I have a (unfortunately for me, rather small) number of bitcoins and I wanted to share with you a way to put them in cold storage. Bitcoin storage seems simple, but can prove a little tricky in practice if you want to be extra safe, which is probably what you want, otherwise you would not be reading this post. In this post I present an alternative recipe for really, really cold, freezing storage.
Before I begin, let me say that there are many ways to store bitcoin wallets and a few posts out there that explain how to achieve cold storage. For example, you can use the cold storage Udemy lecture by Charles Hoskinson, or the explanation in the Bitcoin wiki. Below I comment on some of them.
Online wallets? (not cold enough)
Online services that provide bitcoin wallets may be (and the good ones are, for sure) very very secure. However, it is still a third party that you may or may not want to trust. By doing bitcoin storage at home you eliminate the need to trust a third party.
Paper wallets? (feels unsafe, may get lost or stolen)
You can create cold storage by printing a paper wallet that has the private key on it for all to see if they get hold of the paper. I don’t like this idea because it feels to me like leaving cash in the bedside drawer; it seems unsafe. Also, it can be lost (definitely within the scope of a few years) and you need to trust any third party that will keep it for you.
Brain wallets? (either not safe or very hard to remember)
There is the option to seed a wallet with a memorable pass phrase. This is super cool in the sense that all you need to do is memorize a secure pass phrase, like “chitty chitty bang bang 12345”. Easy peasy, right? One problem: if it’s easy to remember it’s easy to hack, and if it’s secure it is hard to remember. I see a much bigger problem in forgetting my damn password and losing all the bitcoins stored in that brain wallet than in anyone actually attempting to steal my coins.
Encrypted Wallet? (relies on wallet software)
As mentioned above, you can create an offline wallet using any number of wallet software packages (Bitcoin-Qt or Armory). This may be easier in some sense, but you do run the risk of the wallet software becoming outdated by the time you need to re-heat your coins back to life.
Encrypted Cold Storage without a Wallet (the method I'm describing here)
Instead of using wallet software we are going to directly keep the private keys for public addresses that we will generate offline. Our main concern will be to ensure no malicious software can possibly copy those keys and transmit them to the outside world. We will achieve this by running a Linux operating system from an installation CD (a cheap and safe way to get a one-time computer) and performing all the secret activities after the transient Linux machine has been disconnected from the Internet, never to be connected again before its final demise by ejecting the installation CD. To my understanding this is the safest way to ensure that, as long as bitcoins are still bitcoins, we can reclaim them from storage even in the far future. In essence what we are doing is very similar to a paper wallet that is then secretly transformed into digital form and encrypted.
Prerequisites:
- You have a computer with an internet connection (yes, “internet connection” should not be used in the same sentence as “cold storage”, I know, hold your horses)
- Your computer has a DVD burner (If you don’t have that, there is a way around it too)
- You are already in possession of some bitcoins. If not, please Google how to get some. I recommend localbitcoins for absolute beginners and then perhaps hooking up a bank account with a coinbase like service.
- You have a USB memory stick; you don’t need much room, so small and cheap will do.
Let’s start:
Step 1 – Creating a temporary Linux machine
With your computer turned on and hooked up to the Internet, visit the download page for the Linux Mint distribution -
http://www.linuxmint.com/download.php
select one of the options for download, for example:
If you are not really sure, just download the topmost (in this case Cinnamon, but this changes) 32-bit option.
It takes a while for the file to download, but eventually you should see a file named something like linuxmint-15-mate-dvd-64bit.iso in your downloads directory.
Insert an empty DVD into the drive (it will be a DVD rather than a CD because the file is almost 1 GB).
Burn the Linux distribution image (i.e. the .iso file) onto the DVD. Note that you need to make sure to burn the disc as a disc image, not as a data disc containing the ISO file itself. The way to do that on Windows is to right-click the disc image and select the topmost option, which says 'Burn Disc Image'.
If for some reason you fail to burn the image to a DVD or do not have a burner in your machine and are in no way capable of getting help on that issue from a friend, there is always the option of waiting a day or two and buying one online:
Very good. So now you have the Linux operating system burnt to a DVD. That’s going to be one pillar of our coldness.
Turn your computer off, insert the DVD and turn it on.
Instead of your normal operating system you should see Linux running. It is running purely in memory and any action you do on it that does not involve your physical hard drive will be completely erased after you shut it off.
Step 2 – Get software tools from the Internet
Make sure you still have an Internet connection. We are going to download an encryption tool and a wallet generator from the internet into our temporary Linux machine before we disconnect from the internet to create our private/public bitcoin address pairs in full secrecy.
AEScrypt:
The first thing we are going to do is download a powerful encryption program that will help us encrypt the addresses we later create. This software is called AEScrypt. It is open source and considered as safe as anything out there. However, we are only going to trust that it encrypts well, we are not going to trust that it is not spying on us (because we are only going to actually make use of it after we have disconnected from the internet).
- Extract the downloaded archive by typing
tar -zxf <type "aes"+TAB to auto-complete to the file name just downloaded>
For example, it may be "tar -zxf aescrypt-3.0.9.tgz"
Now you should see a folder called aescrypt-3.0.9/ (or in general whatever the file name is, just without the .tgz suffix)
- Change directory to the source sub directory by typing
cd <type "aes"+TAB>/src
For example "cd aescrypt-3.0.9/src"
- Build and install the program by typing
make && sudo make install
AEScrypt should now be installed.
bitaddress.org - Bitcoin Wallet Generator
Last but not least, visit the beautiful web utility bitaddress.org and wait for the page to load:
Step 3 – Creating the cold storage
Now we have all we need in order to create bitcoin cold storage, and since cold means no internet, ever: disconnect your computer from the internet.
Depending on how cold is cold enough for you, decide if disconnecting from the Internet using the Linux interface is enough, or if you prefer to actually unplug the Ethernet cable or your wireless card/usb.
Remember to keep your Firefox browser open: we need the JavaScript running on bitaddress.org to generate new wallets for us now that we are offline.
- Open a new tab in Firefox and verify you are not connected to the Internet
- Navigate back to the open tab with bitaddress.org loaded.
- If you are interested in a single address you can stay on the homepage of bitaddress.org and just click the ‘Generate New Address’ button now that you are offline.
- Otherwise, navigate to the paper wallet and generate as many wallets as you like.
I like to hide the art so that it is easier to cut and paste the address or the private key.
So let’s say you are interested in 3 addresses and you generated them like so:
- Create a directory on your desktop, say call it Bitcoin/
- Under it create two sub directories, say, Bitcoin/Public and Bitcoin/Private.
You can do one (or a few, or all) of the following options to store your private keys inside the Private sub directory:
- Create a text file in ~/Desktop/Bitcoin/Private and copy and paste with your mouse the content of the wallet from the bitaddress.org Firefox tab
- Click the print button and ‘print to file’ into ~/Desktop/Bitcoin/Private
- take a screenshot of the bitaddress web page and save it into ~/Desktop/Bitcoin/Private
You do need, however, to somehow keep your PUBLIC bitcoin addresses accessible so that you can send money to them. You can, for example:
- Copy the public wallet addresses into a text file and save it to the ~/Desktop/Bitcoin/Public directory
- Take a screenshot only of the QR codes of the public addresses and save it to the ~/Desktop/Bitcoin/Public directory. Note that if you take a screenshot of the QR code and the public address using a rectangular snipping tool, you will reveal the first three or four characters of the private keys:
This leaking is a bad idea. What you can do is use the default Linux image editing tool ‘gimp’ to scribble with a wide pen over the private characters that are peeping in:
Fine, almost there. Now we need to:
Encrypt the PRIVATE directory
- Launch a terminal window
- Change directory into the Bitcoin directory you created
cd ~/Desktop/Bitcoin
- Pack the Private directory into a single archive file
tar -cvf Private.tar Private/
A new file ‘Private.tar’ should have been added to the Bitcoin directory.
You can verify the content of the tarred file by running
tar -tvf Private.tar
You should see all the Private files that you created inside the Private directory listed.
- Delete the Private directory including all of its content
Now to the encryption step. This is why we installed AEScrypt before:
aescrypt -e -p secure-password-you-can-remember Private.tar
This step is crucial. Finding a good password is key (no pun intended). Here is one useful link, but you should Google and experiment until you find something that is both secure (installing KeePass is one way for you to measure that) and memorable (because in a few months you are not going to remember a password that is too complex).
Good, so now you should see Private.tar and Private.tar.aes.
Let's run a little experiment before we delete the non-encrypted data and trust our memory with the password:
- Rename Private.tar to say, Private2.tar momentarily by typing
mv Private.tar Private2.tar
Let’s see that you actually used the correct password by trying to decrypt it:
aescrypt -d -p same-secure-password Private.tar.aes
If indeed you remembered the password then Private.tar should reappear.
If it didn't, here is a good dry run of how it would feel to lose all your money had you actually sent money to the corresponding public address. Luckily, so far we didn't, and we kept a copy in Private2.tar. So delete the encrypted file that is now useless to you, rename Private2.tar back to Private.tar and encrypt again, but this time around please
REMEMBER THE PASSWORD
OK, good, it worked and you see Private.tar reappearing. So delete it again; this was just a reality check.
Now also delete Private2.tar if it is still there, and you should only be left with Private.tar.aes and the Public directory under the Bitcoin directory.
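The tar, encrypt, dry-run decrypt, delete sequence above can be scripted so that the plaintext keys are only removed once the password has been proven to reproduce the archive byte for byte. This is an added example, not code from the original post; it assumes the aescrypt tool built in Step 2 and its -o option for naming the output file.

```shell
# Added example (not from the original post): automates the Step 3 sequence
# so that the unencrypted keys leave the disk only after a decrypt with the
# same password gives back the identical archive. Assumes `aescrypt` from
# Step 2 and its -o output-file option.
set -u

# $1 input file, $2 output file, $3 password. Kept as wrappers so the
# round-trip check below does not depend on the tool's naming conventions.
encrypt_file() { aescrypt -e -p "$3" -o "$2" "$1"; }
decrypt_file() { aescrypt -d -p "$3" -o "$2" "$1"; }

# freeze_dir DIR PASSWORD: produces DIR.tar.aes next to DIR. On success the
# plaintext DIR and DIR.tar are removed; on any failure they are kept and the
# function returns non-zero, so a mistyped password never costs the keys.
freeze_dir() {
    dir=${1%/}; pass=$2
    archive="$dir.tar"; enc="$archive.aes"; probe="$archive.probe"
    tar -cf "$archive" -C "$(dirname "$dir")" "$(basename "$dir")" || return 1
    encrypt_file "$archive" "$enc" "$pass" || { rm -f "$archive"; return 1; }
    rm -f "$probe"
    # The post's reality check: decrypt again and compare byte for byte.
    if decrypt_file "$enc" "$probe" "$pass" && cmp -s "$archive" "$probe"; then
        rm -f "$probe" "$archive"
        rm -rf "$dir"          # plaintext is deleted only now
        return 0
    fi
    rm -f "$probe" "$enc"      # ciphertext we cannot open is worthless; keep the plaintext
    return 1
}
```

Run it from the Bitcoin directory as freeze_dir ~/Desktop/Bitcoin/Private 'secure-password-you-can-remember'; the decrypted copy is compared with cmp rather than relying on seeing a file reappear.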
Great, you are almost done, let's continue:
- Insert your USB stick and copy the Bitcoin directory onto it
- Remove the stick
- Eject the installation DVD
- Turn your computer off
You are basically done. What’s left to do now is to actually send the bitcoins you wish to cold store to the addresses you created and are listed in the Public sub directory on your flash drive. It is probably a good idea to create a few backups of the Private.tar.aes file that contains the private keys. Here are some options:
- Copy it on a few more flash drives and put those in various physical locations.
- Burn it on a few CDs and put those in various physical locations.
- Send it to yourself as an email attachment
- Put it on any cloud storage you use.
You have now successfully created a secure encrypted cold storage of any bitcoins that you will send to the public addresses in the Public directory. The only ways I see for someone to steal your bitcoins now are if that person has videotaped you or physically attached a keystroke-logging device to your keyboard. Unless you are Tony Soprano, this is unlikely. And if you are still paranoid, I guess you can eliminate this risk too by buying a new machine altogether and performing the above in the lavatory of the nearest wifi-enabled Starbucks (hint: if you are really considering this option, you probably have bigger problems than bitcoin security on your hands. Maybe take the harpoon out of your chest first.)
Done. Next post about how to track while frozen and unfreeze your frozen Bitcoins.