Do not use (only) flash memory (SSD drives, hardware wallets, USB flash drives) for your precious private keys!

Flash memory is not a reliable medium for archives. Especially when there is no regular power. I have personal experience with usb flash drive not powered for weeks - one file became corrupted.

(Read more here: Archiving private keys - TLDR version.)

You should always back up on paper and other mediums.

Flash memory is prone to failure if it is not powered for weeks or more and if there are ionizing radiation

When you write your precious private keys you should use technologies like Parchive and ZFS. And make several copies of your files.

It's OK if you use your USB flash drive for another backup, but don't rely on it! Always back up on DVDs (even small files!), paper and online (after encryption with CPU and RAM intensive key derivative function like scrypt).

Here is example of using the scrypt utility:

$ sudo apt-get install scrypt
$ scrypt enc -M 1073741824 -t 200 secret.txt encrypted.scrypt

Do not use default values of "-M" and "-t", they are weak!

If you want to print your encrypted secret you can encrypt it again with GnuPG (with different password! the new password may be weaker, it does not matter because you already encrypted the data using a heavy KDF):

$ gpg -vv --force-mdc -c -a --s2k-mode 3 --s2k-count 65011712 --s2k-digest-algo SHA512 --cipher-algo AES256 encrypted.scrypt

This will write the file "encrypted.scrypt.asc".

Be careful which font you choose for printing because it is important to distinguish between similar looking characters.

When you print important crypto stuff (private keys) make sure you use a proper font and don't leave traces on your printer's hard drive and your computer's hard drive

The default installation of Linux distros like Ubuntu is not very secure if you don't know what you are doing.

For example, if you write a file "secret.txt" on your non-encrypted hard drive partition, it stays there for a long time (maybe years) even if you "delete" it.

It can be recovered by the thieves if they stole your hard drive or install malware on your computer.

Also, your swap file must be encrypted if you want to keep your private keys for yourself.

You can use tmpfs to write your secrets before encryption (if you don't have swap file or your swap file is encrypted):

$ mkdir /home/yourusername/tmpfs
$ sudo mount -t tmpfs -o size=2G tmpfs /home/yourusername/tmpfs

It's always beneficial to invest in learning about computer security.

Archiving private keys - TLDR version.

Comments

Popular posts from this blog

[fixed] "Evolution is currently offline due to a network outage."

Archiving private keys - TLDR version

[ad removed]