Add wallet privkey encryption, and use it for all new keys #203

pull TheBlueMatt wants to merge 1 commits into bitcoin:master from TheBlueMatt:crypter changing 12 files +493 −9
  1. TheBlueMatt commented at 2:56 PM on May 8, 2011: member

    Request the password from the user at startup and store the key in memory for all new key encryption. Each ekey in the wallet is decrypted and the privkey derived and checked against the stored pubkey to ensure the password is correct.

    Thanks to jgarzik for the original patch and sipa for all his input.

    Forum thread: http://www.bitcoin.org/smf/index.php?topic=7405

  2. CAFxX commented at 8:00 PM on May 8, 2011: none

    I see you took into consideration the issue of the password/key being swapped out but didn't actually write any code to prevent it. You should use mlock (unix) or VirtualLock (windows) to prevent memory from being swapped (the correct way of doing this is: allocate, mlock/VirtualLock, use the memory, when done overwrite it (random data is better than 0s), deallocate). Note: this still won't protect from other processes peeking at your memory, at least on windows.

  3. TheBlueMatt commented at 8:05 PM on May 8, 2011: member

    Yea the whole ramdump to see password/key is pretty much impossible to prevent no matter what you do, so I'm really not going to try to fight it. Though, I'm planning to add more security to the encryption later, but having it now really isn't worth it for several reasons (see the original forum thread by jgarzik linked by the one about this pull).

  4. TheBlueMatt commented at 8:36 PM on May 8, 2011: member

    As a side note, preventing any kind of key leakage is pretty much impossible in C++ when the user is entering the key in wx. If nothing else, the current value of the password dialog might end up in swap. I'll try to add a bunch of memlock's and memset/fills tomorrow but I don't think its possible for it to be 100%.

  5. CAFxX commented at 5:51 AM on May 9, 2011: none

    I guess so, unless we also patch wx in the process.

  6. TheBlueMatt commented at 10:23 AM on May 9, 2011: member

    Now with more mlock(). Note I made a conscious decision here that I only bother to keep the actual password entered by the user out of memory/swap as much as possible, not the derived key or the private keys themselves. I have a separate branch which encrypts private keys in memory (much easier than not loading until needed in the current architecture) but still keeps the key to decrypt them in memory. Hopefully someone has the time to patch bitcoin to be a bit more careful about when it generates private keys and make it possible for password entry only at decrypt-time.

  7. TheBlueMatt commented at 10:24 AM on May 9, 2011: member

    Note that any password longer than 100 characters will only have the first 100 mlock()d, but if you can't derive the key without all of the password, so I'm not concerned.

  8. CAFxX commented at 10:33 AM on May 9, 2011: none

    maybe adding some comments about this might help (eventually also mentioning that currently there's no way to stop another process from peeking and that we don't deal with hibernate-to-disk)

  9. Add wallet privkey encryption, and use it for all new keys
    Request the password from the user at startup and store the key in memory for all new key encryption.
Each ekey in the wallet is decrypted and the privkey derived and checked against the stored pubkey
to ensure the password is correct.

Thanks to jgarzik for the original patch and sipa for all his input.
    b8b8e0a8c0
  10. TheBlueMatt commented at 8:32 AM on May 10, 2011: member

    Now with more comments to clarify the purpose of mlock()s and such.
    Now the question: I have a WIP branch which decrypts private keys only at spend-time (or it will in a couple days). Still a couple things to tighten down, but the question is which would rather be seen in bitcoin? https://github.com/TheBlueMatt/bitcoin/tree/encprivkeys

  11. CAFxX commented at 4:17 PM on May 10, 2011: none

    well, keeping the keys encrypted in ram as a method to prevent other processes from reading it is pretty useless unless we manage to lock out all other processes from accessing our memory. reasking the password at spending-time is a good opt-in setting, but doesn't require keeping the keys encrypted in ram. so If I had to choose I'd definitely say wallet encryption over privkey encryption in ram. it would probably make more sense to have an hardware token (something like one of these http://www.hacker10.com/tag/hardware-security-token/ ) storing the privkey and doing the actual signing (so that the privkey never leaves it).

  12. TheBlueMatt commented at 1:53 PM on May 18, 2011: member

    Superseded by #232 closed.

  13. TheBlueMatt closed this on May 18, 2011
  14. sipa referenced this in commit 9d09322b41 on Mar 27, 2015
  15. dexX7 referenced this in commit a952cd62d4 on Aug 30, 2015
  16. TheBlueMatt referenced this in commit 582b2934e6 on Oct 20, 2015
  17. deadalnix referenced this in commit 1256ee1a97 on Jan 6, 2017
  18. deadalnix referenced this in commit f88343f2eb on Jan 19, 2017
  19. deadalnix referenced this in commit 78532abaa3 on Jan 19, 2017
  20. lateminer referenced this in commit 7892d71057 on Dec 9, 2017
  21. classesjack referenced this in commit 2ee4af9f6a on Jan 2, 2018
  22. attilaaf referenced this in commit 09992fc00e on Jan 13, 2020
  23. Losangelosgenetics referenced this in commit 26956bf434 on Mar 12, 2020
  24. cryptapus referenced this in commit 214b74e6e7 on May 3, 2021
  25. DrahtBot locked this on Sep 8, 2021
Contributors
TheBlueMattCAFxX
Linked (view graph)
#25323 miniscript fuzzer failing after qa-assets update
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-13 21:16 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me