Paper wallets from Mac

[sisenor]

First, please tell me if the following procedure for creating a paper wallet from my Mac sounds bulletproof:

1)Boot to Ubuntu live dvd
2)Run bitaddress.org html file from flash drive
3)Create bip38 encrypted keys from six-word, diceware-derived passphrase
4)Print keys with networkless label maker
5)Keep keys in safe deposit box

Is there anything wrong with this? Might anything be compromised? The bitaddress.org html file?

Next, I'm wanting to create a Truecrypt-encrypted flash drive as a secondary means of storage of paper wallet that I can keep at home. I haven't been able to figured out how to do it from the Ubuntu live cd while generating keys, although that would be ideal if possible. I tried having a linux truecrypt install file on the flash drive with the bitaddress.org html file but couldn't get that to work. So what if, after generating keys as per above, I:

1)Unplug my router and login as guest on my Mac
2)save keys in text file to Truecrypt-encrypted flash drive

Thanks!

[Cubic Earth]

Bitaddress.org could easily be compromised. 

Ask yourself:

How do you know the random number generator is truly random?
I would throw in a few manual changes to the private key it gives you.

How do you know the address are being correctly derived from the supposedly random private keys?
I would check the private key / address pair against other bitcoin software to make sure they match.

That's what I do at least.

[sisenor]

Bitaddress.org could easily be compromised. 

Ask yourself:

How do you know the random number generator is truly random?
I would throw in a few manual changes to the private key it gives you.

How can I go about doing that while making sure it's still a valid address?  I know there is a checksum at the end or something but I don't know what I can change in the address.

How do you know the address are being correctly derived from the supposedly random private keys?
I would check the private key / address pair against other bitcoin software to make sure they match.

That's what I do at least.

Thanks, that sounds like a good idea.  Maybe grab html from brainwallet.org, bitaddress.org, and a third like

[Cubic Earth]

Paste the private key under the 'Wallet Details' tab on bitaddress.org.  Make a change or three, then tell it to generate the new address.  If gives you an address, you made valid changes, if it says 'invalid private key', try some other changes instead.  There are just a few things you cant do, like using I, 0, l, 0,o.

I've used armory and the QT client to double check addresses, but it can be hard getting them to run off a live CD.  You could do all of this with a spare drive, then when you are finished, boot off the live CD and overwrite the drive with zeros several times.

[theecoinomist]

Bitaddress.org could easily be compromised. 

Ask yourself:

How do you know the random number generator is truly random?

Don't rely on RNG, use brain wallet option to generate a keypair

[sisenor]

Paste the private key under the 'Wallet Details' tab on bitaddress.org.  Make a change or three, then tell it to generate the new address.  If gives you an address, you made valid changes, if it says 'invalid private key', try some other changes instead.  There are just a few things you cant do, like using I, 0, l, 0,o.

I've used armory and the QT client to double check addresses, but it can be hard getting them to run off a live CD.  You could do all of this with a spare drive, then when you are finished, boot off the live CD and overwrite the drive with zeros several times.

But this won't work with a bip38-encrypted key will it?

Don't rely on RNG, use brain wallet option to generate a key pair

Likewise, this won't work with bip38 either.

I wonder if using bip38 offsets concern over bitaddress.org's RNG.

Also, what about my question about creating a Truecrypt flash drive?

[sisenor]

Bump please

[theecoinomist]

With BitAddress, I can see you kinda have to choose, I would rather keep my private key unencrypted (offline that is) than have it generated by RNG and encrypted.. (I hear great things from great people about the Armory wallet used on an offline computer, perhaps that is worth looking into)

Also, why TrueCrypt? Isn't Gpg more suited for this?

[sisenor]

With BitAddress, I can see you kinda have to choose, I would rather keep my private key unencrypted (offline that is) than have it generated by RNG and encrypted.. (I hear great things from great people about the Armory wallet used on an offline computer, perhaps that is worth looking into)

Also, why TrueCrypt? Isn't Gpg more suited for this?

I think last time I looked into Armory it was windows only?  Doesn't it also fetch the entire blockchain?  I already run Bitcoin-Qt so maybe that's why I started exploring other options.  But I'll take another look...

As for Truecrypt, I'm just using it to encrypt a drive.  I'm not familiar with Gpg or encryption standards in general really.  Why would it be better?

[ralree]

With BitAddress, I can see you kinda have to choose, I would rather keep my private key unencrypted (offline that is) than have it generated by RNG and encrypted.. (I hear great things from great people about the Armory wallet used on an offline computer, perhaps that is worth looking into)

Also, why TrueCrypt? Isn't Gpg more suited for this?

I think last time I looked into Armory it was windows only?  Doesn't it also fetch the entire blockchain?  I already run Bitcoin-Qt so maybe that's why I started exploring other options.  But I'll take another look...

As for Truecrypt, I'm just using it to encrypt a drive.  I'm not familiar with Gpg or encryption standards in general really.  Why would it be better?

Armory's not windows only - works in Linux and I even recently tried an OSX version, but it's not "there" yet.  I does fetch the blockchain using bitcoind, so if you've already done that, you're good.  I really like multibit - even in the Linux machine I use for bitcoin it works great.

Truecrypt will help if your computer gets stolen, but if you get hacked while it's running (much more likely) then they'll be able to keylog you and get your bitcoins.

Consider getting VMWare Fusion and making a rather hardcore Linux VM to keep your coins in.  It provides yet one more layer hackers would have to get into to get your money.

[sisenor]

Armory's not windows only - works in Linux and I even recently tried an OSX version, but it's not "there" yet.  I does fetch the blockchain using bitcoind, so if you've already done that, you're good.  I really like multibit - even in the Linux machine I use for bitcoin it works great.

Truecrypt will help if your computer gets stolen, but if you get hacked while it's running (much more likely) then they'll be able to keylog you and get your bitcoins.

Consider getting VMWare Fusion and making a rather hardcore Linux VM to keep your coins in.  It provides yet one more layer hackers would have to get into to get your money.

Thanks for your replies but this seems to have drifted towards a computer/client-based solution.  Still wanting best way to generate paper wallet.  And best way to encrypt a flash drive (although I'm now seeing that it makes sense to use Armory/Electrum/Multibit for local large sum storage).  I probably will move towards Armory/Electrum/Multibit if I see myself needing to move significant funds around, but right now I just have big chunks in a safe deposit box and pocket change I use blockchain.info/mycelium/Satoshi client.  I can see the use of Armory/Electrum/Multibit if you draw from cold storage frequently.

I use OS X primarily but run Parallels for Win 7 and Ubuntu and boot to a live dvd for anything dealing with keys.  My qt is running on my old computer, just serving a node and don't really want to mess with the blockchain on my main machine.  And I just use Truecrypt on my external backup drives to keep them off-limits.

P.S. Armory/Electrum/Multibit use RNG to generate their addresses anyway, why not do a 99 dice roll brainwallet?

[whiskers75]

Download bitcoinpaperwallet.com from GitHub.
Put on USB, and verify source if you're that paranoid.
Boot Ubuntu LiveCD.
Load bitcoinpaperwallet from USB.
Follow the easy steps.