Best methods for an offsite backup?

[DarkStar_]

I was wondering about the best methods for creating an offsite backup. Most of the suggestions online are to store the seed/private key in some other safe space (bank safe, parent's home, etc). Unfortunately none of these are viable options for me. I have various backups (USBs, seed written down) however if my home was completely destroyed I would most likely lose the majority of my coins. I don't expect it to happen, but I've been thinking of figuring out an offsite backup just in case.

My current thoughts are creating an encrypted version of my wallets locally with a very strong password, and then uploading it online to a storage provider with encryption. Probably ProtonMail as that's that I actively use at the moment. This should be fairly secure as the wallet would be under two layers of encryption if ProtonMail is to be trusted, and still under a single strong layer of encryption if ProtonMail is compromised.

I've also considered getting a CryptoSteel but it's fairly expensive and it still wouldn't be offsite.

Any thoughts on my plan and/or possible alternative options?

Self moderated so that I can delete brainless signature spam

[1714144352]

1714144352

[1714144352]

1714144352

[1714144352]

1714144352

[nc50lc]

You can also add an extension (like .jpg) and rename your encrypted wallets into tentacle_rape.jpg.
Put it in a folder, add a couple of real porn images with unsettling file names then compress it into an encrypted rar/7zip file with a much stronger passphrase.
When someone got his hands on the file and tried to view the contents, he will just see file names of "personal" images and might just leave it since it's encrypted.

That's one example, you can use a different set of "regular" file types of your choice like .mp3 (for 2-5mb wallet files) or .mp4 (for huge wallet files).
[Encrypted rar files can't be previewed, file names are just listed]
One alternative to CryptoSteel™ is to Tatoo your BIP38 Password-encrypted Private key to your Pelvic Area, safe from house fire or tear down.
That way, only your spouse (or a prostitute) can see your encrypted key

[Lakai01]

Uploading your strongly encrypted key/seed to ProtonMail will definitly work for you. As long as you use a safe and strong enryption method with a rather long key to decrypt it wont be broken even if someone finds the file and knows whats in it.

To add an extra layer you could upload a wrong seed, eg swap the 13th and 14th word. I did this with my seed which is stored in a bank safe. Even if someone breaks into the safe and gets my seed its useless as long as you dont know which words have to be swept.

[nakamura12]

I have an idea but i'm not sure how strong the security will be and I hope it's worth to mention. Since the idea I have think of is almost the same as nc50lc but the the difference is that only the file name will be change not the file extension. Anyway you can do what the post above stated, this will be in addition to the post above but make sure you have a back up of your strong password or phassprase for the rar/zip file, there you have a zip/rar file then you have to change the file extension from rar to .jpg, .gif, .mp3 or even .mp4 then add it to new zip/rar file then change the file extension and name then your file would look like a virus to others.

[pooya87]

i would advise against storing sensitive information such as private keys online (specially to any beginners that are reading this topic). but here is my suggestions:

1- use a custom made encryption method instead of the regular ones. by custom i don't mean invent the encryption technique but instead i mean modifying the existing ones (preferably something that was not created by NSA ).
for instance BIP38 is using scrypt to derive the key and uses a silly 4 byte from the "address" of the private key as its salt.
* use a different salt (preferably one that is at least 8 bytes), it can be first 8 bytes of Blake2b_160 hash of your address
* use 32,768 (2^15) as its costparam (must be of form 2^n)
* with parallelisation = 1 and
* blocksize factor as 10
now you have a unique encryption method which you just have to remember these variables. and keep them secret only in your head.

2. split the encryption into two parts!
this is for ultra paranoid but still you can decode the result into bytes if it already isn't bytes. split it into two (like 2x 16 bytes) encode the results with your favorite encoder (base-16, base-64, base-58, ...) and store them separately in two different accounts.

ps. you have to understand the risks of such actions and also know what the changes mean. for example costparam isn't chosen randomly its value is defining the security of your derived key and hardship of brute forcing it. https://tools.ietf.org/html/rfc7914#section-14

pps. changing file's extension is not doing anything for you. a hacker is not going to look at the extension, he will read the file's content.

I've also considered getting a CryptoSteel but it's fairly expensive and it still wouldn't be offsite.

an ugly version of CryptoSteel is if you buy a stainless steel plate, a hammer and one of those metal letter pack thingies (i don't know what they are called in English, it is a small metallic cylinder with a letter on its head. you put it on the plate and hit it with a hammer and it leaves the mark on the plate) and "write" your encrypted key on it.

[Awesomus Maximus]

I have to ask a question. You say one could BIP38 Password-encrypt one's Private key. How should one deal with the password itself? Sure, you may have no problems remembering the password, but what about in 10 or 20 years. Will you still remember it? You could write it down, but then is the problem really solved? Or am I missing something.

To add an extra layer you could upload a wrong seed, eg swap the 13th and 14th word.

I like this idea. You may also try to make a more elaborate, but pretty straight forward permutation that includes more of the seed words.

[Lakai01]

1- use a custom made encryption method instead of the regular ones. [...]
now you have a unique encryption method which you just have to remember these variables. and keep them secret only in your head.

Thats a pretty smart idea, but definitly nothing for the non-programmer type of person reading this :-D
Regarding your second advice ... wouldnt it be already safe enough if he splits his seed into 2 pieces, encrypts every piece by itself and stores it in two accounts, eg. dropbox and onedrive? Chances are next to impossible that someone cracks into two accounts, steals both of the encrypted files, gets both of the decryption keys and is able to merge the seeds, especially if he scrambles the seed, too (eg. swaps the first and the last word).

[pooya87]

1- use a custom made encryption method instead of the regular ones. [...]
now you have a unique encryption method which you just have to remember these variables. and keep them secret only in your head.

Thats a pretty smart idea, but definitly nothing for the non-programmer type of person reading this :-D

of course having some programming background helps in this a lot but it is not a requirement. all you need to understand is the variables of these algorithms for example the hashing function i changed from SHA256 to Blake! or the rounds of these KDF functions. then you can simply ask a programmer to modify one of the tools already available (like any BIP38 implementation) in a way that it takes more inputs that can cover things you changed.

Regarding your second advice ... wouldnt it be already safe enough if he splits his seed into 2 pieces, encrypts every piece by itself and stores it in two accounts, eg. dropbox and onedrive? Chances are next to impossible that someone cracks into two accounts, steals both of the encrypted files, gets both of the decryption keys and is able to merge the seeds, especially if he scrambles the seed, too (eg. swaps the first and the last word).

as long as those two accounts (dropbox, onedrive,...) are created under different accounts (like with different email address and completely different passwords) then it can be safe otherwise you should expect both to be hacked at the same time.

[PrimeNumber7]

The best method to store an offsite backup is a safety deposit box, or a second property you own that is separate from your house. Period. Anything else is going to be inferior to either of these options.

Using a cloud storage provider or email is complicated, and is much less ideal. I will examine them below.

I will assume you access your email from the same physical location you access your wallet, so if your on-side wallet backups are destroyed, chances are the computer you normally access your email account will also be destroyed. This means you will need to be in a position to memorize your email password, or memorize the password manager password that can be accessed from the cloud. If you cannot memorize your email password, then you will need to be in a position to reset your email password, and if your email provider allows this, anyone who knows the answers to your reset questions can potentially reset your password.

Similarly, if you use 2FA to secure your email account, chances are high whatever device you use to generate a 2FA code will also be destroyed if your on-side backups are destroyed. Although this may not be the case if you use your phone for 2FA, that you keep on your personal at all times. If you lose access to the device you use for 2FA, then you would need to use some kind of off-site backup of your 2FA codes, but this ultimately would need to be kept someplace separate, and not protected via 2FA. If your 2FA off-site backup is stored in the same place as your off-site backup for your bitcoin keys, you will not be able to access your 2FA keys or your bitcoin keys. If you use SMS as 2FA, you will be able to procure a new phone with your existing number, but your number may also be stolen via social engineering.

Using a cloud storage provider will be incrementally more secure, but not by very much. There are similar issues with accessing your cloud storage provider as an email account discussed above. If your on-site computer is destroyed, and cannot access your password, you could reset your email password, and use your email to access your cloud storage account password, both without using 2FA. This will mean you will be faced with challenges from two entities, and two entities will possibly be suspicious of attempts to reset passwords to your accounts.

You can hide your backup keys within another file, but if someone is hacking your email/cloud storage account, there is a good chance they are doing so because they think they have a good reason to believe there is valuable information stored in your account. In general, a hacker will not want to invest a lot of resources into hacking an account that they don't believe will reveal something valuable. This means, anyone with unauthorized access to your account will know to look in creative places.

You can use an encryption password to secure files stored in an email/cloud storage account, but this must to memorized because this password cannot be reset. As discussed above, if your password is too complex, you may forget it in a year when you have not used it for a long time.

In summary, you should keep off-site backups in a safe deposit box, or a property you own that is separate in location from where your on-side backups are located. If you are not in a position to use either of these, you should put yourself in a position to use one of these options.

[pooya87]

But IMO Asymmetric Encryption should be enough as long as the private key is always used on secure and offline device.

the usage of "asymmetric cryptography" (example elliptic curve cryptography) is for when you want to have a public key which you share with others publicly and give them the ability to verify your signatures. for "encryption" aka password protecting some secret you use "Symmetric cryptography" (example: AES, GOST,...).

[r1s2g3]

What do you think about creating a excel sheet in which you can take the specific word of your seed from a book. For example if my first word in seed in "submit"  then I know it is  100th word on page 4 of my specific book so I will make excel entry like.

100.4

In the end , I will sum it up, so it will look like genuine expense calculation.

Just make it sure that you have saved enough Pdf copies of that book.

[whotookmycrypto]

A few posters above mentioned seed splitting, cloud storage etc. Don't claim to be an expert but this isn't good advice.

To understand why do see this vid by Andreas: https://www.youtube.com/watch?v=jP7pEgBpaO0. To summarize, there are two reasons for this. Edited the transcribed text a little as without watching the entire vid, some context would be missing. Would encourage all to watch the vid in full.

1) You reduce the security of the seed

The most important rule in cryptography is "don't roll your own crypto". Don't try to do smart things because you will make mistakes because you will not understand the impact on the complexity of solving the problem. Let me give you another classic example. I've read this all the time where they say okay all you have to do is take your 24 words and cut it in half and store 12 words in one place in 12 words in another place.

That's not the standard and there's a reason why that's not the standard. It's not the standard because that is not secure. So next time you hear that, ask the simple question "how much less effort is it to find one half of a seed if you split it in two and I managed to compromise one of this twelve word packs? How hard is it for me to crack the other twelve words is it half as difficult as 24 words?"

No it's not it's 10^35 times less difficult. Why? Because what you cut in half is not the base it's the exponent of the complexity so you took something that had 256 bits of complexity and you converted it to a 128 bits of complexity and 128 bits of complexity isn't half of 256 bits it's 10 with 30 some zeros after it or 40 some zeroes after it less complex within 256 bits.

Pamela Morgan, who wrote the great book on Cryptoasset Inheritance Planning, also explains this in a different way.

(Source: https://twitter.com/BrianLockhart/status/1039871320496857088)

2) Complicates inheritance planning

You're far more likely to lose your money because you simply forgot the scheme because it wasn't standard (ie. in accordance to BIP 39). Something could happen to you and your heirs or your family can't get to it or simply because you forgot a password which we've seen again and again and again.

And when users try to do the following....

I cut it into 24 bits I mix them up I encrypted them I put them on Dropbox I took that Dropbox I then erased it from the web and I can only access it on the archive ... your money's gone you lost it because you made it too complex you buried your money in the desert without a map or you created the other way and then you end up with something that's too easy to break because you didn't realize that what you were changing in the complexity was a big change, not a small change. Don't roll your own crypto unless you are an experienced cryptographer.

What's the solution then? It seems to be Shamir's Secret Sharing.

(Source: https://twitter.com/aantonop/status/1039862926134439938)

[Artemis3]

I was wondering about the best methods for creating an offsite backup. Most of the suggestions online are to store the seed/private key in some other safe space (bank safe, parent's home, etc). Unfortunately none of these are viable options for me. I have various backups (USBs, seed written down) however if my home was completely destroyed I would most likely lose the majority of my coins. I don't expect it to happen, but I've been thinking of figuring out an offsite backup just in case.

My current thoughts are creating an encrypted version of my wallets locally with a very strong password, and then uploading it online to a storage provider with encryption. Probably ProtonMail as that's that I actively use at the moment. This should be fairly secure as the wallet would be under two layers of encryption if ProtonMail is to be trusted, and still under a single strong layer of encryption if ProtonMail is compromised.

I've also considered getting a CryptoSteel but it's fairly expensive and it still wouldn't be offsite.

Any thoughts on my plan and/or possible alternative options?

In my opinion, don't bother with the wallets, just backup the seed words (privkeys), you can put those in a file encrypted.

It happens that password managers encrypt their database file, so you could just use one to store your keys an upload that to google drive, an usb thumb or anywhere else you like. This way you only need 1 very good password instead of many.

You could just use KeepassX or similar. It uses a common (encrypted) file format that many password managers can handle in many platforms. Of course you should do the same with your passwords.

If you don't trust that, good ol' GnuPG works just fine to encrypt anything, including text files. Once encrypted it doesn't matter if you store it online, no one will be able to decipher it without your password. Assuming you use a secure OS when handling such files Ie. booting Tails from live iso in a thumb drive, same discipline as in handling cold wallets.

[efrenbilantok]

I have various backups (USBs, seed written down) however if my home was completely destroyed I would most likely lose the majority of my coins. I don't expect it to happen, but I've been thinking of figuring out an offsite backup just in case.

You probably did the best possible options already, but if you are thinking about scenarios like your home getting completely destroyed you can put all your backups in a waterproof bag to be safe and start to dig underground for your backups to be placed in, just like a real treasure. This way you will be worryless about your house getting rekt. Sounds stupid but you may become the very first to plant a crypto treasure in history.

[PrimeNumber7]

1) You reduce the security of the seed

The most important rule in cryptography is "don't roll your own crypto". Don't try to do smart things because you will make mistakes because you will not understand the impact on the complexity of solving the problem. Let me give you another classic example. I've read this all the time where they say okay all you have to do is take your 24 words and cut it in half and store 12 words in one place in 12 words in another place.

That's not the standard and there's a reason why that's not the standard. It's not the standard because that is not secure. So next time you hear that, ask the simple question "how much less effort is it to find one half of a seed if you split it in two and I managed to compromise one of this twelve word packs? How hard is it for me to crack the other twelve words is it half as difficult as 24 words?"

No it's not it's 10^35 times less difficult. Why? Because what you cut in half is not the base it's the exponent of the complexity so you took something that had 256 bits of complexity and you converted it to a 128 bits of complexity and 128 bits of complexity isn't half of 256 bits it's 10 with 30 some zeros after it or 40 some zeroes after it less complex within 256 bits.

Splitting keys up and storing them in two locations will increase security from that of the location with the lessor security that holds each of the 12 words. I will explain why:

If an attacker is able to obtain 12 of the 24 words of your BIP 39 seed, they will not immediately have knowledge of your seed. The attacker will need to do additional work to determine your seed, but as you note, the work is less than is required to determine a seed without knowledge of any of the words. This is opposed to storing the entire 24 word seed in the less secure location, and as soon as the attacker breaks into this location, they have knowledge of your entire seed.

Splitting up private keys, and word seeds is actually common for big businesses to employ. I cannot speak to their current setup, and should not speak to specifics, but Coinbase used to do something very similar to splitting up the private keys to their cold storage into multiple parts, except it was not stored online in any way, and it was split up into more than two parts.

If you have a robust way to detect unauthorized access into whatever medium of storage your backups are behing held in, you should have enough time to move your coins into an address controlled by private keys that are not compromised.

[whotookmycrypto]

Splitting keys up and storing them in two locations will increase security from that of the location with the lessor security that holds each of the 12 words. I will explain why:

If an attacker is able to obtain 12 of the 24 words of your BIP 39 seed, they will not immediately have knowledge of your seed. The attacker will need to do additional work to determine your seed, but as you note, the work is less than is required to determine a seed without knowledge of any of the words. This is opposed to storing the entire 24 word seed in the less secure location, and as soon as the attacker breaks into this location, they have knowledge of your entire seed.

Splitting up private keys, and word seeds is actually common for big businesses to employ. I cannot speak to their current setup, and should not speak to specifics, but Coinbase used to do something very similar to splitting up the private keys to their cold storage into multiple parts, except it was not stored online in any way, and it was split up into more than two parts.

If you have a robust way to detect unauthorized access into whatever medium of storage your backups are behing held in, you should have enough time to move your coins into an address controlled by private keys that are not compromised.

If your concern is that you don't want to lose all your coins because your entire seed was kept in one place, then why not implement a multi-sig solution instead? Much better than having to split keys and deal with weakened security?

[pooya87]

Splitting keys up and storing them in two locations will increase security from that of the location with the lessor security that holds each of the 12 words.

it will increase the security but also it will decrease it. the increase however is tiny while the decrease is gigantic so the total is not acceptable.
note that what i said above about splitting was about splitting the encrypted result not the seed itself. when you split the seed your choice is still from 2048 words but when you split the encrypted result your choice is the missing bytes. so for example if you split a 32 byte result into two 16 bytes and one part is compromised you still have 2^128 choices to then decrypt! and that is only for the paranoid.

Splitting up private keys, and word seeds is actually common for big businesses to employ.

then those businesses are doing a wrong thing. if they want to increase security they should use multi signatures not silly ways of splitting seeds.

If you have a robust way to detect unauthorized access into whatever medium of storage your backups are behing held in, you should have enough time to move your coins into an address controlled by private keys that are not compromised.

you can never rely on things like this. it is just an assumption that your setup will let you know of unauthorized access. what if it didn't? when speaking of security that should be your assumption not its correct behavior.

[Pmalek]

It is not offsite but you can still consider the following.

Get two different brands of USB sticks. Put your files on both. Encrypt the USBs and password protect them. Put both, in so called Portable Security Boxes or other metal boxes that you can lock. Hide one at your property where it can't easily be found.



For the other one you can do one of the following.
If you have a dog bury the box under his dog house.
If you have a garden with bushes, roses etc. bury it deep under your bushes.

[whotookmycrypto]

It is not offsite but you can still consider the following.

Get two different brands of USB sticks. Put your files on both. Encrypt the USBs and password protect them. Put both, in so called Portable Security Boxes or other metal boxes that you can lock. Hide one at your property where it can't easily be found.

For the other one you can do one of the following.
If you have a dog bury the box under his dog house.
If you have a garden with bushes, roses etc. bury it deep under your bushes.

This looks interesting. But would rather use this with a tool like crypto steel instead of USB. The issue with USB sticks is that they are susceptible to data rot so if you are planning for long term storage, don't think they would be a good solution. And since the OP is looking for a backup, believe he wants something that can last long.

Furthermore, by placing it outdoors, not sure how good the tool would be in protecting the USB from moisture and heat, both of which could damage the USB.

[Pmalek]

Furthermore, by placing it outdoors, not sure how good the tool would be in protecting the USB from moisture and heat, both of which could damage the USB.

For extra protection you can always wrap the box in aluminium foil or put it in an additional plastic container. Put rice all around the box to absorb moisture.
There should be many other ways to protect the content in the box.