Wallets, Passphrase, SSH Fail Safe, & Backups

mqpickens
Posts: 48
Joined: Sat Jun 04, 2022 11:38 pm

Wallets, Passphrase, SSH Fail Safe, & Backups

Post by mqpickens »

It is a good practice to create a backup copy of wallet files and have a second SSH public key handy; however,
keeping these backup files encrypted is a must for good security measures. Start by generating a passphrase:

Generating Strong Passphrase
  • STRONGPASSPF=$(openssl rand -base64 24)
  • STRONGPASSPF=${STRONGPASSPF//\//0} # Replace '/' characters with '0'
  • STRONGPASSPF=${STRONGPASSPF//+/1} # Replace '+' characters with '1'
  • STRONGPASSPF=${STRONGPASSPF//=/} # Replace '=' characters with ''
  • STRONGPASSPF=${STRONGPASSPF//O/0} # Replace 'O' (o) characters with '0'
  • STRONGPASSPF=${STRONGPASSPF//l/1} # Replace 'l' (L) characters with '1'
  • echo $STRONGPASSPF | sudo tee /root/passphrase
  • STRONGPASSPF="" # Erase from memory
  • sudo chmod 400 /root/passphrase
Record (by Hand) the Passphrase (store in a safe place)
  • sudo cat /root/passphrase
Verify Hand Written Passphrase
  • # Type in the passphrase in substitution of $TYPED_HANDWRITTENPASSPHRASE (keep the quotes)
  • sudo cat /root/passphrase | grep -Fx -- "$TYPED_HANDWRITTENPASSPHRASE" | wc -l # -F: literal text, -x: the whole line must match
  • history -c # Clear the password from bash's history
  • # 0 indicates it was not recorded/entered correctly
  • # 1 indicates that it was recorded/entered correctly
Last edited by mqpickens on Fri May 19, 2023 7:13 pm, edited 16 times in total.
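Added example, not part of the original post: a POSIX shell version of the generate, store and verify steps above that creates the passphrase file with restrictive permissions from the start and checks the handwritten copy with an exact comparison, reading it without echo so it never lands in shell history. The function names are hypothetical; the character substitutions and the 400 mode are the post's.

```shell
#!/bin/sh
# Added example, not from the original post; all function names are hypothetical.

# The post's substitutions in one pass: '/'->0, '+'->1, 'O'->0, 'l'->1, '=' dropped.
normalize_passphrase() {
    printf '%s' "$1" | tr '/+Ol' '0101' | tr -d '='
}

# 24 random bytes, base64-encoded, then normalized (same recipe as the post).
generate_passphrase() {
    normalize_passphrase "$(openssl rand -base64 24)"
}

# $1 = target file, $2 = passphrase. The file is created under umask 077 so it
# is never readable by group or others, then set to mode 400 as in the post.
write_passphrase_file() (
    umask 077
    printf '%s\n' "$2" > "$1" && chmod 400 "$1"
)

# Read the stored passphrase, using sudo only when the file is not readable.
read_stored() {
    if [ -r "$1" ]; then cat "$1"; else sudo cat "$1"; fi
}

# $1 = file, $2 = candidate. Succeeds only on an exact, non-empty match; the
# comparison happens inside the shell, so the candidate never appears in
# another process's argument list.
passphrase_matches() {
    [ -n "$2" ] && [ "$(read_stored "$1")" = "$2" ]
}

# Interactive check of the handwritten copy ($1 = file). Prints 1 or 0 like the
# post's check; the input is not echoed and is not part of any command line.
verify_handwritten() {
    printf 'Type the handwritten passphrase: ' >&2
    stty -echo; IFS= read -r typed; stty echo; printf '\n' >&2
    if passphrase_matches "$1" "$typed"; then echo 1; else echo 0; fi
    typed=""
}
```

After sourcing the file in a root shell, `write_passphrase_file /root/passphrase "$(generate_passphrase)"` followed by `verify_handwritten /root/passphrase` covers the three steps.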
mqpickens

SSH Fail Safe

Post by mqpickens »

Create Fail Safe SSH Key Pair
  • sudo su satoshi # Let's use satoshi's account
  • sudo rm ~/.ssh/ssh_key_failsafe*
  • ssh-keygen -t ed25519 -C "# SSH Fail Safe" -N $(sudo cat /root/passphrase) -f ~/.ssh/ssh_key_failsafe
Authorize New Key
  • sed -i '/# SSH Fail Safe/d' ~/.ssh/authorized_keys # Delete preexisting "Fail Safe Key" if it exists
  • cat ~/.ssh/ssh_key_failsafe.pub | sudo tee -a ~/.ssh/authorized_keys # Add "Fail Safe Key" to list of authorized keys
  • sudo cat ~/.ssh/authorized_keys # Verify fail safe key was successfully added to authorized_keys file
Verify Passphrase is Enforced
  • echo "passphrase:" $(sudo cat /root/passphrase) # Verify a strong passphrase is being referenced
  • ssh-keygen -y -P $(sudo cat /root/passphrase) -f ~/.ssh/ssh_key_failsafe # If output matches pub key, referenced passphrase is in use!
Note: For this SSH Fail Safe to be of any use, the private key needs to exist outside this node (i.e. backed up).
It is used to log in when other remote login methods have failed (e.g. you lose your YubiKey).
Last edited by mqpickens on Wed May 17, 2023 4:10 am, edited 9 times in total.
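Added example, not part of the original post: `ssh-keygen -y` also prints the public key for a private key that has no passphrase at all, whatever is passed to `-P`, so this check first confirms that the empty passphrase is rejected and only then tests the expected one and compares the result with the `.pub` file. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Succeeds only if the private key ($1) is encrypted, opens with the expected
# passphrase ($2), and yields the public key stored in "$1.pub".
failsafe_key_ok() {
    # An unencrypted key loads regardless of -P, so the empty passphrase must fail.
    if ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1; then
        echo "key is NOT passphrase-protected" >&2
        return 1
    fi
    derived=$(ssh-keygen -y -P "$2" -f "$1" 2>/dev/null) || {
        echo "passphrase does not open the key" >&2
        return 1
    }
    # Compare key type and key blob only; the trailing comment may differ.
    [ "$(printf '%s\n' "$derived" | cut -d' ' -f1,2)" = "$(cut -d' ' -f1,2 "$1.pub")" ]
}

# Prints how many lines of the authorized_keys file ($2) carry the public key
# stored in $1; after the "Authorize New Key" steps the expected value is 1.
authorized_count() {
    blob=$(cut -d' ' -f2 "$1")
    grep -cF -- "$blob" "$2"
}
```

On the node this would be called as `failsafe_key_ok ~/.ssh/ssh_key_failsafe "$(sudo cat /root/passphrase)"` and `authorized_count ~/.ssh/ssh_key_failsafe.pub ~/.ssh/authorized_keys`.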
mqpickens

Create Wallets w/ Strong Passphrase

Post by mqpickens »

Generate Wallets
  • btc --named createwallet wallet_name="watch" disable_private_keys=true descriptors=false load_on_startup=true
  • btc --named createwallet wallet_name="import" descriptors=false load_on_startup=true
  • btc --named createwallet wallet_name="mining" passphrase=$(sudo cat /root/passphrase) load_on_startup=true
  • btc --named createwallet wallet_name="bank" passphrase=$(sudo cat /root/passphrase) load_on_startup=true
Create Alias That Unlocks Wallets for 24 Hours
  • alias unlockwallets="btc -rpcwallet=mining walletpassphrase \$(sudo cat /root/passphrase) 86400; btc -rpcwallet=bank walletpassphrase \$(sudo cat /root/passphrase) 86400"
  • echo "alias unlockwallets=\"btc -rpcwallet=mining walletpassphrase \$(sudo cat /root/passphrase) 86400; btc -rpcwallet=bank walletpassphrase \$(sudo cat /root/passphrase) 86400\"" | sudo tee -a /etc/bash.bashrc # Restores alias @ boot
  • alias lockwallets="btc -rpcwallet=mining walletlock; btc -rpcwallet=bank walletlock"
  • echo "alias lockwallets=\"btc -rpcwallet=mining walletlock; btc -rpcwallet=bank walletlock\"" | sudo tee -a /etc/bash.bashrc # Restores alias @ boot
Verification
  • btc listwalletdir # Show wallets in wallets directory
  • btc listwallets # Show wallets that are loaded
  • echo "passphrase:" $(sudo cat /root/passphrase) # Verify a strong passphrase is being referenced
  • lockwallets # Lock wallets
  • btc -rpcwallet=mining walletpassphrase $(sudo cat /root/passphrase) 1 # No messages indicates passphrase is working
  • btc -rpcwallet=bank walletpassphrase $(sudo cat /root/passphrase) 1 # No messages indicates passphrase is working
Last edited by mqpickens on Mon May 15, 2023 2:33 pm, edited 3 times in total.
mqpickens

Backup and Restore

Post by mqpickens »

Backup Wallets and SSH Fail Safe Key ("watch" and "import" wallets not included)
  • Remote (e.g. Debian Linux)
    • sudo su satoshi # Let's use satoshi's account
    • mkdir ~/backup
    • sudo install -C -m 400 -o satoshi -g satoshi /var/lib/bitcoin/micro/wallets/mining/wallet.dat ~/backup/mining.dat
    • sudo install -C -m 400 -o satoshi -g satoshi /var/lib/bitcoin/micro/wallets/bank/wallet.dat ~/backup/bank.dat
    • sudo install -C -m 400 -o satoshi -g satoshi ~/.ssh/ssh_key_failsafe ~/backup
  • Local (e.g. Windows PowerShell)
    • scp -rp -P $PORT -i $HOME/.ssh/YubiKey satoshi@$ADDRESS:~/backup $HOME/Desktop # The port is optional; default is 22
    • # With WSL, the host drive is already mounted. It can just be copied with cp (e.g. "cp -rf ~/backup /mnt/c/Users/$USERNAME/Desktop")
Restore Wallets (Wallets will be called bank-restored and mining-restored)
  • # Copy wallet files (mining.dat & bank.dat) to a folder (named "restore") on the desktop
  • Local (e.g. Windows PowerShell)
    • scp -rp -P $PORT -i $HOME/.ssh/YubiKey $HOME/Desktop/restore satoshi@$ADDRESS:~ # The port is optional; default is 22
    • # With WSL, the host drive is already mounted. It can just be copied with cp (e.g. "cp -rf /mnt/c/Users/DellXPS13/Desktop/restore ~/")
  • Remote (e.g. Debian Linux)
    • sudo mkdir -p /var/lib/bitcoin/micro/wallets/mining-restored
    • sudo chown -R bitcoin:bitcoin /var/lib/bitcoin/micro/wallets/mining-restored
    • sudo mkdir -p /var/lib/bitcoin/micro/wallets/bank-restored
    • sudo chown -R bitcoin:bitcoin /var/lib/bitcoin/micro/wallets/bank-restored
    • sudo install -C -m 600 -o bitcoin -g bitcoin ~/restore/mining.dat /var/lib/bitcoin/micro/wallets/mining-restored/wallet.dat
    • sudo install -C -m 600 -o bitcoin -g bitcoin ~/restore/bank.dat /var/lib/bitcoin/micro/wallets/bank-restored/wallet.dat
  • Load Wallets
    • btc loadwallet mining-restored
    • btc loadwallet bank-restored
  • Unlock Restored Wallets
    • # Type in Hand Written passphrase in substitution of $TYPED_HANDWRITTENPASSPHRASE (keep the quotes)
    • btc -rpcwallet=mining-restored walletpassphrase "$TYPED_HANDWRITTENPASSPHRASE" 100000000
    • btc -rpcwallet=bank-restored walletpassphrase "$TYPED_HANDWRITTENPASSPHRASE" 100000000
Last edited by mqpickens on Wed May 17, 2023 2:13 pm, edited 2 times in total.
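Added example, not part of the original post: a checksum manifest written on the node next to the backed-up files, and a check run on the node before the restored wallet files are installed, so a truncated or altered copy is caught before it is loaded. The function names and the `SHA256SUMS` file name are assumptions, as is copying `SHA256SUMS` into the "restore" folder together with the wallet files.

```shell
#!/bin/sh
# Added example, not from the original post; function names and the
# SHA256SUMS file name are assumptions.

# $1 = directory, remaining arguments = file names inside it.
# On the node, after filling ~/backup:
#   write_manifest ~/backup mining.dat bank.dat ssh_key_failsafe
write_manifest() (
    cd "$1" || exit 1
    shift
    sha256sum "$@" > SHA256SUMS
)

# $1 = directory holding the copied files and SHA256SUMS, remaining arguments =
# files that must be present. Succeeds only if every named file is listed in
# the manifest, exists, and hashes to the recorded value.
# On the node, before the "sudo install" steps of the restore:
#   verify_files ~/restore mining.dat bank.dat
verify_files() (
    cd "$1" || exit 1
    shift
    for f in "$@"; do
        want=$(awk -v n="$f" '$2 == n { print $1 }' SHA256SUMS)
        [ -n "$want" ] || { echo "not in manifest: $f" >&2; exit 1; }
        [ -f "$f" ] || { echo "missing: $f" >&2; exit 1; }
        have=$(sha256sum "$f" | cut -d' ' -f1)
        [ "$have" = "$want" ] || { echo "checksum mismatch: $f" >&2; exit 1; }
    done
)
```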
mqpickens

Login w/ SSH Fail Safe Key

Post by mqpickens »

If your YubiKey is lost, stolen, no longer working, or simply not available, you can still log in with your SSH Fail Safe Key.

Login w/ SSH Fail Safe Key (SSH Windows PowerShell)
  • # Move private key file (ssh_key_failsafe) to $HOME/.ssh
  • ssh -p $PORT satoshi@$ADDRESS -i $HOME/.ssh/ssh_key_failsafe # The port is optional; default is 22
  • # Type in Hand Written passphrase
(If Necessary) Remove Access from the Lost or Stolen YubiKey
  • sed -i '/YubiKey/d' ~/.ssh/authorized_keys