So, what's the deal?
I've always been interested in building my own BIP38 tool. Honestly, there are already some really solid options out there, so I didn't feel the need to create something entirely new. Instead, I thought it would be neat to whip up a simple bash script that makes it easier to work with the Python library.
And the cool part? You can use this tool completely offline!
What you’ll need:
1. A Linux device that stays offline to generate your private keys.
2. An online computer to grab the libraries (just make sure you have pip set up there).
3. A USB drive (or something similar) to move the libraries from your online machine to your offline one.
How to Download the Libraries:
Fire up your online computer and open a terminal. Make a folder for the dependencies and use pip to pull the libraries:
Your offline device probably won't have pip right away, but most Linux versions come with Python already installed. So, let’s get pip ready too:
After that, copy the whole requirements folder to your USB drive.
Installing the Libraries on the Offline Device:
Plug the USB stick into your offline computer and transfer the requirements folder over. Open a terminal and set up pip:
Then, create a virtual environment and activate it:
Now, install the Python libraries from your local folder:
Let’s Run the Code
Time to get going! Create a bash file and make it executable:
Copy and paste the following script into bip38.sh:
How to Use:
Example Run:
A couple of notes:
1. This is just a fun project!
2. Sure, you could use Python directly, but where’s the fun in that? The Bash script adds a little twist.
BASH38 A bash script for using BIP38 in Python (works offline)
3 replies 457 views
SwiftMinerSenior Member
Posts: 259 · Reputation: 1036
#2Jul 25, 2021, 07:36 AM
Nice script apogio. I can't really say much since my python coding is kinda on the drop streak over the years since I don't play around with codes more frequently like I used to. Anyways so far the offline capability is kinda like the standout feature here so would it be possible to apply updates to the bip38 or bitcoinlib libraries in your offline environment given the permanently offline requirement?
All that comes to my mind currently is updates would need to be done manually if necessary. Also can any other entropy be used? Plus are there ways to verify before installation? Just asking for theoretical purposes though.
You can follow the same pattern again. As long as you have an offline device and an offline one, you can take the same steps.
Sure, as you can see, I am using entropy=\$(head -c 32 /dev/urandom | xxd -p -c 32)
Obviously the python library bitcoinlib can generate the entropy as well, but I am not aware of the specific implementation, it may be using /dev/urandom as well.
You must mean to verify the python libraries. There must be ways to verify them, but I thought the tutorial was stretched enough anyways, so I didn't search for it.
I am seeing in the script now, that when I copied it from nano into sublime and then into this post, there are some backslashes, probably put in the code by sublime. It may not be an issue, I will need to check.
paul.ninjaFull Member
Posts: 152 · Reputation: 539
#4Jul 25, 2021, 01:56 PM
Fun project and I like the fully offline flow.
Some suggestions and important points:
Build wheels on the online box and record hashes:
On the offline box:
Pinning + hashes beats a blind pip install and avoids surprise upgrades.
Right now you pass the passphrase as an arg, which shows up in shell history and ps. Prompt instead: read -rsp "Passphrase: " passphrase; echo. Feed it to Python via stdin or env, then unset passphrase afterward.
Add at the top, check return codes, and fail fast if the venv is missing or the libs are not importable.
Run the official BIP38 vectors and one cross-implementation check (Electrum or another lib). Print a clear PASS/FAIL before letting users trust real keys.
Document exactly what the encrypt/decrypt functions accept: WIF vs raw 32-byte hex, mainnet vs testnet prefix, and which BIP38 mode you use (non-EC vs EC-multiply with optional lot/sequence). Ambiguity here is how people lock themselves out.
Ensure the generator uses os.urandom only. Offer a --qr flag to dump the BIP38 string as a QR for paper backup. Never echo the passphrase back to the screen or logs.
BIP38 is for single private keys, not BIP39 seeds. For HD wallets prefer a seed with a passphrase or Shamir. If someone insists on BIP38, tell them to use a long, unique passphrase.
?Reply
Sign in to reply to this topic
Related topics
- Using Cold Electrum with Core in watch mode 11
- Bitcoin Core displaying coins (UTXOs) in a new tab 13
- Are you in favor of BIP-110? Let's get a Bitcoin poll going. 0
- Erlay seems to have some issues here’s a better proposal for a bitcoin protocol without invites 3
- New Optional Hourglass Implementation is Live 3
- Ways to earn some sats by contributing to bitcoin core development 5