Separate public and private key wallets

[bswamina]

Is it possible to setup bitcoind such that it only uses a wallet with public keys and have a separate local (does not talk to the world) bitcoind with a wallet that has the private keys ? Want this setup so only transactions originating from my application will sign the raw transaction using the local bitcoind (using rpc) and then forward the signed transaction to the bitcoind connected to the internet. Any pointers/help appreciated

[bob123]

Want this setup so only transactions originating from my application will sign the raw transaction using the local bitcoind (using rpc) and then forward the signed transaction to the bitcoind connected to the internet.

This sounds risky if you don't know exactly what you are doing.
In order to this approach being secure, you definitely need to setup your bitcoind connected to the internet in a DMZ.

And firewalls between your subnetworks is a must-have. Preferably append a signature (not a bitcoin-signature) to the unsigned transaction when transferring it to the signing machine to guarantee integrity and authentication.

Also, note that this approach is NOT fully cold-wallet. In order to be a true cold setup, your signing machine should be not connected to any network at all.
As i understand from your post, your signing machine is in the same network as the online-machine?

[bswamina]

The full-node (bitcoind) connected to the internet is in the DMZ. The signing private node (bitcoind with private keys - cold wallet) is inside behind a firewall.

[achow101]

Is it possible to setup bitcoind such that it only uses a wallet with public keys and have a separate local (does not talk to the world) bitcoind with a wallet that has the private keys ?

Yes, but it is somewhat annoying to setup and it doesn't really work in the way that you would want it to.

On your offline wallet, get a bunch of addresses by using getnewaddress. Import these addresses into your online wallet using importmulti. Your online wallet will now track those addresses and your balance will update when those addresses receive coins.

Because those addresses are imported and are watching only, any time you do any wallet command, you must set whatever watching only option for that command to true, otherwise it will pull things from the online wallet itself and not the things you are watching.

HOWEVER, you cannot use getnewaddress or the GUI equivalent on the online wallet as that will actually give you keys generated in the online wallet. Furthermore, in order to have your offline wallet sign the transactions, you will need to provide additional information from the online wallet besides the transaction being signed. You will need to provide the scriptPubKey's of the outputs being spent, the amounts, and some other stuff I can't remember right now.


Note that the above HOWEVER only applies to versions prior to 0.17. The upcoming 0.17.0 release fixes these problems. You can create a wallet that has no private keys thus eliminating the need to be careful about getnewaddress as getnewaddress will not work when private keys are disabled for a wallet. Furthermore, 0.17 introduces BIP 174 Partially Signed Bitcoin Transactions which solves the issue of having to provide additional information as part of the command arguments. Instead that information will be packed into a PSBT which you can create and send to the offline wallet.