Wallet encryption protocol

[ThePiachu]

Is there some step-by-step guide on how the official client encrypts the wallet? I'm trying to write an implementation of that in Go, but can't seem to find any concrete reference, asides
https://github.com/bitcoin/bitcoin/blob/6b8a5ab622e5c9386c872036646bf94da983b190/doc/README
So lets see if I got this right...

I have a private key:
18E14A7B6A307F426A94F8114701E7C8E774E7F9A47E2C2035DB29A206321725

And a password:
Satoshi

Then I need a random master key (how long is it? Is it stored anywhere?)
??

I take a SHA-512 of the password
B85729C8DB06F82DDEDBF5B70B482D32C46A556562FE79AD8402820D52EB7D562463C021F23E33D 6274E60845C19D6DC298910537D8D3C1CB4DB08F88D2E8B21

Then I  perform OpenSSL's EVP_BytesToKey from the master key and the SHA in a dynamic number of rounds based on the speed of my computer (how do I calculate this?)

And what I get is the encrypted private key, right?

[1714914128]

1714914128

[1714914128]

1714914128

[Hawkix]

Damn! That is my password. Why do you have to use just the same nice password as I do? Its not fair. And not secure.





(OK, was just joking).

[Joric]

relevant: https://bitcointalk.org/index.php?topic=34028.msg708668#msg708668

off: private key made from sha256("Satoshi Nakamoto") actually had a few coins on it, but it was swept recently.

[Pieter Wuille]

Your passphrase is strengthened and converted to a 256-bit key and IV using OpenSSL's EVP routines, using SHA512.

The wallet contains an "mkey" record, which contains a 256-bit randomly generated master key, encrypted using AES-256-CBC using the above key and IV.

Key entries in the wallet ("ckey") are a mapping from the pubkey to the AES-256-CBC encrypted 32-byte EC secret, using the master key as key, and the hash of the pubkey as IV.

[Joric]

Your passphrase is strengthened and converted to a 256-bit key and IV using OpenSSL's EVP routines, using SHA512.

More specifically, it's 25000+ rounds of sha512 performed on "passphrase" + "salt", hence we get 64-byte hash.
Then I just use first 32 bytes as the AES key and 16 bytes after that as initialization vector.
Both number of rounds (nDerivIterations) and "salt" are stored unencrypted in the mkey record.
This is method 0 (nDerivationMethod, also stored in the mkey), other methods could have another implementation.