Databases, Ciphers and Secrets: A Guide to Securely Storing Cake Wallet Private Keys


Almost any cryptocurrency wallet allows a backup — saving the private key in a special file to restore access in case of loss or device failure. But this creates new problems: the file could be stolen by attackers.

The developers of the Cake Wallet cryptocurrency wallet discuss open-source software for secure storage and encryption of private keys.

Cracking a wallet in three minutes

Desktop, mobile and browser wallets store private keys on the user’s device. For example, the Exodus crypto wallet stores them in the AppData\Roaming folder on Windows and in Application Support on macOS.

The most important files are seed.seco and passphrase.json. The former contains the private key, and the latter the phrase to decrypt it.

\"Базы
Contents of the exodus.wallet folder in Application Support. Access requires revealing hidden folders.

If a hacker copies the files to their own computer, they gain access to the wallet. We did exactly that in the example below.

\"Базы
Transferring files to another computer. Bitcoin addresses match.

This does not mean Exodus and other desktop wallets are unreliable. We deliberately did not use passwords, encryption or 2FA to illustrate the theft mechanism.

Most wallets offer to encrypt key files with a password. But even then they will remain in obvious places and be vulnerable to brute-force attacks.

Stealing the files from a smartphone is harder: iOS and Android do not provide full access to the file system. We installed Cake Wallet, MyEtherWallet and TON Surf on a smartphone but could not locate the key folders without root access.

However, a phone can be lost or damaged, and the cryptocurrency can be lost with it. To guard against that, back up the wallet: store the private key or mnemonic phrase on a separate device and encrypt it.

Backups also let you use desktop wallets safely. To do this, make them non-custodial: import the private key manually each time and wipe the folders when you finish.

How to Back Up Properly

Access to the wallet requires either the private key or the seed phrase—one will suffice.

It is better to choose the seed phrase. It consists of English words, and therefore reduces the likelihood of errors when creating a backup.

Seed phrases and private keys are roughly equally resistant to brute-force attacks, that is, to guessing possible combinations.

The data can be secured in four ways:

  • store in a password manager;
  • save to a file and encrypt it;
  • upload to encrypted cloud storage;
  • split into shares using Shamir’s secret sharing.

We illustrate them using open-source tools: KeePassXC, PGPTool, Cryptomator and ASecuritysite.

Remember that there is no absolutely secure method for storing keys. But cracking a protected wallet would take months, whereas cracking an unprotected one would take minutes.

KeePassXC Password Manager

A password manager is an application for storing numerous key-value pairs. Essentially, it’s an encrypted database that can be opened only with a master key.

We illustrate the password manager using KeePassXC — a free open-source application for Windows, Linux and macOS.

On first run KeePassXC will offer to create a database. Enter its name in the Database Name field.

\"Базы
The description field can be left blank. You will only see it in the settings.

In the second step configure the time needed for each brute-force attempt (Decryption Time). The default is 1 second; the recommended value is 5 seconds.

\"Базы
The ideal decryption time is five seconds. In this case a hacker will test 20-30 passwords per minute.

Next, enter and confirm the master key. It should be unique — do not reuse existing or similar passwords. Note that KeePassXC supports characters such as ©, ✓ or ⌀, which are not found in standard keyboard layouts and brute-force dictionaries.

Then name the database file and choose where to save it.

\"Базы
Select a folder or device where you are sure you won’t lose the database file.

To create a backup, click the plus on the top toolbar. Name the entry, for example seed phrase. If you don’t want to leave a hint for hackers, leave the field blank.

Enter the seed phrase or private key in any field and press OK. We recommend using the Password field: KeePassXC hides its contents when viewing the database.

\"Базы
The Title, Username, URL and Notes fields can be left blank. They help you navigate the database contents.

To copy a key or seed phrase, right-click the entry and choose Copy Password from the dropdown.

\"Базы
KeePassXC hides the password length, so dots appear in the Password field instead of characters.

The database should be copied to a USB drive or uploaded to the cloud in case the hard drive fails.

PGPTool Encryptor

PGP (Pretty Good Privacy) is the name of a library of functions for data encryption and of the applications built on it.

PGP encryption protects the contents of emails, hard drives and individual files. PGP applications operate like crypto wallets: they encrypt information with public keys and decrypt with private keys.

We will back up a text file containing the seed phrase using PGPTool, an open-source desktop PGP client. To run it, you need any operating system that supports the Java Runtime Environment.

Write the private key or seed phrase to a text file and save it on your computer. Install and run PGPTool.

Click the Key ring button to create a new pair of public and private keys.

PGP is used to encrypt emails, so many apps ask for a name, password and email. You do not have to provide real data: in our case it serves only as the name of the key pair.

After filling in the main information, set a password and click Create.

\"Базы
If you don’t want to provide your real email address, enter any string of letters with @gmail.com.

Create a backup: click Encrypt File and select the file containing the seed phrase.

Uncheck the Use same folder option and specify where to save the backup. Otherwise PGPTool will place the backup in the folder with the source file.

Click Encrypt.

\"Базы
If you enable the Delete source file checkbox, the client will delete the original file after encryption.

Upon completion, PGPTool will display the message “File was encrypted successfully”. The backup is ready. Make a copy of this file in case of loss or damage to the main device.

To decrypt the backup and read the seed phrase, click the Decrypt file button and select the encrypted file. Enter the password you set when creating the key pair.

\"Базы
In the Key field, the name and email address appear, not the key.

Choose a folder to save the decrypted file and click Decrypt.

\"Базы
Be sure to save the PGP key to an external drive so you do not lose access to your backups.

Click the Key ring, right-click the key and select Export private key in the dropdown. Specify a folder for storing the key file and click Save.

\"Базы
The PGP key will be saved in .asc format.

After that, remove the private key from the client by selecting Remove key from the list. If a hacker still gains access to the computer, they will not be able to decrypt the file.

Cryptomator Cloud Storage

Cryptomator is a free tool for creating encrypted vaults in OneDrive, Google Drive, iCloud and on the device’s hard drive.

To back up, install a version of Cryptomator for your operating system. The app runs on Windows, macOS, Linux, Android and iOS.

Launch Cryptomator, press Add Vault and enter the storage name.

\"Базы
On the left, available vaults are shown.

Choose where to store the files — cloud or a folder. Cryptomator will offer cloud services whose apps are installed on the device. We created storage in iCloud.

\"Базы
Cryptomator stores files in the folder used by the cloud client for synchronization.

Set a password and tick the Yes checkbox to obtain the recovery phrase.

\"Базы
Record the recovery phrase in a text file or in a notepad.

Before moving the file into the vault, unlock it: click Unlock Now and enter the password.

\"Базы
The icon on the left shows the vault status: closed lock — encrypted, open — decrypted.

Cryptomator will open a virtual vault in the Explorer. Place the seed phrase file into it. The app will immediately push it to the cloud.

\"Базы
Cryptomator displays the vault as a virtual localhost drive.

After that, close the vault: select it in Cryptomator and click Lock.

If you close the app or shut down the computer, Cryptomator automatically re-encrypts open vaults: copies the contents of the vault to the cloud and removes the virtual drive from the system.

\"Базы

Back up the storage to avoid losing access if the device fails. Go to the Cryptomator folder and locate the vault folder.

\"Базы
In the d folder are encrypted files that will later be placed in storage. Do not manually add anything to it: breaking the structure will render the storage unreadable.

Copy all files to an external drive. If the computer fails, install Cryptomator on a new device and import the vault. To do this, click Add Vault, then Existing Vault. In the dialog, specify the path to the masterkey and vault.

\"Базы
To open the backup in Cryptomator, the masterkey and vault folder must include a d folder with encrypted files.

When importing the vault, Cryptomator will require a password. If a hacker steals the backup, they can reach its contents only after a brute-force attack.

Shamir’s Scheme on ASecuritysite

Shamir’s scheme (Shamir’s secret) is an algorithm that splits information into encrypted fragments. To restore the original data, several fragments are required. Their number is called the threshold.

The algorithm can be explained with a curve-building task. Suppose Alice specifies five points through which only one curve passes. Bob can take the coordinates of any three of Alice’s points (the threshold) and construct that curve.
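
The curve-through-points idea above, as an added Python example (not ASecuritysite's code and not from Cake Wallet): the secret is where a random polynomial crosses x = 0, the shares are other points on it, and Lagrange interpolation rebuilds it locally, so the phrase never leaves the machine. The field prime, the function names and the sample phrase are assumptions of this sketch.

```python
# Added example: Shamir's scheme over a prime field, standard library only.
import secrets

# Field modulus (an assumption of this sketch): the Mersenne prime 2**2203 - 1,
# large enough for a 24-word seed phrase encoded as one integer.
PRIME = 2**2203 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial at x (coeffs[0] is the constant term), mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split(secret: bytes, shares: int, threshold: int):
    """Return `shares` points (x, y); any `threshold` of them rebuild the secret."""
    if not 2 <= threshold <= shares:
        raise ValueError("need 2 <= threshold <= shares")
    # The 0x01 prefix preserves leading zero bytes of the secret.
    value = int.from_bytes(b"\x01" + secret, "big")
    if value >= PRIME:
        raise ValueError("secret too long for this field")
    # Random curve of degree threshold-1 that crosses x = 0 at the secret.
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover(points) -> bytes:
    """Lagrange-interpolate the curve through `points` at x = 0 and decode it."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * -xj % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    raw = total.to_bytes((total.bit_length() + 7) // 8, "big")
    return raw[1:]  # drop the 0x01 prefix; below the threshold this is noise


if __name__ == "__main__":
    phrase = b"constructed sample phrase, not a real wallet seed"
    parts = split(phrase, shares=5, threshold=3)
    print(recover(parts[:3]) == phrase)  # three shares meet the threshold
    print(recover(parts[:2]) == phrase)  # two shares do not
```
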

Backups using Shamir’s scheme can be created on open-source online converters. We used the first site in search results — ASecuritysite.

Go to the Shamir encryption page. Paste the private key or seed phrase into the Secret Message field.

Enter the number of shares in No of shares and the threshold in Threshold. Press Determine.

\"Базы
Threshold should be more than 50% of the number of shares. If there are seven shares, set the threshold to four; if eight — to five.

The converter will write encrypted fragments into the Shares field and separate them with the ‘=’ sign.

\"Базы
The converter places the decrypted message into the Reconstructed field to demonstrate the algorithm’s correct operation.

Save the fragments on different media: one in a notebook, another in the cloud, a third in a password manager, and so on.

A hacker cannot recover the data from a single fragment. But if you lose one fragment, you will still be able to decrypt the data for wallet access.

To read the information in the backup, go to the decoding page. Paste several fragments into the Secret shares field and click Determine.

\"Базы
Don’t forget to separate fragments with line breaks so the decoder treats them as separate lines.

Initial decoding attempts will look like random bit sequences. This is normal: the decoder tries to restore the original from the first fragment, then adds new ones and repeats. It will yield the original message when the threshold is met.

Conclusion

There is no perfect method for storing information, but encryption can complicate a hacker’s work and shield against device failure.

The private key and seed phrase can be stored in a password manager, encrypted with PGP, placed in a secure vault, or split using Shamir’s scheme. These methods can be combined, for example by storing the password-manager database in the cloud or applying Shamir’s scheme to the key for PGP encryption.

For storing cryptocurrency, it is better to use mobile wallets such as Cake Wallet: they do not store key files in obvious places.

If you prefer desktop applications, create an encrypted backup, import the private key at every wallet startup, and when you finish remove the contents of the AppData\Roaming (Windows) and Application Support (macOS) folders.
