I’m interested in knowing what best practices are for storing crypto key information, from those who are doing it currently. Just throw it into a secure note?
I know almost nothing about it but I do understand that there are PINs, long seed text strings, etc. Appreciate any info!
There are no custom / additional types yet, so secure notes are the way to go for now if you want to store it in Bitwarden.
If you want more structured data, you can use custom fields to separate seeds, pins or whatever information you want. You can even designate the sensitive info as a “hidden” custom field so that someone standing next to you, when viewing your public key can’t see your seed text for example.
Unless I’m remembering incorrectly, I believe there is a 5000-character limit for the encrypted cipher of a custom field (compared to 10,000 characters for a secure note), and the encryption process typically expands the field contents by 20-30%. Thus, in some cases, a long cryptographic key may not fit in a custom field.
I would never recommend storing seeds for any blockchain cryptocurrency wallet of value in a cloud-based password manager. Large wallets are susceptible to targeted attacks by very determined and skilled groups of hackers. Offline seed management in a secure (water; fire; theft) environment with redundancy. Especially for NFTs, the current practice is to keep your main wallets in cold storage, only temporarily transferring in the amount you need for a transaction to a hot wallet so if the hot wallet is compromised, you only lose the amount you temporarily transferred. The main wallet never does a direct transaction for any purpose. Would recommend Ledger as one cold wallet storage solution. But, again, the Ledger’s seeds should be kept offline in a secure environment with redundancy and should never be entered electronically anywhere. Just my .02 cents.
That mirrors other recommendations I’ve read yesterday. Thanks.
I agree with the post made by 222 on March 11. It is not safe to store your wallet seed phrase, nor private key, in a cloud based password manager.
However, I strongly disagree with the following point, which is to store your seed phrase, or private key, within an offline password manager or a cold storage hardware wallet such as the Ledger.
Why do I think this?
Ledger has been exposed as a hot wallet (see source one). The main issue with all hardware wallets is that the seed phrase offers a single point of failure for the entirety of your wallet. Similarly, a private key offers a single point of failure for a specific blockchain address.
The trick is to decentralize the single point of failure presented by the seed phrase and private keys. This is where MPC, formally known as Multi-Party Computation, comes into play.
What is MPC?
Cybravo is a enterprise grade digital asset custodian co-founded by Paul Fan and Tim Hsu. These men are heavy weight hitters within the Taiwanese cybersecurity space. They spent nearly two decades, each, advising companies such as Trend Micro and Qihoo. They were recently acquired by Circle, the issuer of the USDC stable coin.
Cybravo defines MPC as the following: “Multi-party computation (MPC) is a cryptographic protocol that powers shared computation without compromising the security and privacy of data. It is a method of distributing computation across several individuals where no single party can see the other individuals’ information” (Cybravo 2021). (see source two)
Therefore, I highly suggest people use a wallet, such as ZenGo, that supports MPC.
I also highly recommend using multi-sig wallets as well, such as mycelium for BTC. And of course, nothing truly beats the pen, the pad, and the fire proof safe. It is always wise to store each multi-sig signer in a different geolocation. Make sure to have redundancies in place. If you are hodling BTC for the long run, this is the safest bet.
However, if you truly must store your seed phrase or private keys in a digital form, there are safe ways to do this.
Before you begin, make sure you fully trust the host device. Best to download the necessary software, and then boot into safe mode without networking to conduct the encryption process. If you feel extra paranoid, go ahead and do it inside a virtual machine as well.
In my opinion, your best bet would be to use the software Veracrypt, to create a virtual cascade encrypted drive. You may also create a separate encrypted hidden drive within the virtual drive, if you want to be extra cautious.
Use Paranoia Encryption Tools to encrypt your seed phrase or private keys with AES-256, Twofish, Serpent, etc. There is no “better” choice between them, as the probability to crack them is unfeasible. Use a password randomizer, such as the one provided by Bitwarden, to create a 64 digit, or 12 word password. This ensures resistance against a bruce force attack.
Mount the virtual drive using Veracrypt, store the files within the virtual drive, un-mount it, and then, you have yourself a pretty secure lockbox. Feel free to upload it to any cloud service you choose (I suggest only using cloud providers that employ zero-knowledge proofs, zero-knowledge encryption, zero-trust environments, etc). Store it on external hardrives, USB’s etc. It is pretty much safe anywhere at this point.
And if you really wanted to, use the shellbag analyzer and cleaner, plus privaZer, to give your system a good clean (six to seven passes, within the privaZer settings, is more than good enough). Securely erase, and reinstall windows, and there you go. Hope you can find something valuable from this.
Stay safe my friends!
OneDiamondToRuleThemAll
Source One: Firmware Wallets: Sunlight is the best disinfectant - ZenGo
Source Two: What is Multi-Party Computation (MPC) And How Does it Secure Digital Assets? - Cybavo
https://tinyurl.com/55fx2fbn — (The link was unruly. It needed to be shortened)
[URL shortener removed by mod.]
@222, in my case, I mostly use cryptocurrency wallets to evaluate the technology, so I shan’t be the focus of a targeted attack.
In that case, have any of you any recommendations about how to most conveniently store relevant credentials - like the recovery phrase and passphrase - in BW?
Autofill not working (due to these not necessarily correlating to a password and username) seems like a nuisance.
@OneDiamondToRuleThem, did you copy that comment content from somewhere? It appears somewhat unusually verbose to have been written for such a niche topic by yourself.
Just do old school approach. No need for fancy stuff. Create 2-3 small 2gb pendrives, store data on them as plain text and then triple encrypt using AES 512, don’t forget about regular backups and you’re good to go.
@DannyD, I want them synchronised in a secret manager that I can access an API of.
That method of storing credentials, if you’re not being targeted by a nation-state actor, is unnecessarily arcane for mere technical evaluation.
how to most conveniently store relevant credentials - like the recovery phrase and passphrase - in BW?
Autofill not working (due to these not necessarily correlating to a password and username) seems like a nuisance.
Maybe a hidden custom field, but you would have to go grabe the filed id/name to have it autofilled.
Yeah, @Neuron5569, I was hoping that there might be standard terminology that was stuck to amongst id fields, but it appears not… I’d rather not have to do a csv= of all the possible options per entry. It’s bad enough for Matrix credentials.