Cold storage bitcoin ubuntu ppap
Imagine opening your Bitcoin wallet. How do you feel? Every Bitcoin user faces the problem of securely storing their money. Preventing these losses is the goal of cold storage. Cold storage is an important subject with a steep learning curve. To make the topic more approachable, this article introduces core Bitcoin concepts when needed.
It concludes by discussing a new Bitcoin feature that could simplify the safe storage of funds. Like any powerful tool, cold storage can cause damage if misused. Consider using cold storage only if all of these apply:. Beginners should pay close attention to the risk of accidentally losing funds through simple cold storage mistakes. Consider practicing with pocket change before using cold storage for meaningful amounts of bitcoin. A more accurate way to think about the relationship might be to imagine a tamper-proof vault designed to hold paper bills.
The vault dispenses the cash it holds to anyone who can prove they know a unique number called the private key.
The legal and moral rights of the person attempting to gain access to the funds in the vault are irrelevant. The vault accepts an unlimited number of access attempts by anyone.
The range of possible numbers is virtually infinite. You could make millions of guesses per second for millions of years without success. Bitcoin stores funds in the electronic equivalent of this imaginary vault called an address. As with the vault, funds at an address may be unlocked by anyone knowing the unique private key. Despite its apparent complexity, Bitcoin security boils down to one simple rule: A close corollary to this rule would be: For insight into how this can be, consider the recent case of a website repurposed to steal funds from unsuspecting Bitcoin users.
Listen to Bitcoin was a popular service for the real-time monitoring of transactions on the Bitcoin network. Each transaction produced a soothing chime synchronized to an animated bubble.
The creator of the site eventually sold it. Shortly after the sale, problems began to surface. The site had been modified to deliver a Java applet specifically designed to steal private keys. Numerous such exploits have been reported, with many victims along the way. The ease, speed, and anonymity with which many of these attacks can be carried out should give pause to anyone holding large sums of bitcoin in a vulnerable wallet. Instead, it required the user to prove knowledge of the private key.
Asking directly for the private key would permit any eavesdropper to discover it. Likewise, spending funds from a Bitcoin address requires proof of knowledge of the private key - not the key itself. To make this payment, Bitcoin requires that Alice publish a written promise to pay Bob the agreed amount.
This promise is called a transaction. Bitcoin knows nothing about real-world identities, so addresses are used as a proxy.
If this were the end of the story, it would be very easy to steal from Alice by forging transactions from her address.
Bitcoin prevents this kind of theft by requiring that each transaction bear an unforgeable digital signature. Changing the transaction in any way also changes the signature. By signing the transaction, Alice proves knowledge of her private key and authorizes the transfer of funds. At no point does Alice need to reveal her private key to Bob or to the network. The need to do all four tasks creates a security dilemma: A hot wallet combines all functions into a single system, typically running on a single computer.
Many hot wallets encrypt private keys to deter their use if stolen, but the threat remains. For example, keyloggers, clipboard loggers, and screen capturers can transmit decrypted keys used during manual operations. What a hot wallet may lack in security, it makes up for in convenience. Managing funds and sending payments can be accomplished from a single device.
Cold storage resolves the network security dilemma through quarantine. A specially-created offline environment hosts all operations that either create or use private keys. Private keys remain secure from network-based attacks through strict isolation of the offline environment from the network.
The process starts by generating an unsigned transaction on an online device. The transaction is then moved via USB or other connection to an offline environment, where it is signed. The signed transaction is then moved back to the online environment, from which it is broadcast to the network. At no point does the private key contact a system connected to the network.
Both hot wallets and cold storage can be used together, just as a saving accounts and purse are often used by the same person. Cold storage funds are held securely, but are hard to access. Cold storage in practice often represents a balance between security and convenience. The more securely we try to store funds, the more difficult and error-prone it becomes to manage them. An offline environment plays a key role in most cold storage schemes. Two main components make up this environment: Offline computers can be configured with a range of security features, depending on budget, the value of funds being stored, and perceived threat.
At one extreme, a computer currently in service can be taken offline by temporarily disconnecting the network card or cable. Although easily implemented, this approach offers little protection against attacks that are tolerant to intermittent network connectivity. A dedicated offline computer with a permanently-disabled network connection offers a more robust alternative. These system are sometimes called air-gapped computers.
Many use strongly-encrypted hard drives. Many Linux distributions, including Ubuntusupport this option. Private keys may either be stored directly on an offline computer or stored separately. A variety of external media can be used, including paper, plastic cardshard drives, removable USB drives, and even the human brain. Even if private keys are stored on the hard drive of an offline computer directly, these other media are often used to store backups.
Cold storage methods can be divided into two broad categories based on how private keys are maintained. With a manual keystorethe user maintains a collection of private keys directly.
With a software keystoreprivate key maintenance is under the full control of software. If flexibility and software minimalism are your goals, consider using manual cold storage. Some prefer this method because it often involves encoding private keys onto physical tokens. Step 4 poses the biggest challenge under a manual keystore system because wallets vary in how they handle external private keys and change addresses. Before committing to manual cold storage, learn how your wallet works with external private keys.
Notice that spending funds from cold storage requires the transfer of a private key into a hot wallet. Unfortunately, this risks unintended transmission of the key to a network-based attacker. Holding the key in memory only, or sending change to a newly-created cold storage change address are both possible workarounds.
However, neither approach completely eliminates the threat. Backup media are often selected to be complementary to the primary keystore medium. For example, if paper wallets are kept in a secure on-site location, a backup printed on plastic might be kept in a safety deposit box. If the thought of maintaining private keys yourself leaves you uneasy, consider a wallet that handles the job for you.
Two software wallets currently offer this capability: Software keystores employ two devices, an online computer and a single-use offline computer. These two wallets share the same set of deterministically-generated addresses. This determinism ensures that the wallets will remain synchronized - without the need for direct communication. Funds are moved from cold storage via a multi-step procedure.
The online wallet first prepares an unsigned transaction. Next, the transaction is signed by the offline computer. Finally, the signed transaction is broadcast to the network by the online computer. A physical medium such as a USB stick shuttles the transaction between computers, however more secure methods such as QR codes could be used in principle.
A variety of hardware can be used to implement this system. For example, Cold Pi and Pi-Wallet offer a portable, dedicated platform for running Armory cold storage from a small form-factor open source computer. Trezor takes this approach one step further with an all-in-one device running custom software. More typically, the offline wallet runs on a dedicated offline computer.
Backups of deterministic wallet keystores are relatively simple. Each wallet uses a seed as a reproducible starting point for generating addresses and private keys. The seed is often represented as a series of words, but QR code representations are also used.
The cold wallet is created by running Bitcoin Core in an offline Tails session. Once created, keep the wallet cold - never enter the passphrase within anything other than an offline Tails or similar session. You will also need the Bitcoin Core binaries, which you can get here. On a modern computer and decent USB drive I find it stable, quick-booting and responsive. The first time you boot into Tails, create an encrypted persistent storage partition on the USB drive - this is straightforward, just follow the instructions here.
KeePassX is actually bundled with Tails. Boot into your Tails USB disk. At this point, Bitcoin Core will have created two receiving addresses that are managed by the wallet. Access these addresses via the Bitcoin Core File menu:. Two unnamed accounts are created by default during wallet setup. The API still has lots of references to accounts - for example, to list out addresses, the getaddressesbyaccount method is required.
If you were to send funds to a public address controlled by this wallet, they would be irretrievable. You can open a wallet by passing in the -wallet option when opening Bitcoin Core - BUT the wallet must be located in the Bitcoin core data directory. You can add a symlink to set this up:. If required, you could dump the private keys of the cold wallet.
Access to the private keys equates to full control over the Bitcoin. On the plus side, you could store these keys on paper which would ensure that you will always be able to import keys. Personally, I have decided not to backup private keys - instead relying on multiple copies of a cold wallet encrypted with a strong passphrase.
The wallet can then be safely stored online, since it is effectively useless without the encryption passphrase. Note that if someone gained control of your encrypted wallet without the passphrase, although they would not be able to transfer funds they would be able to access your transaction history. The passphrase should be stored securely for example, in multiple copies of an encrypted KeePassX database in more than one location.
To do this in Ubuntu:. This will load your cold wallet into your Bitcoin Core client. This article describes how to: Create a cold-storage wallet using Bitcoin Core in a live offline Tails session Generate and collect public Bitcoin addresses for the cold wallet Manage the wallet and wallet passphrase The cold wallet is created by running Bitcoin Core in an offline Tails session.
Open a terminal and cd to the Bitcoin Core binaries directory: Access these addresses via the Bitcoin Core File menu: Save the generated wallet to your persistent volume. You can add a symlink to set this up: Transfer Funds Transfer Bitcoin to one of the public Bitcoin addresses managed by the cold wallet. Backup Private Keys If required, you could dump the private keys of the cold wallet. To do this in Ubuntu: Encrypt wallets with a strong passphrase Secure your passphrase and your wallet - there is NO password reset option if you forget!