Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Development & Technical Discussion
Merits 1 from 1 user
Re: Pre bitcoin 0.4 encryption
by
BattleDog
on 08/09/2025, 16:11:47 UTC
⭐ Merited by vapourminer (1)
A few facts that should clear this up and save you some rabbit holes:

Pre-0.4.0 Core had no wallet encryption. Bitcoin Core 0.3.x stored private keys in Berkeley DB as key/wkey (unencrypted). "Encryption" only appears in 0.4.0.

Core 0.4+ encryption (wallet.dat) works the following way:

-- A random 32-byte master key is generated.
-- Your passphrase is run through EVP_BytesToKey(SHA-512) with an 8-byte salt and a stored, wallet-specific nDeriveIterations (chosen to take ~250ms on your machine when you encrypted). These three values live in the mkey record: vchSalt, nDeriveMethod (0=SHA-512), nDeriveIterations, and vchCryptedKey (the master key encrypted with AES-256-CBC).
-- Each private key is then stored as ckey = AES-256-CBC(master_key, IV) of the secret, where IV = first 16 bytes of DoubleSHA256(pubkey).
-- If you see key entries, they're unencrypted; ckey means encrypted; mkey must be present for encrypted wallets.

So, Core doesn't encrypt each key with your passphrase directly; it encrypts a master key with your passphrase, and uses that master key to encrypt each private key.

bitcoinj (0.5 era) is not the same scheme, bitcoinj's default KeyCrypterScrypt uses scrypt (N=16384, r=8, p=1) to derive an AES-256 key, and (by default) encrypts each key with AES using a random IV per key. Different KDF, different layout, different metadata. Don't mix the two.

You can inspect your files quickly by dumping the Berkeley DB and looking for records: mkey (has salt+iterations), ckey (encrypted privkeys), key (plain). Tools you can use: bitcoin-wallet -wallet=<path> -dump on modern Core; or pywallet/simple BDB dumper if you're working offline. Do not post the file.


Now, about your Python attempt, brute-forcing AES on ckey with guesses about fixed IV/format will fail unless you first decrypt the master key using the exact SHA-512 KDF params from mkey.
For bitcoinj wallets, use scrypt with the wallet's salt, then try AES with the per-entry IV. Different code path entirely.


If you want, you can paste (in text) the mkey fields (salt hex + nDeriveIterations + nDeriveMethod) and a single ckey+pubkey pair from a test wallet (no funds) and then I can help you sketch the decryption steps so your script checks the right boxes.