11

When I run cat on one of the files in the keystore directory I see things like id, mac, etc. but I do not see private key.

Is it safe to send the keystore file unencrypted over the internet?

If the private key is in the file, which one is it and can I simply keep a copy of the private key and restore everything from only the private key?

Thanks

sfish
  • 555
  • 6
  • 10

2 Answers2

18

The private key is encrypted and, if you are confident in your password's strength, does not need to be encrypted again. The key is encrypted with 128-bit AES by default if you're using geth, and all of the parameters are in the JSON file. The encrypted private key is in the ciphertext attribute.

  1. I would recommend keeping the entire file,
    • Theoretically, however, the private key could be reconstructed from just the ciphertext, salt and your password.

For your safety,

  1. Ethereum clients do not support exporting cleartext private keys.
  2. I would not attempt to store the private key unencrypted.
    • Geth will import plaintext private keys if need be, via geth account import
Tjaden Hess
  • 37,046
  • 10
  • 91
  • 118
  • Theoretically it could be if you didn't change encryption parameters. Now that is not possible with geth, but it is with other wallets. – axic Mar 09 '16 at 15:43
  • Yes, but there are not that many commonly used encryption parameters, so as long as you didn't pick them at random, you should be able to brute force it. You do need to keep the salt though, I guess. – Tjaden Hess Mar 09 '16 at 15:46
5

Is it safe to send the keystore file unencrypted over the internet?

It is not recommended, no. Even though the important stuff in that keystore file is encrypted, if someone were to obtain it, they could bruteforce all day and night until they discovered the password that you used.

Whether or not you decide to send it over the internet is obviously up to you. I have on occasion in the past but only we small wallets used for testing that would not be missed. If this is your main wallet or contains more ETH than you are willing to lose, I would not under any circumstances send it over the internet.

If the private key is in the file, which one is it and can I simply keep a copy of the private key and restore everything from only the private key?

Geth / Mist do not give you the private key but there are ways to obtain it if you want. My cold-storage wallet is an encrypted private key on an airgapped computer, generated via MyEtherWallet.com's repo. But, I don't let that computer touch the internet, let alone the encrypted private key. I would never send that via email.

If you are using Mist/geth for your day-to-day, keeping the keystore will be the easiest and safest way to store your account access. You could hypothetically encrypt the entire keystore but again, I recommend you find another method (ie: USB drive) to move your keystore from one place to the next.

You should be also keeping your keystore files backed up in duplicate / triplicate in case anything were to happen to your computer or your house / apartment.

tayvano
  • 15,961
  • 4
  • 45
  • 74
  • How secure is the AES128-CTR encryption that is used by default in the keystore file assuming the user uses at least an 8 letter password? Even if brute force was used, wouldn't it take well over a thousand years to decrypt? – Kernel James May 20 '22 at 05:50