Can I export and/or duplicate my encrypted keys from Yoroi and store them on a USB stick in case my computer crashes? That way I would not only rely on my mnemonic phrase…
The only thing you need is your seed phrase (mnemonic phrase).
Why would you want to export the keys from Yoroi instead of storing your seed phrase on your USB stick?
Edit: By the way, I don’t really recommend that anyway. Get a hardware wallet like Ledger.
Because the seed phrase is on a piece of unencrypted analog paper and I’ve been told and also understand that it’s unadvised to keep it digitally if unencrypted. Yoroi however, encrypts the keys with my spending password… and imo people should not be required to buy a hardware wallet to improve security and key backup redundancy when there are obvious ways to do this freely…
Edit: for instance, if my apartment burns, I’m F’ed…
I’m not sure if there’s a way to export the encrypted keys from Yoroi but you could simply encrypt a text file with your seed phrase and store it on a USB stick with a pw.
Anyway, as already said, I wouldn’t recommend using a normal USB stick to secure your keys or seed phrase.
Yes true, but that already requires a slightly higher level of technical skill… And my point here is not to improve security from theft, but to have more redundancy without sacrificing too much security from theft… as I said in my edit, at this moment, if my apartment burns I’m screwed…
Btw, where are the keys stored anyway?
As far as I know, they save their settings including the encrypted keys in the IndexedDB in your profile folder. I really don’t know if it is sufficient to back up the folder for the Yoroi extension from IndexedDB. I suppose not, since other settings might be somewhere else in the profile.
It is definitely not supported by Yoroi to back up your secrets like that.
What you could do is just back up the whole Chrome profile: https://www.winhelponline.com/blog/transfer-chrome-profile-another-computer/
Or you could use a complete portable installation of Chrome on a USB stick: Google Chrome Portable (web browser) | PortableApps.com
With all those you would have to check if they are really restorable from time to time. Chrome might change their internal workings, rendering a profile backup worthless, for example.
But the supported way is really to use the seed phrase as a backup. You can split it up in some way (that you can remember) to increase security, put it in a safe-deposit box, carry it around in your boots, whatever. Just don’t put it somewhere digital unencrypted.
To which my question is, why? In a sense, this is like Yoroi/Emurgo holding my keys’ security hostage… sure, they’re on my computer but they don’t tell me where they are or let me choose where to store them… Why does my Yoroi wallet have to be hot all the time, when it clearly doesn’t need to be? Yes, I can remove Yoroi from my browser and that’s fine, but that means I have to risk compromising my passphrase every time I want to send something, and I’m pretty sure that’s a bad idea…
I don’t know. I’m not Emurgo. But nobody holds anything hostage. You have the seed phrase. That is the way to keep a backup of software as well as hardware wallets.
If you want to be quite safe, get a hardware wallet.
If that’s not your thing, but you also don’t want secrets to be stored, you could use Adalite or ccVault. They do not store, but you give your seed phrase every time and it’s forgotten when you log out.
If web-hosted is not your thing (understandable, because you never know if everything is really happening in the client and nothing transmitted to the server, site could be hacked, whatever), we are slowly getting out of options, besides Daedalus.
There was a non-browser wallet proposed here:
The possibility to not store secrets was marked as quite important in the discussion, but we don’t know if and when it will be implemented.
The possibility that you get Emurgo to change their ways by complaining here is rather slim, especially given that most people seem to be just fine with things as they implemented them.
Yes I know, they don’t hold it hostage in a technical sense, I’m just exaggerating to prove a point. Imo you don’t reeeally own something if you don’t get to decide where it’s stored… sure you still have your passphrase but again, that’s completely beside the point. And imo, using your passphrase to recover should be absolutely last resort… since all it takes is a keylogger and/or some screen buffer hack and you’re f’ed…
There’s also one thing I don’t like with hardware wallets; at least with the Ledgers (Nano etc.) you need to buy another device if yours breaks, that’s a BIG no-no imo!
Thanks for that thread-notice, I love the idea and I shall read upon it!
Most people don’t seem to particularly care, where exactly on their hard drive a software stores its data, but yes, I get the point. I’m also kind of curious when such questions pop up, just not quite as judging.
Maybe ccvault.io would suit you? They have a web-hosted and a chrome-like browser plugin version and offer to export the wallet in a JSON file that can be imported again to restore.
(Sounds like day-to-day the secrets are additionally stored somewhere inside the browser storage just like for Yoroi, but it goes a long way to your demands, I think.)
If your system is compromised enough to have a key logger or screen grabber, the secrets are not much safer in a file, I think, even if it’s on a USB drive.
I’d also very much like to have a software implementation of it. Should be possible. I think, everything they do is public. A seed put into such a software would, of course, instantly lose its “hardware wallet security”, but you would keep access and could decide to buy a hardware wallet from another vendor or switch to software wallet or whatever.
Probably true, but, my machine might not be compromised now, but what about next month? If no secrets are on my computer at a later date, then it’s absolutely impossible to steal my assets, right? As it is now, if I stumble upon a sketchy link (I don’t, but who am I to assume I’m never going to make a mistake), then it’s most likely, or at least theoretically possible, to extract the encrypted secrets from the bowels of my browser. Either through holes in the firewall, weakness in software, who knows? Pick your poison. And after that you can start brute-forcing or try to get my spending pass… this is definitely made more difficult if my secret is stored offline or even at some arbitrary location on my drive, I mean isn’t improved security through obscurity a true thing?
Then again, I don’t know how many people in the crypto world whose wallets have actually been hacked like this, I would assume that most people get screwed by giving away their passphrase through phishing attacks and fake apps… Which again to me means that the passphrase should be entered digitally as an absolute last resort! Because the passphrase is a container which holds all the eggs!
I’ll look into ccvault as well…
Coming from theoretical computer science, I try to not rely on security by obscurity. But you’re probably right that it helps, nevertheless.
On the other hand: If a hypothetical wallet app with an arbitrary file as secret storage would become popular enough, there will be attackers/malwares monitoring for the moment at which the wallet app opens the file and grab it at that point.
A lot of the reports that I have read were from people using Yoroi (which does not require the phrase often) and they swore that they kept their seed phrases totally safe.
Therefore, my guess would have been that it’s most often stored secret stolen through some loophole and spending password either key grabbed or brute-forced.
But without detailed analyses of lots of these cases, monitoring for malware and their operation, or something like that, we will never know for sure.
Of course, I wouldn’t either, but it’s an added layer of security!
True, but then perhaps you can say, added security through diversity?
Well that’s a massive point of concern then, but as you say it’s impossible to know for sure… Heck, it could even be FUD… btw, where are the people developing Yoroi?
I’d also again like to point out that this is not just about security from thieves, it’s equally much about backup redundancy without having to rely on your passphrase…