Protecting my offline wallets from physical theft

[bitcoinrocks]

Currently I have my BTC, LTC, NMC, PPC, and XPM in each of the clients on my Linux computer.  This worries me because if my computer is physically stolen, I would lose access to my coins permanently.  I've read about the various procedures for protecting coins from online attackers, but right now I'd like to protect my coins in the event my computer is stolen.  Should encrypting and backing up each wallet to a series of safe computers somewhere accomplish this?  It's OK if one of the backups is stolen since the backed up wallet is encrypted, right?

The procedure for this in the *-qt clients seems to be Encrypt Wallet and Backup Wallet, and for multibit it seems to be Add Password and Export Private Keys.  Is that correct?

[bitpop]

Do that but put them in a encfs file, rar file or truecrypt. Then publish publicly

[bitcoinrocks]

I've encrypted each wallet and backed them up.

If the password I use to encrypt my wallets is compromised or otherwise deemed non-secure at some point, do I need to hunt down and delete all backed up copies which used that password?

Why is /home/user/MultiBit/multibit.key only 132 bytes when the wallet backups from all of the other clients are over 50 KB?

Multibit asks me if I want to password-protect the exported file when I Export Private Keys.  Is that redundant if I've already added a password via Add Password?

[bitpop]

Add all the passwords you can, different ones. Double or triple rar.

Also no hunting, simply sweep into new wallet.

[StevenS]

If the password I use to encrypt my wallets is compromised or otherwise deemed non-secure at some point, do I need to hunt down and delete all backed up copies which used that password?

If the password is deemed non-secure, and the wallet (private key) that is protected by that password could be available to leaks, then your only choice is to transfer all the BTC from that compromised address to a new, secure one.

If you know the wallet that is protected by that password is still secure on your machine, then you only need to change to a more secure password.

Why is /home/user/MultiBit/multibit.key only 132 bytes when the wallet backups from all of the other clients are over 50 KB?

MultiBit separates the private key from other wallet data (which may include transactions, balance, etc.) Only the private key is needed to completely restore a wallet.

Multibit asks me if I want to password-protect the exported file when I Export Private Keys.  Is that redundant if I've already added a password via Add Password?

No. If the private key is exported without a password, then you'll have the encrypted copy in the wallet, and an unencrypted copy in the multibit.key file.

When you export a private key from MultiBit, you choose to add a password or not depending on what you will do with that file. If you will be transferring it over a network, then you should choose a password. However, if you are merely sending it directly to a printer, you can save it without a password, as long as you make sure it is securely deleted after you have printed it. Then store the printout in a safe.

Mycelium is another client I use that has a unique method of backing up. It creates a PDF file with encrypted private key(s) and displays the (secure) encryption password on the screen only. After you print the PDF file, you write the password on the printout with a pen, then store it in a safe. This method ensures that anyone who intercepts the printout before you have it will be unable to use it without the password that is only shown on the screen of your smartphone.

[Dabs]

I'm just wondering about your computer. Is it a desktop? Is it a laptop?

When you talk about physical theft, it brings to mind physical security and access to where you actually have your computer.

In any case, you need redundant encrypted backups as theft is only one problem, and probably not your biggest problem. If some disaster hits, you've got it covered. And regardless, as soon as you can, you should sweep all your coins to a new wallet after anything happens.

[antimattercrusader]

Hard drive failure is the biggest threat. I'd recommend encrypted DVD, and flash disks in several locations, as well as at least one paperwallet hidden somewhere

[bitcoinrocks]

If the password is deemed non-secure, and the wallet (private key) that is protected by that password could be available to leaks, then your only choice is to transfer all the BTC from that compromised address to a new, secure one.

If you know the wallet that is protected by that password is still secure on your machine, then you only need to change to a more secure password.

What if you back up your private keys along with the rest of your system backups which are then versioned via rdiff-backup?  I would think you'd have to delete all remnants of your private keys from your versioned backups in case they are compromised in the future and used with your non-secure password?  I'm not sure if rdiff-backup will do that but hopefully.

No. If the private key is exported without a password, then you'll have the encrypted copy in the wallet, and an unencrypted copy in the multibit.key file.

But on *-qt clients, if the wallet is encrypted with a password then the exported wallet will also be encrypted?

[bitcoinrocks]

Can anyone confirm the above two things for me?

I also noticed the following:

http://bitcoin.org/en/secure-your-wallet

Backup your entire wallet

Some wallets use many hidden private keys internally. If you only have a backup of the private keys for your visible Bitcoin addresses, you might not be able to recover a great part of your funds with your backup.

Make regular backups

You need to backup your wallet on a regular basis to make sure that all recent Bitcoin change addresses and all new Bitcoin addresses you created are included in your backup. However, all applications will be soon using wallets that only need to be backed up once.

Are these both non-issues with Multibit and the *-qt wallets?

[LiteCoinGuy]

Hard drive failure is the biggest threat. I'd recommend encrypted DVD, and flash disks in several locations, as well as at least one paperwallet hidden somewhere

yes, please dont store all coins on that pc  !

[bitpop]

Multibit might be an issue. Qt and armory are seeded

[7Priest7]

Hard drive failure is the biggest threat. I'd recommend encrypted DVD, and flash disks in several locations, as well as at least one paperwallet hidden somewhere

Modern hard drives are not realistically susceptible to a full fledged crash.
At a software/os level hdd issues can occur, usually due to improper shutdowns.

First of all, I would suggest hdd encryption on the system you are using for offline storage.
That will protect the bitcoins/wallets.

Having a hidden/possibly encrypted private key in paper form would be wise.
You can store a private key with some extra encryption.
Do not disclose how the printed key is encrypted and run it through various algorithms.
Only you would you would how-to decrypt the paper copy and to a observer of the paper it would like nonsense.
It should be pretty darn safe.
You would be able to decrypt and transfer LONG before a thief could.

[bitcoinrocks]

I would suggest hdd encryption on the system you are using for offline storage. That will protect the bitcoins/wallets.

Why encrypt the hard drive to protect the wallet when only the wallet itself needs to be encrypted which is done via the client?

[Dabs]

I would suggest hdd encryption on the system you are using for offline storage. That will protect the bitcoins/wallets.

Why encrypt the hard drive to protect the wallet when only the wallet itself needs to be encrypted which is done via the client?

Encrypted wallets (by the client) do not protect privacy. They only protect the private keys. The bitcoin addresses are still in the open.

If you encrypt your hard drive, no one sees anything.

[jbreher]

Modern hard drives are not realistically susceptible to a full fledged crash.

I would argue strenuously against this assertion. If employed indefinitely, every HDD will fail. Every. Damn. One.

[Soros Shorts]

Here is a simple solution that I use:

Place the encrypted wallet into an encrypted RAR/ZIP file protected by a strong passphrase. Put one copy of the file in a safe deposit box (USB drive) and the another copy on some online cloud storage or webmail account. Use a non-obvious name for the file.

Delete all other copies of the wallet. You can optionally do a DoD 3 wipe of the disk that held the wallet.

If it is a savings wallet, you can continue send BTC to the receiving address(es) in the wallet and check the balance on Blockchain.info.

If you ever restore the wallet to spend BTC, make sure to update all the cold backups so that you capture all the change addresses.

[bitcoinrocks]

If you ever restore the wallet to spend BTC, make sure to update all the cold backups so that you capture all the change addresses.

This worries me.  So if I back up my private key and continue to use my wallet, the backed-up private key does not back up my entire balance at some point?

[xrturbs]

I have my pc setup with 2x hard drives in a raid mirror , if one drive fails(and hard drives all fail at some point) I put another in and it rebuilds the image. I also backup my wallet .dat files to a USB stick and hide in case pc is stolen

[RoxxR]

If you ever restore the wallet to spend BTC, make sure to update all the cold backups so that you capture all the change addresses.

This worries me.  So if I back up my private key and continue to use my wallet, the backed-up private key does not back up my entire balance at some point?

Depends on your client. If you re using electrum or armory, you re ok.

[XBBlade]

Harddrive faillure odds are bigger than theft. So backup your wallet on 2 USB sticks to be sure.