Bitcoin Forum
Author Topic: An unexpected backup system suggestion  (Read 354 times)
apogio (OP), Sr. Member
April 06, 2024, 10:04:16 AM
#1

Yesterday, I had a conversation (in real life) with a person who I really think is very knowledgeable in Bitcoin.

I will not provide more details about his setup, because I value his privacy. I asked him to join the forum and open a thread to discuss it. The forum would have a lot to learn from him. He will not...

He provided me with some important arguments against BIP39, but most importantly, he described a backup system that he finds superior.

But this system was (and still is) a red flag for me.

He said that he prefers to GPG encrypt private keys in WIF format and store them digitally.

So... What are your thoughts? I am aware that this system caused Luke Dashjr to lose a lot of funds, so I can't believe he literally suggested it.

I won't be very active this weekend, but I will be back to read and discuss with you next week.

BlackHatCoiner, Legendary
April 06, 2024, 10:20:48 AM
Merited by DaveF (2), pooya87 (2), vapourminer (1)
#2

I believe it is a lack of creativity on their part. You can do a whole host of things to secure your bitcoin. Write the seed phrase down on paper, hide it in multiple places, use washers for long-term storage etc.

If he doesn't like BIP39, then maybe he should look for Electrum's seed standard? In any case, keeping your private keys encrypted is a bad idea. SD cards, disk drives, DVDs etc., are all prone to corruption. And you need to store both the GPG private key and the encrypted data somewhere. Losing access to one of them means loss of funds.

apogio (OP), Sr. Member
April 06, 2024, 10:37:48 AM
Merited by vapourminer (1)
#3

Quote from: BlackHatCoiner
I believe it is a lack of creativity on their part. You can do a whole host of things to secure your bitcoin. Write the seed phrase down on paper, hide it in multiple places, use washers for long-term storage etc.

If he doesn't like BIP39, then maybe he should look for Electrum's seed standard? In any case, keeping your private keys encrypted is a bad idea. SD cards, disk drives, DVDs etc., are all prone to corruption. And you need to store both the GPG private key and the encrypted data somewhere. Losing access to one of them means loss of funds.

He is symmetrically encrypting the keys. So he must have a strong password to decrypt them. I don't know how he stores the password though. I didn't ask for obvious reasons.

I am not in favour of digital storage either. I am afraid of disk failures.

As far as BIP39 is concerned, he actually said "I don't use seed phrases, especially BIP39". So I am assuming he must dislike Electrum as well.
Personally I mostly use Electrum instead of BIP39, but I understand that BIP39 is the most widespread, software-agnostic backup protocol.

BlackHatCoiner, Legendary
April 06, 2024, 10:43:01 AM
#4

Has he told you why he doesn't use seed phrases? Sounds absurd.

cryptosize, Sr. Member
April 06, 2024, 11:54:20 AM
Merited by vapourminer (1)
#5

Optical discs can be quite reliable if we're talking about a good brand (like Mitsui Gold CD-R or Taiyo Yuden Ceramic DVD-R). They can last up to 100-200 years.

I have optical discs from the 90s/2000s and they're still fine...

But yeah, these days nobody uses optical discs anymore, most PCs don't even have an optical drive. It's also very hard to find reputable brands these days.

If someone knows what they're doing, they're fine.

NAND/flash memory (USB sticks, microSD) has a data retention period of 10 years. It used to be more reliable 15-20 years ago, not so much anymore (lower nanometers increase capacity, but reduce reliability).
Cricktor, Hero Member
April 06, 2024, 01:01:59 PM
Last edit: April 06, 2024, 01:19:09 PM by Cricktor
Merited by vapourminer (1)
#6

Quote from: apogio
I am not in favour of digital storage either. I am afraid of disk failures.

Redundant multiple copies prevent a loss due to a device failure. My issue with digital storage is its susceptibility to ransom attacks when the digital storage is connected to online systems.

Quote from: apogio
As far as BIP39 is concerned, he actually said "I don't use seed phrases, especially BIP39".

I'd like to know his reasoning against BIP39 or key derivation of BIP32, if he has issues with that in particular.


Does your conversation partner use those individually GPG-encrypted private keys as a sort of paper wallet? Why would a person want to take over a wallet's responsibility to manage private keys and derived addresses to deal with incoming and outgoing transactions of a wallet?

The aim of a deterministic keys wallet is easy backup and recovery while still maintaining good security. Address re-use should by default be minimized. I don't want to deal with when to use new keys and manage change. I expect the wallet to do this for me properly.

Legacy wallets that used a key pool of unrelated random private keys had their particular issues. Only file backup was possible. Restoring an older version of a wallet could lead to loss of funds if the key pool mismatched between the latest and the restored version. Using signing devices like hardware wallets or air-gapped setups isn't easy, if not impossible, with a key pool of random private keys.

DaveF, Legendary
April 06, 2024, 02:17:32 PM
Merited by pooya87 (2), vapourminer (1), apogio (1)
#7

Quote from: cryptosize
Optical discs can be quite reliable if we're talking about a good brand (like Mitsui Gold CD-R or Taiyo Yuden Ceramic DVD-R). They can last up to 100-200 years.

I have optical discs from the 90s/2000s and they're still fine...

But yeah, these days nobody uses optical discs anymore, most PCs don't even have an optical drive. It's also very hard to find reputable brands these days.

If someone knows what they're doing, they're fine.

NAND/flash memory (USB sticks, microSD) has a data retention period of 10 years. It used to be more reliable 15-20 years ago, not so much anymore (lower nanometers increase capacity, but reduce reliability).

https://en.wikipedia.org/wiki/Disc_rot
It has been seen on even the best high quality media. Although it is VERY VERY VERY RARE vs the average disc it still does happen. I have seen discussion about this on sysadmin forums.



Back to this, there is someone who always wants to re-invent the wheel.

If they are storing private keys then they have a limited # of addresses. BIP39 can get you unlimited addresses. So if you are talking about long term cold storage that is one thing. If you are talking about securing a wallet you are using day to day then it's another, since you are going to wind up losing privacy due to address re-use.

If you are talking about long term cold storage of large amounts of funds at one address then this is even worse.
Much like the lukejr hack you are storing vast sums in an insecure environment. That is just asking for trouble.
And you are vulnerable to the $5 wrench attack.

A seed phrase stored in a bank vault that you have no other business with is a better security method.

-Dave

 

apogio (OP), Sr. Member
April 06, 2024, 04:04:01 PM
#8

Quote from: BlackHatCoiner
Has he told you why he doesn't use seed phrases? Sounds absurd.

Quote from: Cricktor
I'd like to know his reasoning against BIP39 or key derivation of BIP32, if he has issues with that in particular.

The reasoning was that he didn't feel safe storing a seed phrase (in any storage medium) without it being encrypted.
He was anxious that whatever location he chose, the possibility of someone finding the words would lead to a complete loss of funds, whereas the system he chose gives him the ability to add an extra layer of security.
He also said he doesn't want to use multisig or passphrase, because this is what I suggested as a measure of extra protection.
Finally, he uses these encrypted keys as paper wallets.

Cricktor, Hero Member
April 06, 2024, 05:09:25 PM
#9

Quote from: apogio
...

You already suggested to him to protect the (wallet based on) mnemonic recovery words by an optional mnemonic passphrase. If you hadn't written it already, I would've suggested it next.

So he says he doesn't want to use an optional mnemonic passphrase, but he needs a decent and secure passphrase for his PGP encryption, no? Or how does he protect his PGP private key? As far as I remember, it's protected by some passphrase... and this passphrase needs to be properly stored and saved, too.

Don't tell me he has this PGP protection passphrase only in his head. That's a recipe for later disaster; sooner or later, doesn't matter, disaster will strike.


Quote from: apogio
Finally, he uses these encrypted keys as paper wallets.

I was pretty sure he went down this road. Assumptions are no certainty though, thanks for the clarification.

I can only say for myself, I don't like his approach. Seems like unnecessary layering to me, and I'm not much of a friend of handling "naked" private keys after you unwrap them by peeling off the PGP wrapping.

To be safe you need an air-gapped safe offline system to give your private keys a gentle rub after unwrapping. And on an air-gapped offline system you can happily have a safe offline HD wallet (needs to be on an encrypted filesystem to prevent being stolen and exploited by burglars). Much more comfort with the offline HD wallet than with paper wallets, for my taste.

BlackHatCoiner, Legendary
April 06, 2024, 05:23:30 PM
Merited by vapourminer (1)
#10

Quote from: apogio
He was anxious that whatever location he chose, the possibility of someone finding the words would lead to a complete loss of funds, whereas the system he chose gives him the ability to add an extra layer of security.
His system provides the same security as a 2-of-2 multi-sig, but it adds extra complexity. In his system, he needs both the GPG private key and the encrypted data to spend coins, just as you need two seed phrases to spend from a 2-of-2 multi-sig. The difference is that two seed phrases are much more flexible and easier to store than the other. He can only store his data digitally, whereas you can store a 2-of-2 multi-sig practically everywhere.

He wouldn't write down GPG key and base64 encrypted data on paper or print them, would he? That'd be less secure for a number of reasons.

cryptosize, Sr. Member
April 06, 2024, 05:35:15 PM
#11

Quote from: DaveF
Quote from: cryptosize
Optical discs can be quite reliable if we're talking about a good brand (like Mitsui Gold CD-R or Taiyo Yuden Ceramic DVD-R). They can last up to 100-200 years.

I have optical discs from the 90s/2000s and they're still fine...

But yeah, these days nobody uses optical discs anymore, most PCs don't even have an optical drive. It's also very hard to find reputable brands these days.

If someone knows what they're doing, they're fine.

NAND/flash memory (USB sticks, microSD) has a data retention period of 10 years. It used to be more reliable 15-20 years ago, not so much anymore (lower nanometers increase capacity, but reduce reliability).

https://en.wikipedia.org/wiki/Disc_rot
It has been seen on even the best high quality media. Although it is VERY VERY VERY RARE vs the average disc it still does happen. I have seen discussion about this on sysadmin forums.
I've never seen a recordable disc (CD-R, DVD-R) experiencing disc rot.

I've only seen one commercial audio CD from 1993 (commercial/pressed discs use aluminium) having disc rot in the outer edge.

I'm talking about a sample of thousands of discs, so indeed it's very rare...

If you want long-term optical storage, make sure it has gold or silver.
apogio (OP), Sr. Member
April 06, 2024, 05:35:33 PM
Merited by BlackHatCoiner (4)
#12

Quote from: Cricktor
So he says he doesn't want to use an optional mnemonic passphrase, but he needs a decent and secure passphrase for his PGP encryption, no? Or how does he protect his PGP private key? As far as I remember, it's protected by some passphrase... and this passphrase needs to be properly stored and saved, too.

Don't tell me he has this PGP protection passphrase only in his head. That's a recipe for later disaster; sooner or later, doesn't matter, disaster will strike.

Quote from: BlackHatCoiner
His system provides the same security as a 2-of-2 multi-sig, but it adds extra complexity. In his system, he needs both the GPG private key and the encrypted data to spend coins, just as you need two seed phrases to spend from a 2-of-2 multi-sig. The difference is that two seed phrases are much more flexible and easier to store than the other. He can only store his data digitally, whereas you can store a 2-of-2 multi-sig practically everywhere.

That's exactly my point.
Essentially, in terms of protection, I prefer multisig because I can sign with 2 cosigners that can be anywhere on this planet, without ever getting the cosigners together.
As far as storing anything in our heads is concerned, that's terrible. Without even thinking about bitcoin, I have had a relative who suffered from dementia, so she couldn't recognise me, so I wouldn't expect her to remember a strong passphrase. In a completely symmetrical way, I would never rely on my brain for anything other than generating ideas.
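The "optional mnemonic passphrase" that Cricktor (#9) and apogio (#12) discuss is the standard way to get the extra layer the OP's friend wanted without leaving BIP39. The following is an added example, not code from this thread or from any wallet project: it derives the BIP39 seed exactly as the BIP specifies (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase) and shows the property that matters for backups. The passphrase is not stored anywhere and there is no "wrong passphrase" error; every passphrase, including a typo, yields a different and equally valid wallet, so the passphrase must be backed up with the same care as the words. The mnemonic is the first vector of the BIP39 reference test set, the passphrases are constructed test inputs, and the code only derives the seed; it does not validate the mnemonic's checksum, which would need the 2048-word list.

```python
"""BIP39 seed derivation, with and without the optional passphrase.

Added example, not code from the thread. The mnemonic is the first vector of
the BIP39 reference test set; the passphrases are constructed test inputs.
This derives the seed only; it does not validate the mnemonic's checksum,
which needs the 2048-word list.
"""
import hashlib
import unicodedata

# Constructed input: the "abandon ... about" mnemonic from the BIP39 test vectors.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 "From mnemonic to seed":
    seed = PBKDF2-HMAC-SHA512(NFKD(mnemonic), "mnemonic" + NFKD(passphrase), 2048 rounds, 64 bytes).

    The passphrase is mixed into the salt, so every passphrase (a typo included)
    yields a different, equally valid seed. Nothing tells you it was wrong.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def seed_fingerprint(seed: bytes) -> str:
    """Short identifier for a seed, so derivations can be compared without printing the seed."""
    return hashlib.sha256(seed).hexdigest()[:16]


def passphrase_variants(mnemonic: str, passphrases) -> dict:
    """Map each candidate passphrase to the fingerprint of the wallet it unlocks.
    Demonstrates that "", "TREZOR" and the typo "TREZ0R" are three distinct wallets."""
    return {p: seed_fingerprint(bip39_seed(mnemonic, p)) for p in passphrases}


if __name__ == "__main__":
    for p, fp in passphrase_variants(MNEMONIC, ["", "TREZOR", "TREZ0R"]).items():
        print(f"passphrase={p!r:10} seed fingerprint={fp}")
```

Run as a script it prints three different fingerprints for the same twelve words. The practical consequence is the one Cricktor raises for the PGP passphrase: the words alone are no longer a complete backup, and a restore test (derive, compare the fingerprint or first address against a known-good value) is the only way to learn that the stored passphrase is the right one.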

pooya87, Legendary
April 07, 2024, 05:11:26 AM
Merited by vapourminer (1)
#13

Quote from: apogio
person who I really think is very knowledgeable in Bitcoin.

He provided me with some important arguments against BIP39, but most importantly, he described a backup system that he finds superior.

He said that he prefers to GPG encrypt private keys in WIF format and store them digitally.
I see some contradictions here.

1. BIP39 is offering a way to write down your hard to write WIFs in form of a human readable set of words. In other words it is difficult to write down 5KdD6mE.... but it is easy to write down Foo Bar Baz...

2. In BIP39 what you need to back up is one thing but you are actually backing up countless number of your keys derived from it. The alternative here has to "store" multiple things which makes it that much harder.

3. This has a flaw with the form of storage. Digital storage as pointed out earlier is a flawed and less-secure method of storing compared to physical storage (eg. on a physical medium including paper).

4. Someone who is "knowledgeable in Bitcoin" and familiar with BIP39 should also be familiar with BIP39-1 (BIP38), which describes a solid method of encrypting WIFs using AES encryption that is far better than using GPG, especially since it is supported by most bitcoin wallets already, whereas GPG is not and requires additional software.

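pooya87's point 1 contrasts a raw WIF string with a word list. What makes a WIF usable as a backup at all is its Base58Check wrapper: version byte, 32-byte key, optional 0x01 compression flag, then the first four bytes of SHA256d over the payload as a checksum. The example below is added here and is not code from the thread or from any wallet; it decodes and re-encodes WIFs and shows the check a practitioner wants before trusting a paper or GPG-decrypted WIF: a single mistranscribed character fails the checksum instead of silently pointing at an empty key. The key is the public example from the Bitcoin wiki's WIF page (not a funded key); the "typo" WIF is constructed from it.

```python
"""Decode, verify and re-encode a WIF (Wallet Import Format) private key.

Added example, not code from the thread. The test key is the public example
from the Bitcoin wiki; the "typo" WIF is constructed by altering one character.
"""
import hashlib

# Bitcoin's Base58 alphabet: no 0, O, I or l, to reduce transcription errors.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zeros = len(s) - len(s.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    return b"\x00" * leading_zeros + body


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def decode_wif(wif: str) -> dict:
    """Base58Check decode: verify the 4-byte checksum, then unpack version, key, compression flag."""
    raw = b58decode(wif)
    payload, checksum = raw[:-4], raw[-4:]
    if sha256d(payload)[:4] != checksum:
        raise ValueError("checksum mismatch: the WIF was altered or mistranscribed")
    version, body = payload[0], payload[1:]
    network = {0x80: "mainnet", 0xEF: "testnet"}.get(version)
    if network is None:
        raise ValueError(f"unknown WIF version byte 0x{version:02x}")
    if len(body) == 32:
        compressed = False
    elif len(body) == 33 and body[-1] == 0x01:
        compressed, body = True, body[:32]
    else:
        raise ValueError("payload is not 32 bytes plus an optional 0x01 compression flag")
    return {"network": network, "compressed": compressed, "privkey_hex": body.hex()}


def encode_wif(privkey: bytes, compressed: bool = True, mainnet: bool = True) -> str:
    """Inverse of decode_wif: version || key || [0x01] || first 4 bytes of SHA256d(payload)."""
    if len(privkey) != 32:
        raise ValueError("private key must be 32 bytes")
    payload = bytes([0x80 if mainnet else 0xEF]) + privkey + (b"\x01" if compressed else b"")
    return b58encode(payload + sha256d(payload)[:4])


def wif_is_valid(wif: str) -> bool:
    """The backup health check: does this string still decode to a well-formed key?"""
    try:
        decode_wif(wif)
        return True
    except ValueError:
        return False


# Public example from the Bitcoin wiki (uncompressed WIF); the typo variant is constructed.
WIKI_KEY_HEX = "0C28FCA386C7A227600B2FE50B7CAE11EC86D3BF1FBE471BE89827E19D72AA1D"
WIKI_WIF = "5HueCGU8rMjxEXxiPuD5BDku4MkFqeZyd4dZ1jvhTVqvbTLvyTJ"
TYPO_WIF = WIKI_WIF[:-1] + "K"

if __name__ == "__main__":
    print(decode_wif(WIKI_WIF))
    print("typo detected:", not wif_is_valid(TYPO_WIF))
```

The checksum is four bytes, so a random transcription error slips through with probability about 2^-32; that is good enough to catch copying mistakes, but it says nothing about whether the key is the one you meant to back up, which is why a restore test against a known address is still needed.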
apogio (OP), Sr. Member
April 07, 2024, 08:55:31 AM
#14

Quote from: pooya87
I see some contradictions here.

1. BIP39 is offering a way to write down your hard to write WIFs in form of a human readable set of words. In other words it is difficult to write down 5KdD6mE.... but it is easy to write down Foo Bar Baz...

Sure, I think we all agree on that. By the way, since you mentioned it, I believe 2 separate pieces of paper stored in different locations is one of the safest backup methods. The only thing you need to do is to find secure locations and to health check the backups.

Quote from: pooya87
4. Someone who is "knowledgeable in Bitcoin" and familiar with BIP39 should also be familiar with BIP39-1 (BIP38), which describes a solid method of encrypting WIFs using AES encryption that is far better than using GPG, especially since it is supported by most bitcoin wallets already, whereas GPG is not and requires additional software.

Well this argument is strong, but in my opinion, knowing about GPG and having GPG on a Linux machine is really important for privacy and I reckon most bitcoiners should be familiar with it. Of course, it's not mandatory but it is more than just a "nice to have".

pooya87, Legendary
April 07, 2024, 11:37:14 AM
#15

Quote from: apogio
Well this argument is strong, but in my opinion, knowing about GPG and having GPG on a Linux machine is really important for privacy and I reckon most bitcoiners should be familiar with it. Of course, it's not mandatory but it is more than just a "nice to have".
Of course, it could even be considered mandatory specially since you need to verify the signature of the downloaded binaries.
But let's not forget that OpenPGP is not an encryption algorithm, although they have defined a way to encrypt stuff with it. This is while AES256 (what is used in BIP38) is an encryption algorithm.

That's also all assuming they're using the symmetric encryption option with gpg --symmetric command not the one using the GPG keys which are big themselves (512 and 1024 bits) and require another separate backup, which would be another flaw/complication in their method.

apogio (OP), Sr. Member
April 07, 2024, 02:13:23 PM
#16

Quote from: pooya87
That's also all assuming they're using the symmetric encryption option with gpg --symmetric command not the one using the GPG keys which are big themselves (512 and 1024 bits) and require another separate backup, which would be another flaw/complication in their method.

Definitely. I think I have mentioned it above, that he uses symmetric encryption.
However, the passphrase needs to be a strong one, so I reckon that he must have a backup of the passphrase as well. That is to say that the separate backup is mandatory either way.

Quote from: pooya87
But let's not forget that OpenPGP is not an encryption algorithm, although they have defined a way to encrypt stuff with it. This is while AES256 (what is used in BIP38) is an encryption algorithm.

The default --cipher-algo for gpg --symmetric is AES256, isn't it?

Forsyth Jones, Hero Member
April 09, 2024, 12:55:42 AM
#17

I thought like your friend, I didn't think it was safe to use BIP39 mnemonics, but I saw that my way of thinking doesn't make much sense.

Encrypting the private keys with GPG (symmetrically, AES) seems like a good idea as long as it's done on a secure computer free from any malware, but I'd stick with the BIP-39 backup system. Although some claim Electrum's is superior (I'm not going to get into that discussion now), the advent of BIP-39 was one of the best things that happened in Bitcoin.

We need to be careful about reinventing the wheel, as this friend of yours could create so much complexity and end up losing the password for the encrypted file, not to mention losing/corrupting media such as SD cards, pen drives, etc. Diversify this backup as much as possible by producing several copies, and most importantly, store this decryption password in a safe place so that you will later remember where it was stored.

pooya87, Legendary
April 09, 2024, 03:45:22 AM
Merited by vapourminer (1), apogio (1)
#18

Quote from: apogio
The default --cipher-algo for gpg --symmetric is AES256, isn't it?
Try adding --verbose, it should print the algorithms that are used.

But I believe it is using AES256 in the latest version, they've changed the default a couple of times in different versions. They've been basically using what they believe is "safe" which means for example in GnuPG 1.0 they used CAST5 and in GnuPG 2.0 used AES128 and changed it again in v. 2.2 or something to AES256.

.
apogio (OP), Sr. Member
April 09, 2024, 06:09:03 AM
Merited by vapourminer (1)
#19

Quote from: Forsyth Jones
We need to be careful about reinventing the wheel, as this friend of yours could create so much complexity and end up losing the password for the encrypted file, not to mention losing/corrupting media such as SD cards, pen drives, etc. Diversify this backup as much as possible by producing several copies, and most importantly, store this decryption password in a safe place so that you will later remember where it was stored.

Yes I agree with you.
In fact, not trusting BIP39 is fine. What's not fine, is trying to manually override BIP39 with other types of backups, which are custom implementations.
The problem with this is that even people who have more expertise than us can lose money this way. This was the case with Luke Dashjr; he used the exact same backup method.
Ok, yeah, Luke is a controversial figure, having stated that he doesn't trust hardware devices etc, but in my opinion, it's a good example of the "don't reinvent the wheel" narrative.

NotATether, Legendary
April 09, 2024, 06:20:08 AM
#20

Quote from: apogio
Ok, yeah, Luke is a controversial figure, having stated that he doesn't trust hardware devices etc, but in my opinion, it's a good example of the "don't reinvent the wheel" narrative.

What is there to not trust about a hardware wallet whose schemata, PCB designs and firmware are all publicly available and open source? That would be equivalent to a software wallet being open source in terms of checking the code.

It does require you to go out and learn a few things about circuit board design, but isn't that the case with learning a new programming language as well? In my opinion, it is worth going out to learn about those things since a special-purpose hardware wallet is more secure than even a secure software running on a generic computer.

.
apogio (OP), Sr. Member
April 09, 2024, 06:26:23 AM
Merited by vapourminer (1)
#21

Quote from: NotATether
What is there to not trust about a hardware wallet whose schemata, PCB designs and firmware are all publicly available and open source? That would be equivalent to a software wallet being open source in terms of checking the code.

It does require you to go out and learn a few things about circuit board design, but isn't that the case with learning a new programming language as well? In my opinion, it is worth going out to learn about those things since a special-purpose hardware wallet is more secure than even a secure software running on a generic computer.

Yeah I don't even doubt that. I totally agree. Here is the discussion we had in the forum last year: https://bitcointalk.org/index.php?topic=5432665.0
I am just pointing out for newer members or members who may have missed it. It's a good reading.

ranochigo, Legendary
April 09, 2024, 06:48:03 AM
Merited by BlackHatCoiner (4), pooya87 (2), vapourminer (1)
#22

Quote from: Cricktor
The aim of a deterministic keys wallet is easy backup and recovery while still maintaining good security. Address re-use should by default be minimized. I don't want to deal with when to use new keys and manage change. I expect the wallet to do this for me properly.

Legacy wallets that used a key pool of unrelated random private keys had their particular issues. Only file backup was possible. Restore of an older version of a wallet could lead to loss of funds if the key pool missmatched from latest to restored version. Usage of signing devices like hardware wallets or air-gapped setups aren't easy if not impossible with a key pool of random private keys.
FWIW, hierarchical deterministic wallets like Bitcoin Core's require a new backup after a password change. Certain activities on the wallet will result in a refresh of the HD seed and thereby require a new backup. Mnemonics are designed to make it easier for people to write them down and read them.

Quote from: NotATether
What is there to not trust about a hardware wallet whose schemata, PCB designs and firmware are all publicly available and open source? That would be equivalent to a software wallet being open source in terms of checking the code.

It does require you to go out and learn a few things about circuit board design, but isn't that the case with learning a new programming language as well? In my opinion, it is worth going out to learn about those things since a special-purpose hardware wallet is more secure than even a secure software running on a generic computer.
Not saying that I agree with him, but there are merits to this argument. It's not a matter of inspecting the entire PCB with your naked eye or reading the code. There's no way of knowing what exactly each chip is for and the entire design and layout of the PCB, because certain components are designed to be a black box for security. In fact, it would be difficult to tell if the firmware flashed to the device is indeed the one that you uploaded.

Ok, yeah, Luke is a controversial figure, having stated that he doesn't trust hardware devices etc, but in my opinion, it's a good example of the "don't reinvent the wheel" narrative.
I think the issue is less about reinventing the wheel and more about knowing what you're doing and guarding against potential attack vectors. If you thoroughly understand and guard against what's potentially a threat, then I don't see how it would be bad, since the majority of them are a direct result of human error. Not trusting BIP39 is okay, or using GPG to encrypt every single WIF private key is fine too, but it's just a less efficient way and one that doesn't make much sense given the alternatives that we have.


NotATether
Legendary
Activity: 1596
Merit: 6728
April 09, 2024, 06:56:27 AM
Merited by vapourminer (1)
 #23

What is there to not trust about a hardware wallet whose schemata, PCB designs and firmware are all publicly available and open source? That would be equivalent to a software wallet being open source in terms of checking the code.

It does require you to go out and learn a few things about circuit board design, but isn't that the case with learning a new programming language as well? In my opinion, it is worth going out to learn about those things since a special-purpose hardware wallet is more secure than even a secure software running on a generic computer.
Not saying that I agree with him, but there are merits to these arguments. It's not a matter of inspecting the entire PCB with your naked eye or reading the code. There's no way of knowing what exactly each chip is for and the entire design and layout of the PCB, because certain components are designed to be a black box for security. In fact, it would be difficult to tell if the firmware flashed to the device is indeed the one that you've uploaded.

I'm quite ignorant about hardware wallet design so pardon me, but can you give me some examples of some components that are completely proprietary? I'm guessing whatever HSM (hardware security module) is used in there firstly. But then again, if a module could be demonstrated to be provably secure - at least against modern-day attacks - what exactly is the point of not making all the parts deterministic like a software wallet?

Just like how I would be uncomfortable using a closed source wallet like Coinomi, similarly I would not be comfortable using a hardware device to store my life savings unless I know exactly how it works.


ranochigo
Legendary
Activity: 2954
Merit: 4166
April 09, 2024, 07:03:20 AM
Merited by vapourminer (1)
 #24

I'm quite ignorant about hardware wallet design so pardon me, but can you give me some examples of some components that are completely proprietary? I'm guessing whatever HSM (hardware security module) is used in there firstly. But then again, if a module could be demonstrated to be provably secure - at least against modern-day attacks - what exactly is the point of not making all the parts deterministic like a software wallet?
HSM is probably one of the most notable ones, but I think MCUs are generally not as guarded, though I wouldn't doubt it if they aren't willing to release schematics on these. These are deterministic (similar design and components are on every device), but given the obscure nature of it, you wouldn't know if any backdoors are already in the chip if you have zero access to the internals.

Hardware wallets are generally tamper-proof, which means that it would be difficult to inspect each and every component in the device exactly. Let's say you know exactly which components are on the device, which isn't quite difficult (a quick visual scan will do; X-ray can be used if you really want to be sure); then I don't see how this still wouldn't require the user trusting the manufacturer.


NotATether
Legendary
Activity: 1596
Merit: 6728
April 09, 2024, 07:55:55 AM
 #25

HSM is probably one of the most notable ones, but I think MCUs are generally not as guarded, though I wouldn't doubt it if they aren't willing to release schematics on these. These are deterministic (similar design and components are on every device), but given the obscure nature of it, you wouldn't know if any backdoors are already in the chip if you have zero access to the internals.

What do you think it would take for a bunch of people or a consortium to come together to make a widely used open-source HSM specification?

I mean, I am aware of HSMs costing literally thousands of dollars to buy, the stand-alone devices at least. So there must be some sort of vested interest even for the corporations using these things to eliminate the costs, right?

Hardware wallets are generally tamper-proof, which means that it would be difficult to inspect each and every component in the device exactly. Let's say you know exactly which components are on the device, which isn't quite difficult (a quick visual scan will do; X-ray can be used if you really want to be sure); then I don't see how this still wouldn't require the user trusting the manufacturer.

You are right that it is quite infeasible to open a hardware wallet and inspect the parts one by one before you use it. Nobody does that with software wallets either. But if this is only done occasionally, by a few enthusiasts, as opposed to every time you get a new hardware wallet, it would decentralize a lot of that trust that people are putting on the manufacturer to not have a compromised supply chain.


ranochigo
Legendary
Activity: 2954
Merit: 4166
April 09, 2024, 08:05:51 AM
 #26

What do you think it would take for a bunch of people or a consortium to come together to make a widely used open-source HSM specification?

I mean, I am aware of HSMs costing literally thousands of dollars to buy, the stand-alone devices at least. So there must be some sort of vested interest even for the corporations using these things to eliminate the costs, right?
Quite significant, I would expect. HSMs are very specialized chips and they are required to withstand various attacks from side channels, fault injections, tampering etc. Most of them are certified, and hardware wallet manufacturers are generally more keen to use those that are available on the market, which are often proprietary and closed source as compared to open source ones, likely due to the track record and stuff.

They are obscure for a reason, which likely allows it to benefit from security from obscurity, which is especially important for devices which are required to be secure. You don't want people trying to probe around to see what makes it tick.


NotATether
Legendary
Activity: 1596
Merit: 6728
April 09, 2024, 08:14:21 AM
 #27

What do you think it would take for a bunch of people or a consortium to come together to make a widely used open-source HSM specification?

I mean, I am aware of HSMs costing literally thousands of dollars to buy, the stand-alone devices at least. So there must be some sort of vested interest even for the corporations using these things to eliminate the costs, right?
Quite significant, I would expect. HSMs are very specialized chips and they are required to withstand various attacks from side channels, fault injections, tampering etc. Most of them are certified, and hardware wallet manufacturers are generally more keen to use those that are available on the market, which are often proprietary and closed source as compared to open source ones, likely due to the track record and stuff.

They are obscure for a reason, which likely allows it to benefit from security from obscurity, which is especially important for devices which are required to be secure. You don't want people trying to probe around to see what makes it tick.

I dunno - the whole thing about security through obscurity is very fragile and it just takes one vulnerability to knock out the parts that you are using, whether it's by migrating to newer or different parts with a mitigation, or by a cyberattack in case you are not so lucky.

I feel like after seeing all these unpatchable hardware-level vulnerabilities such as Spectre and DMP (and to some extent the RowHammer family of exploits), we need to have more eyeballs looking at the design so that these kinds of things are less likely to go unnoticed. Of course the examples I mention affect CPUs that have no chance of getting open-sourced at all, but I really do think there's a chance for HSMs.

Just some food for thought.


ranochigo
Legendary
Activity: 2954
Merit: 4166
April 09, 2024, 08:21:07 AM
Merited by vapourminer (1), NotATether (1)
 #28

I dunno - the whole thing about security through obscurity is very fragile and it just takes one vulnerability to knock out the parts that you are using, whether it's by migrating to newer or different parts with a mitigation, or by a cyberattack in case you are not so lucky.

I feel like after seeing all these unpatchable hardware-level vulnerabilities such as Spectre and DMP (and to some extent the RowHammer family of exploits), we need to have more eyeballs looking at the design so that these kinds of things are less likely to go unnoticed. Of course the examples I mention affect CPUs that have no chance of getting open-sourced at all, but I really do think there's a chance for HSMs.

Just some food for thought.
CPUs don't really benefit that much from the entire concept of security by obscurity but they are proprietary because of the significant R&D and stuff that is going into the chips. Asking them to open source their chips would be quite unreasonable from a business perspective and probably would never happen.

I've got no doubt that HSMs already have their in-house red team to try to attack and crack their own chips, and it is unlikely for an adversary, say a state-sponsored attacker at worst, to be able to understand the inner workings thoroughly enough to break the HSM. My take is that security by obscurity works, and that open sourcing stuff doesn't exactly benefit manufacturers from a business perspective, considering the amount of money on R&D and certifications as well as the potential threats by doing so. We've had plenty of vulnerabilities from open source code, and notably some of the more serious ones were not disclosed and were secretly used to develop their own exploits. I have no doubt that this could happen if given the chance.


apogio (OP)
Sr. Member
Activity: 434
Merit: 961
April 09, 2024, 02:26:18 PM
Merited by vapourminer (1)
 #29

I think the issue is less about reinventing the wheel and more about knowing what you're doing and guarding against potential attack vectors. If you thoroughly understand and guard against what's potentially a threat, then I don't see how it would be bad, since the majority of them are a direct result of human error. Not trusting BIP39 is okay, or using GPG to encrypt every single WIF private key is fine too, but it's just a less efficient way and one that doesn't make much sense given the alternatives that we have.

The main issue is that it's very difficult to use the keys if you need to.
Theoretically, if you have X key-pairs, you need to have X separate files.
So, if you needed to decrypt one private key and spend from it, the other ones wouldn't be decrypted.

I don't think it's very handy though. Imagine that you need to:
1. plug in the external HDD.
2. transfer the encrypted file to your machine.
3. gpg decrypt the file. (if your GPG keys aren't on the machine, then it requires more steps).
4. open the file in a notepad and copy the WIF.
5. open electrum or sparrow and sweep the private key to a wallet.

I dislike this approach.
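
The workflow above ends with pasting a decrypted WIF into a wallet. Since corruption of the encrypted file or the copy-paste step is a real failure mode of that design, here is an added example (editor's code, not from any poster or wallet project) of the check a cautious user can run on the recovered string before step 5: a pure-Python WIF encoder and decoder that verifies the Base58Check checksum, the version byte, the compression flag and the secp256k1 key range. The 32-byte key used in the demo is a constructed sample (bytes 0x01..0x20), not a real key, and all function names are my own.

```python
import hashlib

# Base58 alphabet used by Bitcoin (no 0, O, I, l, which are easy to confuse).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Order of the secp256k1 group: a valid private key lies in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
VERSION_MAINNET, VERSION_TESTNET = 0x80, 0xEF


def sha256d(data: bytes) -> bytes:
    """Double SHA-256; Base58Check takes the first 4 bytes as checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    # Each leading zero byte is represented by a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + "".join(reversed(digits))


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def encode_wif(privkey: bytes, compressed: bool = True, testnet: bool = False) -> str:
    """Serialize a 32-byte private key as WIF (version byte + key [+ 0x01] + checksum)."""
    if len(privkey) != 32:
        raise ValueError("private key must be exactly 32 bytes")
    payload = bytes([VERSION_TESTNET if testnet else VERSION_MAINNET]) + privkey
    if compressed:
        payload += b"\x01"  # flag: the wallet should derive the compressed public key
    return b58encode(payload + sha256d(payload)[:4])


def decode_wif(wif: str) -> dict:
    """Parse and validate a WIF string; raises ValueError on any defect."""
    raw = b58decode(wif.strip())
    if len(raw) not in (37, 38):
        raise ValueError(f"unexpected length {len(raw)} bytes after decoding")
    payload, checksum = raw[:-4], raw[-4:]
    if sha256d(payload)[:4] != checksum:
        raise ValueError("checksum mismatch: the WIF string is corrupted")
    version = payload[0]
    if version not in (VERSION_MAINNET, VERSION_TESTNET):
        raise ValueError(f"unexpected version byte 0x{version:02x}")
    compressed = len(payload) == 34
    if compressed and payload[33] != 0x01:
        raise ValueError("34-byte payload but trailing byte is not the 0x01 compression flag")
    key = payload[1:33]
    if not 1 <= int.from_bytes(key, "big") < SECP256K1_N:
        raise ValueError("private key is outside the valid secp256k1 range")
    return {"privkey": key, "compressed": compressed,
            "network": "testnet" if version == VERSION_TESTNET else "mainnet"}


def check_wif(wif: str) -> tuple:
    """(True, parsed fields) if the WIF is intact, otherwise (False, reason)."""
    try:
        return True, decode_wif(wif)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample key for the demo (NOT a real key): bytes 0x01..0x20.
    sample_key = bytes(range(1, 33))
    wif = encode_wif(sample_key)
    print("WIF:", wif, "->", check_wif(wif))
    # Alter one character in the middle, as a bit-rotted backup or a bad paste might.
    broken = wif[:20] + ("2" if wif[20] != "2" else "3") + wif[21:]
    print("corrupted ->", check_wif(broken))
```

A wallet performs the same checksum test when you paste the key, but running it yourself first tells a corrupted backup apart from a mishandled one without exposing the key to the wallet software, and it is the check worth adding to any script that automates step 3 of the list above.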

Pmalek
Legendary
Activity: 2758
Merit: 7132
April 10, 2024, 07:21:50 AM
Merited by apogio (2)
 #30

The reasoning was that he didn't feel safe storing a seed phrase (in any storage medium) without it being encrypted.
He was anxious that whatever location he chose, the possibility of someone finding the words would lead to a complete loss of funds, whereas the system he chose gives him the ability to add an extra layer of security.
He also said he doesn't want to use multisig or passphrase, because this is what I suggested as a measure of extra protection.
All that isn't an argument against BIP39 seeds. His paranoia level is at a point where he believes his coins will be lost because someone out there will find them and empty his wallets. To be honest, I don't think it's healthy.

Finally, he uses these encrypted keys as paper wallets.
To me, something that is digitally backed up and saved on a computer isn't a paper wallet, regardless of whether it's encrypted or not. The keys (better yet, seeds) are supposed to be on a physical medium.

When we are on the subject of paranoia, why is he only afraid of someone finding his physical backups? Why not be afraid of someone very knowledgeable getting physical access to your computer? Sure, they would have to break all the encryption, but still. Or even worse, why wouldn't that someone tie him up and torture him until he gives them what they want? At that point, it doesn't really matter what you used for your backups.


Forsyth Jones
Hero Member
Activity: 1162
Merit: 618
April 19, 2024, 09:18:33 PM
Merited by Pmalek (2), apogio (2), vapourminer (1)
 #31

Regarding the components of hardware wallets being obscure, such as the HSM and the Secure Element available in HW such as Ledger, it's difficult to trust completely, since these parts have an NDA agreement that the manufacturers that sell HW are obliged to comply with. I.e. at the moment we don't have an open source SE, but according to Trezor, this will be possible in the future as they are working on it.

I don't fully trust HW, but I know that at the moment they are the best options for beginners who don't understand anything about storing coins safely in an air-gapped way.

I think this deserves a topic just for these hardware wallet dilemmas (if we don't have one), so I'll return to the subject of this thread.

All that isn't an argument against BIP39 seeds. His paranoia level is at a point where he believes his coins will be lost because someone out there will find them and empty his wallets. To be honest, I don't think it's healthy.
Agree, worrying too much about one thing and ignoring another is not a good thing, as it opens the door to online vulnerabilities.


When we are on the subject of paranoia, why is he only afraid of someone finding his physical backups? Why not be afraid of someone very knowledgeable getting physical access to your computer? Sure, they would have to break all the encryption, but still. Or even worse, why wouldn't that someone tie him up and torture him until he gives them what they want? At that point, it doesn't really matter what you used for your backups.
One of the best ways to protect your coins is really not to tell anyone that you have bitcoin, at least not unnecessarily. You can take every precaution to protect your wallets and backups, but not taking care of privacy and going around telling friends that you have bitcoin and are making a lot of profit from it is a decoy for physical attacks such as the wrench scam. Of course, most people you talk to about Bitcoin won't do this, but I feel uncomfortable when close family members ask me how much Bitcoin I have or tell others that I have it, as if I own a large amount, rather than discussing the fundamentals and potential of bitcoin as a tool to improve our lives as well as protection against inflation and privacy against crooks and governments.

Whenever they start asking personal questions, I tend to deviate from the subject, as one of my mistakes was having said too much in an attempt to show what bitcoin is and how it works.


apogio (OP)
Sr. Member
Activity: 434
Merit: 961
April 20, 2024, 06:49:02 AM
 #32

Or even worse, why wouldn't that someone tie him up and torture him until he gives them what they want? At that point, it doesn't really matter what you used for your backups.

One of the best ways to protect your coins is really not to tell anyone that you have bitcoin, at least not unnecessarily

Guys, I completely agree with these comments.
Jameson Lopp has a great resource on github where he keeps a list of all the physical bitcoin attacks. Just read it and you will notice that there have been many "torture / threat" stories. This is a huge threat that people seem to ignore.
