This page explains how to secure your Bitcoins when storing them on a computer with the following popular wallets. The same rules should apply to other wallets as well.

  • Default Bitcoin Wallet (Bitcoin-Qt)
  • Armory Wallet

This applies to the following systems and is written to prevent malware and malicious attackers from stealing your wallet.dat files by using a tool such as Metasploit Bitcoin Jacker:

  • Windows XP
  • Windows 7
  • Mac OSX (various)
  • Linux (various)

By default, the wallets above store their wallet files (called wallet.dat) in the following directories:

#Windows .dat file location - bitcoin-qt
%APPDATA%\Bitcoin

#Windows Armory .dat file location
%APPDATA%\Armory

#Linux .dat file location - bitcoin-qt
~/.bitcoin/

#Armory Linux .dat file location
~/.armory/

#OSX .dat file location - bitcoin-qt
~/Library/Application Support/Bitcoin/

#Armory OSX .dat file location 
~/Library/Application Support/Bitcoin/

If you are using Bitcoin-Qt, by default the wallet.dat file is not encrypted. However, Armory wallets are encrypted by default.

If an attacker were to gain physical access to your machine, or (more likely) got malware installed on your computer, they could exfiltrate your wallet.dat files.

There are two recommended approaches to mitigating this vulnerability. Ideally you should do both.

  1. Always encrypt your wallet
  2. Point your Bitcoin wallet client at a data directory on a removable drive

To encrypt your wallet in Bitcoin-Qt, open the program, go to Settings > Encrypt Wallet. You will be prompted to choose a secure password. Your password should be at least 12 characters in length and contain numbers, upper case, lower case, and special characters. It is your responsibility to make sure that the password is never lost. Otherwise, the Bitcoins in the encrypted wallet.dat file will not be retrievable.

To specify a different location for your Bitcoin wallet, go to the default data directory listed above and open or create the file called bitcoin.conf. Then add a name/value pair to bitcoin.conf such as:

datadir=/path/to/external/usb/drive/

You can also simply add the following parameter to the Bitcoin-Qt startup script:

#Windows example
"C:\Program Files (x86)\Bitcoin\bitcoin-qt.exe" -datadir=G:\Path\To\External\Drive
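
The following Python check is an added example, not part of the original page or of either wallet project: it audits a Bitcoin-Qt data directory against the two mitigations above. Treating the byte string `\x04mkey` as the sign of an encrypted wallet.dat is a heuristic assumption, and the function names are hypothetical.

```python
import os
import sys
from pathlib import Path

# Bitcoin-Qt default data directories, as listed on this page.
DEFAULT_DIRS = {"win32": Path(os.environ.get("APPDATA", "")) / "Bitcoin",
                "darwin": Path(os.path.expanduser("~/Library/Application Support/Bitcoin"))}

def looks_encrypted(wallet_path):
    # Heuristic (assumption): an encrypted Bitcoin-Qt wallet.dat holds a
    # master-key record whose type string is stored as b"\x04mkey".
    return b"\x04mkey" in Path(wallet_path).read_bytes()

def conf_datadir(conf_path):
    # First datadir= value in bitcoin.conf, or None if absent or unreadable.
    try:
        text = Path(conf_path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None
    for line in text.splitlines():
        key, sep, val = line.split("#", 1)[0].partition("=")
        if sep and key.strip() == "datadir" and val.strip():
            return val.strip()
    return None

def audit(datadir):
    # Facts needed to judge both mitigations for one data directory.
    wallet = Path(datadir) / "wallet.dat"
    present = wallet.is_file()
    return {"dir": str(datadir), "wallet_present": present,
            "encrypted": looks_encrypted(wallet) if present else None,
            "conf_datadir": conf_datadir(Path(datadir) / "bitcoin.conf")}

def findings(rep):
    if not rep["wallet_present"]:
        return []
    out = []
    if not rep["encrypted"]:
        out.append("wallet.dat shows no master-key marker: encrypt the wallet")
    if rep["conf_datadir"]:
        out.append("datadir is redirected but a wallet.dat copy remains here")
    else:  # a -datadir given on the command line is not visible to this check
        out.append("wallet.dat is in the default directory: move datadir to a removable drive")
    return out

if __name__ == "__main__":
    rep = audit(DEFAULT_DIRS.get(sys.platform, Path(os.path.expanduser("~/.bitcoin"))))
    print(rep["dir"], *(findings(rep) or ["no findings"]), sep="\n  - ")
```

Run it with the removable drive unplugged: a clean result means no wallet.dat is left in the default directory for malware to copy.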