UPDATED 12:33 EDT / SEPTEMBER 27 2011


Bitcoin 0.4.0 Will Secure Your Wallet With Native Encryption

This major release of the Bitcoin client hit the digital stacks on September 23, 2011, and it includes a long-awaited security feature: encrypted wallets. Of late, Bitcoin owners have seen increased attempts by outside parties to get at their wallets (during the boom there were quite a few Bitcoin millionaires out there). The update permits users to set an encryption passphrase, which will be required to send Bitcoins from the wallet.

Here’s the meat of the announcement covering the native wallet encryption:

Bitcoin supports native wallet encryption so that people who steal your wallet file don’t automatically get access to all of your Bitcoins. In order to enable this feature, choose “Encrypt Wallet” from the Options menu. You will be prompted to enter a passphrase, which will be used as the key to encrypt your wallet and will be needed every time you wish to send Bitcoins. If you lose this passphrase, you will lose access to spend all of the bitcoins in your wallet, no one, not even the Bitcoin developers can recover your Bitcoins. This means you are responsible for your own security, store your passphrase in a secure location and do not forget it.

Remember that the encryption built into bitcoin only encrypts the actual keys which are required to send your bitcoins, not the full wallet. This means that someone who steals your wallet file will be able to see all the addresses which belong to you, as well as the relevant transactions, you are only protected from someone spending your coins.

The encryption of the wallet appears to be layered: an iterative SHA512 hash derives the password key, AES256-CBC with the password key encrypts the master key, and finally AES256-CBC with the master key encrypts the wallet keys. Repeated iterations are often used in key derivation to make each passphrase guess more expensive, so the key is harder to recover by brute force. At this level, the encryption is more than sufficient for most conventional users.
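The passphrase-to-key step described above, as an added example that is not from the article or the Bitcoin client. It assumes an OpenSSL `EVP_BytesToKey`-style layout (SHA-512 over passphrase plus salt, re-hashed, with the first 32 bytes used as the AES-256 key and the next 16 as the CBC IV); the salt length, round floor and function names are constructed for illustration.

```python
import hashlib
import os
import time

KEY_LEN, IV_LEN = 32, 16   # AES-256 key size and CBC IV size, in bytes
SALT_LEN = 8               # constructed value for this example
MIN_ROUNDS = 25000         # constructed floor for this example


def derive_key_iv(passphrase: bytes, salt: bytes, rounds: int):
    """Hash passphrase||salt with SHA-512, then re-hash the digest rounds-1 times."""
    if rounds < 1:
        raise ValueError("rounds must be at least 1")
    digest = hashlib.sha512(passphrase + salt).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha512(digest).digest()
    # One 64-byte digest covers both outputs: key first, IV next.
    return digest[:KEY_LEN], digest[KEY_LEN:KEY_LEN + IV_LEN]


def seconds_per_derivation(rounds: int, samples: int = 3) -> float:
    """Best-of-N wall-clock cost of one derivation, i.e. of one passphrase guess."""
    salt = os.urandom(SALT_LEN)
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_key_iv(b"constructed sample passphrase", salt, rounds)
        best = min(best, time.perf_counter() - start)
    return best


def calibrate_rounds(target_seconds: float, probe_rounds: int = 20000) -> int:
    """Choose a round count so that unlocking costs about target_seconds here."""
    per_round = seconds_per_derivation(probe_rounds) / probe_rounds
    return max(MIN_ROUNDS, int(target_seconds / per_round))


if __name__ == "__main__":
    salt = os.urandom(SALT_LEN)   # stored next to the encrypted master key
    rounds = calibrate_rounds(0.1)
    key, iv = derive_key_iv(b"constructed sample passphrase", salt, rounds)
    cost = seconds_per_derivation(rounds)
    print(f"rounds={rounds} key={len(key)}B iv={len(iv)}B")
    print(f"one guess costs {cost * 1000:.1f} ms -> {1 / cost:.0f} guesses/s per core")
```

Because only the master key is wrapped under the derived key, changing the passphrase or raising the round count means re-encrypting one small blob rather than every wallet key.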

For most users, this would stop the current wallet-thief Trojan malware in its tracks; however, even the announcement warns that it will not stop malware developers from both stealing your wallet and installing a keylogger to sniff out the wallet passphrase. This is part of the Red Queen race between security and thieves in any instance. Still, keyloggers are much harder to get away with under the nose of modern antivirus than a program that simply grabs a file surreptitiously and e-mails it away.

However, this probably won’t be good enough for most enterprise-level or rapid-send uses of wallets, such as exchanges, which might still want to offload most of their bitcoins into an encrypted volume of their own and only access it through a secure API.

Encrypting the wallet might mitigate future hacks against users and exchanges where the wallet is stolen such as what seems to have happened to MyBitcoin.org—but maybe not what happened to Mt. Gox (i.e. an intruder gaining access to the wallet trading directly) and it won’t stop disasters like Bitomat.pl who actually had their wallet deleted.

