Question:

Storage of Private Keys

James: 2 weeks ago

Most web apps that accept bitcoin (whether it's an exchange, a gambling site, etc) provide the user with a public address for depositing bitcoins into their account.

How are these web applications storing the private key associated with the deposit address? What is the best practise for the storage of the private keys from a security standpoint? What is the best storage procedure for web developers looking to create large quantities of key pairs for their web applications?

Answer:
William: 2 weeks ago

If you only need receiving addresses, then you need only a table for those along with a column that flags to prevent it from from being used a second time.

Keys can be generated in bulk: - http://bitcointalk.org/index.php?topic=101708.0

Now just because you aren't saving the private key on the web host doesn't mean security can be lax. If a host were compromised, the attacker could replace the Bitcoin addresses in the table with addresses under the control of the attacker.

For situations where the Bitcoin client needs to send transactions, a cold wallet / hot wallet method will help lessen the damage should the system become compromised.

Here's additional information for Securing online services:

  • http://en.bitcoin.it/wiki/Securing_online_services