Bitcoin Forum
Author Topic: An unexpected backup system suggestion  (Read 349 times)
apogio (OP)
Sr. Member
****
Offline Offline

Activity: 420
Merit: 958



View Profile WWW
April 06, 2024, 10:04:16 AM
 #1

Yesterday, I had a conversation (in real life) with a person who I really think is very knowledgeable in Bitcoin.

I will not provide more details about his setup, because I value his privacy. I asked him to join the forum and open a thread to discuss it. The forum would have a lot to learn from him. He will not...

He provided me with some important arguments against BIP39, but most importantly, he described a backup system that he finds superior.

But this system was (and still is) a red flag for me.

He said that he prefers to GPG encrypt private keys in WIF format and store them digitally.

So... What are your thoughts? I am aware that this system caused Luke Dashjr to lose a lot of funds, so I can't believe he literally suggested it.

I won't be very active this weekend, but I will be back to read and discuss with you next week.

BlackHatCoiner
Legendary
*
Offline Offline

Activity: 1512
Merit: 7340


Farewell, Leo


View Profile
April 06, 2024, 10:20:48 AM
Merited by DaveF (2), pooya87 (2), vapourminer (1)
 #2

I believe it is a lack of creativity on their part. You can do a host of things to secure your bitcoin. Write the seed phrase down on paper, hide it in multiple places, use washers for long-term storage etc.

If he doesn't like BIP39, then maybe he should look for Electrum's seed standard? In any case, keeping your private keys encrypted is a bad idea. SD cards, disk drives, DVDs etc., are all prone to corruption. And you need to store both the GPG private key and the encrypted data somewhere. Losing access to one of them means loss of funds.

apogio (OP)
Sr. Member
****
Offline Offline

Activity: 420
Merit: 958



View Profile WWW
April 06, 2024, 10:37:48 AM
Merited by vapourminer (1)
 #3

I believe it is a lack of creativity on their part. You can do a host of things to secure your bitcoin. Write the seed phrase down on paper, hide it in multiple places, use washers for long-term storage etc.

If he doesn't like BIP39, then maybe he should look for Electrum's seed standard? In any case, keeping your private keys encrypted is a bad idea. SD cards, disk drives, DVDs etc., are all prone to corruption. And you need to store both the GPG private key and the encrypted data somewhere. Losing access to one of them means loss of funds.

He is symmetrically encrypting the keys. So he must have a strong password to decrypt them. I don't know how he stores the password though. I didn't ask for obvious reasons.

I am not in favour of digital storage either. I am afraid of disk failures.

As far as BIP39 is concerned, he actually said "I don't use seed phrases, especially BIP39". So I am assuming he must dislike Electrum as well.
Personally I mostly use Electrum instead of BIP39, but I understand that BIP39 is the most widespread, software-agnostic backup protocol.

BlackHatCoiner
Legendary
*
Offline Offline

Activity: 1512
Merit: 7340


Farewell, Leo


View Profile
April 06, 2024, 10:43:01 AM
 #4

Has he told you why he doesn't use seed phrases? Sounds absurd.

cryptosize
Sr. Member
****
Offline Offline

Activity: 1638
Merit: 298


View Profile
April 06, 2024, 11:54:20 AM
Merited by vapourminer (1)
 #5

Optical discs can be quite reliable if we're talking about a good brand (like Mitsui Gold CD-R or Taiyo Yuden Ceramic DVD-R). They can last up to 100-200 years.

I have optical discs from the 90s/2000s and they're still fine...

But yeah, these days nobody uses optical discs anymore, most PCs don't even have an optical drive. It's also very hard to find reputable brands these days.

If someone knows what they're doing, they're fine.

NAND/flash memory (USB sticks, microSD) has a data retention period of 10 years. It used to be more reliable 15-20 years ago, not so much anymore (lower nanometers increase capacity, but reduce reliability).
Cricktor
Hero Member
*****
Offline Offline

Activity: 756
Merit: 1108


Crypto Swap Exchange


View Profile
April 06, 2024, 01:01:59 PM
Last edit: April 06, 2024, 01:19:09 PM by Cricktor
Merited by vapourminer (1)
 #6

I am not in favour of digital storage either. I am afraid of disk failures.

Redundant multiple copies prevent a loss due to a device failure. My issue with digital storage is its susceptibility to ransom attacks when the digital storage is connected to online systems.

As far as BIP39 is concerned, he actually said "I don't use seed phrases, especially BIP39".

I'd like to know his reasoning against BIP39 or key derivation of BIP32, if he has issues with that in particular.


Does your conversation partner use those individually GPG encrypted private keys as sort of paperwallets? Why would a person want to take over a wallet's responsibility to manage private keys and derived addresses to deal with incoming and outgoing transactions of a wallet?

The aim of a deterministic keys wallet is easy backup and recovery while still maintaining good security. Address re-use should by default be minimized. I don't want to deal with when to use new keys and manage change. I expect the wallet to do this for me properly.

Legacy wallets that used a key pool of unrelated random private keys had their particular issues. Only file backup was possible. Restore of an older version of a wallet could lead to loss of funds if the key pool mismatched from latest to restored version. Usage of signing devices like hardware wallets or air-gapped setups isn't easy, if not impossible, with a key pool of random private keys.

DaveF
Legendary
*
Offline Offline

Activity: 3458
Merit: 6258


Crypto Swap Exchange


View Profile WWW
April 06, 2024, 02:17:32 PM
Merited by pooya87 (2), vapourminer (1), apogio (1)
 #7

Optical discs can be quite reliable if we're talking about a good brand (like Mitsui Gold CD-R or Taiyo Yuden Ceramic DVD-R). They can last up to 100-200 years.

I have optical discs from the 90s/2000s and they're still fine...

But yeah, these days nobody uses optical discs anymore, most PCs don't even have an optical drive. It's also very hard to find reputable brands these days.

If someone knows what they're doing, they're fine.

NAND/flash memory (USB sticks, microSD) has a data retention period of 10 years. It used to be more reliable 15-20 years ago, not so much anymore (lower nanometers increase capacity, but reduce reliability).

https://en.wikipedia.org/wiki/Disc_rot
It has been seen on even the best high quality media. Although it is VERY VERY VERY RARE vs the average disc it still does happen. I have seen discussion about this on sysadmin forums.



Back to this, there is someone who always wants to re-invent the wheel.

If they are storing private keys then they have a limited # of addresses. BIP39 can get you unlimited addresses. So if you are talking about long term cold storage that is one thing. If you are talking about securing a wallet you are using day to day then it's another since you are going to wind up losing privacy due to address re-use.

If you are talking about long term cold storage of large amounts of funds at one address then this is even worse.
Much like the lukejr hack you are storing vast sums in an insecure environment. That is just asking for trouble.
And you are vulnerable to the $5 wrench attack.

A seed phrase stored in a bank vault that you have no other business with is a better security method.

-Dave

 

apogio (OP)
Sr. Member
****
Offline Offline

Activity: 420
Merit: 958



View Profile WWW
April 06, 2024, 04:04:01 PM
 #8

Has he told you why he doesn't use seed phrases? Sounds absurd.

I'd like to know his reasoning against BIP39 or key derivation of BIP32, if he has issues with that in particular.

The reasoning was that he didn't feel safe storing a seed phrase ( in any storage medium ) without it being encrypted.
He was anxious that whatever location he chose, the possibility of someone finding the words would lead to a complete loss of funds, whereas the system he chose gives him the ability to add an extra layer of security.
He also said he doesn't want to use multisig or passphrase, because this is what I suggested as a measure of extra protection.
Finally, he uses these encrypted keys as paper wallets.

Cricktor
Hero Member
*****
Offline Offline

Activity: 756
Merit: 1108


Crypto Swap Exchange


View Profile
April 06, 2024, 05:09:25 PM
 #9

...

You already suggested to him to protect the (wallet based on) mnemonic recovery words by an optional mnemonic passphrase. If you hadn't written it already, I would've suggested it next.

So he says he doesn't want to use an optional mnemonic passphrase, but he needs a decent and secure passphrase for his PGP encryption, not? Or how does he protect his PGP private key? As far as I remember, it's protected by some passphrase... and this passphrase needs to be properly stored and saved, too.

Don't tell me he has this PGP protection passphrase only in his head. That's a recipe for later disaster, sooner or later, doesn't matter, disaster will strike.


Finally, he uses these encrypted keys as paper wallets.

I was pretty sure, he went this road. Assumptions are no certainty though, thanks for clarification.

I can only say for myself, I don't like his approach. Seems unnecessary layering to me and I'm not much of a friend of handling "naked" private keys after you unwrapped them by peeling off the PGP wrapping.

To be safe you need an air-gapped safe offline system to give your private keys a gentle rub after unwrapping. And on an air-gapped offline system you can happily have a safe offline HD wallet (needs to be on an encrypted filesystem to prevent being stolen and exploited by burglars). Much more comfort with the offline HD wallet than with paper wallets, for my taste.

BlackHatCoiner
Legendary
*
Offline Offline

Activity: 1512
Merit: 7340


Farewell, Leo


View Profile
April 06, 2024, 05:23:30 PM
Merited by vapourminer (1)
 #10

He was anxious that whatever location he chose, the possibility of someone finding the words would lead to a complete loss of funds, whereas the system he chose gives him the ability to add an extra layer of security.
His system provides the same security with a 2-of-2 multi-sig, but it adds extra complexity. In his system, he needs both the GPG private key and the encrypted data to spend coins, just as you need two seed phrases to spend from a 2-of-2 multi-sig. The difference is that two seed phrases are much more flexible and easier to store than the other. He can only store his data digitally, where you can store a 2-of-2 multi-sig practically everywhere.

He wouldn't write down GPG key and base64 encrypted data on paper or print them, would he? That'd be less secure for a number of reasons.

cryptosize
Sr. Member
****
Offline Offline

Activity: 1638
Merit: 298


View Profile
April 06, 2024, 05:35:15 PM
 #11

Optical discs can be quite reliable if we're talking about a good brand (like Mitsui Gold CD-R or Taiyo Yuden Ceramic DVD-R). They can last up to 100-200 years.

I have optical discs from the 90s/2000s and they're still fine...

But yeah, these days nobody uses optical discs anymore, most PCs don't even have an optical drive. It's also very hard to find reputable brands these days.

If someone knows what they're doing, they're fine.

NAND/flash memory (USB sticks, microSD) has a data retention period of 10 years. It used to be more reliable 15-20 years ago, not so much anymore (lower nanometers increase capacity, but reduce reliability).

https://en.wikipedia.org/wiki/Disc_rot
It has been seen on even the best high quality media. Although it is VERY VERY VERY RARE vs the average disc it still does happen. I have seen discussion about this on sysadmin forums.
I've never seen a recordable disc (CD-R, DVD-R) experiencing disc rot.

I've only seen one commercial audio CD from 1993 (commercial/pressed discs use aluminium) having disc rot in the outer edge.

I'm talking about a sample of thousands of discs, so indeed it's very rare...

If you want long-term optical storage, make sure it has gold or silver.
apogio (OP)
Sr. Member
****
Offline Offline

Activity: 420
Merit: 958



View Profile WWW
April 06, 2024, 05:35:33 PM
Merited by BlackHatCoiner (4)
 #12

So he says he doesn't want to use an optional mnemonic passphrase, but he needs a decent and secure passphrase for his PGP encryption, not? Or how does he protect his PGP private key? As far as I remember, it's protected by some passphrase... and this passphrase needs to be properly stored and saved, too.

Don't tell me he has this PGP protection passphrase only in his head. That's a recipe for later disaster, sooner or later, doesn't matter, disaster will strike.

His system provides the same security with a 2-of-2 multi-sig, but it adds extra complexity. In his system, he needs both the GPG private key and the encrypted data to spend coins, just as you need two seed phrases to spend from a 2-of-2 multi-sig. The difference is that two seed phrases are much more flexible and easier to store than the other. He can only store his data digitally, where you can store a 2-of-2 multi-sig practically everywhere.

That's exactly my point.
Essentially in terms of protection, I prefer multisig because I can sign with 2 cosigners that can be anywhere on this planet, without ever getting the cosigners together.
As far as storing anything in our heads is concerned, that's terrible. Without even thinking about bitcoin, I have had a relative who suffered from dementia, so she couldn't recognise me, so I wouldn't expect her to remember a strong passphrase. In a completely symmetrical way, I would never rely on my brain for anything other than generating ideas.

pooya87
Legendary
*
Offline Offline

Activity: 3444
Merit: 10521



View Profile
April 07, 2024, 05:11:26 AM
Merited by vapourminer (1)
 #13

person who I really think is very knowledgeable in Bitcoin.

He provided me with some important arguments against BIP39, but most importantly, he described a backup system that he finds superior.

He said that he prefers to GPG encrypt private keys in WIF format and store them digitally.
I see some contradictions here.

1. BIP39 is offering a way to write down your hard to write WIFs in form of a human readable set of words. In other words it is difficult to write down 5KdD6mE.... but it is easy to write down Foo Bar Baz...

2. In BIP39 what you need to back up is one thing but you are actually backing up countless number of your keys derived from it. The alternative here has to "store" multiple things which makes it that much harder.

3. This has a flaw with the form of storage. Digital storage as pointed out earlier is a flawed and less-secure method of storing compared to physical storage (eg. on a physical medium including paper).

4. Someone who is "knowledgeable in Bitcoin" and familiar with BIP39 should be also familiar with BIP39-1 (BIP38) that describes a solid method of encrypting WIFs using AES encryption that is far better than using GPG, especially since it is supported by most bitcoin wallets already whereas GPG is not and requires additional software.

apogio (OP)
Sr. Member
****
Offline Offline

Activity: 420
Merit: 958



View Profile WWW
April 07, 2024, 08:55:31 AM
 #14

I see some contradictions here.

1. BIP39 is offering a way to write down your hard to write WIFs in form of a human readable set of words. In other words it is difficult to write down 5KdD6mE.... but it is easy to write down Foo Bar Baz...

Sure, I think we all agree on that. By the way, since you mentioned it, I believe 2 separate pieces of paper stored in different locations is one of the safest backup methods. The only thing you need to do is to find secure locations and to health check the backups.

4. Someone who is "knowledgeable in Bitcoin" and familiar with BIP39 should be also familiar with BIP39-1 (BIP38) that describes a solid method of encrypting WIFs using AES encryption that is far better than using GPG, especially since it is supported by most bitcoin wallets already whereas GPG is not and requires additional software.

Well this argument is strong, but in my opinion, knowing about GPG and having GPG on a Linux machine is really important for privacy and I reckon most bitcoiners should be familiar with it. Of course, it's not mandatory but it is more than just a "nice to have".

pooya87
Legendary
*
Offline Offline

Activity: 3444
Merit: 10521



View Profile
April 07, 2024, 11:37:14 AM
 #15

Well this argument is strong, but in my opinion, knowing about GPG and having GPG on a Linux machine is really important for privacy and I reckon most bitcoiners should be familiar with it. Of course, it's not mandatory but it is more than just a "nice to have".
Of course, it could even be considered mandatory, especially since you need to verify the signature of the downloaded binaries.
But let's not forget that OpenPGP is not an encryption algorithm although they have defined a way to encrypt stuff with it. This is while AES256 (what is used in BIP38) is an encryption algorithm.

That's also all assuming they're using the symmetric encryption option with gpg --symmetric command not the one using the GPG keys which are big themselves (512 and 1024 bits) and require another separate backup, which would be another flaw/complication in their method.

apogio (OP)
Sr. Member
****
Offline Offline

Activity: 420
Merit: 958



View Profile WWW
April 07, 2024, 02:13:23 PM
 #16

That's also all assuming they're using the symmetric encryption option with gpg --symmetric command not the one using the GPG keys which are big themselves (512 and 1024 bits) and require another separate backup, which would be another flaw/complication in their method.

Definitely. I think I have mentioned it above, that he uses symmetric encryption.
However, the passphrase needs to be a strong one, so I reckon that he must have a backup of the passphrase as well. That is to say that the separate backup is mandatory either way.

But let's not forget that OpenPGP is not an encryption algorithm although they have defined a way to encrypt stuff with it. This is while AES256 (what is used in BIP38) is an encryption algorithm.

The default --cipher-algo for gpg --symmetric is AES256, isn't it?

Forsyth Jones
Hero Member
*****
Offline Offline

Activity: 1162
Merit: 617


Press F for Leo


View Profile WWW
April 09, 2024, 12:55:42 AM
 #17

I thought like your friend, I didn't think it was safe to use BIP39 mnemonics, but I saw that my way of thinking doesn't make much sense.

Encrypting the private keys with GPG (symmetrically), AES seems like a good idea as long as it's done on a secure computer free from any malware, but I'd stick with the BIP-39 backup system, which although some claim Electrum is superior (I'm not going to get into that discussion now), they were one of the best things that happened in Bitcoin, the advent of this BIP-39.

We need to be careful about reinventing the wheel, as this friend of yours could create so much complexity and end up losing the password for the encrypted file, not losing/corrupting media such as SD cards, pen drives, etc. Diversify this backup as much as possible by producing several copies, and most importantly, store this decryption password in a safe place so that it will later be remembered where it was stored.

pooya87
Legendary
*
Offline Offline

Activity: 3444
Merit: 10521



View Profile
April 09, 2024, 03:45:22 AM
Merited by vapourminer (1), apogio (1)
 #18

The default --cipher-algo for gpg --symmetric is AES256, isn't it?
Try adding --verbose, it should print the algorithms that are used.

But I believe it is using AES256 in the latest version, they've changed the default a couple of times in different versions. They've been basically using what they believe is "safe" which means for example in GnuPG 1.0 they used CAST5 and in GnuPG 2.0 used AES128 and changed it again in v. 2.2 or something to AES256.
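
Added example, not part of the thread or any poster's code: rather than relying on a GnuPG version's default, the cipher and passphrase-stretching (S2K) settings actually used can be read from the first packet of a binary `gpg --symmetric` file. The sketch parses a version 4 symmetric-key encrypted session key packet as laid out in RFC 4880; both sample byte strings are constructed and all function names are hypothetical.

```python
# Added example: read cipher and S2K settings from a binary `gpg --symmetric` file.
# Algorithm IDs are from RFC 4880 (sections 9.2, 9.4) and RFC 5581 (Camellia).
CIPHERS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish", 7: "AES128",
           8: "AES192", 9: "AES256", 10: "Twofish", 11: "Camellia128",
           12: "Camellia192", 13: "Camellia256"}
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
          10: "SHA512", 11: "SHA224"}
S2K_TYPES = {0: "simple", 1: "salted", 3: "iterated+salted"}
S2K_MIN_LEN = {0: 4, 1: 12, 3: 13}   # packet body bytes needed per S2K type
BLOCK_64 = {"IDEA", "3DES", "CAST5", "Blowfish"}  # ciphers with a 64-bit block


def read_packet_header(data):
    """Return (tag, body_offset, body_length) for the first OpenPGP packet."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not a binary OpenPGP packet (dearmor ASCII input first)")
    first = data[0]
    if first & 0x40:                      # new-format header
        tag, l0 = first & 0x3F, data[1]
        if l0 < 192:
            return tag, 2, l0
        if l0 < 224:
            return tag, 3, ((l0 - 192) << 8) + data[2] + 192
        if l0 == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body length is not valid for this packet type")
    tag, length_type = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if length_type == 3:
        raise ValueError("indeterminate length is not valid for this packet type")
    n = 1 << length_type                  # 1, 2 or 4 length octets
    return tag, 1 + n, int.from_bytes(data[1:1 + n], "big")


def inspect_symmetric(data):
    """Parse a v4 symmetric-key ESK packet (tag 3) into a dict of settings."""
    tag, off, length = read_packet_header(data)
    if tag != 3:
        raise ValueError(f"first packet has tag {tag}, expected 3 (symmetric-key ESK)")
    body = data[off:off + length]
    if len(body) < 3 or len(body) < length:
        raise ValueError("truncated packet")
    version, cipher_id, s2k_type = body[0], body[1], body[2]
    if version != 4:
        raise ValueError(f"packet version {version} is not handled by this sketch")
    if s2k_type not in S2K_TYPES:
        raise ValueError(f"unknown S2K type {s2k_type}")
    if len(body) < S2K_MIN_LEN[s2k_type]:
        raise ValueError("truncated S2K specifier")
    info = {"cipher": CIPHERS.get(cipher_id, f"unknown({cipher_id})"),
            "s2k": S2K_TYPES[s2k_type],
            "hash": HASHES.get(body[3], f"unknown({body[3]})"),
            "salt": None, "count": None}
    if s2k_type in (1, 3):
        info["salt"] = body[4:12].hex()
    if s2k_type == 3:
        c = body[12]                      # one-octet coded iteration count
        info["count"] = (16 + (c & 15)) << ((c >> 4) + 6)
    return info


def weak_points(info):
    """Flag settings a backup owner would want to change before relying on the file."""
    findings = []
    if info["cipher"] in BLOCK_64:
        findings.append(f"{info['cipher']} is a 64-bit block cipher; "
                        "re-encrypt with --cipher-algo AES256")
    if info["s2k"] != "iterated+salted":
        findings.append("passphrase is not stretched by an iterated S2K")
    return findings


# Constructed samples (headers only, not real backups): old-format header with
# AES256, and new-format header with CAST5; both use iterated+salted S2K.
SAMPLE_AES256 = bytes.fromhex("8c0d04090302" + "0011223344556677" + "ff")
SAMPLE_CAST5 = bytes.fromhex("c30d04030302" + "8899aabbccddeeff" + "60")

if __name__ == "__main__":
    for name, blob in (("aes256", SAMPLE_AES256), ("cast5", SAMPLE_CAST5)):
        info = inspect_symmetric(blob)
        print(name, info, weak_points(info))
```

`gpg --list-packets` on the encrypted file reports the same fields; the parser is for checking a backup file without invoking gpg on it.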

apogio (OP)
Sr. Member
****
Offline Offline

Activity: 420
Merit: 958



View Profile WWW
April 09, 2024, 06:09:03 AM
Merited by vapourminer (1)
 #19

We need to be careful about reinventing the wheel, as this friend of yours could create so much complexity and end up losing the password for the encrypted file, not losing/corrupting media such as SD cards, pen drives, etc. Diversify this backup as much as possible by producing several copies, and most importantly, store this decryption password in a safe place so that it will later be remembered where it was stored.

Yes I agree with you.
In fact, not trusting BIP39 is fine. What's not fine, is trying to manually override BIP39 with other types of backups, which are custom implementations.
The problem with this is that even people who have higher expertise than us, can lose money this way. This was the case with Luke Dashjr, he used the exact same backup method.
Ok, yeah, Luke is a controversial figure, having stated that he doesn't trust hardware devices etc, but in my opinion, it's a good example of the "don't reinvent the wheel" narrative.

NotATether
Legendary
*
Offline Offline

Activity: 1582
Merit: 6718


bitcoincleanup.com / bitmixlist.org


View Profile WWW
April 09, 2024, 06:20:08 AM
 #20

Ok, yeah, Luke is a controversial figure, having stated that he doesn't trust hardware devices etc, but in my opinion, it's a good example of the "don't reinvent the wheel" narrative.

What is there to not trust about a hardware wallet whose schemata, PCB designs and firmware are all publicly available and open source? That would be equivalent to a software wallet being open source in terms of checking the code.

It does require you to go out and learn a few things about circuit board design, but isn't that the case with learning a new programming language as well? In my opinion, it is worth going out to learn about those things since a special-purpose hardware wallet is more secure than even a secure software running on a generic computer.
