
This is a doubt that has been tearing me apart for some time. I'll try to explain the background.
A long, long time ago, I can still remember... having helped a friend prepare a full node on a microcomputer installed in his home.
Some time later, on my advice, he preferred to mask the full-node traffic, so we prepared a Raspberry Pi (I think it was a 3B) with a middle-relay Tor. All under a dedicated VLAN. All reachable from the outside with an IPsec VPN on his router.
Now, for reasons that I am not here to explain, he has to make everything disappear from his house. We discussed it a bit and this is what came out.

My proposal

Let's prepare a new microcomputer, perhaps with an N150 as a base, and transfer both the Tor node and the full node to it. I still don't know whether to put everything on the rail, or separate the two instances with two different containers. This new computer would be installed at the home of the mother, who currently has no internet.
On an economic level, therefore, we would need to buy:
  - Computer
  - Additional memory
  - Router
  - New internet access (I think a wifi solution)

His proposal

He decided to rent a VPS and put his full node there. At this point, I think, he would also like to avoid the middle-relay Tor (I'm not sure it's a good choice).

My thoughts

Thinking of putting my funds on a VPS that I don't have physical control over scares me to death. It is true that the funds are his, but I would not want him to have problems with all this.
Do you have any experience in this regard? Would you trust putting your node on a VPS? (I already know some of the answers you will give me, but based on those I will explain what does not convince me.) On the skin, considering that the costs would be quite similar after about 3 years, what would you do in his situation?
I thank in advance anyone who wants to speak in this debate.
117 sats \ 1 reply \ @optimism 21h
> Thinking of putting my funds on a VPS that I don't have physical control over scares me to death.
As it should.
> What would you do in his situation?
  1. Put whatever coins are savings in a cold wallet
  2. Keep spending coin on hot wallet somewhere else. Can be a phone but be wary that phones easily get hacked/lost/stolen, so be conservative in what's exposed.
  3. Don't run the node at all if you can't stay on top of it: nodes aren't fire-and-forget and security patching OS is intensive. If you do want to run the node, don't put a wallet on the VPS, just the node. You can add electrs to have your own private electrum endpoint for your hot wallet to have a proper "economic node".
Whatever you do... don't put keys on VPSs. @justin_shocknet said it with clinical precision:
> as long as [keys] are used in memory for any purpose, then they are ultimately accessible.
reply
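As an added example (not part of the thread and not any poster's code), a small Python check for the node-only VPS setup recommended in item 3 of the comment above: it flags `bitcoin.conf` settings that would put wallet keys or a reachable RPC interface on the host. The sample config is constructed; the option names are Bitcoin Core's, and hostnames such as `localhost` are deliberately flagged for manual review.

```python
import ipaddress

# Constructed sample config for illustration; not taken from the thread.
SAMPLE_CONF = """\
rpcbind=0.0.0.0
rpcallowip=0.0.0.0/0
rpcpassword=example-password
wallet=spending
prune=550
"""

def parse_conf(text):
    """Return {option: [values]}, skipping comments and [section] headers."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line and not line.startswith("["):
            key, value = (p.strip() for p in line.split("=", 1))
            opts.setdefault(key, []).append(value)
    return opts

def loopback_only(value):
    """True if an rpcbind address or rpcallowip subnet covers loopback only."""
    host = value
    if host.startswith("["):                 # e.g. [::1]:8332
        host = host[1:].split("]")[0]
    elif host.count(":") == 1:               # e.g. 127.0.0.1:8332
        host = host.split(":")[0]
    try:
        return ipaddress.ip_network(host, strict=False).is_loopback
    except ValueError:
        return False                         # unparseable: treat as exposed

def audit(text):
    """List settings that conflict with a keyless, locally administered node."""
    o, findings = parse_conf(text), []
    if set(o.get("disablewallet", [])) != {"1"}:
        findings.append("disablewallet=1 missing: wallet code can load keys here")
    if "wallet" in o:
        findings.append("wallet= entries present: " + ", ".join(o["wallet"]))
    for opt in ("rpcbind", "rpcallowip"):
        for v in o.get(opt, []):
            if not loopback_only(v):
                findings.append(f"{opt}={v} exposes RPC beyond loopback")
    if "rpcpassword" in o:
        findings.append("rpcpassword in cleartext: use cookie auth or rpcauth")
    if any(v != "0" for v in o.get("prune", [])):
        findings.append("pruning enabled: electrs requires an unpruned node")
    return findings
```

Calling `audit(SAMPLE_CONF)` returns one finding per conflicting setting; a config with `disablewallet=1`, loopback-only RPC and `prune=0` returns an empty list.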
Thanks also to you. Same here, I read it yesterday but from my phone. Also, right now I'm away from my computer and I hate writing from my phone. I'll reply to you later because I have some questions about your reply.
reply
First, remove Tor out of the equation, it's completely retarded. If you want to mask traffic, or expose an external service to the internet, you can do that over SSH tunnel or Wireguard via a cheapo VPS that does not hold the Bitcoin keys. A cheap few dollar a year one off LowEndBox or similar.
You're right that VPS providers, by having physical access to the hardware, technically have access to the Bitcoin keys if they dig. It doesn't matter if you encrypt it a-la Voltage or Greenlight state management blah blah, as long as they are used in memory for any purpose, then they are ultimately accessible.
It's still reasonable to use a VPS for many situations though, it's like any other type of hot-wallet risk, and much safer than your average mobile phone wallet or exchanges prone to social engineering.
A large provider with 10's or more millions of dollars in reputation at stake has more valuable stuff than your buddy's Bitcoin, and likely good accountability processes for their employees as a result.
There's also the obscurity factor... someone competent would have to know that your particular VPS has enough coin to be worth going through the hassle of smuggling it out without being caught, so don't name the VPS "Bitcoin node with 1000 BTC on it" or other stupid thing. You can also use multiple VPS's from disparate providers in a multi-sig setup or to obfuscate the configuration.
There are more basic questions to be answered that would inform the ideal setup, like WTF does he have an online node and not a cold one if paranoid? What is the threat assessment on the traffic that warrants any of this? Is there an internet facing service?
Architecting a solution is fairly simple if you know what you're trying to achieve exactly, consulting is 90% interrogation.
reply
> First, remove Tor out of the equation, it's completely retarded. If you want to mask traffic, or expose an external service to the internet, you can do that over SSH tunnel or Wireguard via a cheapo VPS that does not hold the Bitcoin keys. A cheap few dollar a year one off LowEndBox or similar.
Thank you for the precise answer. Let's start with the Tor node. If you have a full node, your Internet provider will see that every 10 minutes you have a peak out towards Tor. This clearly identifies possession of a full node. Therefore, having a Tor node in the equation serves precisely to mask these peaks on a regular basis. A VPN on a remote VPS would be important if I wanted to hide from my Internet provider the fact that I am using Tor, but this is currently not our purpose.
> You're right that VPS providers, by having physical access to the hardware, technically have access to the Bitcoin keys if they dig. It doesn't matter if you encrypt it a-la Voltage or Greenlight state management blah blah, as long as they are used in memory for any purpose, then they are ultimately accessible. It's still reasonable to use a VPS for many situations though, it's like any other type of hot-wallet risk, and much safer than your average mobile phone wallet or exchanges prone to social engineering.
I fully agree, in fact the alternatives were just a new computer at the mother's house, or a VPS. We have never talked about using custodial services.
> A large provider with 10's or more millions of dollars in reputation at stake has more valuable stuff than your buddy's Bitcoin, and likely good accountability processes for their employees as a result.
Here too you are right, but we are focusing on a VPS that can be rented anonymously and paid for in sats.
> There's also the obscurity factor... someone competent would have to know that your particular VPS has enough coin to be worth going through the hassle of smuggling it out without being caught, so don't name the VPS "Bitcoin node with 1000 BTC on it" or other stupid thing. You can also use multiple VPS's from disparate providers in a multi-sig setup or to obfuscate the configuration.
This would be very nice, but it would move the cost needle a lot towards the VPS, and a small N150 with router and company becomes much cheaper.
> There are more basic questions to be answered that would inform the ideal setup, like WTF does he have an online node and not a cold one if paranoid?
These questions are not easy to answer, also because the paranoid one in this case is me and not my friend.
> What is the threat assessment on the traffic that warrants any of this?
Here I don't understand if you are referring to the Tor node or something else.
> Is there an internet facing service?
Here I don't understand if you are referring to the Tor node or something else.
> Architecting a solution is fairly simple if you know what you're trying to achieve exactly, consulting is 90% interrogation.
If I am aware, my work also often brands on the design and to get to a proposal, I often have to question my customers. I thought I had given enough information about my doubt, but now I realize that I have not been quite exhaustive.
reply
Tor does nothing in this context but draw extra attention from your ISP and the intel agencies that use Tor as a honeypot.
The ISP's ability to observe Bitcoin gossip traffic doesn't imply anything about the location of keys or anything else, most nodes are read only. Again, if it was the real concern or there's a need for ingress (Lightning example) it's only a few dollar a year problem via a LowEndBox VPS and SSH.
There's absolutely 0 reason to use Tor under any circumstance. Shillfluencers are larp morons that do people a great disservice by recommending it.
> a new computer at the mother's house
This is what really doesn't make sense in the context of all this, why a full online node instead of cold storage? What's the point of the N150 at all vs a HWW?
(That's not to say I like HWW's either, just trying to understand the objective for the N150)
> VPS that can be rented anonymously and paid for in Sats.
These would be ideal for an SSH tunnel, if necessary. I agree with not storing a single sig key on them for any material amount.
> Is there an internet facing service?
Is he running an online store, swap service, Lightning, or other such thing that requires the node to be online and connected to the internet? If not, then this is all pointless. Even if so, those roles should be separated between hot and cold wallets such that the valuable node is not online.
Maybe he's regularly spending from a good stash so the cold wallet is de facto warm? That would be one reason to have an N150 online, but that's even more reason to use the SSH tunnel instead of Tor, to auth and firewall off everything except the jump host and 1-3 gossip peers.
reply
Thanks for your reply, I read it yesterday but from my phone. Also, right now I'm away from my computer and I hate writing from my phone. I'll reply to you later because I have some questions about your reply.
reply