Paper wallet withdraw security question

[mrkfdr]

Hi all
Trying to figure out something,

Have a certain amount in a paper wallet and i want to withdraw half of it.

Using an HD wallet on my mobile and i scan the private code of the paper wallet.

at this stage the private code has been scanned and it's on my device so its not really private anymore. 

Am i missing something ?
Or the thumb rule is to withdraw all the amount from the paper wallet to avoid this situation ?

thanks
Mark

[1714899006]

1714899006

[1714899006]

1714899006

[mocacinno]

Hi all
Trying to figure out something,

Have a certain amount in a paper wallet and i want to withdraw half of it.

Using an HD wallet on my mobile and i scan the private code of the paper wallet.

at this stage the private code has been scanned and it's on my device so its not really private anymore.  

Am i missing something ?
Or the thumb rule is to withdraw all the amount from the paper wallet to avoid this situation ?

thanks
Mark

You are right, as soon as your private key touches a device that's been online, you should consider your paper wallet to be compromised.

If you have multiple unspent outputs funding the address on your paper wallet, you should use them all...

Make a new paper wallet, import the private key of your paper wallet into electrum (for example, do check electrum's signature before using it, download only from the official site), create a new transaction spending all unspent outputs, pay whoever you have to pay and send the change to the NEW paper wallet.

If you're really security-contious you can even use an airgapped setup: create a watch-only online wallet where you import the ADDRESS, create the transaction spending all unspent outputs funding this address (change going to a NEW paper wallet that was created in a SECURE fashion), then install electrum on an offline machine where you import your private key, transport the unsigned tx from the online machine to the offline machine for signing, and back to the online machine for broadcasting.

I'm having a meeting right now, i'll try to answer any extra questions in ~0.5-1 hr.

[mrkfdr]

Got it , Thnx !!

[odolvlobo]

Have a certain amount in a paper wallet and i want to withdraw half of it.

Using an HD wallet on my mobile and i scan the private code of the paper wallet.

at this stage the private code has been scanned and it's on my device so its not really private anymore.  

Am i missing something ?
Or the thumb rule is to withdraw all the amount from the paper wallet to avoid this situation ?

A paper wallet should not be reused. There are two issues.

1. The primary benefit of a paper wallet is physical security, and that benefit is gone once the private key has been scanned.

2. You cannot send an arbitrary amount from a paper wallet. The bitcoins stored at an address are stored in discrete amounts and you can only send those amounts. For example, an address may contain 10 BTC, but if the bitcoins were sent to the address in two transactions of 3 BTC and 7 BTC, you can only send 3 or 7 or 10 BTC. If you want to send 5 BTC, the wallet will send 7, but 5 will go to the receiver and 2 will go to a "change" address, and the paper wallet will now have only 3 BTC. See https://en.bitcoin.it/wiki/Change

[hosseinimr93]

2. You cannot send an arbitrary amount from a paper wallet. The bitcoins stored at an address are stored in discrete amounts and you can only send those amounts. For example, an address may contain 10 BTC, but if the bitcoins were sent to the address in two transactions of 3 BTC and 7 BTC, you can only send 3 or 7 or 10 BTC. If you want to send 5 BTC, the wallet will send 7, but 5 will go to the receiver and 2 will go to a "change" address, and the paper wallet will now have only 3 BTC. See https://en.bitcoin.it/wiki/Change

Generally you are right about not reusing a paper wallet since it has been used online. But there will be no problem with change address if you use an imported private key wallet in Electrum. The remaining fund will be sent to the paper wallet address. In other words, in an imported private key wallet in Electrum, the change address will be same as paper wallet address.

So, if you receive 3 BTC in one transaction and 7 BTC in another transaction into your paper wallet and use an imported private key wallet in Electrum (only Electrum, no other wallet) to send 5 BTC, after the transaction you will have 5 BTC in your wallet.

Despite of this, I agree that the paper wallet shouldn't be reused especially if the transaction is made through a tool other than Electrum.

[hatshepsut93]

at this stage the private code has been scanned and it's on my device so its not really private anymore. 

"Private key" comes from cryptography terminology and it means a key that is only known to the user and is not shared with anyone, because it's knowledge is all that is needed to do some operation, in our case spending coins. So, strictly speaking, when you move it to your smartphone, it's still a private key. You're right to be worried, because it's more dangerous to store private keys on an online device, but if you are worried about malware, then you might as well be worried that your device is already compromised and the keys will be snatched as soon as they touch the device.

If you have really high security requirements, you should research hardware wallets or cold storage setup.