Security Information About Wallet.db

Discussion in 'Security' started by Blizzy, Feb 15, 2016.

  1. 2017/12/15 - Decred v1.1.2 released! → Release Notes  → Downloads
  1. Blizzy

    Blizzy Full Member

    Jan 4, 2016
    225
    109
    Male
    #1 Blizzy, Feb 15, 2016
    Last edited: Feb 16, 2016
    The wallet.db file located in mainnet folder (the path depends on os ) contains all the information about your decred wallet.

    Can anyone explain which kind of information this file have inside?

    - seed ?

    - dcr wallet psw (the one used in wallet creation )?

    - only encrypted information related to the software functionality but not accessible.

    - other..


    This information is important because this file can be easly accessible!
     
  2. davecgh

    davecgh Hero Member
    Developer Organizer

    Dec 31, 2015
    642
    788
    Male
    United States
    The seed is not in the database (currently, it might be in the future), but even if it were it would definitely be encrypted with the private crypto key. The following is a basic overview of how the crypto inside wallet.db works.

    waddrmgr_overview.png

    I assume by psw you mean password? No, the private passphrase is used to derive the private master key (and the public passphrase is used to derive the public master key) as per the diagram above.

    As far as the specific key derivation and crypto algorithms used, we can see those from the feature overview of the waddrmgr package:
    • Scrypt-based key derivation
    • NaCl-based secretbox cryptography (XSalsa20 and Poly1305)

    Perhaps it's also important to note from the diagram that the public crypto key is used to encrypt to account extended public keys and other public keys. These can NOT be used to spend coins, but they can be used to generate all of the addresses you will ever use for that account which of course means it would allow whoever is in possession of them to calculate your exact balances. This is why public encryption is offered as an optional feature for the security conscious.

    Finally, the database contains the transactions which involve your addresses, a bit of account information, the current chain state, and some other minor state-related things.

    ---

    TL;DR

    Nobody can steal your coins if they get access to the wallet.db file unless they also have your private passphrase. If you chose to use public encryption, they also can't get access to any of your extended public keys or addresses.
     
    chappjc and Blizzy like this.
  3. jrick

    jrick Member
    Developer

    Jan 4, 2016
    88
    81
    Male
    dcrwallet changed this. The seed is saved in the db, encrypted along with the rest of your private keys.
     
    Blizzy likes this.
  4. davecgh

    davecgh Hero Member
    Developer Organizer

    Dec 31, 2015
    642
    788
    Male
    United States
    Ok, good to know. I did caveat that with an it might be in the future, so it seems that already happened.
     
  5. sambiohazard

    sambiohazard Sr. Member

    Jan 21, 2016
    844
    372
    The future is here :D
     
    Lee Sharp likes this.
  6. Blizzy

    Blizzy Full Member

    Jan 4, 2016
    225
    109
    Male
    #6 Blizzy, Feb 16, 2016
    Last edited: Feb 16, 2016
    Thanks for the clarification, this is an important security information.

    Always be careful about his backup and safe location.
     

Share This Page