Guide: Cryptocurrency Wallet Security

So you’ve built your own mining rig, you’ve mastered the art of trading for profit on the cryptocurrency exchanges, but you haven’t given much thought to securing your digital fortune against theft and accidental loss? Don’t worry, you’re not alone. Wallet security isn’t exactly a glamorous topic. In fact, many of you might even assume that you don’t need your own wallet at all. After all, mining pools and currency exchanges are more than happy to hold your money for you, right?

Letting somebody else control your money is a mistake that will likely end up costing you at some point. That mining pool operator that you assume is trustworthy could very well be a teenager halfway around the world that has no problem stealing your coins. The various digital currency exchanges are unregulated, not necessarily secure, and a daily target for hackers. Good luck getting your money back when one is breached or goes belly up.

Since it’s still basically the Wild West when it comes to cryptocurrencies, the only way to ensure that your digital wallet can’t be stolen or lost is to secure it yourself. Thankfully, this isn’t all that difficult if you follow a few basic rules. Read on for the guide.

I’m going to use the Litecoin client in my guide, because I’m assuming that is what most of you are mining. The basic steps of the guide are the same no matter what currency you’re dealing with, though. You’ll just need to get a client that is appropriate for whatever altcoin you’re interested in (I give some tips on how to locate the proper client in step 2).

On to the guide:

Step 1: Make sure that your PC is free from viruses/malware!

I cannot stress this enough. If you have a keylogger or other malicious code running on your PC that gives a hacker any kind of access to your computer or the information on it, then it doesn’t matter how careful you are about following the rest of the steps in this guide. Make absolutely certain that your PC hasn’t been compromised before continuing.

I’m a fan of both Avast and Microsoft Security Essentials as top free antivirus choices. Emsisoft and Malwarebytes both put out excellent anti-malware products. I recommend a full scan from one product in each category before proceeding, even if you’re relatively sure that you’re virus & malware free. If your computer has had viruses, keyloggers, or malware on it in the past, and you haven’t done a clean re-install of your OS since, then I’d recommend using another computer entirely.

If you’re truly paranoid or want a 100% secure environment, then the best option is to create an Ubuntu Live-CD (or bootable USB). Simply download Ubuntu, burn it to a disc, and then put it in your computer and reboot. When it reboots, choose the “Try Ubuntu without any change to your computer” option to boot into an environment that you know is 100% free from viruses and other malicious code.

Step 2: Download the client (wallet)

For Litecoin, this means downloading litecoin-qt, the official client. There are other options, but litecoin-qt is open source, so you can be sure that it is free from malicious code. If you’re interested in a Bitcoin wallet, you’d get bitcoin-qt (which litecoin-qt is based on). If you’re interested in another altcoin, just Google “[altcoin’s name]-qt”, and chances are that you’ll find a client.

Once you’ve downloaded and installed the client, proceed to the next step.

Step 3: Let the blockchain download

(You can technically skip this step if you’re just using the client to generate wallet addresses and you’re not actually moving coins around, but I prefer to let it finish, especially since you’ll eventually need the entire blockchain anyway.)

The download will happen automatically when you open the client for the first time. Depending on which currency you’re dealing with, this can potentially take quite some time (for Litecoin, expect it to take several hours).

When the blockchain is finished downloading, the “out-of-sync” warning will disappear, and you’re ready to proceed to the next step.

Step 4: Make a note of your wallet addresses

Click on the “Receive coins” tab of your client. You’ll see that 10 addresses have automatically been created for you already. These are the payment addresses that you’ll give to people (and mining pools, etc) so that they can send you coins.

If you want more than 10 addresses, you can go ahead and click the “new address” button to create more. If you want to assign labels to some addresses to make organization easier (eg: perhaps you mine at several different mining pools, and want to use a different address for each), go ahead and do that too. You can always generate more addresses and add/change labels later, too.

When you’re done, you’ll need to make a note of your addresses. The easiest way is to click the “Export” button on the client, which will save all of your address (and labels) in a CSV file for you. You can even email the contents of the file (you can open it with any spreadsheet program, or even a plain-text editor such as notepad) to yourself so you always have it available.

Once you’ve saved your addresses somewhere, proceed to the next step.

Step 5: Encrypt your wallet (optional)

This step isn’t strictly necessary, but there really isn’t a downside to it other than potentially forgetting your password.

Click on “encrypt wallet” under the “settings” menu of the client. Choose a good passphrase that you can remember here. When you’re done, you should see an icon in the lower right corner of the client that says your wallet is encrypted and locked.

Step 6: Copy your wallet file to multiple secure locations

This is the important step. Your wallet file contains the private keys that authorize you to transfer coins from all of the addresses that you generated in step 4. If anyone else gets this file, they will be able to steal your coins. If you lose this file, your coins are gone forever. I cannot stress the importance of this file enough: if you lose it, there is no way for anyone to ever retrieve any coins you have stored in the associated addresses.

If you’re using Windows, then your wallet file is located here:

   C:\Users\[YOUR USERNAME]\AppData\Roaming\Litecoin\wallet.dat

If you’re using Linux, then your wallet file is located here:

   /home/[YOUR USERNAME]/.litecoin/wallet.dat

Go ahead and close down the client. Navigate to the location of your wallet file. Now comes the question of where to copy it to?

I find that a few USB sticks are ideal (this 3-pack is perfect). You can also burn the wallet.dat file to a few CDs or DVDs. Wherever you copy it, make absolutely certain that:

  • You make multiple copies (I prefer at least three), in case one is lost/destroyed/corrupted.
  • The copies are offline. If you absolutely must copy your wallet.dat file to a computer, make sure it isn’t connected to the internet, at least.
  • You store the copies in more than one physical location. Leave at least one with a trusted friend or family member. If you’re a bitcoin millionaire, consider a safe deposit box or two.

Step 7: Delete your wallet file from your computer

Now that you have multiple offline backups, delete the wallet file from the computer that you used to generate it. This ensures that if your computer is compromised at any point in the future, a hacker can’t get your private keys and steal your coins.
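Steps 6 and 7 as a script, added here as an example rather than taken from the original guide: it copies wallet.dat to at least three destinations, checks every copy against the original's SHA-256, and deletes the original only if all copies verified. The function names and the usb1..usb3 directories are hypothetical, and the demo runs on a constructed stand-in file instead of a real wallet.

```python
import hashlib
import os
import shutil
import sys
import tempfile
from pathlib import Path

MIN_COPIES = 3  # the guide's preferred minimum number of backups


def default_wallet_path() -> Path:
    """Wallet locations listed in step 6 (Windows and Linux)."""
    if sys.platform.startswith("win"):
        return Path(os.environ["APPDATA"]) / "Litecoin" / "wallet.dat"
    return Path.home() / ".litecoin" / "wallet.dat"


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_wallet(wallet, destinations, delete_original=False) -> str:
    """Copy the wallet into each destination directory, verify every copy,
    and only then (optionally) delete the original. Returns its SHA-256."""
    wallet = Path(wallet)
    destinations = [Path(d) for d in destinations]
    if len({d.resolve() for d in destinations}) < MIN_COPIES:
        raise ValueError(f"need at least {MIN_COPIES} distinct destinations")
    expected = sha256_file(wallet)
    for dest in destinations:
        copy = dest / wallet.name
        shutil.copy2(wallet, copy)
        if sha256_file(copy) != expected:  # re-read what was written
            raise OSError(f"verification failed for {copy}")
    if delete_original:
        wallet.unlink()  # step 7: reached only if every copy verified
    return expected


def verify_backups(destinations, expected, name="wallet.dat"):
    """Return the destinations whose copy is missing or no longer matches."""
    bad = []
    for dest in map(Path, destinations):
        copy = dest / name
        if not copy.is_file() or sha256_file(copy) != expected:
            bad.append(str(dest))
    return bad


def demo():
    """Run steps 6-7 on a constructed stand-in file in temporary directories."""
    with tempfile.TemporaryDirectory() as root:
        wallet = Path(root) / "datadir" / "wallet.dat"
        wallet.parent.mkdir()
        wallet.write_bytes(b"constructed stand-in, not a real wallet")
        dests = [Path(root) / f"usb{i}" for i in (1, 2, 3)]
        for d in dests:
            d.mkdir()
        digest = backup_wallet(wallet, dests, delete_original=True)
        (dests[1] / "wallet.dat").write_bytes(b"simulated corruption")
        return wallet.exists(), verify_backups(dests, digest)


if __name__ == "__main__":
    print(demo())
```

Deleting a file does not overwrite its blocks on disk, and a hash check made right after copying may be served from the operating system's cache. Re-run verify_backups after re-inserting each USB stick, and again whenever you refresh the backups.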

And that’s it, you’re done! You can give any of the addresses that you made a note of in step 4 to people (or mining pools, or exchanges, etc), and they’ll be able to send coins to you. Nobody other than you will be able to do anything with the coins once they hit one of your addresses, as long as you hold onto your wallet backups.

Now that you have a secure place for your funds, I recommend that you take advantage of the auto-cashout feature on your mining pool(s), and set up your mining gains to automatically flow into one of your wallet addresses at a low threshold. Don’t move money into exchanges until you’re prepared to actually trade, and move your funds out afterward. Don’t treat pools or exchanges (or anyone else that offers to hold onto your digital currency) like banks: they’re not. The safest place for your coins is in your own secure wallet.

Checking your balance & spending coins

But what if you want to check on the balance of your coins? You don’t need your private keys to see all of the transactions associated with your addresses. You can simply use an online blockchain explorer, since those transactions are public information. For Litecoin, I like to use Abe. Bitcoin has blockchain.info. Simply type any valid wallet address into the search bar and you’ll see all of the transactions associated with it. For example, here is the address that I use to accept litecoin donations on this website (thanks people, you’re awesome!).

The only time that you’ll need your private keys is when you want to move coins out of one of your addresses. When you want to do that, you’ll just need to grab one of your USB sticks (or CDs, or whatever), copy your wallet.dat file back to where it belongs (the location in step 6), and then open up the client (you’ll need to wait for the blockchain to sync again before all of your coins show up in the client). Whenever you do spend coins, you should re-do step 6 and overwrite all of your backups with the new wallet.dat file to ensure that everything stays in sync.

If you need to spend coins on a day-to-day basis, the above process might be a bit cumbersome. In that case, you may want to create a second set of wallet addresses, and keep the wallet.dat file associated with this new set on your computer at all times, with only enough coins in it to meet your daily needs. You can think of the second set of addresses as the money in your pocket, while the primary addresses (the ones you secured and backed up in steps 1-7) are your personal bank vault. If the money in your pocket gets low, you can just open up your vault and transfer a few coins. This way, if you do get hacked, at least it’ll be more like a pickpocketing than a bank heist.

38 Responses to “Guide: Cryptocurrency Wallet Security”

  1. Biggen says:

    Great article!

    Man, I have learned a ton from this site. As soon as I start earning some coins I’ll throw some your way

  2. RB says:

    What a fantastic well written article. thanks mate

  3. SWE-Staal says:

    Thanks for all the great information on this page, I have ordered parts for a litecoin server/miner. 3 X GIGABYTE RADEON HD7950 is good enough I think.

    I hope you can write about the procedure how to exchange litecoins to dollars.

    Regards

  4. kevin says:

    Why not use strong encryption like bcrypt to protect wallet.dat and store a copy on google drive?

    http://en.wikipedia.org/wiki/Bcrypt

  5. twalsh says:

    Great article.
    Couple of questions though..

    1. If I just encrypt my wallet and save backups on computers that are left online would this not be protection enough, even if I get hacked?

    2. Re. “Whenever you do spend coins, you should re-do step 6 and overwrite all of your backups with the new wallet.dat file”
    Scenario: I store, say, 2 off-line backups (A and B) but only keep A updated with new transactions. Later ‘A’ has a mis-hap, gets lost or destroyed, can I still use ‘B’ to recover from this situation, or is ‘B’ useless now?

    • CryptoBadger says:

      It’s generally poor practice to leave wallets with any significant amount of currency in them on a machine that is internet-accessible. The wallet-level encryption that Litecoin-QT provides is fairly weak, and will probably not stop a serious thief that has access to modern password cracking tools.

      The answer to the second question is a bit more complicated. As long as the two copies of the wallets don’t get too far out-of-sync, the older version will still function. At some point though, it won’t – and then you’ll be out of luck. Best practice is to update all of your copies whenever you complete a send transaction, although in reality you’re safe as long as they’re not more than a few transactions out-of-sync. More information on the subject is here (they’re talking about the bitcoin wallet in this thread, but Litecoin-QT is essentially the same).

      • Rob says:

        Hi Badger, Regarding your answer to point 2, So if you have a backup – say a paper backup, stored in a few locations including a vault, are you saying as long as it’s a wallet purely used to receive coin then it doesn’t matter how old the backup is, it is still valid. I mean, if you put a paper backup to vault etc, and receive several transfers of LTC since the “backup” then it will function fine? You would simply import the wallet, sync it up with the current network and it would pull down all your transactions. I guess it’s a simple concept I’m not 100% clear on and I should really just test the concept myself by creating a paper wallet (or any wallet), perform a bunch of satoshi payments, then import it and check it worked

  6. mauro strano says:

    Hey there,

    I downloaded the litecoin wallet app, but for some reason the location where the wallet.dat file SHOULD be at, doesn’t seem to be there? Would it default to another location when you backup your wallet?

  7. PeerMedia says:

    This might seem like an odd question, but how do you restore a wallet? Do you just overwrite the .dat file in the Windows directory you specified or would all the chains be lost?

  8. RR says:

    Great article.
    However, I am a newcomer in this world of bitcoins and it seems cumbersome to me to have separate wallets for each coin and needing to back up, cold store, etc?
    Wouldn’t it be easier if there was a bank for virtual currencies, which provided online banking with some two form authentication system and where you could store your bitcoins, litecoins, etc securely? Aren’t there any service providers offering this?

  9. QD says:

    Hi,

    I have one question, say, I have backup the wallet data file, then my hard drive (or mainboard) fried, that I need to reinstall Windows, how do I
    1. Import old addresses?
    2. Or I just need to copy wallet.dat over the newly installed Windows/computer?

    Thanks
    Q

  10. Daz Mc says:

    Hi CryptoB,

    I backed up my FTC wallet because all of sudden my FTC wallet stopped working on my Windows 7 machine.

    So I re-downloaded the FTC wallet but this time on my Mac Book Pro. This is my first time trying to use a backup.dat file so I’m a little bit lost.

    I can see you’ve provided paths for locating the Windows and Linux wallet.dat file but was wondering would you know the path for Mac?

    Also am I correct in assuming you just replace the current dat file with my back dat file?

    Sorry for all the questions.

    Thanks
    Daz

  11. Joel says:

    Great site CryptoBadger! Thanks so much for all the help.

    Question, can you delete the wallet file if you are solo mining? Or will the transfer (assuming you find a block) fail because the miner can’t find the file?

    Thanks!
    Joel

  12. mitzache says:

    Hi, I have the same question. I saved the dat file and erase the wallet from my machine but how do I get back to spending my coins? Do I download the wallet again and override the .dat file with the one I saved?

  13. Boyd says:

    CB, first of all I want to thank you for the work you do in educating all of us. This is by far the easiest to understand site I have found in researching crypto currencies.

    Regarding wallets and syncing the chain. I like to sync up the chain every couple of days to ensure that it doesn’t get too far behind. Of course every time I do a new bat file appears. Does that file contain the same information as my original bat file? In other words, should I delete the file every time I sync up the chain?

  14. Anonymous says:

    You are the man

  15. Phil says:

    Hi

    Has anyone updated their wallet file to the latest version? I’m a bit unsure whether to do it as it says this:

    IMPORTANT WARNING: Litecoin v0.8.6.1
    ====================================
    These builds of Litecoin v0.8.6.1 have many improvements over the previous versions
    and are expected to work. It also reduces the default minimum transaction fee to
    0.001 LTC. This is great, but deployment of a fee reduction requires caution.

    Transactions flow from end-user clients to random peers who in turn relay valid
    transactions to the next peer. When minimum fee reductions happen, transactions
    can become stuck if all of your peers are running old versions of Litecoin as they
    the new fee is smaller than the previous minimum. As more users upgrade to 0.8.6.1
    the random chance of this happening becomes smaller and smaller.

    Optional Configuration
    ======================
    Currently Litecoin v0.8.6.1 users can add optional peers by editing litecoin.conf
    and using the addnode= parameter to manually connect to compatible relay nodes.

    The Litecoin community is now building a list of high bandwidth supernodes to
    prepare for a full public release. End-users will be recommended to addnode= one of
    the supernodes in a public list, operated by many different volunteers. Such manual
    connections helps to hasten the transition into the new lower default fee.

    You can help by in linking to the current supernodes and letting us know if you are able
    to contribute a high bandwidth listening supernode to the list for public release.

    Supernode Addresses
    ===================
    https://litecoin.info/Upgrading_Litecoin#Upgrading_to_0.8.6.1
    Follow the directions here to edit your litecoin.conf and add the necessary
    addnode= parameter.

    Tips
    ====
    * v0.8.5.3 nodes were the first to relay the new 0.001 mintxfee. So check
    getpeerinfo. If you have no v0.8.5.3 or v0.8.6.1 peers then your lower fee
    transactions are likely to get stuck until you find suitable peers.
    * v0.8.6.1 is very safe for mining and relay now even without manual connecions
    to other new fee capable peers. Only sending transactions requires the
    temporary manual addnode.

  16. […] We can really only secure wallets: 1) Those located on the computer. This topic has been covered many times, so I won’t reinvent the wheel. Use the links below: First example, instructions in Polish just in case. Second example, instructions in English […]

  17. David says:

    Since building my first mining rig using your guide, losing all the coins I have made has been on my mind, so I decided to make a cold storage wallet and had some people request them, so I made a site to keep track of the orders. Would love to send you some free ones as a thanks for your helpful guides!

    http://coincardwallet.com

  18. VG says:

    Dear CryptoBadger, I am so glad that I found your site. It does take a talent to have such an accurate and clever explanation.
    It seems that a litecoin wallet has more options that were not covered. Is it because it is not important? What about creating a signature and the signing options that are in the wallet? What about a “paraphrase” that it is asking you to create? I am using these words with very little understanding of how to use it and what it is for. Can you please expand your guide by covering these topics and by giving examples of when and how it can be used.

    I am using latest version v0.8.6.1-beta

    Thank you very much.

  19. Hi, I think your blog might be having browser compatibility issues.
    When I look at your blog in Ie, it looks fine but when opening in Internet Explorer,
    it has some overlapping. I just wanted to give you
    a quick heads up! Other than that, very good blog!

  20. Barnaby says:

    My pool had an incident today. Part of this incident is that some LTC accounts of the pool workers were cleaned out. I won’t name the pool, as they do a good job, they say they will recredit, and I believe them so I don’t want to give them bad publicity.
    What I want to say is that I’m very happy to have followed this tutorial. I have a 1 LTC auto payment threshold, so even if my pool account has been cleaned out, I don’t care : there was maybe 0,2 LTC on it when it happened ! I’ll sleep well tonight, which might not be the case for those who have left big amounts on the pool.
    Thanks again cryptobadger for all your excellent advice.

    • herman tierens says:

      Dear Sir, dear Madam,
      I have the following problem with my Litecoin qt wallet:.
      I have installed QT in december 2013 a wallet and a number of Litecoin.
      By me unknown circumstances I without knowing the encrypted with password wallet.
      Now enter my Litecoin in the wallet and I can no longer do without the password out there.
      There Is still a possibility in the encrypted wallet on my Litecoin to be able and to cross this possibly in a new Litecoin qt wallet that I have downloaded on another laptop?.
      I have of course made a backup of these encrypted wallet with all my Litecoin down in case of something would go and I still have all my Litecoin.
      Can you please help me with this problem, thanks, Herman

  21. Barnaby says:

    Follow up on the incident that affected my pool :
    – it appears that dozens of people have had their account cleaned out. According to these users reporting on the pool forums, dozens have lost tens of LTC, some were even in the range 100-250 LTC.
    – the pool crew said they would recredit, and they did. After 3 days, most people say they have been recredited.
    – the most modest thieving transfers could be blocked (ie the LTC didn’t leave the pool), but as for the bigger transfers, it seems that the pool crew refunded out of their own stash. Might have cost them thousands of LTC. This is a very devoted behaviour of their part. In the past, other pool crews didn’t go so far !

    This incident shows that securing your wallet and setting auto payment with low threshold is very very important.

  22. […] Original Post: http://www.cryptobadger.com/2013/05/guide-bitcoin-wallet-security/ […]

  23. Page says:

    Hello,

    I am new to this whole thing, and I was trying to get everything situated before I begin mining etc. I was looking for my wallet…but no such AppData exists on my machine, using win7. Is it that because it has no coins in it? Does it need coins?

    I used the manual “backup wallet” in the LTC client, and then saved it onto a USB stick and deleted the file from my computer. Is this essentially the same thing?

    Thanks

    • JG says:

      Had the same issue…
      In Win7,
      Click START WINDOWs in lower L corner and type RUN
      Under programs, choose RUN
      At Open: type %APPDATA%\
      Scroll through choices selecting LiteCoin, then OK
      The next box that pops up should have wallet.dat in the list

      Once you get everything set and uninstall LiteCoin – this
      is the place you would recopy the wallet.dat file back into
      then moving coins around, selling, etc. in the future.

  24. dude11 says:

    I have a wallet 0.8.6.1 and it will not SEND. It received just fine, added to it a couple of times but the thing won’t SEND? I have saved the password so that is not the issue. I am confused as to the person’s last statement…
    “Once you get everything set and uninstall Litecoin- this is the place you would recopy the wallet.dat file back into then moving coins around, selling?”

    What am I missing here? I thought the thing should just send. It’s like there is a bug in the program? Has anybody else experienced not being able to SEND? I have read others in forums explaining the QT won’t send, and that they never lost the passphrase. Even one guy said the passphrase worked fine before then he upgraded wallets, then it wouldn’t SEND. Coins are still there, like others on forums have said. Has to be a solution to this.
    I’m going to have to go see a community college and get help. But do you have any advice? I can tell I am not the only one and user error isn’t the reason.

  25. heatpro says:

    If you delete the client, and at a later point in time or on a different computer install the client again and paste in your wallet.dat file (from back-up), will everything work?
