Restriction Possibilities?

[Atrax]

Hi all,

is there any possibility that one can use Electrum in a shared environment, but users are not able to see the Seed?

When we use Electrum in a corporate environment, I do not want that every person who potentially has access to the server also can see the seed... for reasons

[HCP]

Hold the seed offline and only have a "watching only" wallet on the server created using the xpub. They'll be able to see ALL addresses/transactions/balance etc... but won't be able to send/sign anything nor see the seed or private keys.

Or you can password protect the wallet but NOT fully encrypt it... so that anyone can open the wallet to view, but only someone with the password can view the seed/private keys and/or sign transactions/messages etc.

You might also want to consider using a MultiSig wallet arrangement, which may or may not be useful depending on your "reasons"

[Atrax]

Hold the seed offline and only have a "watching only" wallet on the server created using the xpub. They'll be able to see ALL addresses/transactions/balance etc... but won't be able to send/sign anything nor see the seed or private keys.

Or you can password protect the wallet but NOT fully encrypt it... so that anyone can open the wallet to view, but only someone with the password can view the seed/private keys and/or sign transactions/messages etc.

You might also want to consider using a MultiSig wallet arrangement, which may or may not be useful depending on your "reasons"

Thanks for the quick response. So the background is as follows:

We want to make a setup where transactions have to have four out of four sigs. So we set up multisig wallets. Now if someone would get, for example, the seed of one wallet at a time, he would be able - if he had all seeds - to copy the wallets at home, wait until there is a substantial amount on the wallets and then make a transaction.

I do not exclude that I totally misunderstand how multisig has to be organized, or maybe I am just overly paranoid? Or both?

[HCP]

That is correct... if you have created a 4-of-4 wallet and someone can get each of 4 seeds (or 4 xprvs) used to create this multisig, they'll be able to create a copy of the wallet that has all 4 private master keys and can effectively "self sign" a transaction to drain the wallet.

The 4 seeds should have been created independently on different machines, by different people... each seed should only be known to the person who created it. Each person should password protect and encrypt their wallet file using secret passwords known only to them. Then each person shares their XPUB with the other 3... and each user can  create their own local copy of the 4-of-4 MultiSig wallet using their seed + 3 xpubs.

If a transaction needs to happen, then one person needs to create the transaction (and partially sign it), then it should be passed to each of the other 3 to sign, and the last person can broadcast it.


With this setup someone would need to get the passwords to ALL of the 4 wallets to be able to extract all 4 seeds to be able to steal everything.

[Atrax]

The 4 seeds should have been created independently on different machines, by different people... each seed should only be known to the person who created it.

Thanks. This is basically the case. However, on Electrum, you always can show the seed. So if four people would collude - they would be able to drain the wallet. Seems there's no way to prevent this on a technical level then.

[HCP]

Thanks. This is basically the case. However, on Electrum, you always can show the seed.

Each user will ONLY see their seed (and the 3 other xpubs) in the multsig... they won't be able to see anyone elses seed (unless they get access to the other persons copy of the wallet file AND their wallet password).

So if four people would collude - they would be able to drain the wallet. Seems there's no way to prevent this on a technical level then.

Well of course... if you have 4 people colluding on a 4-of-4 wallet then it doesn't matter if they can see the seed or not... they could simply just create a transaction, everyone could sign it and then they can broadcast it!

Nothing will be able to prevent theft if the minimum number of co-signers in a multisig wallet are colluding... ie. if you have 6-of-10 and 6 people are willing to collude, then the funds can be stolen. So, either the 4 people who have been chosen to control this multisig are not the people who should be controlling this multisig, or you're just being overly paranoid.

[Atrax]

Each user will ONLY see their seed (and the 3 other xpubs) in the multsig... they won't be able to see anyone elses seed (unless they get access to the other persons copy of the wallet file AND their wallet password).

So as far as I see, there's no way to disable the possibility to see the seeds, right? Because this would basically solve all problems...

[Abdussamad]

He told you how to disable it - by creating a watch only wallet using just the 4 xpubs. You can get the xpub of a wallet via wallet menu > information.

[Atrax]

He told you how to disable it - by creating a watch only wallet using just the 4 xpubs. You can get the xpub of a wallet via wallet menu > information.

I'm afraid I'm too stupid for this world... I tried this, but with watch only wallets I'm not able to sign transactions, right?

[Rath_]

I tried this, but with watch only wallets I'm not able to sign transactions, right?

Yes, you are only able to prepare transactions with them which later need to be transfered to a PC with the private keys corresponding to the used addresses.

[igor72]

So as far as I see, there's no way to disable the possibility to see the seeds, right? Because this would basically solve all problems...

You can use the BIP39 seed generated by another BIP39-compatible software. BIP39 seed will not be shown.

[Abdussamad]

Another option is to simply set a password on the wallet via wallet menu > password. If you uncheck encrypt wallet file in that window they can view the transactions and get receive address but only people who know the password will be able to see the seed.

If non of these are good enough perhaps you can explain what your scenario is?

[HCP]

I'm still very confused as to why being able to see the seed is a problem?

To see the seed from each wallet, one needs the wallet password (assuming one is set... because it should be!!?!)... if one has the wallet password, they can also sign transactions. So, if you have enough people willing to collude to collect all the passwords/seeds, you also have enough people willing to collude to be able to simply create a transaction and take all the coins.

You can use the BIP39 seed generated by another BIP39-compatible software. BIP39 seed will not be shown.

And as above... if you have users who would be willing to share seeds, you have users who would be willing to share wallet files/passwords or simply sign transactions... in which case, the funds are as good as gone.


Like I said earlier, if you cannot trust at least one of the 4 people in control of this multisg to behave, then you have the wrong 4 people in control of this multisig.

[Atrax]

If non of these are good enough perhaps you can explain what your scenario is?

I try to figure out a scenario which leaves no security gap in a corporate environment (and keep in mind that I try to go to the max of paranoia level...)

So we have three offline computers and one computer to broadcast transactions.

For installing Electrum, you need one person per computer. Here we have the first security gap: If they would memorize the seeds AND collude, the total of the four would be able to steal all the coins.

Now you chose four other people who randomly have to perform a transaction. The scenario would be:

a) Transaction is made on the online computer
b) Transaction is signed by the three offline computers
c) Transaction is signed by the online computer and broadcasted

IF the guys at the computers can see the seed, they potentially could memorize it and steal the funds later.

They also could get the private key, memorize it and steal the funds later.

So the more transactions that are being made, the more the risk that seeds can be stolen.

Now one could say: Don't let people operate the computers who you don't trust. True. But over the course of years, things may change. And: Don't trust, verify.... Fact is: If one keeps the seeds in mind, he can access the funds years later, and nobody would find out it was him.

In an ideal world, the persons installing the seed would be able to verify them without ever seeing them. This is, currently, not possible.

Also: If the three offline wallets are set as watch only wallets, they can't be used to sign a transaction.

In a corporate environment, it would make sense to have several levels of segregation where the persons signing the transactions would have no possibility to get even close to the seed, the master private keys or the private keys.

Maybe this already is somehow implemented and I just don't see it. Or maybe my reasoning just has flaws?

[Abdussamad]

If all the cosigners collude then they can steal your money. Being able to see the seed or not see the seed doesn't change that. Like HCP said above they could just sign a transaction to move your coins. They can also use the debug console to get to your master private key.

If you're worried that employees who have left the firm will steal from you in the future what you could do is periodically move your coins to a fresh multisig wallet.

Another option is to be one of the cosigners yourself. Even if you don't trust the others you trust yourself right?

Ultimately this is a question about internal controls in a business. Maybe study how other businesses manage money.

[moejoejay]

@Atrax

Does the Cosigner have to be also made Transactions ? or do u need these just for signing.

If so create only one multisig wallet and 3 Standard  Legacy Wallet and set them with the private key as cosigners.

Then no one can see the seed from the multisig wallet , even the one which need access to.

But is if so much criminals energy in ur company than u have to think about ur hole security concept not even only for an Bitcoin Wallet.

What u can do:

1. Use only one Multisig Wallet for Signing Transactions and the other ones just legacy standard Wallets so the others are not able to see the amount in the Multisig Wallet.

2. Use BIP 39

3. Use Passwords.

4. Use an Hardware Device like Ledger Nano

May these Constellation does also fits for u: https://medium.com/@tiero/how-to-bitcoin-multi-signature-wallet-using-electrum-and-several-ledger-nano-s-225867e3b726



Or u looking for the Armory Wallet which u can use Watch only Wallet for signing with an Lockbox but with this im not really comfortable with.


And another hint  if u want to playing around with electrum or bitcoin use the possibility to use the testnet first.

best regards  

[AltcoinBuilder]

If non of these are good enough perhaps you can explain what your scenario is?

I try to figure out a scenario which leaves no security gap in a corporate environment (and keep in mind that I try to go to the max of paranoia level...)

So we have three offline computers and one computer to broadcast transactions.

For installing Electrum, you need one person per computer. Here we have the first security gap: If they would memorize the seeds AND collude, the total of the four would be able to steal all the coins.

Now you chose four other people who randomly have to perform a transaction. The scenario would be:

a) Transaction is made on the online computer
b) Transaction is signed by the three offline computers
c) Transaction is signed by the online computer and broadcasted

IF the guys at the computers can see the seed, they potentially could memorize it and steal the funds later.

They also could get the private key, memorize it and steal the funds later.

So the more transactions that are being made, the more the risk that seeds can be stolen.

Now one could say: Don't let people operate the computers who you don't trust. True. But over the course of years, things may change. And: Don't trust, verify.... Fact is: If one keeps the seeds in mind, he can access the funds years later, and nobody would find out it was him.

In an ideal world, the persons installing the seed would be able to verify them without ever seeing them. This is, currently, not possible.

Also: If the three offline wallets are set as watch only wallets, they can't be used to sign a transaction.

In a corporate environment, it would make sense to have several levels of segregation where the persons signing the transactions would have no possibility to get even close to the seed, the master private keys or the private keys.

Maybe this already is somehow implemented and I just don't see it. Or maybe my reasoning just has flaws?

if seeing seed is only problem, you can edit electrum and remove `show seed` option. but still possible to empty wallet with just one transaction or installing original electrum etc.

[nc50lc]

@Atrax

Does the Cosigner have to be also made Transactions ? or do u need these just for signing.
If so create only one multisig wallet and 3 Standard  Legacy Wallet and set them with the private key as cosigners.
Then no one can see the seed from the multisig wallet , even the one which need access to.

What is this? To "hide" the funded multisig address from them? If so, it won't work.
If they plan collude, they can still make a transaction by re-creating the multisig address & redeem script using their wallet's public keys.
It's possible online (coinb.in), through Bitcoin Core, etc.

This is the best solution to OP's "security issue":

Another option is to be one of the cosigners yourself. Even if you don't trust the others you trust yourself right?

[HCP]

I try to figure out a scenario which leaves no security gap in a corporate environment (and keep in mind that I try to go to the max of paranoia level...)
...
In a corporate environment, it would make sense to have several levels of segregation where the persons signing the transactions would have no possibility to get even close to the seed, the master private keys or the private keys.

The problem is that you need the private keys to be able to sign transactions... so you need a way to "hide" the seed/private keys... but still let people sign transactions!

Hmmm.... The only way I can think of that would allow you to do this, would be to use a hardware wallet like a Trezor or Ledger. Generally, after initial setup, these devices do not allow you to view or export the seed or private keys. You can also create a MultiSig in Electrum that uses hardware wallets.

You're still going to have issues with how to initialise the devices in the first place... at least one person will "see" the seeds used to initialise these devices... you also need someway to safely AND securely back those seeds up so that if one of the devices is lost/stolen/damaged (or the person holding the device leaves the company and refuses to return it etc), coins can still be recovered.

Also, when a transaction needs to occur, the signers would need to have physical access to the hardware wallets to be able to sign the transaction... so while any "random" employee could then create a transaction (using a watching-only wallet)... only the 4 people in possession of the hardware wallets could sign it.

There is still the (obvious) flaw that if the 4 hardware wallet holders collude, then the funds can be stolen... which is true of ANY multisig arrangement. You simply cannot prevent this unless you have at least one 100% trusted signer in your 4-of-4 setup (basically ((M-N)+1) 100% trusted people in an N-of-M setup) to be able to "veto" any attempts to create a transaction that steals the funds.