I have planned to buy more $onions at the end of the airdrop and therefore I wanted a secure wallet, a real cold wallet. I assume most people just download the wallet software on their main computer and create their wallet.dat there. But there are always risks when creating a wallet on an online computer. The computer could be infected with malware or attackers could sniff the network.
I am a long term holder and didn't want to worry about my wallet. I wanted a secure cold storage.
A Frozen Lake - Cold as my Wallet
(Photo by Rob Bye on Unsplash)
Approach
My approach to achieve this was to create a wallet on an offline machine and encrypt it there. Then I would test it, create a few backups and send my funds to it which I want to store long term.
Not the easiest way to set up a new wallet, but the advantage is that the private keys are never exposed to the internet. No one without physical access will be able to steal the funds. That's a safe feeling.
Practical Implementation
First of all I needed an offline device. Fortunately I had an old laptop which I didn't use anymore. I reinstalled Windows and disabled all network devices to make sure that it is disconnected.
In the next step I downloaded the newest wallet from the DeepOnion website and moved it via a USB stick to the laptop. Now I started the wallet and checked for new folders and files under %appdata%. Everything worked as expected. I had a new DeepOnion folder and in it my cold wallet.dat. The wallet software is of course out of sync and will not show any values.
Offline Generated DeepOnion Wallet
Testing the wallet
After I had encrypted the wallet file, it was time to test that I can send from the wallet. It's very unlikely that there could be any issues, but I prefer to ensure that all is working fine.
The idea is to create everything offline and only move the encrypted wallet.dat to an online computer. It isn't required to unlock it there, it's just used to list all unspent inputs and prepare an outgoing transaction, which is then signed offline.
I needed to sign a transaction from the offline wallet. Fortunately I had this already tested a while ago and wrote a tutorial about it.
https://deeponion.org/community/threads/tutorial-how-to-send-from-an-offline-wallet-cold-storage-without-exposing-your-private-keys.23806/
First I created the raw transaction on the online wallet.
Creation of a raw Transaction
Then I moved this to the offline computer and signed it there.
Signing a raw Transaction
Everything worked on the first try. Now, I am quite sure that everything works and that it's nearly impossible to steal funds from this address.
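The online/offline split described above, written out as an added example (not the author's tutorial code). It assumes Bitcoin-Core-style RPC methods (listunspent, createrawtransaction, decoderawtransaction, signrawtransaction) that the DeepOnion wallet inherits, and takes `rpc` as any callable so the same logic can drive a real daemon or a test double; the offline side decodes the transaction carried over by USB and compares every output against the owner's intent before the keys are used, which protects against a compromised online machine swapping the destination or dropping the change output.

```python
"""Online/offline split of a raw-transaction send with an intent check before
signing (added example, not the author's tutorial code).  Assumes Bitcoin-Core
style RPCs (listunspent, createrawtransaction, decoderawtransaction,
signrawtransaction) that DeepOnion's wallet inherits; `rpc` is any callable
rpc(method, *params), so a real daemon or a test double both work."""
from decimal import Decimal

def build_unsigned_tx(rpc, dest, amount, change_addr, fee=Decimal("0.001")):
    """Online machine (holds no keys): pick inputs, compute change, build hex.
    Forgetting the change output would hand the remainder to miners as fee."""
    amount, fee = Decimal(str(amount)), Decimal(str(fee))  # fee default is a constructed value
    utxos = sorted(rpc("listunspent"), key=lambda u: -Decimal(str(u["amount"])))
    chosen, total = [], Decimal(0)
    for u in utxos:  # largest-first selection until the target is covered
        chosen.append({"txid": u["txid"], "vout": u["vout"]})
        total += Decimal(str(u["amount"]))
        if total >= amount + fee:
            break
    else:
        raise ValueError("insufficient funds: have %s, need %s" % (total, amount + fee))
    outputs = {dest: amount}
    change = total - amount - fee
    if change > 0:  # send the remainder back to an address we control
        outputs[change_addr] = outputs.get(change_addr, Decimal(0)) + change
    return rpc("createrawtransaction", chosen, outputs)

def verify_before_signing(rpc, unsigned_hex, expected):
    """Offline machine: decode the hex carried over on the USB stick and check
    every output against the owner's intent.  A compromised online machine
    could otherwise swap the destination address or drop the change output."""
    actual = {}
    for vout in rpc("decoderawtransaction", unsigned_hex)["vout"]:
        spk = vout["scriptPubKey"]
        addrs = spk.get("addresses") or [spk.get("address")]  # older/newer field name
        if len(addrs) != 1 or not addrs[0]:
            raise ValueError("unexpected output script: %r" % spk)
        actual[addrs[0]] = actual.get(addrs[0], Decimal(0)) + Decimal(str(vout["value"]))
    wanted = {a: Decimal(str(v)) for a, v in expected.items()}
    if actual != wanted:
        raise ValueError("outputs %s differ from intent %s" % (actual, wanted))
    return True

def sign_offline(rpc, unsigned_hex, expected):
    """Offline machine: sign only after the intent check has passed."""
    verify_before_signing(rpc, unsigned_hex, expected)
    signed = rpc("signrawtransaction", unsigned_hex)
    if not signed.get("complete"):
        raise ValueError("not all inputs signed (wallet locked or keys missing?)")
    return signed["hex"]  # carry back online and broadcast with sendrawtransaction
```

The returned signed hex is what gets moved back to the online machine and broadcast; the `expected` dictionary is typed in by hand on the offline machine, not copied from the online one.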
I now own a wallet whose private keys were never exposed on a computer connected to the internet. As there is currently no hardware wallet available for DeepOnion, this is a good alternative for creating a secure wallet.
Usability improvements
Of course it's not convenient to create a raw transaction every time I want to send funds. Therefore I moved the entire DeepOnion folder to a USB stick and created a symbolic link on the online machine as described in this post.
https://deeponion.org/community/threads/tutorial-how-to-move-your-deeponion-appdata-folder-to-a-different-drive.23630
Now it's only possible to send funds when I connect my USB stick to the machine. There was still one problem. How can I unlock my wallet without risking losing my password? KeePass provides an easy way to obfuscate your password entries: you just have to set one checkbox and it will partly auto-type and partly paste from the clipboard.
https://deeponion.org/community/threads/tutorial-how-to-obfuscate-your-password-inputs-with-keepass.26317/
Outlook
It is possible to create a cold storage for DeepOnion, and you just need a computer which is not connected to the internet and a USB stick. Depending on the requirements it's possible to never expose anything to the internet, which makes it really secure storage.
Further cooling
If you are serious about the wallet and don't want anything exposed, you can also download the entire blockchain on an online computer and move the data to the offline machine. Then you can list the unspent inputs and create the transaction there, and just broadcast it on an online machine. You would not be required to use anything online.
Open risks
Bruteforce the wallet.dat
Someone could steal the wallet.dat from the computer and just test different passwords against it. As long as the password is strong enough and there is no security vulnerability, this will be unsuccessful with today's computing power.
Physical access
No real risk when the wallet.dat is also encrypted on the offline computer. It's recommended to use an encrypted hard disk when using dumpwallet.
I also published this article on the DeepOnion community forum.
https://deeponion.org/community/threads/article-i-created-a-cold-storage-wallet.34444/
Follow me on Twitter for the newest updates and giveaways.
https://twitter.com/BlockEncryptor