Skip to content

Instantly share code, notes, and snippets.

@mingyang91

mingyang91/Safeguarding Your Mnemonic Phrase.md

Created November 28, 2024 14:27
Show Gist options
  • Save mingyang91/3bd22cd89c694081d48cc2835afca240 to your computer and use it in GitHub Desktop.
Save mingyang91/3bd22cd89c694081d48cc2835afca240 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Safeguarding Your Mnemonic Phrase.md

Safeguarding Your Mnemonic Phrase: A Comprehensive Guide

Your mnemonic phrase is the master key to your cryptocurrency wallets and digital assets. Securing it against unauthorized access is paramount. This guide will walk you through encrypting your mnemonic using RSA encryption with OpenSSL, ensuring it remains confidential and secure.

Table of Contents

  1. Introduction
  2. Prerequisites
  3. Step-by-Step Instructions
    • Step 1: Generate an RSA Private Key with a Passphrase
    • Step 2: Extract the Public Key
    • Step 3: Verify the Public Key
    • Step 4: Confirm the Private Key is Encrypted
    • Step 5: Encrypt Your Mnemonic Phrase
    • Step 6: Verify the Encrypted Mnemonic
    • Step 7: Test Decrypting Your Mnemonic
    • Step 8: Verify the Decryption (DO NOT DO THIS ON YOUR FINAL MNEMONIC)
  4. Critical Security Considerations
  5. Final Steps
  6. Conclusion

Introduction

In the digital age, securing sensitive information like your cryptocurrency mnemonic phrase is essential. By encrypting your mnemonic with a robust RSA key, you add an extra layer of security, ensuring that even if someone gains access to your encrypted data, they cannot decrypt it without the private key and passphrase.

Prerequisites

  • Operating System: Unix-like system (Linux, macOS)
  • Installed Software: OpenSSL
  • Basic Knowledge: Familiarity with command-line operations

Step-by-Step Instructions

Step 1: Generate an RSA Private Key with a Passphrase

Create a 4096-bit RSA private key encrypted with AES-256 encryption. Replace my_rsa_private_key.pem with a filename of your choice.

openssl genpkey -algorithm RSA -out my_rsa_private_key.pem -pkeyopt rsa_keygen_bits:4096 -aes256
  • Explanation:
  • openssl genpkey: Generates a private key.
  • -algorithm RSA: Specifies the RSA algorithm.
  • -out my_rsa_private_key.pem: Saves the private key to my_rsa_private_key.pem.
  • -pkeyopt rsa_keygen_bits:4096: Sets the key size to 4096 bits.
  • -aes256: Encrypts the private key with AES-256; you will be prompted to set a strong passphrase.

Important: You must remember this passphrase. Memorize it securely and do not write it down or store it digitally. This passphrase is essential for decrypting your mnemonic in the future.

Step 2: Extract the Public Key

Derive the public key from your private key. Replace my_rsa_public_key.pub with a filename of your choice.

openssl pkey -in my_rsa_private_key.pem -pubout -out my_rsa_public_key.pub
  • Explanation:
  • openssl pkey: Manages public and private keys.
  • -in my_rsa_private_key.pem: Specifies the input private key file.
  • -pubout: Outputs the public key.
  • -out my_rsa_public_key.pub: Saves the public key to my_rsa_public_key.pub.

Step 3: Verify the Public Key

Display the contents of the public key to ensure it has been correctly generated.

cat my_rsa_public_key.pub

Step 4: Confirm the Private Key is Encrypted

Check that your private key is encrypted by viewing its headers.

cat my_rsa_private_key.pem
  • You should see:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIJtTBfBg...
-----END ENCRYPTED PRIVATE KEY-----

The ENCRYPTED PRIVATE KEY header confirms that the key is encrypted.

Step 5: Encrypt Your Mnemonic Phrase

Encrypt your mnemonic phrase using the public key. Ensure your mnemonic is saved in a file named mnemonic.txt.

openssl pkeyutl -encrypt -pubin -inkey my_rsa_public_key.pub -in mnemonic.txt -out encrypted_mnemonic.bin -pkeyopt rsa_padding_mode:oaep
  • Explanation:
  • openssl pkeyutl: Performs public key cryptographic operations.
  • -encrypt: Sets the mode to encryption.
  • -pubin: Indicates that the input key is a public key.
  • -inkey my_rsa_public_key.pub: Specifies the public key file.
  • -in mnemonic.txt: Input file containing your mnemonic.
  • -out encrypted_mnemonic.bin: Outputs the encrypted mnemonic.
  • -pkeyopt rsa_padding_mode:oaep: Uses OAEP padding for enhanced security.

Step 6: Verify the Encrypted Mnemonic

Although the encrypted file is binary and not human-readable, you can check its presence and size.

ls -lh encrypted_mnemonic.bin
  • Note: The output will display the file size and confirm its existence.

Step 7: Test Decrypting Your Mnemonic

Ensure you can decrypt your mnemonic when needed.

openssl pkeyutl -decrypt -inkey my_rsa_private_key.pem -in encrypted_mnemonic.bin -out decrypted_mnemonic.txt -pkeyopt rsa_padding_mode:oaep
  • Explanation:
  • -decrypt: Sets the mode to decryption.
  • -inkey my_rsa_private_key.pem: Uses your encrypted private key (you will be prompted for the passphrase).
  • -in encrypted_mnemonic.bin: The encrypted mnemonic file.
  • -out decrypted_mnemonic.txt: Outputs the decrypted mnemonic.

Step 8: Verify the Decryption (DO NOT DO THIS ON YOUR FINAL MNEMONIC)

Compare the decrypted mnemonic with the original to ensure accuracy.

cat decrypted_mnemonic.txt
  • Tip: The contents should exactly match your original mnemonic in mnemonic.txt.

Critical Security Considerations

  • Memorize Your Passphrase: The passphrase for your RSA private key is crucial. Memorize it securely. If forgotten, you cannot decrypt your mnemonic, potentially losing access to your assets forever.
  • Avoid Untrusted Generators: Do not use online or web-based key generators. They may compromise your keys. Generate keys on a trusted, secure machine.
  • Use Secure Hardware: Perform these steps on a secure, trusted computer with a reliable source of randomness. Avoid suspicious or public computers.
  • Backup Your Encrypted Mnemonic: The encrypted_mnemonic.bin file can be safely backed up anywhere, even on public platforms or on-chain storage, as it requires your private key and passphrase to decrypt.
  • Securely Store Your Encrypted Private Key: Backup the my_rsa_private_key.pem file in trusted storage solutions like secure cloud drives or encrypted external storage. Ensure that access is restricted.
  • Erase the Generation Machine: After completing these steps, securely erase any temporary files and consider wiping the machine if it was solely used for this purpose.
  • Destroy Plaintext Mnemonic Copies: Permanently delete any files containing the plaintext mnemonic (mnemonic.txt and decrypted_mnemonic.txt). If written on physical media, securely destroy them.
  • Do Not Share Sensitive Information: Never share your private key, passphrase, or the encrypted mnemonic with anyone.

Final Steps

  • Double-Check Everything: Before deleting any files, ensure you have securely backed up the necessary encrypted files and that you can recall your passphrase.
  • Test Decryption Periodically: Regularly verify that you can decrypt your mnemonic to avoid any unpleasant surprises in the future.
  • Stay Informed: Keep up-to-date with best security practices to protect your assets effectively.

Conclusion

By following this guide, you’ve taken significant steps to secure your mnemonic phrase using strong RSA encryption. This method allows you to backup your encrypted mnemonic in multiple locations without compromising its security, as only you hold the private key and passphrase required to decrypt it.

Enjoy the peace of mind that comes with knowing your digital assets are securely protected.

Disclaimer: This guide is for educational purposes. Always exercise caution and consider consulting a security professional when handling sensitive cryptographic materials.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment