3

I'm new to bitcoin and I'm very concerned about keeping my wallet secure. As I prefer CLIs over GUIs for many reasons including security, I'm learning how to use the bitcoin-cli command on GNU/Linux. In particular, the command bitcoin-cli walletpassphrase lets you unlock your wallet for a specified amount of time in order to make a transaction. You're expected to run this command like so:

```
bitcoin-cli walletpassphrase 'p4$$w0rd' 45
```

Where the last two arguments are the plaintext password and the unlock time in seconds. That's clearly not secure at all because your password is going to be stored in plaintext in ~/.bash_history, and also someone could be watching you type your plaintext unobfuscated password over your shoulder, or also scroll back afterwards.

So, after trying some suggestions in this related post, I came up with a very simple solution. I have to mention that I use pass for storing my passwords:

```
pass bitcoin | xargs -I '{}' bitcoin-cli walletpassphrase '{}' 45
```

In other words, I use a pipe and xargs (see this post) to input my password and avoid all the aforementioned security issues.

My question is: is this really secure? Is there any possibility for an attacker to somehow obtain my password while it is travelling from pass to bitcoin-cli? Any other thoughts about this?

e18r
  • 153
  • 7

2 Answers

4

Ultimately your xargs solution still results in the bitcoin-cli being run with the password as a command line argument. Your solution successfully prevents the password from ending up in your ~/.bash_history file. However, it doesn't prevent the password from showing up in your system's process list while the command is running. Any user on your system running "ps -ef" at the right moment (such as by spamming the command) can see the password.

On a standard single user desktop system, this isn't a big concern. You can disable the ability for users to list other users' processes by following the instructions at https://unix.stackexchange.com/a/244357/94543.

Another possibility to consider is that some system utilities may record the active process list. If you configure an intrusion detection system, then it may record every process started and their arguments. If a program on your computer crashes, a crash logging utility may include a list of your system's running processes in the log. (That would be pretty bad luck to have that run in the same moment that bitcoin-cli is, but consider the case where your system is running low on memory, causing bitcoin-cli to hang and also causing another program to crash, triggering a crash logger...)

The best and foolproof solution would be if bitcoin-cli had a flag to allow you to pass it the password interactively or directly over standard input. And conveniently, it has the -stdin option allowing you to do that:

```
bitcoin-cli -stdin walletpassphrase
```
Macil
  • 1,482
  • 9
  • 11
  • Is there a way to concatenate this command with pass so I don't have to copy-paste the password? – e18r Jan 21 '17 at 17:19
  • Yes, bitcoin-cli will read from stdin with this option, so you can pipe into it: `pass bitcoin | bitcoin-cli -stdin walletpassphrase` – Macil Jan 23 '17 at 18:23
  • What about @Yorick de Wid's answer below? How secure is passing the password via pipe? Also, with -stdin I have to input the password, then newline, then the unlock time. You know how to do it with the pipe? – e18r Jan 25 '17 at 16:26
  • 1
    If someone has root on your system, then they can see anything in it. If they want your bitcoin wallet, then they can just dump the memory of the bitcoin process regardless of how you pass a password into it. You can do this: `(pass bitcoin; echo 123) | bitcoin-cli -stdin walletpassphrase` – Macil Jan 25 '17 at 18:53
  • `stty -echo;bitcoin-cli -stdin walletpassphrase;stty echo` => `enter pass\n enter timeout\n ctrl+D` (to prevent stdout echoing) – mpapec Sep 13 '17 at 11:01
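
The difference this answer describes, as an added example that is not part of the original answer or its comments: the script checks whether a passphrase can be read from `/proc/<pid>/cmdline` (the source of `ps -ef` output) when it is passed as an argument versus over stdin. It assumes Linux; `SECRET` is a constructed value and `sh -c ... fake-bitcoin-cli` is a hypothetical stand-in for bitcoin-cli so that no node is needed.

```shell
#!/bin/sh
# Added example. SECRET is a constructed value; `sh -c ... fake-bitcoin-cli`
# is a stand-in for bitcoin-cli so this runs without a node. Linux /proc only.
SECRET='constructed-passphrase-123'

# What `ps -ef` shows for a PID: /proc/<pid>/cmdline, the NUL-separated argv.
cmdline_of() { tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline"; }

# Poll until the child has exec'd the stand-in, then report yes/no.
secret_visible() {
    i=0
    while [ "$i" -lt 50 ]; do
        case "$(cmdline_of "$1")" in *fake-bitcoin-cli*) break ;; esac
        sleep 0.1; i=$((i + 1))
    done
    case "$(cmdline_of "$1")" in
        *"$SECRET"*) echo yes ;;
        *) echo no ;;
    esac
}

stop() { kill "$1" 2>/dev/null || true; wait "$1" 2>/dev/null || true; }

# Passphrase as an argument: the command line that the xargs form ends up running.
argv_exposure() {
    sh -c 'sleep 2; :' fake-bitcoin-cli walletpassphrase "$SECRET" 45 >/dev/null 2>&1 &
    pid=$!
    secret_visible "$pid"
    stop "$pid"
}

# Passphrase and timeout as two stdin lines: the -stdin form from the answer.
# printf is a shell builtin here, so the secret is not in any process's argv.
stdin_exposure() {
    printf '%s\n%s\n' "$SECRET" 45 |
        sh -c 'read -r p; read -r t; sleep 2; :' fake-bitcoin-cli -stdin walletpassphrase >/dev/null 2>&1 &
    pid=$!
    secret_visible "$pid"
    stop "$pid"
}

echo "argv form:  passphrase in process list? $(argv_exposure)"
echo "stdin form: passphrase in process list? $(stdin_exposure)"
```
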
-1

How secure do you want it? On Unix the pipe is implemented via a Unix socket. One could hook in on the socket, reading the buffer and storing it somewhere, without you ever noticing it. This could be worse than the ~/.bash_history problem (which you can disable).

> As I prefer CLIs over GUIs for many reasons including security.

I am not so sure the interface does matter when it comes to security. I can certainly think of a few use cases whereas the web interface might pose less security concerns, than a GUI.

Yorick de Wid
  • 3,346
  • 14
  • 22
  • 2
    "I can certainly think of a few use cases whereas the web interface might pose less security concerns, than a GUI." Would you mind elaborating on this for the rest of us? – R. Murray Dec 21 '16 at 21:09
  • How could an attacker hook in on a pipe socket? Do you have any recommendations to protect against that? In general, what would be your approach to providing the password? Would you rather use bitcoin-qt? – e18r Dec 22 '16 at 03:55
  • 2
    An attacker could only hook in on the socket if they have root on your system (or access to your user account and are ptracing these processes). If they have that access, then they could just dump the memory of the bitcoin process while the wallet is unlocked, and it doesn't matter one bit how you put in your password. – Macil Jan 21 '17 at 01:38