Moving an existing software wallet onto an encrypted USB drive can provide an extra layer of security and flexibility. I think that most people begin down this path thinking about it as a backup, or maybe that a USB is just easier to put in a fire safe than a laptop. Upon closer consideration you will discover many more significant advantages to keeping your hot wallet on secure removable media.
This article is for those that have decided to move an existing software (hot) wallet to a USB. I believe most would agree that separating your wallet from the computer that you use daily for work and play is wise and practical. Perhaps you need an easy-to-use USB bootable Ubuntu or Mint partition to protect from the inherent insecurities of Windows and OSX.
I am following this concept to its logical conclusion, storing a wallet on an “On-The-Fly” hardware encrypted removable device, striking a balance between convenient flexibility and realistic security. This is more than just a “How to” article. I also address different use cases and the common misconceptions about this approach.
With all the talk about hardware wallets you might think that there are no hardware encryption alternatives for software wallets. That is not the case. In this article I introduce Arcanus 55, a hardware encrypted USB bootable Ubuntu platform.
The encrypted USB drive in this scenario is uniquely qualified for this task. It is 256-bit AES encrypted. Data is encrypted on the fly and the data remains encrypted while the drive is at rest. This hardened drive has brute-force defense, unattended auto lock and a self-destruct PIN.
I would like to point out that there is much misinformation on this subject. I don’t think that it’s intentional, but people tend to disparage software wallets on USB without fully understanding the diverse needs that drive this solution. Historically it has been more of a home-brew nerd solution, embraced by those that were already predisposed to bootable Ubuntu / Linux Mint and feel comfortable locking down their own operating system. With Arcanus 55 you don’t need to be a Linux expert because the partition is created and configured for you.
Everyone has different information security needs. There is no one-size-fits-all solution. The platform described here is a flexible solution that can evolve with your needs. For example, if you just want to store Ethereum then a simple hardware wallet would be sufficient. But if you need cold storage, sensitive document storage, a password management vault, a virtual keyboard, a bootable Ubuntu partition and all in an airtight waterproof container then Arcanus 55 would work for you. The two are not mutually exclusive. Most hardware wallets will fit inside the A55 Capsule and A55 Key Quest Vault secures BIPx passphrases.
A software wallet on a USB is not as secure as a software wallet installed on a computer.
This myth is based on the misguided notion that a user is “encouraged” to plug the USB into a compromised computer. Somehow that is considered more likely than the user simply installing the software wallet on a compromised computer. While both scenarios are possible, I believe that the user who opted for the encrypted USB is far more security conscious than the user who simply downloaded and installed the software wallet. Ultimately it is the behavior of the user that is at issue, not the vulnerability of the medium.
Ironically those that choose digital currency over paper choose paper security over digital.
Another common misconception that seems to be repeated often is that writing a mnemonic passphrase on a piece of paper is the most secure solution for all users.
Software wallet instructions and sage advisors on Reddit strongly suggest that you write the mnemonic passphrase on a piece of paper or etch it into steel. The reason given is that it will protect you in case of computer failure. Considering that this is a portable wallet, is computer failure even a concern? We’ve installed this wallet on a hardware encrypted USB drive for exactly that reason. You should absolutely record the passphrase, but is paper really the best option for everyone?
Human nature is the problem. I suspect that most people will write down the passphrase on a post-it note and hide it somewhere anyone can find it, except the naive owner who forgot where he hid it. It is a myth that paper is safer than digital. While it is true paper cannot be hacked, it is easily lost, burnt, or simply photographed. An attacker with no technical skill can easily compromise paper / etched steel.
It is also suggested that you “Do not store the passphrase electronically”. Presumably because all data stored electronically is unsafe. That doesn’t sound right! Personally I think this is an attempt to dodge responsibility. If a user writes the passphrase on paper and it gets compromised then it’s clearly the user’s fault, even though the user likely did not have sufficient skill to perform the task. Perhaps a person with a military, intelligence or information security background would have mitigated all the potential risks. A new crypto investor may not be equipped to solve this problem. Paper is risky.
A passphrase hand written on a piece of paper is compromised on sight. One glance and it’s gone. Knowing this people have tried to scramble the words or letters. I would not recommend this “security by obscurity” behavior. It is not likely to stop an attacker but you are very likely to forget your word pattern.
There are risks unique to the paper medium. Consider what would happen in the event of death, incarceration or traumatic memory loss. Paper has no “Dead Man’s Switch”. Consider a duress situation where you or a loved one are held captive. Paper has no duress “rubber hose” redirection. Paper in a safety deposit box will be compromised if the box is forfeit by court order. Paper will not survive a fire or flood.
Paper is Poverty. It is only the ghost of money, and not money itself
There are three approaches to moving your wallet:
1). Create a new portable wallet on the encrypted USB drive exFAT partition then transfer the keys to the new wallet.
2). Create a new Linux wallet on the encrypted USB bootable Ubuntu partition then transfer the keys to the new wallet.
3). Copy your existing wallet’s files from your internal hard drive and update your links to point to the new location.
What is portable? A portable version has no OS dependencies, meaning that it does not use an installer and makes no registry changes. It is portable in that you can plug it into another PC and simply double-click on the executable.
If you like approach 1 (the exFAT portable solution) then read my other article that explains the process in depth.
If you like approach 2 (the Ubuntu solution) simply follow the software wallet’s instructions for Linux. I hope to publish an Arcanus 55 specific article on this topic shortly.
If you are still reading then I assume you want to manually move your wallet’s assets into a folder on an encrypted USB.
The first step is to discover where on your internal hard drive the wallet is storing its assets. If it created a desktop icon, simply right-click that icon and choose Properties.
The next step is to copy then paste that folder onto the encrypted USB volume.
Done. To run the wallet you can just double-click on the executable or change the link to point to the new location. Or both.
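A scripted version of the copy step that also checks the result, added here as an example and not part of the original article or any wallet's own tooling: it copies the wallet folder to the unlocked USB volume and compares SHA-256 digests of every file on both sides. The folder name ExampleWallet, its file names and the temporary directories are constructed stand-ins for a real wallet data folder and USB mount point.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large wallet databases do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def tree_digest(root: Path) -> dict[str, str]:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def copy_and_verify(src: Path, dst: Path) -> list[str]:
    """Copy src to dst and return the relative paths that are missing or differ."""
    before = tree_digest(src)
    shutil.copytree(src, dst)  # raises if dst already exists: no silent overwrite
    after = tree_digest(dst)
    return sorted(k for k in before.keys() | after.keys()
                  if before.get(k) != after.get(k))


def demo() -> list[str]:
    """Run against a constructed stand-in wallet folder (not a real wallet layout)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "internal" / "ExampleWallet"
        (src / "wallets").mkdir(parents=True)
        (src / "wallets" / "default.dat").write_bytes(b"constructed sample data")
        (src / "config.json").write_text('{"network": "test"}')
        usb = Path(tmp) / "usb" / "ExampleWallet"  # stands in for the unlocked USB volume
        usb.parent.mkdir()
        return copy_and_verify(src, usb)


if __name__ == "__main__":
    print("mismatched files:", demo() or "none")
```

An empty result means every file on the USB matches the original. Running `tree_digest` on the USB again after ejecting and reconnecting it is a stronger check, because a read made right after the copy may be served from the operating system's cache instead of the device.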
There are some safety warnings at the end of the article. Please, please, please read them.
In this article I presented a critical comparison between a wallet on a laptop and a wallet on an encrypted USB.
So far things seem pretty equal. Let’s compare extended scenarios where both USB and a laptop are lost, stolen, crushed or submerged in liquid. In each of these situations the Arcanus 55 USB survives and thrives while the average laptop does not. If the USB is lost or stolen it is gone but its secrets remain safe. Its contents are encrypted at rest and its PIN is brute-force protected. The Arcanus 55 Capsule protects the USB from physical / liquid damage. Furthermore, a USB is much easier to put in a fire safe, safety deposit box or jump bag than a laptop.
We’ve compared a software wallet installed on an encrypted USB vs. a software wallet installed on an internal drive. We are not comparing a software wallet installed on an encrypted USB with a bootable Linux Mint Cinnamon partition. That is a subject for a future article, but here is a spoiler. The USB wins!
Enter the PIN before inserting the USB into its slot. Do not enter the PIN while the device is connected.
Close all applications before ejecting the USB device. This is an important step especially if you are using the A55 Key Quest Vault or a software cryptocurrency wallet.
Put the USB Device back in its capsule when not in use. You should remember to seal the capsule and store it in a safe place.
Make sure you are not being watched or recorded on surveillance cameras. Be aware of your surroundings and look behind you.
Do not plug the USB into a suspicious computer. Avoid using a computer that may be infected with malware.