Thursday, July 25, 2013

Bitcoin Cold Storage - part 1: Freezing'em


I have a (unfortunately for me, rather small) number of bitcoins and I wanted to share with you a way to put them in cold storage. Bitcoin storage seems simple, but can prove a little tricky in practice if you want to be extra safe, which is probably what you want otherwise you would not be reading this post. In this post I present an alternative recipe for really really cold, freezing storage.

Before I begin let me say that there are many ways to store bitcoin wallets and a few posts out there that explain how to achieve cold storage. For example, you can use the cold storage udemy lecture by Charles Hoskinson, or the explanation in the bitcoin wiki. Below I comment on some of them.

Online wallets? (not cold enough)

Online services that provide bitcoin wallets may be (and the good ones are, for sure) very very secure. However, it is still a third party that you may or may not want to trust. By doing bitcoin storage at home you eliminate the need to trust a third party.

Paper wallets? (feels unsafe, may get lost or stolen)

You can create a cold storage by printing a paper wallet that has the private key for all to see if they get a hold of the paper. I don’t like this idea because it feels to me like leaving cash in the bedside drawer, seems unsafe. Also it can be lost (definitely within the scope of a few years) and you need to trust any third party that will keep them for you.

Brain wallets? (either not safe or very hard to remember)

There is the option to seed a wallet with a memorable pass phrase. This is super cool in the sense that all you need to do is memorize a secure pass phrase, like “chitty chitty bang bang 12345”. Easy peasy, right? One problem: if it’s easy to remember it’s easy to hack, and if it’s secure it is hard to remember. I see a much bigger problem in forgetting my damn password and losing all the bitcoins stored in that brain wallet than in anyone actually attempting to steal my coins.

Encrypted Wallet? (relies on wallet software)

As mentioned above, you can create an offline wallet using any of a number of wallet programs (Bitcoin-Qt or Armory). This may be easier in some sense, but you do run the risk of the wallet software becoming outdated by the time you need to re-heat your coins back to life.

Encrypted Cold Storage without a Wallet (the method I'm describing here)

Instead of using wallet software, we are going to directly keep the private keys for public addresses that we will generate offline. Our main concern will be to ensure that no malicious software can possibly copy those keys and transmit them to the outside world. We will achieve this by running a Linux operating system from an installation CD (a cheap and safe way to get a one-time computer) and performing all the secret activities after the transient Linux machine has been disconnected from the Internet, never to be connected again before its final demise when the installation CD is ejected. To my understanding this is the safest way to ensure that, as long as bitcoins are still bitcoins, we can reclaim them from storage even in the far future. In essence, what we are doing is very similar to a paper wallet that is then secretly transformed into digital form and encrypted.

Prerequisites:

  • You have a computer with an internet connection (yes, internet connection should not be used in the same sentence with cold storage, I know, hold your horses)
  • Your computer has a DVD burner (If you don’t have that, there is a way around it too)
  • You are already in possession of some bitcoins. If not, please Google how to get some. I recommend localbitcoins for absolute beginners and then perhaps hooking up a bank account with a coinbase like service.
  • You have a USB memory stick, you don’t need much room so small and cheap will do.

Let’s start:

step 1 – Creating a temporary Linux machine

With your computer turned on and hooked up to the Internet, visit the download page for the Mint distribution of the Linux operating system - http://www.linuxmint.com/download.php
Select one of the options for download, for example:

 

If you are not really sure, just download the topmost (in this case cinnamon, but this changes) 32-bit option.
Fine, it takes a while for the file to download, but after a while you should see a file named something like linuxmint-15-mate-dvd-64bit.iso in your downloads directory.
Insert an empty DVD into the drive (it will be a DVD rather than a CD because the file is almost 1 GB)
Burn the Linux distribution image (i.e. the .iso file) onto the DVD. Note that you need to make sure to burn the disc as a disc image, not as the ISO file itself. The way to do that on Windows is to right click the disk image and select the topmost option which says 'Burn Disc Image'.
If for some reason you fail to burn the image to a DVD or do not have a burner in your machine and are in no way capable of getting help on that issue from a friend, there is always the option of waiting a day or two and buying one online:

 

Very good. So now you have the Linux operating system burnt to a DVD. That’s going to be one pillar of our coldness.
Turn your computer off, insert the DVD and turn it on.
Instead of your normal operating system you should see Linux running. It is running purely in memory and any action you do on it that does not involve your physical hard drive will be completely erased after you shut it off. 

Step 2 – get software tools from the Internet 

Make sure you still have an Internet connection. We are going to download an encryption tool and a wallet generator from the Internet into our temporary Linux machine before we disconnect from the Internet to create our private/public bitcoin address pairs in full secrecy.

AEScrypt:

The first thing we are going to do is download a powerful encryption program that will help us encrypt the addresses we later create. This software is called AEScrypt. It is open source and considered as safe as anything out there. However, we are only going to trust that it encrypts well, we are not going to trust that it is not spying on us (because we are only going to actually make use of it after we have disconnected from the internet).
  • Open a command prompt
  • Get the file over to your machine by typing
    wget <paste the url you just copied>
    For example, it may be "wget http://www.aescrypt.com/download/v3/linux/aescrypt-3.0.9.tgz"
  • Unzip the file by typing
    tar -zxf <type "aes"+TAB, auto-complete to the file name just downloaded>
    For example, it may be "tar -zxf aescrypt-3.0.9.tgz"
    Now you should see a folder called aescrypt-3.0.9/ (or in general whatever the file name is, just without the .tgz suffix)
  • Change directory to the source sub directory by typing
    cd <type "aes"+TAB>/src
    For example "cd aescrypt-3.0.9/src"
  • Install by typing
    make && sudo make install

AEScrypt should now be installed.

bitaddress.org - Bitcoin Wallet Generator


Last but not least, visit the beautiful web utility bitaddress and wait for the page to load:


Step 3 – Creating the cold storage

Now we have all we need in order to create bitcoin cold storage, and since cold means no internet, ever:

disconnect your computer from the internet.

Depending on how cold is cold enough for you, decide if disconnecting from the Internet using the Linux interface is enough, or if you prefer to actually unplug the Ethernet cable or your wireless card/usb.

Remember to keep your Firefox browser open


We need the JavaScript running on bitaddress.org to generate new wallets for us now that we are offline.

  • Open a new tab in Firefox and verify you are not connected to the Internet
  • Navigate back to the open tab with bitaddress.org loaded.
  • If you are interested in a single address you can stay on the homepage of bitaddress.org and just click the ‘Generate New Address’ button now that you are offline.
  • Otherwise, navigate to the paper wallet and generate as many wallets as you like.

I like to hide the art so that it is easier to cut and paste the address or the private key.
So let’s say you are interested in 3 addresses and you generated them like so:



  • Create a directory on your desktop, say call it Bitcoin/
  • Under it create two sub directories, say, Bitcoin/Public and Bitcoin/Private.
You can do one (or few, or all) of the following list of options to store your private keys inside the Private sub directory:
  1. Create a text file in ~/Desktop/Bitcoin/Private and copy and paste with your mouse the content of the wallet from the bitaddress.org firefox tab
  2. Click the print button and ‘print to file’ into ~/Desktop/Bitcoin/Private
  3. Take a screenshot of the bitaddress web page and save it into ~/Desktop/Bitcoin/Private

You do need, however, to somehow keep your PUBLIC bitcoin addresses accessible so that you can send money to them. You can, for example:

  1. Copy the public wallet addresses into a text file and save it to the ~/Desktop/Bitcoin/Public directory
  2. Take a screenshot only of the QR codes of the public addresses and save it to the ~/Desktop/Bitcoin/Public directory. Note that if you take a screenshot of the QR code and the public address using a rectangular snipping tool, you will reveal the first three or four characters of the private keys:



This leaking is a bad idea. What you can do is use the default Linux editing tool ‘gimp’ to scribble with a wide pen over the private characters that are peeping in:


Fine, almost there. Now we need to:

 

Encrypt the PRIVATE directory


  • Launch a terminal window
  • Change directory into the Bitcoin directory you created
    cd ~/Desktop/Bitcoin
  • Type
    tar -cvf Private.tar Private/
    A new file ‘Private.tar’ should have been added to the Bitcoin directory.
    You can verify the content of the tarred file by running
    tar -tvf Private.tar
    You should see all the Private files that you created inside the Private directory listed.
  • Delete the Private directory including all of its content
Now to the encryption step. This is why we installed AEScrypt before
  • Type
    aescrypt -e -p secure-password-you-can-remember Private.tar
This step is crucial. Finding a good password is key (no pun intended). Here is one useful link, but you should Google and experiment until you find something that is both secure (installing KeePass is one way for you to measure that) and memorable (because in a few months you are not going to remember a password that is too complex).

Good, so now you should see Private.tar and Private.tar.aes.
Let's run a little experiment before we delete the non-encrypted data and trust our memory with the password:
  • Rename Private.tar to, say, Private2.tar momentarily by typing
    mv Private.tar Private2.tar
Let’s see that you actually used the correct password by trying to decrypt it
  • Type
    aescrypt -d -p same-secure-password Private.tar.aes
If indeed you remembered the password then Private.tar should reappear.
If it didn't, here is a good dry run of how it would feel to lose all your money in case you actually sent money to the corresponding public address. Luckily, so far we didn't and we kept a copy in Private2.tar. So delete the encrypted file that is now useless to you, rename Private2.tar back to Private.tar and encrypt again, but this time around please

REMEMBER THE PASSWORD


OK, good, it worked and you see Private.tar reappearing. So delete it again, this was just a reality check.
Now delete also Private2.tar if it is still there, and you should only be left with Private.tar.aes and the Public directory under the Bitcoin directory.
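The tar, encrypt and decrypt-to-verify steps above as one shell function (an added example, not part of the original post). It goes slightly beyond the text by comparing the decrypted archive byte for byte with the original before deleting any plaintext; `freeze_private` and its arguments are hypothetical names, and it assumes the aescrypt command installed in Step 2 with the -e, -d and -p flags shown above.

```shell
#!/bin/sh
# Added example. Assumes the aescrypt CLI from Step 2 (-e, -d, -p as used above).

# freeze_private DIR ENC_PASSWORD RECALLED_PASSWORD   (hypothetical helper)
#   DIR               the Bitcoin directory that contains Private/
#   ENC_PASSWORD      password used to encrypt
#   RECALLED_PASSWORD the same password typed again from memory
# Returns 0 only if Private.tar.aes decrypts back to the exact original archive.
freeze_private() {
    dir=$1
    enc_pw=$2
    recall_pw=$3
    (
        cd "$dir" || exit 1
        [ -d Private ] || { echo "no Private/ directory in $dir" >&2; exit 1; }

        # Archive name first, then the directory to pack.
        tar -cf Private.tar Private/ || exit 1

        aescrypt -e -p "$enc_pw" Private.tar || exit 1
        [ -s Private.tar.aes ] || { echo "encryption produced no output" >&2; exit 1; }

        # Move the plaintext aside so that decryption recreates Private.tar.
        mv Private.tar Private2.tar || exit 1

        if aescrypt -d -p "$recall_pw" Private.tar.aes &&
           cmp -s Private.tar Private2.tar
        then
            # Round trip verified: remove every plaintext copy.
            rm -rf Private.tar Private2.tar Private
            echo "verified: only Private.tar.aes is left of the private keys"
        else
            # Keep the plaintext, discard the ciphertext that cannot be opened.
            rm -f Private.tar Private.tar.aes
            mv Private2.tar Private.tar
            echo "round trip FAILED: plaintext kept, encrypt again" >&2
            exit 1
        fi
    )
}
```

Call it as `freeze_private ~/Desktop/Bitcoin "$pw" "$pw_again"`, reading the two passwords separately so that the second one really comes from memory.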
Great, you are almost done, let's continue:

  • Insert your USB stick and copy the Bitcoin directory onto it
  • Remove the stick
  • Eject the installation DVD
  • Turn your computer off
You are basically done. What’s left to do now is to actually send the bitcoins you wish to cold store to the addresses that you created and that are listed in the Public sub directory on your flash drive. It is probably a good idea to create a few backups of the Private.tar.aes file that contains the private keys. Here are some options:

  • Copy it on a few more flash drives and put those in various physical locations. 
  • Burn it on a few CDs and put those in various physical locations. 
  • Send it to yourself as an email attachment
  • Put it on any cloud storage you use.

You have now successfully created a secure encrypted cold storage of any bitcoins that you will send to the public addresses in the Public directory. The only ways I see for someone to steal your bitcoins now are if that person has videotaped you or physically attached a key tracking device to your keyboard. Unless you are Tony Soprano this is unlikely. And if you are still paranoid, I guess you can eliminate this risk too by buying a new machine altogether and performing the above in the lavatory of the nearest wifi enabled Starbucks (hint: If you are really considering this option, you probably have bigger problems than bitcoin security on your hands. Maybe take the harpoon out of your chest first.)

Done. Next post about how to track while frozen and unfreeze your frozen Bitcoins.

6 comments:

  1. Wow, long (and good!) post.

    A few comments:

    1. Regarding Encrypted Wallet - even if the software becomes outdated, it will always be possible to resurrect the bitcoins with enough effort. Given the financial and other motivation, I trust that people will always write open source utilities that do just that - recover encrypted coins from old wallets - if the need ever arises.

    2. The details are very good (I would consider adding your post as a wiki article).

    3. I'm not sure there is actually a fundamental difference between your method and a brain wallet. Both methods require you to remember a secure password/passphrase. You can claim that your method can use less complicated passwords ... but I'm not sure this is correct. It does add a little bit of "technical security" - an attacker would have to not just guess your password, but also hack into your Dropbox - but otherwise, it's equivalent.

    4. Two key things that are missing:
    A) Add a step to test your memory before depositing funds to this address. This is essential. I advise https://en.wikipedia.org/wiki/Spaced_repetition

    B) You need to add another step to make sure your funds are safe even if you die or suffer memory loss. I suggest adding instructions to create a will using Shamir's secret sharing.

    1. This is more secure than a brain wallet because a brain wallet's private key is nothing more than a hash (SHA256) of your password. There are precomputed rainbow tables for SHA256, if you use any password on the list your private key is "in the clear" for any hacker who wants it. As someone on bitcointalk recently found out (when he used "stfu!" as a brain wallet password), a few smart hackers have already generated the addresses for these keys and they have bots watching the blockchain just waiting to sweep the funds.

      Now compare that to an AES encrypted file. Even if you use the same password. The hacker who guesses your password has nothing unless he also has a copy of the encrypted file, and the hacker who steals a copy of the file has nothing unless he also guesses your password. They actually have to work for it and unless you used a ridiculously simple password (something that could be brute-forced) the odds are in your favor that they're not going to be able to crack it.

      Some "reduced rounds" versions of AES have been broken, but as far as I know full AES with a 128 or 256-bit key is still unbroken. It's more than "a little bit of technical security", this is the same algorithm the U.S. government trusts for encrypting top secret documents, it's a much more secure way to store your bitcoins than trusting them to a simple SHA256 hash of a password that may or may not exist in some rainbow table somewhere.

    2. AES is secure only if the password is unknown and too complicated to guess.

      You're arguing against the strawman version of brain wallets. You can add a written-down salt to make sure attackers will have to attack you specifically and not use generic tables, and you can use a hashing algorithm which takes more time per attempt than SHA-256, such as scrypt or multiple iterations of SHA-256.

  2. I agree with ripper234. If you back up the wallet extensively it can be assumed the attacker has access to it. The only protection left is the password - if you remember it it's like a brain wallet, and if you write it down it's like a paper wallet.

    1. Meni. Thanks for your comment. I agree completely that if the attacker has your encrypted wallet then it is equivalent to a brain wallet.
      However, I disagree with your assumption that possessing a copy of your wallet should be assumed.
      Any overzealous high school kid in the world can attempt to crack the password to your brain wallet, say by mining online data about you and using rainbow tables and what not to guess the phrase you used to generate the private/public key pair.
      However, getting your hands on one of a few physical copies of your encrypted wallet is much harder in practice. You have to be, like, a real criminal and send people to break in etc, not something you can do online in a semi anonymous way.
      My conclusion is that an encrypted file stored physically adds (in practice) a very thick layer of security on top of what a brain wallet can offer.

  3. Extraordinary website you score. Do you already support Bitcoins? I would advocate to hire up at who-accepts-bitcoins.com. They gift make the interchange you necessity as their database is oft searched by bitcoin spenders. It's unrestricted though!
