Hardware wallets vs paper wallets

[hZti]

I know what airgaped means, but I thought my coldcard already meets these criteria

Yes, a ColdCard is an airgapped hardware wallet.

The issue with the coldcard and paper wallets is, that you need to save them on a Micro SD card and open them on a Computer to be able to view them. This will always compromise the wallets if you dont use a special computer for it. Almost seems like they dont want you to use that feature.

[1715363646]

1715363646

[Vampobit]

I know what airgaped means, but I thought my coldcard already meets these criteria

Yes, a ColdCard is an airgapped hardware wallet.

The issue with the coldcard and paper wallets is, that you need to save them on a Micro SD card and open them on a Computer to be able to view them. This will always compromise the wallets if you dont use a special computer for it. Almost seems like they dont want you to use that feature.

I haven't really thought about it. I mean if the computer is connected to the internet, or it uses a problematic OS, then there will be a problem no matter what type of wallet you choose to use.

[Ryker1]

I know what airgaped means, but I thought my coldcard already meets these criteria

Yes, a ColdCard is an airgapped hardware wallet.

The issue with the coldcard and paper wallets is, that you need to save them on a Micro SD card and open them on a Computer to be able to view them. This will always compromise the wallets if you dont use a special computer for it. Almost seems like they dont want you to use that feature.

I haven't really thought about it. I mean if the computer is connected to the internet, or it uses a problematic OS, then there will be a problem no matter what type of wallet you choose to use.

Well exactly --but I think it is far different from the hardware wallets, correct me if I am wrong but hardware wallets have a security feature that can protect themselves against malware infection or an OS that is already infected with malware.
I will hardware wallet over a paper wallet, but of course --it will vary always be in your hand how to protect it in a safe place.

[witcher_sense]

I haven't really thought about it. I mean if the computer is connected to the internet, or it uses a problematic OS, then there will be a problem no matter what type of wallet you choose to use.

Air-gapped hardware wallets that employ QR codes and cameras as a means to transfer data between devices are considered one of the most secure options of interacting with potentially malicious software. Naturally, this communication channel has its own drawbacks and attack vectors, one of which being a maliciously altered communication channel (hackers trying to exploit vulnerabilities in a hardware wallet by sending specific tampered data via QR-code-encoded messages). You can't keep hardware wallets fully isolated from the outside world (even the most secure and sophisticated ones) unless you never make transactions using them, which is ridiculous.

[Pmalek]

Just a few things that spring to mind. There are other similarities and differences of course.

Hardware wallets:

- If you ship the device to your home, they know and store your address. If the data leaks, many more people will know who and where you are.
- You have to trust the developers and manufacturers that they won't mess up and intentionally/unintentionally introduce bugs and vulnerabilities in their native software and hardware. Unless you can go though each line of code yourself (99% of people can't/won't), you will have to trust that the community and security experts have done a good job with it.
- The device (unless airgapped properly) needs to be connected to a computer or phone through a USB cable/Bluetooth to be used. 
- Seeds, private keys, and PIN codes are stored on the device and protected by secure element chips (if available).
- Requires backups of seeds in physical form (highly recommended).
- Change goes to change addresses.
- The coins are spent from the same secure device.

Paper wallets:

- Use TOR or VPN to download the wallet generator to your local machine and no purchase data is stored anywhere.
- You are responsible for your own backups and there are no software or firmware upgrades that can affect you in any way. You are also not affected by NDA agreements or unfixable hardware vulnerabilities.
- No cables, no USBs, or Bluetooth connectivity ever.   
- No digital copies of seeds or private keys. But the same data is imprinted on the paper, making it easier for someone to take note of it.
- Is obviously a backup in physical form.   
- The change could end up in an address you don't have the private key for if you are using such a bad setup.
- The seed/private key has to be imported elsewhere before spending. You could put your coins at risk using a hot wallet for such purposes. Transactions could, however, be created and signed on airgapped systems.

[Vampobit]

Just a few things that spring to mind. There are other similarities and differences of course.

Hardware wallets:

- If you ship the device to your home, they know and store your address. If the data leaks, many more people will know who and where you are.
- You have to trust the developers and manufacturers that they won't mess up and intentionally/unintentionally introduce bugs and vulnerabilities in their native software and hardware. Unless you can go though each line of code yourself (99% of people can't/won't), you will have to trust that the community and security experts have done a good job with it.
- The device (unless airgapped properly) needs to be connected to a computer or phone through a USB cable/Bluetooth to be used. 
- Seeds, private keys, and PIN codes are stored on the device and protected by secure element chips (if available).
- Requires backups of seeds in physical form (highly recommended).
- Change goes to change addresses.
- The coins are spent from the same secure device.

Paper wallets:

- Use TOR or VPN to download the wallet generator to your local machine and no purchase data is stored anywhere.
- You are responsible for your own backups and there are no software or firmware upgrades that can affect you in any way. You are also not affected by NDA agreements or unfixable hardware vulnerabilities.
- No cables, no USBs, or Bluetooth connectivity ever.   
- No digital copies of seeds or private keys. But the same data is imprinted on the paper, making it easier for someone to take note of it.
- Is obviously a backup in physical form.   
- The change could end up in an address you don't have the private key for if you are using such a bad setup.
- The seed/private key has to be imported elsewhere before spending. You could put your coins at risk using a hot wallet for such purposes. Transactions could, however, be created and signed on airgapped systems.

Hello, thanks for answering. How about this "app" that I have implemented: https://bitcointalk.org/index.php?topic=5432897.msg61539325#msg61539325

What I want to achieve is:
1. run a custom-made program
2. run it on totally offline computer
3. take a note of the private key and write it down as a backup on a piece of paper (2-3 times)

this process allows me to avoid many of the cons you mentioned above.

Essentially, what I wanna say is that I believe that running your own paper-wallet generator offline is the best method in terms of privacy and security.

What do you think ?

[Pmalek]

Hello, thanks for answering. How about this "app" that I have implemented: https://bitcointalk.org/index.php?topic=5432897.msg61539325#msg61539325
...
What do you think ?

Sorry, but I don't have the programming skills to comment on your project. I will check the responses of other members to see what they say. There are those who know these things. Maybe you talked about it in your thread, but I have to ask, why generate private keys if you can generate 12/24-word seeds? They are longer strings and difficult to write down. Therefore, the possibility to make a mistake is greater compared to a sequence of English words, for example.

[Vampobit]

Hello, thanks for answering. How about this "app" that I have implemented: https://bitcointalk.org/index.php?topic=5432897.msg61539325#msg61539325
...
What do you think ?

Sorry, but I don't have the programming skills to comment on your project. I will check the responses of other members to see what they say. There are those who know these things. Maybe you talked about it in your thread, but I have to ask, why generate private keys if you can generate 12/24-word seeds? They are longer strings and difficult to write down. Therefore, the possibility to make a mistake is greater compared to a sequence of English words, for example.

Actually a private key is nothing more than a 256bit random sequence (e.g. 010110...1001)

The words that you refer to, derive from this 256bit number, if you add 8 bits more (checksum).

Therefore, it is quite simple to get the words, like you mention above.

However, I also generate a QR code, which is what I keep track of in a custom QR template. I took this idea from SeedSigner's QR template. It is basically empty and you fill it up with the information you see on the computer.

[hZti]

I haven't really thought about it. I mean if the computer is connected to the internet, or it uses a problematic OS, then there will be a problem no matter what type of wallet you choose to use.

Well exactly --but I think it is far different from the hardware wallets, correct me if I am wrong but hardware wallets have a security feature that can protect themselves against malware infection or an OS that is already infected with malware.
I will hardware wallet over a paper wallet, but of course --it will vary always be in your hand how to protect it in a safe place.

[/quote]

Yes this is the whole point of the hardware wallet! They will not be infected, especially if they are used with only an MicroSD Card. Still the paper wallet will get exposed, since it shows the private key in the PDF file it creates.

[Pmalek]

Actually a private key is nothing more than a 256bit random sequence (e.g. 010110...1001)

The words that you refer to, derive from this 256bit number, if you add 8 bits more (checksum).

The seed is a representation of that number sequence in human readable and understandable form. It's much easier for us to look at and understand individual words and their meanings compared to a long sequence of (to us) illogical characters. That's why it's recommended to make physical backups of those seed words instead of the long number sequences where a mistake can happen.

[o_e_l_e_o]

Well exactly --but I think it is far different from the hardware wallets, correct me if I am wrong but hardware wallets have a security feature that can protect themselves against malware infection or an OS that is already infected with malware.

You certainly want that to be the case, but the reality is that almost no one can independently verify that is the case, and there could well be other attacks we simply don't know about yet which are still able to bypass any protections in place.

Essentially, what I wanna say is that I believe that running your own paper-wallet generator offline is the best method in terms of privacy and security.

What do you think ?

I think that 99.99% of people who try to design their own paper wallet generator will end up with something insecure. Your method combines a brain wallet, which are very insecure, with SecureRandom, which has also suffered from critical vulnerabilities resulting in people having their coins stolen - https://www.theregister.com/2013/08/12/android_bug_batters_bitcoin_wallets/.

A far safer option to generate raw private keys would be to use Bitcoin Core. If you don't want to use a piece of software, then flip a coin 256 times.

Actually a private key is nothing more than a 256bit random sequence (e.g. 010110...1001)

The words that you refer to, derive from this 256bit number, if you add 8 bits more (checksum).

Therefore, it is quite simple to get the words, like you mention above.

You are confusing separate concepts here. A seed phrase does not encode an individual private key. A seed phrase is used to generate a near unlimited number of private keys in a deterministic manner, meaning backing up the seed phrase backs up all the private keys that it generates.

[Vampobit]

Essentially, what I wanna say is that I believe that running your own paper-wallet generator offline is the best method in terms of privacy and security.

What do you think ?

I think that 99.99% of people who try to design their own paper wallet generator will end up with something insecure. Your method combines a brain wallet, which are very insecure, with SecureRandom, which has also suffered from critical vulnerabilities resulting in people having their coins stolen - https://www.theregister.com/2013/08/12/android_bug_batters_bitcoin_wallets/.

A far safer option to generate raw private keys would be to use Bitcoin Core. If you don't want to use a piece of software, then flip a coin 256 times.

I thought that in a brainwallet you need to remember a phrase. The reason why I get the user to input a random sequence of characters is to simply immitate the mouse-movement entropy. I just tell the user to randomly press anything they want in the keyboard and of course, not to remember it.

Actually a private key is nothing more than a 256bit random sequence (e.g. 010110...1001)

The words that you refer to, derive from this 256bit number, if you add 8 bits more (checksum).

Therefore, it is quite simple to get the words, like you mention above.

You are confusing separate concepts here. A seed phrase does not encode an individual private key. A seed phrase is used to generate a near unlimited number of private keys in a deterministic manner, meaning backing up the seed phrase backs up all the private keys that it generates.

Yes, my english may not be very good, but I understand what you say and that's what I wanted to say actually.

[o_e_l_e_o]

I thought that in a brainwallet you need to remember a phrase. The reason why I get the user to input a random sequence of characters is to simply immitate the mouse-movement entropy. I just tell the user to randomly press anything they want in the keyboard and of course, not to remember it.

You are asking a human to enter a sequence of characters on the keyboard. Even although you are asking them to enter something random, many won't. They'll use a name, a date, a reused password, a song lyric, something like that. Your own example even uses your username. Further, humans are not capable of being truly random. Even when you think you are being random, you aren't. Human chosen "entropy" is never random, and as such, is weak. There is a reason that no good piece of software uses human chosen strings to seed a wallet.

[Vampobit]

I thought that in a brainwallet you need to remember a phrase. The reason why I get the user to input a random sequence of characters is to simply immitate the mouse-movement entropy. I just tell the user to randomly press anything they want in the keyboard and of course, not to remember it.

You are asking a human to enter a sequence of characters on the keyboard. Even although you are asking them to enter something random, many won't. They'll use a name, a date, a reused password, a song lyric, something like that. Your own example even uses your username. Further, humans are not capable of being truly random. Even when you think you are being random, you aren't. Human chosen "entropy" is never random, and as such, is weak. There is a reason that no good piece of software uses human chosen strings to seed a wallet.

Alright, that's obviously wrong by my side. I could ask them to flip a coin and enter the result. However, what do professional wallets do to create entropy ? If they don't use SecureRandom, what do they do ?

[Pmalek]

There is a great thread created about two years ago by webtricks that you might find interesting > [Full Guide+Code]Seed Phrase & The Process of Deriving Bitcoin Addresses from It.
It tells you about generating entropy with coin flips, how to create the checksum, how to derive the recovery phrase from the number sequences, etc. I am sure you will find it interesting.

[Vampobit]

There is a great thread created about two years ago by webtricks that you might find interesting > [Full Guide+Code]Seed Phrase & The Process of Deriving Bitcoin Addresses from It.
It tells you about generating entropy with coin flips, how to create the checksum, how to derive the recovery phrase from the number sequences, etc. I am sure you will find it interesting.

Thanks! Of course it is interesting. In fact, the whole entropy generation idea is fascinating. I keep realising that nothing is truly random

[o_e_l_e_o]

However, what do professional wallets do to create entropy ? If they don't use SecureRandom, what do they do ?

Depends on the wallet. But there are plenty of wallets in the past which have generated insecure entropy and users have ended up losing coins, and plenty of people who have tried to come up with their own solutions and ended up losing coins. By far the safest thing to do is to stick to some tried and tested, open source, and verified software, such as Bitcoin Core or Electrum.

Most good wallets will be based on entropy directly from the OS and the computer's hardware. Bitcoin Core, as an example, draws entropy from /dev/urandom (which is from the OS, or the equivalent on non-Linux systems), RDSEED/RDRAND (which is from the processor), and a whole host of data from the computer itself, such as current resource usage, timestamps, kernel parameters, network data, version data, etc. All of this is then combined through a variety of techniques such as XORs and hashes, so if one source of entropy is weak or compromised then your final result should still be secure.

You can read more in the code here:
https://github.com/bitcoin/bitcoin/blob/master/src/random.h
https://github.com/bitcoin/bitcoin/blob/master/src/random.cpp

[Vampobit]

However, what do professional wallets do to create entropy ? If they don't use SecureRandom, what do they do ?

Depends on the wallet. But there are plenty of wallets in the past which have generated insecure entropy and users have ended up losing coins, and plenty of people who have tried to come up with their own solutions and ended up losing coins. By far the safest thing to do is to stick to some tried and tested, open source, and verified software, such as Bitcoin Core or Electrum.

Most good wallets will be based on entropy directly from the OS and the computer's hardware. Bitcoin Core, as an example, draws entropy from /dev/urandom (which is from the OS, or the equivalent on non-Linux systems), RDSEED/RDRAND (which is from the processor), and a whole host of data from the computer itself, such as current resource usage, timestamps, kernel parameters, network data, version data, etc. All of this is then combined through a variety of techniques such as XORs and hashes, so if one source of entropy is weak or compromised then your final result should still be secure.

You can read more in the code here:
https://github.com/bitcoin/bitcoin/blob/master/src/random.h
https://github.com/bitcoin/bitcoin/blob/master/src/random.cpp

That's great. Two questions though:

1. Bitcoin core and electrum are in fact host storage wallets, so it is kind of strange that people refer to them as the best wallets.

2. I know that this is private, so feel free not to answer it, but when it comes to you, where do you store the keys to your coins? Do you have a combination of hot storage and cold storage? Personally I use blue wallet, cold card and I am trying to create one on my own but as you said the majority of people who have tried in the past have lost money this way

[o_e_l_e_o]

1. Bitcoin core and electrum are in fact host storage wallets, so it is kind of strange that people refer to them as the best wallets.

What do you mean by "host storage" wallets? With both Core and Electrum, you generate your own private keys and you are the only one who can access them. This is generally referred to as "self custody" or "non-custodial", to differentiate from web wallets or exchanges where a third party holds your private keys for you.

Both Core and Electrum can be used as a simple hot wallet on an online device, which is the least secure way to use them. Similarly, both can also be used as a cold wallet on a permanently airgapped device, which is a much more secure way to use them. And if you are using them on an airgapped machine, you can also use them to generate key pairs or seed phrases that you then print out or write down to create paper wallets.

2. I know that this is private, so feel free not to answer it, but when it comes to you, where do you store the keys to your coins? Do you have a combination of hot storage and cold storage?

Yes, exactly that. I have a small amount of "daily spending" bitcoin which I carry on a mobile wallet. Insecure, but very convenient, and only ever an amount I can easily afford to lose. The vast majority of my coins are in a variety of more secure wallets, including hardware wallets, airgapped cold storage, paper wallets, and some multi-sig wallets involving a combination of these things. All my wallets are synced from my own node to minimize any privacy leaks.

[Pmalek]

1. Bitcoin core and electrum are in fact host storage wallets, so it is kind of strange that people refer to them as the best wallets.

Are you trying to say hot wallets or maybe software wallets? They are, yes. However, Electrum can be both a hot and cold wallet, meaning you can use it on an internet-connected computer or a permanently airgapped device. Bitcoin Core is a full-node client, which needs internet connection to update and sync the newest blocks. Electrum being a light client that doesn't require downloading the whole blockchain to work is easy to take offline. I think it's still doable with Bitcoin Core, and I could swear I saw an old guide for it in the past. But it's not user-friendly having a full client that is offline.