Bitcoin Forum
Topic: Can non-techies keep their Bitcoin secure easily?
Ulysses1994XF04 (OP)
December 05, 2013, 10:46:21 PM
 #1

I discovered Bitcoin earlier this week and this forum shortly after; I've wanted to dip my toes in it, but in all honesty, I've been afraid to buy even one mBTC because of all the stories of hacking and scams I've read on here.

I've been trying to learn about how to set up a safe, secure Wallet, but when I read about people doing things like running Unix to access Apache servers on the Tor Network and encryption and writing subroutines in Java, it's all alien to me; I have no idea how any of these things work.

I just have an ordinary, Windows 8 laptop; I have no idea what kind of security features it has or if it's secure; I don't know if I've ever been hacked or had a virus. I have no idea if it's safe to set up a wallet on my computer. What can I do? What can an average computer user do to set up a safe, secure Wallet and keep their Bitcoins as hack/scam-proof as possible?
Gerain
December 05, 2013, 10:51:25 PM
 #2

Hi there,
My suggestion would be to encrypt your wallet with Passphrase.
hope4me
December 05, 2013, 10:58:33 PM
 #3

Don't know if still active, but look for hardware wallet project:

[PREORDER] Trezor: Bitcoin hardware wallet
https://bitcointalk.org/index.php?topic=122438.0
Ulysses1994XF04 (OP)
December 05, 2013, 11:01:05 PM
 #4

Hi there,
My suggestion would be to encrypt your wallet with Passphrase.

Is Passphrase a program or an app? Or are you asking me to assign a password to my wallet?

I set up a blockchain.info account, and I was required to assign a password from the start. I think it's pretty strong, but I have no idea how secure that site is or if my computer is secure; that's why I'm afraid to get started.
MAbtc
December 05, 2013, 11:06:39 PM
 #5

At this point, I would say that wallet security is definitely still beyond the average person. Hopefully, sooner than later, options will emerge that make securing your coins less technical.

Check out this link for some information: http://bitcoin.org/en/secure-your-wallet

The best way to secure your coins is to keep them offline. So, ideally you would have an offline machine or storage medium (flash drive, or paper, for instance) that cannot be reached through the internet.

When I decided to get serious about security, I bought a cheap Ubuntu notebook to keep strictly offline. I verified the PGP signature of my wallet download and transferred the install to the notebook. Offline, it can still generate a wallet and address -- I use this address on my online machine to send coins to cold storage.

If you keep coins on an online machine, make sure you encrypt your wallet with a strong password, set firewall to deny incoming connections, and ensure that your antivirus software is adequate/operational and fully updated. And don't keep your passwords saved on your machine. (All of this is still true with an offline machine)

You may look into running Linux/Ubuntu as a LiveCD on your Windows machine (disable networking/unplug all cables upon mounting), so you can simulate an offline machine without affecting your Windows OS.
https://en.bitcoin.it/wiki/How_to_set_up_a_secure_offline_savings_wallet

Also, take a look into PGP/other encryption. I prefer to keep the directory that houses my wallets/backups encrypted as an extra layer of security. It's complicated, though, and may take some time to get the hang of using it. You can encrypt single files using terminal commands (http://askubuntu.com/questions/98443/encrypting-files-and-folder-through-terminal) or look into something like TrueCrypt.

Damn it. I made this sound even more complicated. The fact is, it may take some time and frustration to understand everything. I still feel lost, myself, much of the time.
MAbtc
December 05, 2013, 11:08:32 PM
 #6

Hi there,
My suggestion would be to encrypt your wallet with Passphrase.

Is Passphrase a program or an app? Or are you asking me to assign a password to my wallet?

I set up a blockchain.info account, and I was required to assign a password from the start. I think it's pretty strong, but I have no idea how secure that site is or if my computer is secure; that's why I'm afraid to get started.

Blockchain.info is good for getting your feet wet. Don't fund too much in there, though. It is definitely inherently less secure than a desktop wallet.

I think the post earlier was suggesting that you assign a passphrase to your desktop wallet (like Bitcoin QT), if you have one. Encrypting your wallet is the first step.
Ulysses1994XF04 (OP)
December 05, 2013, 11:16:15 PM
 #7

At this point, I would say that wallet security is definitely still beyond the average person. Hopefully, sooner than later, options will emerge that make securing your coins less technical.

Check out this link for some information: http://bitcoin.org/en/secure-your-wallet

The best way to secure your coins is to keep them offline. So, ideally you would have an offline machine or storage medium (flash drive, or paper, for instance) that cannot be reached through the internet.

When I decided to get serious about security, I bought a cheap Ubuntu notebook to keep strictly offline. I verified the PGP signature of my wallet download and transferred the install to the notebook. Offline, it can still generate a wallet and address -- I use this address on my online machine to send coins to cold storage.

If you keep coins on an online machine, make sure you encrypt your wallet with a strong password, set firewall to deny incoming connections, and ensure that your antivirus software is adequate/operational and fully updated. And don't keep your passwords saved on your machine. (All of this is still true with an offline machine)

You may look into running Linux/Ubuntu as a LiveCD on your Windows machine (disable networking/unplug all cables upon mounting), so you can simulate an offline machine without affecting your Windows OS.
https://en.bitcoin.it/wiki/How_to_set_up_a_secure_offline_savings_wallet

Also, take a look into PGP/other encryption. I prefer to keep the directory that houses my wallets/backups encrypted as an extra layer of security. It's complicated, though, and may take some time to get the hang of using it. You can encrypt single files using terminal commands (http://askubuntu.com/questions/98443/encrypting-files-and-folder-through-terminal) or look into something like TrueCrypt.

Damn it. I made this sound even more complicated. The fact is, it may take some time and frustration to understand everything. I still feel lost, myself, much of the time.

I have no idea what encryption actually is; if it's just assigning a password, I've already done that. I'm fairly confident in my password; long, mixed-case letters, numbers and symbols. If you're asking me to do some actual programming, that's beyond my skill set. I really don't want to risk screwing up this computer.

I already have a blockchain.info wallet (albeit an empty one). I had asked on another thread if it's possible to set up a wallet on a 2.0 GB USB drive; didn't get any answers. Could I set up an "offline" Wallet on that?

Could I try buying a few mBTC, put it on a USB Wallet and bounce it back and forth between the USB Wallet and my blockchain.info Wallet, just to get a feel for how BTC transactions work? Is that a good idea?
hilariousandco
December 05, 2013, 11:19:41 PM
 #8

At this point, I would say that wallet security is definitely still beyond the average person. Hopefully, sooner than later, options will emerge that make securing your coins less technical.

Check out this link for some information: http://bitcoin.org/en/secure-your-wallet

The best way to secure your coins is to keep them offline. So, ideally you would have an offline machine or storage medium (flash drive, or paper, for instance) that cannot be reached through the internet.

When I decided to get serious about security, I bought a cheap Ubuntu notebook to keep strictly offline. I verified the PGP signature of my wallet download and transferred the install to the notebook. Offline, it can still generate a wallet and address -- I use this address on my online machine to send coins to cold storage.

If you keep coins on an online machine, make sure you encrypt your wallet with a strong password, set firewall to deny incoming connections, and ensure that your antivirus software is adequate/operational and fully updated. And don't keep your passwords saved on your machine. (All of this is still true with an offline machine)

You may look into running Linux/Ubuntu as a LiveCD on your Windows machine (disable networking/unplug all cables upon mounting), so you can simulate an offline machine without affecting your Windows OS.
https://en.bitcoin.it/wiki/How_to_set_up_a_secure_offline_savings_wallet

Also, take a look into PGP/other encryption. I prefer to keep the directory that houses my wallets/backups encrypted as an extra layer of security. It's complicated, though, and may take some time to get the hang of using it. You can encrypt single files using terminal commands (http://askubuntu.com/questions/98443/encrypting-files-and-folder-through-terminal) or look into something like TrueCrypt.

Damn it. I made this sound even more complicated. The fact is, it may take some time and frustration to understand everything. I still feel lost, myself, much of the time.

Good advice. A paper wallet may be the best option for OP, or blockchain.info if you're prepared to keep 'em online; I've had no problems with it, and the two-factor authentication, which sends a code to my mobile phone that I need to log in, is reassuring.

qwertyGuy
December 05, 2013, 11:23:13 PM
 #9

A paper wallet may be the best option for OP

Yes, but it is too complicated to generate a secure paper wallet for the average person
hilariousandco
December 05, 2013, 11:30:06 PM
 #10

A paper wallet may be the best option for OP

Yes, but it is too complicated to generate a secure paper wallet for the average person

Hmm... maybe. It's definitely daunting at first. Just try sending a little bit of BTC to test it out; if nobody nabs it after a while, keep topping it up bit by bit and you should be fine. The first thing to remember is just read as much info as you can about wallets and safely storing them. It seems impossible to be able to store them safely at first, but you quickly gain confidence.


Could I try buying a few mBTC, put it on a USB Wallet and bounce it back and forth between the USB Wallet and my blockchain.info Wallet, just to get a feel for how BTC transactions work? Is that a good idea?

Yes, you could do that, or get another cheaper Cryptocoin to play around with. FTC and IFC both use the same wallet applications, so if you get used to one you'll be used to 'em all, and if you do somehow lose the coins it won't be as bad as losing any BTC. You can usually get free IFC sent to you from people on these forums. Just keep an eye out for giveaways.

Ulysses1994XF04 (OP)
December 05, 2013, 11:36:22 PM
 #11

A paper wallet may be the best option for OP

Yes, but it is too complicated to generate a secure paper wallet for the average person

That and I do not have a printer; all I have is my laptop, a 2.0 GB USB drive and a Windows smartphone.
hilariousandco
December 05, 2013, 11:41:48 PM
 #12

A paper wallet may be the best option for OP

Yes, but it is too complicated to generate a secure paper wallet for the average person

That and I do not have a printer; all I have is my laptop, a 2.0 GB USB drive and a Windows smartphone.

You can write the public and private keys down instead. Just go with blockchain.info for now and/or get an Electrum wallet and encrypt it and back it up on the USB.

http://electrum.org/

Kam800
December 05, 2013, 11:50:35 PM
 #13

You don't need to encrypt your wallet. What if you forget the passphrase or maybe even die - your family can't reach into your cold dead brain and retrieve the passphrase! This would be worse than having your wallet stolen as the coins would be gone forever.

https://bitcointalk.org/index.php?topic=17240.0

This is all you need, and you have all the tools at hand to do it.

Spend a little time on it and make sure you're happy with the process. You are now 100% responsible for securing your own coins so it's worth the time investment. Heck, after Cyprus this will be even more secure than keeping your money in a bank.
hilariousandco
December 06, 2013, 12:01:16 AM
 #14

You don't need to encrypt your wallet. What if you forget the passphrase or maybe even die - your family can't reach into your cold dead brain and retrieve the passphrase! This would be worse than having your wallet stolen as the coins would be gone forever.

Not encrypting your wallet and keeping it on a computer is suicide. You could always tell your parents or somebody you trust with your password.

Apparently on the Armory wallet you can split your wallet into three parts and you only need two of the parts to retrieve your balance, but I need to read into that more, but it sounds pretty cool.

Ulysses1994XF04 (OP)
December 06, 2013, 12:36:11 AM
 #15

A paper wallet may be the best option for OP

Yes, but it is too complicated to generate a secure paper wallet for the average person

That and I do not have a printer; all I have is my laptop, a 2.0 GB USB drive and a Windows smartphone.

You can write the public and private keys down instead. Just go with blockchain.info for now and/or get an Electrum wallet and encrypt it and back it up on the USB.

http://electrum.org/

I just installed Electrum on my USB drive. There's a tab that says "Receive" and there are 5 BTC Addresses (or what look like Bitcoin addresses) underneath. Are these my offline, USB addresses?
MAbtc
December 06, 2013, 01:00:43 AM
 #16

At this point, I would say that wallet security is definitely still beyond the average person. Hopefully, sooner than later, options will emerge that make securing your coins less technical.

Check out this link for some information: http://bitcoin.org/en/secure-your-wallet

The best way to secure your coins is to keep them offline. So, ideally you would have an offline machine or storage medium (flash drive, or paper, for instance) that cannot be reached through the internet.

When I decided to get serious about security, I bought a cheap Ubuntu notebook to keep strictly offline. I verified the PGP signature of my wallet download and transferred the install to the notebook. Offline, it can still generate a wallet and address -- I use this address on my online machine to send coins to cold storage.

If you keep coins on an online machine, make sure you encrypt your wallet with a strong password, set firewall to deny incoming connections, and ensure that your antivirus software is adequate/operational and fully updated. And don't keep your passwords saved on your machine. (All of this is still true with an offline machine)

You may look into running Linux/Ubuntu as a LiveCD on your Windows machine (disable networking/unplug all cables upon mounting), so you can simulate an offline machine without affecting your Windows OS.
https://en.bitcoin.it/wiki/How_to_set_up_a_secure_offline_savings_wallet

Also, take a look into PGP/other encryption. I prefer to keep the directory that houses my wallets/backups encrypted as an extra layer of security. It's complicated, though, and may take some time to get the hang of using it. You can encrypt single files using terminal commands (http://askubuntu.com/questions/98443/encrypting-files-and-folder-through-terminal) or look into something like TrueCrypt.

Damn it. I made this sound even more complicated. The fact is, it may take some time and frustration to understand everything. I still feel lost, myself, much of the time.

I have no idea what encryption actually is; if it's just assigning a password, I've already done that. I'm fairly confident in my password; long, mixed-case letters, numbers and symbols. If you're asking me to do some actual programming, that's beyond my skill set. I really don't want to risk screwing up this computer.

Sorry in advance for the book. As I thought about it, it felt easier just to go through the motions of thinking about why this is important and how it works.

OK, on PGP. Yes, it is complicated, but I doubt it is beyond your skill set. Simply a new process to learn. Before thinking about encryption, it would be good practice now to consider learning how to ensure that what you think you are downloading is what you are actually downloading. This is especially important when dealing with software that could potentially target your wallet(s).

This is a taste of what it means to verify the integrity of and to authenticate certificates for files downloaded. In turn, that will necessitate creating a PGP keypair, and may prime you for working with PGP keys to encrypt your files.

So, a Windows user would go to http://gpg4win.org/ and download the full version. You can google the site for its web reputation. You can verify the integrity of the download using Microsoft's fciv utility found here: http://support.microsoft.com/kb/841290

When you unzip fciv, drop fciv.exe into C:\Windows. That way you can pull up Command Prompt (Accessories) and run fciv.exe from any location. So to verify the integrity of your gpg4win download, pull up Command Prompt, and enter "fciv [____.exe] -sha1" where [] = the exact file location of the gpg4win binary. This should produce a sha1 checksum that you can compare with the checksum found here: http://gpg4win.org/package-integrity.html

If your binary downloaded properly, these sums should match. That is about the extent of due diligence you can do prior to using encryption/decryption. Now that you have verified the integrity of the download, install gpg4win and run Kleopatra. You can now authenticate the download from gpg4win. You would create a new certificate, select PGP keypair, and input your desired user information and password. Once the certificate has been created, back it up and keep your information safe. You can now use this certificate to certify the earlier download.

You do this by downloading (and subsequently verifying) the release signature of the download, found next to the file you downloaded, here: http://gpg4win.org/package-integrity.html Download the corresponding .sig file into the same folder as the original download.

As stated, the signatures have been created with the following OpenPGP certificate:
Intevation File Distribution Key (Key ID: EC70B1B8) -- if you go to that source, you can scroll down to "Intevation-Distribution-Key" and download it (it is an .asc file). Then you "import certificate" and select that file. Verify that the fingerprints match, then you can certify it with your own key.

Now, you can go to File | Decrypt/Verify. Select the .sig file that you downloaded (you'll see that it corresponds to the .exe file in the same folder) and verify. You should now be able to validate the certificate -- giving you confidence that you have the original and unmodified file and not some malicious replacement.

......So now you know how to verify the integrity of your downloads and create a PGP certificate to authenticate those downloads.

Now, encrypting files with PGP is very easy and only one step away. But before encrypting anything -- make sure that your keypair is backed up and your password is SAFE and will not be lost. (It would be tragic to encrypt the directory housing your wallet without realizing the importance of your PGP password in decrypting it later on.) Also, when encrypting, remember to encrypt to your own certificate -- otherwise your private key is useless to decrypt it.

Here is a straightforward tutorial on signing and encrypting files in Kleopatra: http://www.gpg4win.org/doc/en/gpg4win-compendium_24.html

Again, I know it is a lot to take in. But if you are going to be holding an amount of money significant to you on your machine, another layer of encryption can provide great peace of mind.
Quote
I already have a blockchain.info wallet (albeit an empty one). I had asked on another thread if it's possible to set up a wallet on a 2.0 GB USB drive; didn't get any answers. Could I set up an "offline" Wallet on that?

Could I try buying a few mBTC, put it on a USB Wallet and bounce it back and forth between the USB Wallet and my blockchain.info Wallet, just to get a feel for how BTC transactions work? Is that a good idea?

You can set up cold storage on a USB drive, sure. With QT, for instance, just back up the wallet.dat file on the USB -- preferably, the wallet should be generated initially offline, the wallet should be encrypted before being stored, and all files on the drive encrypted.

Yes, I would recommend playing around with this a bit. Don't risk much when playing around with cold storage for the first time -- make sure that you are confident in your ability to retrieve your coins from storage before sending much.

Once you have transacted back and forth a few times and feel more confident, I would start over with a newly generated cold storage wallet that has never made outputs before.
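
The checksum-then-signature check described in the post above, as an added Python example that is not part of the original post: it hashes the download, compares it with the published checksum, and accepts a detached signature only when gpg's machine-readable status names the expected key fingerprint. The fingerprint and status lines are constructed samples (the real fingerprint must be taken from the gpg4win package-integrity page), and a `gpg` binary on the PATH is assumed for `verify_detached`.

```python
import hashlib
import subprocess

# Constructed placeholder, NOT the real distribution key fingerprint.
EXPECTED_FPR = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"

# Constructed sample of `gpg --status-fd 1 --verify` output: good signature.
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Distribution Key\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-12-05 "
    "1386201600 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
)
# Constructed sample: the file was altered after it was signed.
SAMPLE_BAD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 89ABCDEF01234567 Example Distribution Key\n"
)

# Status keywords that must cause rejection (expired keys are rejected too,
# which is a conservative policy choice made for this example).
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def file_digest(path, algorithm="sha1", chunk_size=1 << 20):
    """Hash a file in chunks so a large installer need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_matches(path, published, algorithm="sha1"):
    """Compare with a checksum pasted from the vendor page.
    Case and whitespace from copy/paste are ignored."""
    expected = "".join(published.split()).lower()
    return file_digest(path, algorithm) == expected


def normalize_fpr(fpr):
    """Fingerprints are often shown in spaced groups; compare without them."""
    return "".join(fpr.split()).upper()


def signer_from_status(status_text):
    """Return the primary-key fingerprint from a VALIDSIG line, or None
    if there is no valid signature or any signature was rejected."""
    fpr = None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT:
            return None
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            # Field 3 is the signing (sub)key; the last field, when present,
            # is the primary key, which is what vendors publish.
            fpr = parts[11] if len(parts) >= 12 else parts[2]
    return fpr


def signature_trusted(status_text, expected_fpr):
    """A 'good signature' counts only if it comes from the expected key."""
    signer = signer_from_status(status_text)
    return signer is not None and normalize_fpr(signer) == normalize_fpr(expected_fpr)


def verify_detached(sig_path, file_path, expected_fpr, gpg="gpg"):
    """Run gpg on a detached .sig and apply signature_trusted to its status."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify",
         str(sig_path), str(file_path)],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
        text=True, errors="replace",
    )
    return proc.returncode == 0 and signature_trusted(proc.stdout, expected_fpr)


if __name__ == "__main__":
    print("good sample accepted:", signature_trusted(SAMPLE_GOOD, EXPECTED_FPR))
    print("bad sample accepted: ", signature_trusted(SAMPLE_BAD, EXPECTED_FPR))
    print("wrong key accepted:  ", signature_trusted(SAMPLE_GOOD, "F" * 40))
```

The third case is the one a GUI check makes easy to miss: the signature is cryptographically good, but it was made by a key other than the one the vendor publishes.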
Ulysses1994XF04 (OP)
December 06, 2013, 01:52:34 AM
 #17

Sorry in advance for the book. As I thought about it, it felt easier just to go through the motions of thinking about why this is important and how it works.

OK, on PGP. Yes, it is complicated, but I doubt it is beyond your skill set. Simply a new process to learn. Before thinking about encryption, it would be good practice now to consider learning how to ensure that what you think you are downloading is what you are actually downloading. This is especially important when dealing with software that could potentially target your wallet(s).

This is a taste of what it means to verify the integrity of and to authenticate certificates for files downloaded. In turn, that will necessitate creating a PGP keypair, and may prime you for working with PGP keys to encrypt your files.

So, a Windows user would go to http://gpg4win.org/ and download the full version. You can google the site for its web reputation. You can verify the integrity of the download using Microsoft's fciv utility found here: http://support.microsoft.com/kb/841290

When you unzip fciv, drop fciv.exe into C:\Windows. That way you can pull up Command Prompt (Accessories) and run fciv.exe from any location. So to verify the integrity of your gpg4win download, pull up Command Prompt, and enter "fciv [____.exe] -sha1" where [] = the exact file location of the gpg4win binary. This should produce a sha1 checksum that you can compare with the checksum found here: http://gpg4win.org/package-integrity.html

If your binary downloaded properly, these sums should match. That is about the extent of due diligence you can do prior to using encryption/decryption. Now that you have verified the integrity of the download, install gpg4win and run Kleopatra. You can now authenticate the download from gpg4win. You would create a new certificate, select PGP keypair, and input your desired user information and password. Once the certificate has been created, back it up and keep your information safe. You can now use this certificate to certify the earlier download.

You do this by downloading (and subsequently verifying) the release signature of the download, found next to the file you downloaded, here: http://gpg4win.org/package-integrity.html Download the corresponding .sig file into the same folder as the original download.

As stated, the signatures have been created with the following OpenPGP certificate:
Intevation File Distribution Key (Key ID: EC70B1B8) -- if you go to that source, you can scroll down to "Intevation-Distribution-Key" and download it (it is an .asc file). Then you "import certificate" and select that file. Verify that the fingerprints match, then you can certify it with your own key.

Now, you can go to File | Decrypt/Verify. Select the .sig file that you downloaded (you'll see that it corresponds to the .exe file in the same folder) and verify. You should now be able to validate the certificate -- giving you confidence that you have the original and unmodified file and not some malicious replacement.

......So now you know how to verify the integrity of your downloads and create a PGP certificate to authenticate those downloads.

Now, encrypting files with PGP is very easy and only one step away. But before encrypting anything -- make sure that your keypair is backed up and your password is SAFE and will not be lost. (It would be tragic to encrypt the directory housing your wallet without realizing the importance of your PGP password in decrypting it later on.) Also, when encrypting, remember to encrypt to your own certificate -- otherwise your private key is useless to decrypt it.

Here is a straightforward tutorial on signing and encrypting files in Kleopatra: http://www.gpg4win.org/doc/en/gpg4win-compendium_24.html

Again, I know it is a lot to take in. But if you are going to be holding an amount of money significant to you on your machine, another layer of encryption can provide great peace of mind.

Currently downloading Gpg4win; just before I continue, what exactly is this going to do? I'm not sure I understand why I've got to do this.

Because I already have passwords for my Electrum wallet, and the wallet names I was assigned seem pretty complex. Is this whole process just going to add another layer of passwords around the software, the file or both?


Quote
You can set up cold storage on a USB drive, sure. With QT, for instance, just back up the wallet.dat file on the USB -- preferably, the wallet should be generated initially offline, the wallet should be encrypted before stored, and all files on the drive encrypted.

I actually cannot find a wallet.dat file; I did a full hard drive search. It's not on my USB drive either; all that appears on my USB is the Electrum program; and yet there appear to be Wallet IDs under the received tab.
GillyPony
December 06, 2013, 02:05:12 AM
 #18

I'm not sure, most of us don't even know what we have installed that could be dangerous.

We could try and make a fake file called wallet.dat that is 2GB and trick the virus; furthermore, we would know if it is trying to upload the wallet as your internet connection would be very slow.
Ulysses1994XF04 (OP)
December 06, 2013, 02:15:42 AM
 #19


So, a Windows user would go to http://gpg4win.org/ and download the full version. You can google the site for its web reputation. You can verify the integrity of the download using Microsoft's fciv utility found here: http://support.microsoft.com/kb/841290

When you unzip fciv, drop fciv.exe into C:\Windows.

I successfully got up to this stage; I downloaded fciv.exe and when I tried to click on it, the black box with white text that kinda looks like really old MSDOS pops up for a few milliseconds and the box closes automatically.

The next part I can't figure out

Quote
That way you can pull up Command Prompt (Accessories) and run fciv.exe from any location.

Windows 8 doesn't have Accessories; you have to click on Search on the right side of the screen and type Command Prompt.

I pull up the Command Prompt; it's another black box with white text that kinda looks like MSDOS and I type "fciv.exe." Nothing happens; it says "fciv.exe is not recognized as an internal or external command, operable program or batch file."
thewayshegoes
December 06, 2013, 02:32:17 AM
 #20

The Piper paper wallet printer might be a good option for someone who is non-techie. It's a completely offline printer that will print paper Bitcoin and Litecoin wallets. It will even let you plug in a USB and back up the keys to that as well. The website is piper.pw.