This is a suggestion for a best-practice key management technique for everybody, using tools available today! At the end I am also suggesting a corresponding feature enhancement for clients/apps that support key control.

The situation
You print a paper wallet and store it somewhere in your house or flat.

The Problem

A thief may steal your paper wallet and with it your bitcoins, just the same way he could steal your gold treasure.

A first solution today

You print an encrypted paper wallet (BIP38), see e.g. bitaddress.org, current version 2.6.5 (or later).

But the Problem

The thief may hold a gun against your head and kindly ask you to disclose the password. Now the encryption is of little help to you; the only thing you could do is to say you forgot the password, but this may not seem plausible to the thief.

The SOLUTION
Combine the concept of a "paper wallet" with the concepts of "my own password" and "brain wallet", as follows:
1.) You print out your paper wallet, with e.g. Private Key = "5MyPrivatePaperWaLLetKey".
2.) You make up a 1st (easy) dummy password, e.g. "MyFirstSimplePW", and create the concatenated string "5MyPrivatePaperWaLLetKeyMyFirstSimplePW".
2b.) You use this string as the input of the brainwallet tool (which just calculates priv key = SHA256(input)). This gives you (after format conversion to WIF) the second private key "5MySecondPrivateKey".
3.) You think of a 2nd (difficult) serious passphrase, e.g. "My_very-s3ri0UsP4s5PhRA5e", and create the concatenated string "5MyPrivatePaperWaLLetKeyMy_very-s3ri0UsP4s5PhRA5e".
3b.) You use this string as the input of the brainwallet tool. This gives you the third private key "5MyThirdReaLLySafePrivateKey".
(The key strings in this example are placeholders to show the structure, not valid WIF keys; a real WIF private key is 51 or 52 Base58Check characters. Note also that the concatenation has to be byte-exact: the WIF string as printed, immediately followed by the password, with no space or newline in between, otherwise you derive a different key next time.)
4.1) You transfer a very small amount (e.g. 1% of your total BTC savings) to the Address of Key 1.
4.2) You transfer a bigger amount (maybe 10% of your total BTC savings) to the Address of Key 2.
4.3) You transfer the vast majority (e.g. 89% of your BTC savings) to the Address of Key 3.
Note: Of course you print out at least two copies of this paper wallet and deposit them in very different places.
With this best practice you now enjoy the following nice features:
- Your hidden keys are immune against the usual brain wallet dictionary and brute-force attacks, even if your password/passphrase is weak, because the input is salted with "private key 1": an attacker who does not hold the paper wallet has nothing to start from. (Once somebody does hold the paper wallet, the salt is known to him and only the strength of the passphrase protects the hidden keys; see the next point.)
- Theft detection and avoidance: In case your paper wallet gets secretly stolen, you will still notice the theft as soon as the thief redeems the balance of "Key 1" (you can configure a watch-only wallet on your smartphone, e.g. the Android app "wallet balance" or "bitcoin balance", to monitor this "indicator address")! Now you have time to move the funds of Key 2 and Key 3 to a new safe address. Probably the thief will never know that further keys can be derived from that paper wallet's private key and a password, so you would not have to bother about Key 2 and Key 3 at all. But even if he knew, he would have to brute-force passwords and check each candidate key against the blockchain, because any password he tries yields a valid key, and he does not know when to stop because he does not know how many times you have performed "step 2" (see above) with different passwords. Be aware, though, that the check itself is cheap: the set of funded addresses can be downloaded once and then each candidate is an offline lookup, so a thief holding the paper wallet can run through an ordinary password dictionary against it in no time. This is why Key 2 (derived from the easy password) should only hold an amount you are willing to lose, and why the 3rd passphrase has to be genuinely strong: against a strong passphrase the search really is a hopeless task for the poor thief.
- If a thief puts a gun to your head and asks you for the paper wallet, you give him the paper wallet and he is probably happy.
- Plausible deniability: If the thief knows about this "best-practice trick", he may ask you for the password/passphrase that is to be salted with this paper wallet's private key to yield the "hidden" private key. So you tell him your "simple password" from step 2 above. There is no way the thief can tell how many other such passwords exist. There could be none, or only one. There could be two. There could be hundreds. So you never tell the thief your third, serious passphrase, and the 89% of your BTC savings (in this example) are safe even against violent theft.
Finally, the same scheme can of course also be applied to electronic wallets. One suggestion for bitcoin client developers: It might be nice and really useful to incorporate this in any bitcoin client that supports key control (coin control), i.e. selection of the keys to spend from:
- In the "spend" dialog, the user selects the own address from which to spend.
- Then there is an optional field called something like "salt priv key with a password". If this field is filled in, the client creates the concatenation "<WIF_format_of_selected_key><password>" (exactly those bytes, with no separator or trailing newline, so that the result matches what a brainwallet tool produces from the same string) and calculates the SHA256 hash of it. The resulting 256-bit value is the new private key! The client must still check that the value is a valid secp256k1 scalar (non-zero and below the curve order); the chance of that check failing is negligible, but a client must reject such a result rather than produce a key that can never spend. The client then checks the balance of this key's address, and if there is indeed a balance, it can spend from it.
- This is nice because I can carry with me an ARBITRARY number of hidden keys per each "obvious key" in my wallet. And nobody can prove how many keys I really have.
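The derivation described in steps 1 to 3b above, and the "salt priv key with a password" client field just proposed, both come down to the same few operations: validate the paper wallet's WIF string, hash the concatenation of that string and the passphrase with SHA256, check that the result is a usable secp256k1 private key, and re-encode it as WIF. The following is an added example, written for this page and not code from the original post or from any bitcoin client; it uses only the Python standard library. The function names (derive_hidden_key, hidden_scalar, priv_to_wif and so on) are my own. Address derivation (the secp256k1 point multiplication and HASH160 step) is deliberately left out, so the script produces the hidden private keys in WIF form, which any key-import tool turns into the corresponding addresses. The "paper wallet" key in the demo is the well-known WIF test vector from the Bitcoin wiki (private key 0C28FC...AA1D), since the key strings in the post are placeholders and fail the Base58Check checksum, which the code refuses by design.

```python
"""Derive "hidden" brain-wallet keys salted with a paper wallet's WIF key.

Added example (not part of the original post). Implements
    hidden key = SHA256(<WIF of paper-wallet key> || <passphrase>)
and re-encodes the result as an uncompressed-format mainnet WIF string.
"""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Group order of secp256k1: a usable private key k must satisfy 1 <= k < N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def sha256d(data: bytes) -> bytes:
    """Double SHA256, as used for Base58Check checksums."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(payload: bytes) -> str:
    data = payload + sha256d(payload)[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    # Every leading zero byte becomes a leading '1' character.
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58check_decode(s: str) -> bytes:
    """Decode and verify a Base58Check string; raises ValueError on any defect."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-Base58 char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    data = b"\x00" * pad + body
    if len(data) < 5 or sha256d(data[:-4])[:4] != data[-4:]:
        raise ValueError("bad Base58Check checksum")
    return data[:-4]


def priv_to_wif(priv: bytes, compressed: bool = False) -> str:
    """Mainnet WIF: 0x80 || 32-byte key [|| 0x01 for compressed pubkeys]."""
    if len(priv) != 32:
        raise ValueError("private key must be 32 bytes")
    return b58check_encode(b"\x80" + priv + (b"\x01" if compressed else b""))


def wif_to_priv(wif: str) -> bytes:
    """Return the raw 32-byte key from a mainnet WIF string (either format)."""
    payload = b58check_decode(wif)
    if payload[0] != 0x80 or len(payload) not in (33, 34):
        raise ValueError("not a mainnet WIF private key")
    return payload[1:33]


def hidden_scalar(paper_wif: str, passphrase: str) -> bytes:
    """SHA256(paper_wif || passphrase), checked to be a valid secp256k1 scalar."""
    # Validate the paper key first: a mistyped WIF would silently give a
    # different hidden key, and the funds would look gone at the next attempt.
    wif_to_priv(paper_wif)
    # Exactly the bytes a brainwallet tool hashes: no separator, no newline.
    k = hashlib.sha256((paper_wif + passphrase).encode("utf-8")).digest()
    if not 1 <= int.from_bytes(k, "big") < SECP256K1_N:
        # Probability about 2**-128; the post ignores it, a client must not.
        raise ValueError("hash is not a valid secp256k1 scalar; use another passphrase")
    return k


def derive_hidden_key(paper_wif: str, passphrase: str) -> str:
    """WIF string of the hidden key derived from the paper key and passphrase."""
    return priv_to_wif(hidden_scalar(paper_wif, passphrase))


if __name__ == "__main__":
    # Constructed demo input: the Bitcoin wiki WIF test vector stands in for
    # the printed paper wallet; the passphrases are the ones from the post.
    paper = priv_to_wif(bytes.fromhex(
        "0C28FCA386C7A227600B2FE50B7CAE11EC86D3BF1FBE471BE89827E19D72AA1D"))
    print("Key 1 (paper wallet): ", paper)
    print("Key 2 (simple password):", derive_hidden_key(paper, "MyFirstSimplePW"))
    print("Key 3 (serious passphrase):",
          derive_hidden_key(paper, "My_very-s3ri0UsP4s5PhRA5e"))
```

Because the derivation is deterministic, anyone who holds the paper wallet can recompute Key 2 from any candidate password with a single SHA256 call; the script also shows why a client implementing this must hash the WIF string exactly as printed, since a space or newline between key and password changes the result.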