How to Import, Export, Store and Manage Private Keys in Cryptocurrency Wallets

Any crypto wallet is a virtual keychain, with many addresses (keys) inside. What is the private key? Private keys are long strings of numbers and letters ‘unlocking’ the coins on the crypto address every time you make payment. The ‘golden rule of bitcoin’ by Andreas Antonopoulos is proving significance over the years: ‘Not your keys – not your Bitcoins’. Some of the industry’s worst wallets feature security holes, so you can lose the keys. Let’s make sure that you won’t.

What to Look at When Picking the Wallet Source on the Internet?

Briefly:

• Only download the wallet files from official website
• Always check MD5 checksum
• Always check GPG signature of the wallet publisher
• Always check the news for the recent wallet/website hack reports
• Consider building the client from source code (in case you want to put in all of your funds)

Many websites offer you to download the software without having to attend the official website. However, the Bitcoin wallet is not the usual application. It is for storing the actual wealth, that’s why you should always download the wallets only from the official website. Just like you download banking apps only via the bank’s website.

The most popular reference website for wallets overview is Bitcoin.org. It allows picking the wallet that would serve all your needs.

The website allows browsing among the most trusted wallets. There are many cryptocurrency wallets available around. However, the code of those wallets is either closed source or has low peer review coverage. Always hit the ‘Control’ checkbox when picking the wallet.

Next, check the MD5 checksum of the installation file you download. The ‘checksum’ is a digital fingerprint allowing you to verify whether the file you have is similar to the file site owners/wallet creators put on the website. The checksum must always be the same as the one written on the website. It is usually somewhere near the download link. In case you have a wallet installation file with checksum different from the featured one, its a fake copy aiming at stealing your coins.

More than that, hackers love to break the security systems of such websites to replace exe (Windows), dmg (Mac), and deb/rpm (Linux) installation files. In November 2019, the official Monero (XMR) website got hit by a hacker. They replaced the installation binary, but didn’t manage to rewrite the md5 checksum featured on the download page. One of the users lost $7000 after downloading the malicious Monero app. He then found that the hateful client had a different checksum.

Please note that checking the MD5 sum of a file does not provide 100% security. In some cases, the attackers can forge the MD5 checksum of the fake installation file. So that it is identical to checksum featured as ‘valid’ on a website. That’s why the only 100% secure way of verifying the installation file integrity is to check the GPG signature. Here’s the link to a great tutorial on verifying the Electrum wallet GPG signature on Windows.

GPG signature is a virtual signature attached to the wallet file by the creator. In case the attackers replace the original file and forge MD5 checksum, they won’t be able to ‘sign’ the binaries. Only a special key belonging to the creators can do that.

Also, consider installing cryptocurrency wallets by building the application by yourself with official code repo. Read this Linux-based tutorial on how to build from source. You can find instructions for Mac and Windows on the official website of a chosen wallet.

Custodial or Non-Custodial Wallets

Custodians are firms that manage your Bitcoin, Ethereum, or Monero private keys for you. Online wallets, big exchanges, telegram bots, and some of the software wallets are custodians.

Such service must be obligated by law to protect your funds and hold responsibility for the theft. In case they lose your coins, you apply for a refund via insurance. Exchanges like Coinbase and Gemini have such an option. The shady exchanges leave it without compensations though. Infamous Mt.Gox, BTC-e, and QuadrigaCX incidents serve as three bright examples.

Reports about the exchanges stealing/losing the user funds are common. That’s why it’s unsafe to store all of your wealth with them. Some are not scammers, though. It’s just a lack of technical knowledge. Please note that the custodial wallet won’t give you control over private keys.

Open Source and Closed Source Wallets

There are not so many closed source cryptocurrency wallets. Most of the wallets are open source. To avoid unnecessary loss of funds, consider avoiding closed source wallets. Those are Atomic Wallet, Jaxx, Exodus. Although they have a fair level of code privacy, there is no guarantee that the coding team won’t steal private keys. Jaxx and Exodus are two wallets constantly receiving negative feedback on Reddit and Bitcointalk.

Closed source wallets seem like using remote servers to store and deliver user’s wallet information. This makes them nothing better than online/custodial wallets and very insecure.

Hot Wallets and Cold/Paper Wallets

Almost any wallet will provide a 12 or 24-word backup phrase called ‘seed’. You must write it down on paper, then hide. Monero wallets allow you to create seeds with several languages. All other cryptocurrencies use English.

Please, take note that the Electrum wallet for BTC and Electron Cash for BCH both allow you to add custom words to the seed phrase. This way the seed is well protected against brute force attack.

A hot wallet is any software wallet that is running on a device with an Internet connection. This means less privacy and security. Holding a big sum on a hot wallet is not a good idea at all. Your private keys are at risk.

A hot wallet is secure enough for small to middle sums. But for big money, the best option is the so-called cold (paper) wallets that use bip38 encryption.

A cold wallet is also a crypto wallet running on a spyware-free device, without an Internet connection. The keys/seeds generated by that wallet are 100% unknown to anyone, yet mathematically valid in the blockchain. You don’t need a constant connection to the Internet or to the Bitcoin network to receive and store bitcoins or keys in cold storage.

Write down or print the seeds and they are secure.

The best cold wallet is the 12 words seed that you memorize in your head. It is called the ‘brain wallet’. It allows the money to ‘live’ inside your head: useful for refugees, journalists, secret agents, etc.

BIP38 Encryption of Exported Private Keys

Sometimes, you need to manage several wallets, addresses, or to export particular keys to make a cold/paper wallet.

Unfortunately, most Bitcoin wallets including Electrum show a lack of support for BIP38 encryption. It’s the standard applied to create password-protected cold/paper wallets. BIP38 encrypts the private keys with a password before exporting/printing it. Even if someone finds your backup, the funds remain safe. Contrary to that, if someone finds your seed or unencrypted keys – the funds are gone.

You can find BIP38 support in Mycelium Bitcoin Wallet for Android. Also, the wallet called Electron Cash has support for BIP38 keys import/export. But the wallet only works with Bitcoin Cash (BCH) and SLP tokens.

We had a quick chat with Calin Culianu, the Electron Cash wallet developer. Here’s what he says on the support of BIP38 encryption for the cold/paper wallets:

“Having the paper wallet without the password (which presumably you store securely or just keep in your head) means one can access the private key (by scanning the QR code or by entering the seed phrase). When the wallet is BIP38 protected, it is perfect. if someone steals your paper they can’t do jack. So keep all paper wallets behind bip38 keys with a password only you know.”

Are there any other wallets that use the same tech?

“Well, wallets are supposed to implement bip38. I don’t think bitcoin-qt does. Most people have to hit a website or use a 3rd party tool to turn bip38 keys into WIF keys which always annoyed me. So for instance people would hit this site (Bitaddress).”

So WIFs are not BIP38 encrypted?

“No, WIFs are plaintext, the key is right there. Screaming “steal me”. While you copy-paste the keys over to the new wallet, typically you use WIFs to switch wallets and bring your old addresses over to the new wallet. Put them in a file only you have access to temporarily.

If you work with WIFs (which stands for Wallet Import Format), then you need to keep the strings of the WIFs secure. These days most people work with wallet seeds. Which encapsulates all of the wallet’s deterministic private key generation inside a single bit of entropy.

But WIFs is the backup plan in case you switch between very old or incompatible seed formats. Maybe you have a multitude of wallets with keys to be extracted and mixed into one wallet? WIFs are a bit of a thing of the past. But.. people still use them a lot (again, power users). And sadly most wallets didn’t bother to implement bip38… but Electron Cash does. So you can export your keys securely and load them securely. Summary:

– WIF is plaintext private key format all wallets understand

– BIP38 – encrypted WIF key. you decrypt it back to a WIF

Electron cash can take the BIP38 key directly and can save it directly. Most wallets cannot — you need to use a third-party tool such as Bitaddress to turn WIF <-> BIP38. BIP38 is the only secure way to store private keys in a text file if you want to do cold storage.

Most people don’t really export keys, only power users do.”

Electron Cash is a wallet for BCH. For Bitcoin keys, please use the offline version of bitaddress.org. If you want to use that, don’t forget to turn off the Internet connection at the same moment you enter the site! Also, Mycelium Bitcoin wallet for Android is capable of reading and decrypting BIP38 keys.

Please take note that the BIP38 private keys will start with 6p instead of 5j.

How to Know Whether the Wallet Stores Private Keys Locally or on a Remote Server?

Some cryptocurrency wallets are storing the user’s private keys on remote servers. The fact that your seeds have to travel to the Internet makes it all less secure. Only one of such wallets is featured on Bitcoin.org in the wallets section. It’s the Edge wallet.

Unlike other wallets, Edge requires the creation of username and password pair, not the 12 or 24-word seed. The wallet encrypts your seed with the username and password of your choice. Then, it sends it over to the remote servers. If you lost the wallet, recover the funds on another device with the same login and password. In terms of guessing, the seed is better than username and password. However, if you make the password and the username strong enough, that would increase fund safety.

There are other similar wallets, like Exodus, Jaxx, or Atomic Wallet. They are not featured on Bitcoin.org at all. That’s because their code is closed source and no chance to check whether they send out seeds and if the connection to the servers is secure.

There are concerning Bitcointalk discussions alleging that the Exodus wallet keeps a database of all the seeds on remote servers via the ‘e-mail backup link’ feature.

Efficient Private Keys Management Tools

Electrum wallet – the most efficient Bitcoin keys management tool. If you want to gain convenient visual exposure of your addresses and private keys, it’s the best wallet. It’s open-source, and Electrum offers good key control features not presented in other wallets.

For instance, you can view and manage/label all of the addresses that the wallet generates using a separate Addresses tab. For BCH, you can use the Electron Cash wallet. It is a fork of Electrum maintained by anonymous developers.

Bitcoin Private Keys Protection via Hardware Wallets

Many of the experts recommend the hardware wallets as a perfect solution. But you must put even more attention while picking the right hardware wallet. It will store the keys on a special memory disk where viruses cannot deploy and execute code. However, there are numerous reports about unexpected bugs in such wallets.

Unlike the usual wallet, hardware one is a physical product with a price. It also requires a bit of trust in the developers and their coding/engineering skills.

Also, wallet users can make magic with the portable keychain file storage option. Just export the keys on an encrypted flash drive and a custom hardware wallet is yours. It is not entirely safe but looks cool and you can impress girls with your skill.