard Drive will not be required (i dont think) as the PC that generates the addresses would never connect to the internet and will be stored in a very large secure and fireproof safe (i could also encrypt the drive).
(at present i am still working on the website coding, and was assuming that generating multiple paper wallets would be easy.....)

Working with or coding for bitcoin is fun, but extremely testing at times  Roll Eyes ...........

Thanks Ford

Note there are several sources of programs that already exist that can generate paper wallets, I simply choose not to trust them.

As long as they are running on a computer that is and will remain offline, you just need to be sure that they are using a sufficiently random source for the private key (that the creator of the program isn't working from some private key generation that they can recreate separately).  Some of the solutions available are open-source, so you can review them yourself.
flatfly
October 17, 2013, 09:49:56 PM
 #9

Shameless plug for NoBrainr... With just 25 lines of Python code and address generation seeded by /dev/urandom, it's probably the easiest tool to review and analyze, even for non-developers Smiley

See signature...
kramble
October 17, 2013, 11:09:11 PM
 #10

Note there are several sources of programs that already exist that can generate paper wallets, I simply choose not to trust them.

Even if you don't trust the likes of bitaddress.org, there is no need to install an operating system then wipe the hard drive. A livecd of ubuntu (or some other linux) will do the job perfectly well. Boot it up, install the dependencies off the web (to the ramdisk that it is running on), then compile bitcoind (bitcoin-qt is unnecessary if you are just going to dump the privkey, but it would do the job just as well). Disconnect from the internet, start the daemon and dump your virgin private key(s). Print them off or copy them down by hand then power off and all trace is wiped (though I wouldn't necessarily trust a modern printer not to have some residue of the print job, but perhaps that's taking paranoia too far).

It's not novice-level stuff, but there are howto guides to help out. (And I'm mentioning this because I was doing just this thing today, albeit with Blakecoin rather than Bitcoin, and to a VM rather than a standalone PC, and no, it wasn't quite as straightforward as I'd have liked, the dependencies took some googling to sort out).

Github https://github.com/kramble BLC BkRaMaRkw3NeyzsZ2zUgXsNLogVVkQ1iPV
imrer
October 17, 2013, 11:19:16 PM
 #11

Note there are several sources of programs that already exist that can generate paper wallets, I simply choose not to trust them.

Even if you don't trust the likes of bitaddress.org, there is no need to install an operating system then wipe the hard drive. A livecd of ubuntu (or some other linux) will do the job perfectly well. Boot it up, install the dependencies off the web (to the ramdisk that it is running on), then compile bitcoind (bitcoin-qt is unnecessary if you are just going to dump the privkey, but it would do the job just as well). Disconnect from the internet, start the daemon and dump your virgin private key(s). Print them off or copy them down by hand then power off and all trace is wiped (though I wouldn't necessarily trust a modern printer not to have some residue of the print job, but perhaps that's taking paranoia too far).

It's not novice-level stuff, but there are howto guides to help out. (And I'm mentioning this because I was doing just this thing today, albeit with Blakecoin rather than Bitcoin, and to a VM rather than a standalone PC, and no, it wasn't quite as straightforward as I'd have liked, the dependencies took some googling to sort out).

Could you please share howto guides that helped you? I'd like to know how to generate paper wallets and then how to use bitcoins from that wallet if necessary.

Start your own casino site: » CoinDice | CoinWheel «
Thursday
October 17, 2013, 11:20:20 PM
 #12

Speaking of paper wallets can someone explain to me how to download the bitaddress.org wallet generator for offline use?

1AXBRFK5a8dP7z8T3gb3hvUjm2F6KYFmgS
kramble
October 17, 2013, 11:26:33 PM
 #13

Speaking of paper wallets can someone explain to me how to download the bitaddress.org wallet generator for offline use?

Go to https://github.com/pointbiz/bitaddress.org (it's linked from bitaddress.org), click on "Download Zip" on the right hand side of the page. Copy the zip archive to your offline computer, unzip it and click on bitaddress.org.html.

Github https://github.com/kramble BLC BkRaMaRkw3NeyzsZ2zUgXsNLogVVkQ1iPV
DannyHamilton
October 17, 2013, 11:29:18 PM
 #14

there is no need to install an operating system then wipe the hard drive.

I suppose it all depends on just how paranoid you are and how secure you want to be.

install the dependencies off the web (to the ramdisk that it is running on),

You're not suggesting actually connecting the computer to the internet, right?

Disconnect from the internet

Oh!  You are!  Sorry, at that point you might as well just run it connected to the internet.  Why bother disconnecting?


kramble
October 17, 2013, 11:49:09 PM
 #15

there is no need to install an operating system then wipe the hard drive.

I suppose it all depends on just how paranoid you are and how secure you want to be.

install the dependencies off the web (to the ramdisk that it is running on),

You're not suggesting actually connecting the computer to the internet, right?

Disconnect from the internet

Oh!  You are!  Sorry, at that point you might as well just run it connected to the internet.  Why bother disconnecting?

Indeed, this was somewhat of a quirk of the task I was attempting to accomplish (to wit compiling blakecoin-qt from github).

It's less of a problem with bitcoin as the installation procedure on ubuntu would appear less painful (and I'm not the expert here as I haven't actually done one). So it appears you download the ubuntu PPA from http://bitcoin.org/en/download (though even that looks pretty scary at first sight), then copy that onto your offline livecd ubuntu PC (via USB stick I guess, or burn it to a CD). Pretty much the same task as if you're installing to hard disk. Does it have all the dependencies sorted out? I'll have to try it out to see.

Anyway, the reason for disconnecting from the internet before running bitcoind/bitcoin-qt was to eliminate any back-channel. Of course if the OS has already been compromised due to the internet connection used during the installation, then the private keys generated may have been pre-compromised in some way (say a hacked RNG), but that's a risk however you source your OS/bitcoin.

I'll have a play with it tomorrow (getting past my bedtime here), and add some links to the howtos (I was mainly following the instructions in https://github.com/bitcoin/bitcoin/blob/0.8.5/doc/readme-qt.rst which don't actually work on ubuntu 11.10 as libdb4.8++-dev is not available and you need libdb5.1++-dev instead)

Github https://github.com/kramble BLC BkRaMaRkw3NeyzsZ2zUgXsNLogVVkQ1iPV
Thursday
October 18, 2013, 03:24:57 AM
 #16

Speaking of paper wallets can someone explain to me how to download the bitaddress.org wallet generator for offline use?

Go to https://github.com/pointbiz/bitaddress.org (it's linked from bitaddress.org), click on "Download Zip" on the right hand side of the page. Copy the zip archive to your offline computer, unzip it and click on bitaddress.org.html.

Thanks

1AXBRFK5a8dP7z8T3gb3hvUjm2F6KYFmgS
wachtwoord
October 18, 2013, 03:29:39 AM
 #17


Unfortunately, the best way isn't necessarily easy.  It involves wiping a hard drive, then installing a known good, clean, version of an operating system, then installing some trusted address generating software, then hand writing the addresses and private keys on paper, then destroying the hard drive (or at least making sure it is sufficiently wiped to avoid recovery of data).

There are several choices of offline address generating software out there.  I haven't had a chance to check on the code of any of them, so I'm not ready to trust them yet.  Others may stop by with their own suggestions of which software they trust.  Some of them will generate QR-Codes and print in a nice formatted template. For now, I only trust Bitcoin-Qt.

How would Bitcoin-QT create multiple wallets, as i have not worked out how to do this yet

Paper wallets are not exactly user functionality for Bitcoin-Qt, but with some effort it can be done.

  1. Install Bitcoin-Qt on a PC that has NO network connection at all
  2. Click on the "New Address" button in the "receive coins" section
  3. Write the new address down on a piece of paper
  4. Choose "Console" in the "Debug Window" found under the "Help" menu
  5. Enter the following command where bitcoinAddress is the address you wrote down in step 3:
              dumpprivkey bitcoinAddress
  6. Write the private key on the same piece of paper

Voilà! You now have a paper wallet.

You can delete the installation of Bitcoin-Qt and wipe the hard-drive if you like.

+ will i need the full blockchain before i can create a wallet?

No.


Thank you very much for the details, although not what i wanted to hear  Grin

I am working on a "bitcoin based website idea" and will need to be able to generate (not on the website) multiple paper wallets... ideally around 100 a go..... and then input the public keys into the website.
Wiping the Hard Drive will not be required (i dont think) as the PC that generates the addresses would never connect to the internet and will be stored in a very large secure and fireproof safe (i could also encrypt the drive).
(at present i am still working on the website coding, and was assuming that generating multiple paper wallets would be easy.....)

Working with or coding for bitcoin is fun, but extremely testing at times  Roll Eyes ...........

Thanks Ford

I would very much advise you use Armory for paper wallets. For true security use the offline method. I was going to link you but etotheipi has changed the site and the wonderful tutorials are gone....

I'm messaging him now.

Edit:

Here it is: http://bitcoinarmory.com/about/using-our-wallet/#offlinewallet
kramble
October 18, 2013, 01:13:47 PM
Last edit: October 18, 2013, 01:53:19 PM by kramble
 #18

This is somewhat off topic to the OP, but since the question has been asked...

To recap: Danny Hamilton is concerned about "unofficial" privatekey/address generators and prefers bitcoin-qt installed on the hard disk of an offline PC. I suggested that a livecd would do the job perfectly well without the need for a hard disk install, but my suggested method requires an internet connection to install. So I took a further look.

I concluded that this is unavoidable for the casual user. The ubuntu installation needs an internet connection to install the official sources of bitcoin-qt plus their dependencies (whether installing to a livecd or a hard disk).

While an expert user may be able to download the various packages online via a separate computer, then copy them onto the offline PC for installation via sneakernet, it's not a simple procedure (and I'm not even going to try as I'm not that expert).

Interestingly a windows installation to hard disk may be possible completely offline, but then you have the issue of activating the license without an internet connection (plus the cost of said license).

So I went with the official bitcoin-qt from http://bitcoin.org/en/download
Selecting Ubuntu PPA goes to https://launchpad.net/~bitcoin/+archive/bitcoin

And technical details about this PPA ...
Choose your Ubuntu version offers ...
Raring(13.04), Quantal(12.10), Precise(12.04), Lucid 10.04

Looking at the ubuntu http://www.ubuntu.com/download/desktop ...
this offers 12.04 LTS and 13.10 (others are available via previous version link)

So let's go with 12.04 LTS (32 bit) a 707MB download

For testing I installed it onto a VirtualBox VM with 2048GB Ram (no hard disk)
Since we'll need it for the installation I left the network option enabled.

Once it boots select "Try Ubuntu"
We're going to need a terminal shell, which Ubuntu unhelpfully hides, so click on the top left icon "dash home" and type "terminal" in the search box, select the first option, which opens a terminal and adds an icon for it. It's useful to have more than one, so right click on the icon and open a few more.

Now type:
sudo add-apt-repository ppa:bitcoin/bitcoin
Press enter to accept, and note that the key 8842CE5E has been imported.

Type (perhaps in the other terminal so we don't lose the previous message):
sudo apt-get update

It's not at all obvious what to do next, so let's try:
sudo apt-get install bitcoin-qt

And we get a bunch of errors about dependencies. This is fixed as follows...
We want "software sources" which used to be in "system settings", but it's missing in this version of ubuntu, so go to "dash home" and search for "update manager" and start it. Click on settings, uncheck the updates (unless you really want them), then on the Ubuntu Software tab select all of the checkbox options. Now we can do:

sudo apt-get update
sudo apt-get install bitcoin-qt

Right click on the network icon (next to the clock on top right) and disable otherwise it will download the blockchain and fill up the ramdisk (this is a livecd).

Go to "dash home" and search for "bitcoin", and run it.

Press ALT, help then debug window, console tab
getaccountaddress ""
dumpprivkey ADDRESS

Now I prefer to use bitcoind, so exit bitcoin-qt, reenable the network and...

sudo apt-get install bitcoind

Disconnect from the network again.

cd .bitcoin (it already exists since we ran bitcoin-qt, note the "dot" prefix before bitcoin)

nano bitcoin.conf (I prefer vi myself, but that's definitely not for novices)
server=1
daemon=1
listen=1
rpcuser=username
rpcpassword=password
CTRL-O (enter)
CTRL-X

bitcoind (starts the server)
bitcoind getinfo (check its working)
bitcoind getnewaddress
bitcoind dumpprivkey ADDRESS

This can easily be automated via a simple shell script, eg
# Generate 100 address/private-key pairs, one "ADDRESS KEY" pair per line
for i in $(seq 1 100)
do
    ADDR=$(bitcoind getnewaddress)
    KEY=$(bitcoind dumpprivkey "$ADDR")
    echo "$ADDR $KEY" >> keyfile.txt
done

Enjoy (and if I've made any mistakes here, just let me know)

Github https://github.com/kramble BLC BkRaMaRkw3NeyzsZ2zUgXsNLogVVkQ1iPV
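
An added example, not part of kramble's post: a Python check for a keyfile.txt in the "ADDRESS KEY" layout the loop above writes, or for keys retyped from paper. It verifies each field's Base58Check checksum, version byte and length, rejects out-of-range keys and flags repeated keys; it does not prove that an address belongs to the key beside it. Function names and the sample lines are constructed for illustration (the sample uses the publicly known private key 1).

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Order of the secp256k1 group: a valid private key is an integer in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def b58check_decode(text):
    """Return (version, payload); raise ValueError on a bad character or checksum."""
    num = 0
    for ch in text:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not in the Base58 alphabet")
        num = num * 58 + idx
    pad = len(text) - len(text.lstrip("1"))  # each leading '1' encodes a zero byte
    raw = b"\x00" * pad + num.to_bytes((num.bit_length() + 7) // 8, "big")
    if len(raw) < 5:
        raise ValueError("too short")
    body, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] != checksum:
        raise ValueError("checksum mismatch (likely a copying error)")
    return body[0], body[1:]


def check_address(addr):
    version, payload = b58check_decode(addr)
    if version != 0x00 or len(payload) != 20:
        raise ValueError("not a mainnet pay-to-pubkey-hash address")


def check_wif(wif):
    """Validate a dumpprivkey-style key and return it as an integer."""
    version, payload = b58check_decode(wif)
    if version != 0x80:
        raise ValueError("not a mainnet private key")
    if len(payload) == 33 and payload[-1] == 0x01:
        payload = payload[:-1]  # trailing 0x01 marks a compressed public key
    if len(payload) != 32:
        raise ValueError("unexpected key length")
    key = int.from_bytes(payload, "big")
    if not 1 <= key < N:
        raise ValueError("key outside the valid range")
    return key


def audit_keyfile(lines):
    """Check 'ADDRESS KEY' lines; return a list of (line_number, problem)."""
    problems, seen = [], {}
    for no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) != 2:
            problems.append((no, "expected two fields"))
            continue
        try:
            check_address(fields[0])
            key = check_wif(fields[1])
        except ValueError as exc:
            problems.append((no, str(exc)))
            continue
        if key in seen:  # a repeated key points at a broken generator or a copy slip
            problems.append((no, f"same key as line {seen[key]}"))
        seen.setdefault(key, no)
    return problems


# Constructed sample built from private key 1, which is public knowledge.
SAMPLE = [
    "1BgGZ9tcN4rm9KBzDn7KprQz87SZ26SAMH KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qYjgd9M7rFU73sVHnoWn",
    # last character of the key miscopied
    "1BgGZ9tcN4rm9KBzDn7KprQz87SZ26SAMH KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qYjgd9M7rFU73sVHnoWm",
    # same key again, in its uncompressed form
    "1EHNa6Q4Jz2uvNExL497mE43ikXhwF6kZm 5HpHagT65TZzG1PH3CSu63k8DbpvD8s5ip4nEB3kEsreAnchuDf",
]

if __name__ == "__main__":
    for no, problem in audit_keyfile(SAMPLE):
        print(f"line {no}: {problem}")
```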
DannyHamilton
October 18, 2013, 01:30:43 PM
 #19

- snip -
my suggested method requires an internet connection to install. So I took a further look.

I concluded that this is unavoidable for the casual user. The ubuntu installation needs an internet connection to install the official sources of bitcoin-qt plus their dependencies (whether installing to a livecd or a hard disk).

While an expert user may be able to download the various packages online via a separate computer, then copy them onto the offline PC for installation via sneakernet, its not a simple procedure (and I'm not even going to try as I'm not that expert).
- snip -

And now we see why I stated:

Unfortunately, the best way isn't necessarily easy.

It really comes down to just how paranoid you are and exactly what you are trying to protect against.

Really, the "best" method would probably be to write your own program that takes a private key as input and generates a bitcoin address as output.  Then run that on the computer that never has been and never will be connected to the internet.

Use measurements of radioactive decay to generate your private keys.

Hand write the private keys and bitcoin addresses on paper.

Make sure you use a single sheet, and that whatever surface you are writing on will not hold an impression of the writing.

Make sure there are no windows, or cameras in the room that can see any of what you are doing.

But really, we're getting a bit excessive here.

That's sort of my point.  When someone asks for:

the best way of generating multiple paper wallets . . . to maintain maximum security?

They rarely mean what they've said, and they've almost never given enough information to determine exactly what they actually mean.
kramble
October 18, 2013, 01:48:35 PM
 #20

They rarely mean what they've said, and they've almost never given enough information to determine exactly what they actually mean.

Yes, and I agree with everything you've said (you're quite right as usual). I wasn't having a pop at you earlier, just putting forward an alternative to a full hard disk install (which has its own security implications for one-off key generation).

The private key to address conversion is actually quite easy (pywallet has some very readable code for the ECDSA algorithm, and converting the resulting public key to an address is straightforward). The thing that is difficult to be certain of is the random number generation for the 256 bit private key, and I would baulk at coding this (you're generally relying on the OS for a good implementation of /dev/random). For a professional setup a hardware RNG is to be preferred.

Github https://github.com/kramble BLC BkRaMaRkw3NeyzsZ2zUgXsNLogVVkQ1iPV