Looking for a way to add extra security

[HCP]

Can't say I would recommend that method unless you have some way to guarantee that the PC you've used to create the encrypted file is (and always will be) kept 100% offline.

Otherwise, the "traditional" offline methods of securely and safely storing your seed backups on (waterproof) paper and/or steel plates, using a fireproof safe, multiple offsite backups etc are probably your best option.

Having said that, whatever you do end up doing, make sure you actually do make backups of your wallet phrase!

[1715406392]

1715406392

[1715406392]

1715406392

[ABCbits]

Store your seeds in .doc .zip or .rar file do look extra secure with strong password, but the truth isn't. Those software offer bad and low encryption, you don't even have any idea how those software compress your file isn't?

To be fair, most people doesn't know how encryption or compress actually works even if it's open source. But i agree those software usually have weak encryption.

If you want to encrypt your seeds to add extra security, better to learn and use BIP38 rather than "trusting" those closed source software.

BIP 38 is intended for private key. I doubt there are any user-friendly software which let you use seed/mnemonic phrase as input (rather than private key).

[gagux123]

It depends on what aspect of your set up you are looking to increase the security for. For a seed phrase, then generate it on a permanently airgapped computer which is running a fresh install of a reputable open source Linux distro, or a reputable open source hardware wallet. Do not back it up digitally, but write it down on paper only. You should have a minimum of two back ups in two different geographical locations. If you want to make it so that if your seed phrase is compromised your coins are not immediately stolen, then use a multi-sig set up (backing up each seed phrase and xpub multiple times separately), or create multiple additional hidden wallets by using passphrases (again backing up your passphrases on paper and separately). Alternatively, encrypt your seed phrase and also back up the decryption key on paper, but again separately to your seed phrase back up.

This is all great for increasing the security of generating and storing seed phrase, but that is only one piece of the puzzle, so to speak. If you then import that seed phrase in to a hot wallet, for example, then you have negated everything I have listed above.

Hmm, I confess... this is a very valuable information, thank you so much to share with us 
Some of these methods you mentioned I already knew about and others I didn't. But I think it's valid to use these tools that you said to increase the security.

[LoyceV]

BIP 38 is intended for private key. I doubt there are any user-friendly software which let you use seed/mnemonic phrase as input (rather than private key).

I haven't seen it, but someone should make it! How cool would it be to convert 12 or 24 words into maybe 15 or 30 words with very CPU-intensive encryption?
I'd love to see a new standard developed for this.

[larry_vw_1955]

Store your seeds in .doc .zip or .rar file do look extra secure with strong password, but the truth isn't. Those software offer bad and low encryption, you don't even have any idea how those software compress your file isn't?

To be fair, most people doesn't know how encryption or compress actually works even if it's open source. But i agree those software usually have weak encryption.

Another thing i dont know if anyone brought up but the doc format is kind of proprietary to microsoft and i wouldnt bet on that being readable by any software oneday...openoffice can't even read some doc files properly...

[ABCbits]

Another thing i dont know if anyone brought up but the doc format is kind of proprietary to microsoft and i wouldnt bet on that being readable by any software oneday...

Not completely proprietary though, microsoft partially open .doc specification under Microsoft Open Specification Promise. Although OpenDocument Format (such as .oodt) is better option if you want completely open format.

openoffice can't even read some doc files properly...

FYI, openoffice is very outdated. Check libreoffice instead.

[JohanM]

I see no problem in putting it in a file, but it needs to be done securely.
So do it on an airgapped pc, and install VeraCrypt on it.

Create an encrypted container with VeraCrypt (successor of TrueCrypt), ideally with 2 passwords: 1 standard that is a decoy, 1 that opens the hidden container.
There is no way to tell if this file is an encrypted container, but if forced you can always provide the standard password to give them the decoy files.

Put the file with the keys inside the container. Use a standard .txt file, no need for specials like .doc or .ods. You can also copy wallet.dat files, whatever ...
Dismount the container when done.

This file you can move anywhere even in unprotected places.
Encrypted containers in a dozen places online and offline on usb sticks/cd's offer a reliable backup. It's highly unlikely someone can find every single copy.

Remember: paper or metal backups can be found, stolen or confiscated easily.

[o_e_l_e_o]

I see no problem in putting it in a file, but it needs to be done securely.

"But it needs to be done securely". That's the problem right there. Most people cannot do it securely. The average person does not know what an airgapped device is, let alone how to open up a computer and physically remove all the necessary hardware. The average person does not know what Linux is, let alone how to format their new airgapped device and install a clean open source OS on it. The average person does not know what encryption is, let alone how to get Veracrypt downloaded, verified, safely transferred over to their airgapped device, installed, and used to create a hidden container. The average person does not know what open source is, let alone being able to review the code of Veracrypt and the encryption algorithm they choose to ensure their encrypted files are safe and secure. The number of steps which could go wrong is huge, and the average person will not be able to identify any steps which have gone wrong or any points in which they have compromised their security.

However, the average person is able to very securely write down 24 words on a piece of paper.

So yes, if you know what you are doing then go ahead and use encrypted airgapped wallets or back ups (I do), but you must realize there is a significant learning curve compared to paper back ups.

Remember: paper or metal backups can be found, stolen or confiscated easily.

If your paper back ups can be easily found and stolen, then you need to find a more secure storage location. I have far more trust in my physical storage locations than I would in, for example, a cloud storage provider not closing my account and losing my files.

[Asiska02]

Saving your recovery seed online can be prone to attack by other users, it can never be guaranteed 100% safe as long as it is online. It is prone to attackers, virus or even system damage and you’ll eventually lose everything. The best way to keep it safe is to get it written down in a safe place. You can write it down with a code only you understand in order to be able to access it by yourself even if someone sees where you kept it.

[larry_vw_1955]

Saving your recovery seed online can be prone to attack by other users, it can never be guaranteed 100% safe as long as it is online. It is prone to attackers, virus or even system damage and you’ll eventually lose everything. The best way to keep it safe is to get it written down in a safe place. You can write it down with a code only you understand in order to be able to access it by yourself even if someone sees where you kept it.

and yet people occasionally come to the forum with a "a rat ate part of the paper my seed phrase was stored on" or some other story about how part of the paper got destroyed or is unreadable...i bet those people wish they would have saved a backup online somewhere.

[pooya87]

and yet people occasionally come to the forum with a "a rat ate part of the paper my seed phrase was stored on" or some other story about how part of the paper got destroyed or is unreadable...i bet those people wish they would have saved a backup online somewhere.

Just because some people used a bad medium (paper instead of laminated paper or metal sheet, etc.) to store their key on and they weren't careful when storing it, that doesn't mean a very terrible method of storing backups such as online storage is suddenly a good idea.

[larry_vw_1955]

Just because some people used a bad medium (paper instead of laminated paper or metal sheet, etc.) to store their key on and they weren't careful when storing it, that doesn't mean a very terrible method of storing backups such as online storage is suddenly a good idea.

i'm not sure where i read this but just because you store something on fire resistant metal or something doesn't mean it can't become inaccessible to you. online storage has the benefit of being accessible from almost anywhere...so it's not like it doesnt have its advantages. if i encrypt my seed phrase and store it in my gmail, to me, that's pretty solid. otoh, if i store it unencrypted in my gmail, that's not very solid. assuming gmail doesn't go out of business, i should be good right?

[pooya87]

i'm not sure where i read this but just because you store something on fire resistant metal or something doesn't mean it can't become inaccessible to you. online storage has the benefit of being accessible from almost anywhere...so it's not like it doesnt have its advantages. if i encrypt my seed phrase and store it in my gmail, to me, that's pretty solid. otoh, if i store it unencrypted in my gmail, that's not very solid. assuming gmail doesn't go out of business, i should be good right?

There is a higher chance of you not being able to access your Gmail account for different reasons than you losing your paper wallet.
And when it comes to encryption, it all comes down to what kind of password and what algorithm you used to encrypt it. There is no BIP for encryption mnemonics so you'll have to come up with your own and security of that method may not be enough. Not to mention that now you would have to write down the password on a piece of paper so that you don't forget it! In other words we are back where we started.

[larry_vw_1955]

There is a higher chance of you not being able to access your Gmail account for different reasons than you losing your paper wallet.

That's why I would use redundancy. Storing the encrypted seed in at least 2 different email accounts.

And when it comes to encryption, it all comes down to what kind of password and what algorithm you used to encrypt it. There is no BIP for encryption mnemonics so you'll have to come up with your own and security of that method may not be enough.

You can use whatever password you want to when using AES-256. Nothing to invent there.

 Not to mention that now you would have to write down the password on a piece of paper so that you don't forget it! In other words we are back where we started.

Well I don't write down passwords on paper. not my thing. I would store the pw online too but not in the same place the encrypted seed is stored. problem solved.

[o_e_l_e_o]

online storage has the benefit of being accessible from almost anywhere...so it's not like it doesnt have its advantages.

I don't see that as an advantage at all, but rather a significant disadvantage. I don't want my seed phrase to be able to be accessed from anywhere. I want it securely locked down in one or two specific and secure locations, and not attackable by anyone in the world with a computer.

That's why I would use redundancy. Storing the encrypted seed in at least 2 different email accounts.

Then just use redundancy with your paper back ups for the same but more secure outcome.

You can use whatever password you want to when using AES-256. Nothing to invent there.

Use a weak one and it will be brute forced.

Well I don't write down passwords on paper. not my thing. I would store the pw online too but not in the same place the encrypted seed is stored. problem solved.

Problem not solved at all. If anything, you've just made it significantly more likely your coins are stolen.

[larry_vw_1955]

online storage has the benefit of being accessible from almost anywhere...so it's not like it doesnt have its advantages.

I don't see that as an advantage at all, but rather a significant disadvantage. I don't want my seed phrase to be able to be accessed from anywhere. I want it securely locked down in one or two specific and secure locations, and not attackable by anyone in the world with a computer.

Something that is properly encrypted is not attackable by anyone in the world with a computer is how i see it. So i'm not worried.

That's why I would use redundancy. Storing the encrypted seed in at least 2 different email accounts.

Then just use redundancy with your paper back ups for the same but more secure outcome.

Backing things up in physical form is a hassle. And then you have to keep track of where you hid them. What happens if you forgot about some of the "secure locations" ?

You can use whatever password you want to when using AES-256. Nothing to invent there.

Use a weak one and it will be brute forced.

who uses weak passwords? not me.

Problem not solved at all. If anything, you've just made it significantly more likely your coins are stolen.

they never have been and so there you go.

[pooya87]

Backing things up in physical form is a hassle. And then you have to keep track of where you hid them. What happens if you forgot about some of the "secure locations" ?

Same thing could be said about any other storage method for example what happens when you forget your login password to your gmail account or wherever else you stored it online!

they never have been and so there you go.

Said every single person who has ever lost their coins.

[o_e_l_e_o]

Something that is properly encrypted is not attackable by anyone in the world with a computer is how i see it. So i'm not worried.

Did you encrypt it on an airgapped live OS to ensure you left no traces? Did you use an open source piece of software which you have personally examined the code to ensure it is secure and bug free? Did you use a long and completely random encrypted key generated by a true source of entropy? Did you ensure the connection between your computer and the server you are uploading it was completely secure? Did you physically visit and examine the server to ensure it is physically secure? Have you examined all the software it is running and its electronic security? Do you know all the people who have physical or electronic access to it?

There is literally no system in the word which is invulnerable to being attacked. Pretty much every email provider in existence has been hacked at some point. Google were caught storing passwords in plain text for 14 years without any of their security team noticing. Plenty of encryption software have had flawed implementations or critical bugs, including very popular ones like TrueCrypt.If you upload something to the internet, then it is at risk.

Backing things up in physical form is a hassle. And then you have to keep track of where you hid them. What happens if you forgot about some of the "secure locations" ?

Far less of a hassle than securely storing something online. And what happens if you forget your email password? Or your decryption key? Or your email provider shuts down your account? Or wipes their servers?

who uses weak passwords? not me.

Most people.

they never have been and so there you go.

And I could drive with no seat belt or airbags for 10 years and suffer no harm from it. Doesn't mean it's a smart idea.

[kalihunter]

I suggest using Veracrypt , it encrypts and u also can put 21 longs password too. encrypted files is non readable. second way is to write seeds on papers and save it.

[larry_vw_1955]

Backing things up in physical form is a hassle. And then you have to keep track of where you hid them. What happens if you forgot about some of the "secure locations" ?

Same thing could be said about any other storage method for example what happens when you forget your login password to your gmail account or wherever else you stored it online!

gmail has ways to recover an account if you forgot your pw. they are called backup recovery methods. you should check it out.

Said every single person who has ever lost their coins.

that guy that has his bitcoins stored on a hard drive. the whole world knows where the hard drive is located. he does too. problem is, he can't get access to the hard drive because they won't let him go near the garbage dump and he probably has anxiety knowing that maybe someone else has a plan to try and dig up his hdd out of that trash dump. seems to me, if he would have just used gmail to store his btc private keys, he would be good to go. but he wanted to store them offline to keep them safe. they're safe alright. safe from his reach.

Did you encrypt it on an airgapped live OS to ensure you left no traces? Did you use an open source piece of software which you have personally examined the code to ensure it is secure and bug free? Did you use a long and completely random encrypted key generated by a true source of entropy? Did you ensure the connection between your computer and the server you are uploading it was completely secure? Did you physically visit and examine the server to ensure it is physically secure? Have you examined all the software it is running and its electronic security? Do you know all the people who have physical or electronic access to it?

I don't waste time with live OS's. But I do use open source for encryption and no I didn't examine the code but I'm reasonably certain it is not phoning home because other people have no doubt audited it. And I could if I wanted to, although I may not have the expertise to really understand if there are less obvious bugs. But that's why I test the software. make sure it works before I start using it in a "production environment". I use long passwords so no one is going to guess them. They are generated by software in many cases. But I don't have a radioactive decay detector hooked up to my windows machine if that's what you're asking. I do assume though that things I upload to the cloud are inspected and people are actively trying to take a look at it and decrypt it to find out what is inside the container. thanks for the comment!