Backup security

I have been backing up my full node’s Chia related data (not plots) by simply copying everything in the …\mainnet directory to an external drive (ensuring that no Chia processes are running during the copying).

When I double-click on my desktop Chia icon, the application launches, presents me with my wallet, I click on it, and everything starts.

What would happen if someone got their hands on my external drive that has a copy of everything in mainnet?
Would they be able to start up Chia and have access to my wallet?

I recall that in some version of Chia I was asked to store my password inside of Windows Credential Manager, and I clicked “Yes”.

Does that mean that if I handed someone a copy of my mainnet directory that it would be useless to them?

I want to keep a backup copy of mainnet. But I want to know what, if any, risks are involved.
I do not want to encrypt the external drive, if the data is of no use to anyone, due to them not having whatever it is I have in Credential Manager.

The only thing that is useful to back up is the blockchain database file.

That file, no one can fuck you with if they get their hands on.

I don’t think there is anything in the mainnet folder that someone can use against you, but I’m not 100%

But I do know you don’t need to back up the rest, just do the db, that’s the thing you want backup of.

2 Likes

It is easier to grab the whole bundle, rather than choosing specific files. And the blockchain is the big one. All of the rest only take another minute. So I would rather copy the whole thing.

And if all of the other files are not necessary, then that would mean that the following would do no harm:
– Stop all Chia processes.
– Delete everything in mainnet, except for the blockchain files (and config.yaml).
– Start up Chia.

Presumably, everything will start like nothing happened (except the automatic wallet database rebuild)?

I would add to that config.yaml. I don’t think that there is anything in that file that can help hacking. Sure, there are rcv addresses there, but if those are there, it implies that those were already used, so are potentially accessible on the blockchain.

On the other hand, I would kill wallet db, as that is purely your setup specific. I am not sure whether it is possible to just open it up with sqlite tools, or just drop it into a freshly installed setup, and try to see whether it will be picked up (and then use RPC to lift your mnemonics). Kind of long stretch, but seeing how Chia is making sure that all is secure, I would really kill that db.

What it also means is that maybe you need to create another wallet (semi-cold would do), and start using it, as if you had it, this would be a moot discussion.

So, bc db to get you a fast start in case of a db corruption / drive failure, and config.yaml to have the latest settings (most likely around pool section), so you will not need to start tweaking it again.

And are worth that much - nothing, as those are auto-gen files (except wallet that should not be backed up).

Also, I think you most likely have the wrong startup order. You would need to start clean chia, let it generate everything. Then stop it and replace bc db and config.yaml, and restart it again. The chia code is just too vulnerable to see surprises, so having just bc and config.yaml may not be what it expects to see, thus may start sideways. (At least, I would do it this way just to be on the safe side.)

Yes, if I was in a situation where my Chia rig needed to be restored, I would do a fresh Chia installation.

VeraCrypt produces encrypted volumes. So I could use it to hold a copy of mainnet, where no one other than me will have access to the data within the encrypted volume. That will make things simple, as I can just copy everything.

I just do not want to install any 3rd party software on my Chia rigs.
But VeraCrypt offers a “Portable” version. I am assuming that that does not install anything, and simply runs the application?

Then write a short bat file that will copy your mainnet, and purge from that copy everything but bc and config. You can even add the final zip and move using UNC path to your final destination. You don’t need the previous version, so just purge that network folder before you do move. One click does it all, and simpler than VeraCrypt or USB drives, and no headaches whether it could be used by some malware.

.chia_keys and mainnet save your login password and 24 mnemonic words. If you lose the hard disk, you give the bank password to someone else. Deletion is useless. Hackers have the technology to recover at the bottom of HDD. Therefore, it is best to save it on SSD. If it is broken, destroy it.

What is the final zip?

What network folder?

I am referring to my backup being on a portable USB drive. That would be the safest place, because aside from when I perform the backup, it is unplugged.

A bat file along those lines:

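rem Placeholder paths; set them to your real locations
set SRC=mainnet
set TMP1=some_tmp1
set TMP2=some_tmp2
set DST=dst

rem Purge the previous backup, then stage a copy of mainnet
del /f /q "%DST%\*"
xcopy /s /i "%SRC%" "%TMP1%"
rem Repeat this del for each file that should not be in the backup
del /f "%TMP1%\whatever_is_not_needed_multiple_times"
powershell -Command "Compress-Archive -Path '%TMP1%' -DestinationPath '%TMP2%\my_compressed_backup.zip'"
move "%TMP2%\my_compressed_backup.zip" "%DST%"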

Once you connect your USB drive, that DST will be a location on that drive. No need for UNC / network, as you are using USB drive. That zip file will hold just bc db and config.yaml, so you can give it to anyone who asks, nothing security related in it, basically no headaches, but jumpstarts chia installation if needed.

By the way, if you have some old SSD and have one free SATA port, I would just add that SSD to your box, and not bother with the external USB drive. All that work is to have a duplicate to jump start if a catastrophic failure happens on your mainnet folder, so having two separate drives in one box is more than good enough. In case your whole box will be fried, your jump-start backup is the last part to worry about.

Actually, not sure why I wrote that xcopy / del there. If only those two files need to be backed up, then just make two copy commands instead, and it will be much cleaner. I guess, I still cannot get over my win today.

I don’t see how it’s any harder to grab the folder /user/mainnet/db/ than it is to grab the folder /user/mainnet/

Not sure if this will work but it might. But that’s not implied by “you don’t need to back those up”. It just means that when you do a fresh install all you need is your mnemonic and copy of the DB.

I’ve tried copy-pasting an old config file back and it didn’t work very well. But you can copy-paste selected parts back to save some time like the plot directories if you have a big farm.
Config file might come in handy, the rest of those folders for sure not.

The only thing I can think of in the mainnet folder that could be an issue is the ssl certificates. I don’t know if that is a problem or not.

Keys are stored in the key files and are in a separate folder outside of /Mainnet/

1 Like
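
The allowlist idea from this thread (keep only the blockchain database and config.yaml, leave the wallet database and the ssl folder out of the copy), as an added Python example that is not part of any post or of Chia's own code. The directory layout, the glob patterns and the sample file names are assumptions; adjust them to the real mainnet folder.

```python
import fnmatch
import tempfile
import zipfile
from pathlib import Path

# Assumed layout (not confirmed in the thread): blockchain database under db/,
# settings in config/config.yaml. Anything not listed here is left out.
ALLOW = ["db/*.sqlite", "config/config.yaml"]
# Safety net: never archived, even if an ALLOW pattern is widened later.
DENY = ["wallet/*", "*/ssl/*", "*.key", "*.crt"]


def _matches(rel, patterns):
    return any(fnmatch.fnmatch(rel, p) for p in patterns)


def build_backup(mainnet, dest_zip):
    """Zip only allowlisted files; return (included, skipped) relative paths."""
    included, skipped = [], []
    with zipfile.ZipFile(dest_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(mainnet.rglob("*")):
            if not path.is_file():
                continue
            rel = path.relative_to(mainnet).as_posix()
            if _matches(rel, ALLOW) and not _matches(rel, DENY):
                zf.write(path, rel)
                included.append(rel)
            else:
                skipped.append(rel)
    with zipfile.ZipFile(dest_zip) as zf:  # check what was actually written
        if sorted(zf.namelist()) != sorted(included):
            raise RuntimeError("archive contents differ from allowlist result")
    return included, skipped


def demo():
    """Run against a constructed tree (sample file names, not real data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "mainnet"
        for rel in ["db/blockchain.sqlite", "config/config.yaml",
                    "config/ssl/ca/private.key", "config/ssl/ca/private.crt",
                    "wallet/db/wallet.sqlite", "log/debug.log"]:
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"constructed sample")
        return build_backup(root, Path(tmp) / "backup.zip")


if __name__ == "__main__":
    print(demo())
```

As in the original post, run it only while no Chia processes are running, so the database file is not copied mid-write.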