Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Development & Technical Discussion
Merits 1 from 1 user
Re: Bitcoin Core encryption questions
by
BattleDog
on 09/09/2025, 09:43:21 UTC
⭐ Merited by apogio (1)
I always appreciate it when others take encryption seriously and want to learn more.

1) "Core encrypts wallet.dat with AES-256, right?"
Core encrypts the key material, not the whole file. Each private key/seed is encrypted with a random master key using AES-256-CBC. The master key is encrypted with your passphrase via EVP_BytesToKey(SHA-512 + salt + iterations). Metadata (labels, txs, watch-only, etc.) stays readable so the wallet can load while locked.

2) If I GPG-encrypt wallet.dat externally…
Correct: you'll encrypt the entire file and Core can't open it until you decrypt it first. Native encryption lets Core load/receive/watch while keeping spends locked.

3) Should I "double-encrypt"?
For backups, yes--keeping a copy of the Core-encrypted wallet.dat additionally wrapped in GPG/VeraCrypt/LUKS is fine. Just keep at least one copy you know you can restore (test a restore!), and don't overwrite the only good backup with a failed re-encryption.

4) BIP-38?
Core does not support BIP-38 (and never did). If you export WIF keys you'd need an external tool to BIP-38 them. Recommended path today is descriptor/seed backups, not BIP-38.

5) Paper/descriptors backup
Core already lets you export the descriptor set (including privkeys) via RPC:

listdescriptors true --> JSON of descriptors with xprv.

dumpwallet <file> --> legacy: all keys + metadata in text.

You can take that JSON/text offline and GPG-encrypt it. Printing a QR is your choice (be mindful of QR size; you'll likely split across multiple QRs). Core doesn't do the QR/encryption for you in the GUI; you'd script this yourself on an air-gapped machine.

Use a long, unique wallet passphrase; Core's KDF has an iteration count but passphrase quality dominates. Make multiple offline backups (wallet.dat and/or listdescriptors true) in separate locations.

If you want extra protection at rest, put the backup inside an encrypted container or GPG it--in addition to Core's native encryption. Test your restore procedure once, then seal the backups.

The above setup gives you: usable day-to-day wallet (locked), plus verifiable offline backups with defense-in-depth.