-
Notifications
You must be signed in to change notification settings - Fork 36.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[backups] Automatic backups basics #5266
Conversation
Would it be possible to use the |
6c5af7f
to
604c462
Compare
@sipa hmm... it would be more open to other wallets. correct. On the other hand; how easy would it be for endusers to restore a backup? I think there is no easy way to import a RPC dumped wallet. |
Yes there is a way to import it, using |
@sipa: ah. right. Somebody should update https://en.bitcoin.it/wiki/Original_Bitcoin_client/API_calls_list :) |
@jonasschnelli the GUI has no way to restore a backup at all - whether it's done using backupwallet or dumpwallet. That definitely needs fixing, but I would really advise against using the BDB-based format for anything but legacy. |
@sipa i just thought through the whole thing again. Your right. Restore per file won't work anyway without rescan everything. |
@sipa i only see a huge drawback when using the walletdumps-txt: encryption. Unencrypted wallet dumps is IMO very risky. Of course we could encrypt the dumps before the go to the filesystem. But this lead to the question what passphrase/key we use for encrypting the backups dumps. Maybe adding a "backup-key" to the wallet would be a overhead? |
604c462
to
73690b1
Compare
Good point about For example Schildback's Bitcoin Wallet uses a format similar to our dumpwallet format, one line per key, but encrypts the file before writing. This can be decrypted from the command line using As for the key, would be multiple options there:
|
776a9b8
to
2fb996d
Compare
I think we should encrypt the dumps with a key derived from the same password the wallet is encrypted. Additional to that, for experience users, we could allow to set a base64 encoded EC PubKey in the bitcoinconf. The dumps then could be encrypted aes-256-cbc creating a random key with EVP_Seal. The encrypted key length and data will be stored in the dump. |
2fb996d
to
9f39fc0
Compare
Please don't introduce yet another encryption format in the system if it can all be avoided, analyizing and maintaining two is additional work I'd rather avoid. The simpler thing is to just backup the existing files, then we're sure to get all the data, sure that it's already encrypted and not creating additional exposure, etc. |
@gmaxwell agreed. Than i keep the pull request as it is. For now we backup just the wallet.dat. Dumping is IMO not a backup because it lacks of metadata (dump != backup). A backup should be somehow a 1:1 copy. Before working on encrypted dumps as backup possibilities i would prefer to implement the/a backup mechanism in the GUI. |
std::sort(vKeyBirth.begin(), vKeyBirth.end()); | ||
|
||
// produce output | ||
stream << strprintf("# Wallet dump created by Bitcoin %s (%s)\n", CLIENT_BUILD, CLIENT_DATE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By "Bitcoin Core" :)?
@Diapolo okay, did overhaul the code, added some comments, etc. |
strUsage += "\n" + _("Backup options:") + "\n"; | ||
strUsage += " -backups " + strprintf(_("Enable auto creation of UNENCRYPTED backups (dumps) (default: %u)"), DEFAULT_BACKUPS_ENABLED) + "\n"; | ||
strUsage += " -backupsallowunencrypted " + strprintf(_("Allow backups of unencrypted wallets (default: %u)"), DEFAULT_ALLOW_UNENCRYPTED_BACKUPS) + "\n"; | ||
strUsage += " -backupspath=<dir> " + strprintf(_("Specify absolut path to backups directory (default: %s)"), strprintf("<datadir>/%s", DEFAULT_BACKUPS_DIR)) + "\n"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"absolute"
167fc95
to
b4afdb4
Compare
Any NACKs ACKs? |
@jonasschnelli Concept ACK, haven't looked at the code. I promise I will, but right now I cannot keep up with the number of pulls anymore. |
b4afdb4
to
a2f6fa6
Compare
rebased |
1663543
to
c1b1504
Compare
- allow to do automatic backups (wallet.dat copy or dumps) when keypool gets refilled - by default backups are turned off - by default only encrypted wallets are allowed for backup - user can choose to backup dumps instead of the wallet.dat file
c1b1504
to
c5d5e40
Compare
rebased. |
I'm no longer convinced that this PRs solution is going into the right direction. As example: what means a encrypted wallet? Why are metadata like labels and comments (which could harm privacy) not encrypted in a encrypted wallet? |
@jonasschnelli Things other than private keys are not encrypted because otherwise the user is forced to enter their key at every startup or use, which is inconvenient and would punish users for using encryption and would leave their key more vulnerable to observation by malware or people around them. The entry of the key also becomes an important consent point: a user of an encrypted wallet can never accidentally send money no matter how stupidly they click or how far they explore. Encryption of a wallet is not usually adequate for privacy on your local computer in any case: your logs, browser cache, etc all leak much of the same data... When we talk about backups the situation is somewhat different, and I can agree it may make sense to have all the data encrypted there. If I were to do it again I would have an master key encrypted with the hardened user passphrase used to derive separate keys for encrypting the whole wallet and the private keys. At the first use, I'd cache the whole wallet subkey (but not the private key one) in a separate file. This way backups would preserve privacy, so long as they didn't backup the cache. BIP32 is not at all a replacement for backups; at most it protects key material. It does nothing to preserve metadata which can be absolutely critical (keeping in mind that in much of the developed world if your taxes are audited its up to you to prove you were paying what you owed). I somewhat regret inventing the public derivation thats most commonly used now-- it's overused, and in ways that harm security (often by people who do not understand the implications). |
Closing for this older PR. It sounds like there is general agreement that something like this is a good direction, but it's doesn't seem to be coalescing into a specific solution that is liked. My own criticism: I don't think this low level functionality is needed at all for non-GUI daemon. It can be implemented with a simple, external cron script that applies well to the local site. Suggestions:
|
Agree with @jgarzik in general. |
This could be the basic for later adding backup possibilities for Bitcoin-Qt including visual elements for latest and amount of backups as also validity-check-display of backup files.