Copayers store its extended private key and their copayer's extended public key locally. We call this the ``Wallet Critical Data``. Extended private keys are never sent to the server.
# Password protection
Local data can be encrypted by the bit-wallet. Use the `-n` parameter to define the access level permited for no password operation. Available access levels are: `none` (password is required for everything, localfile is fully encrypted) `readonly`, `readwrite` and `full` (password is not ever required, local file is fully unencrypted) .
### encrypts everything by default
```
bit create myWallet 2-3 --nopasswd none
Password:
```
### allows readonly operations without password (encrypts xpriv, and leave readonlySigningKey unencrypted)
```
bit create myWallet 2-3 -p --nopasswd readonly
```
### allows readwrite operations without password (only encrypts xpriv)
You can safely access a wallet from different devices. Just copy the wallet file (`bit.dat` by default). If you need to reduce the file to the mínimum (for example to fit it on a QR) or change it's access level (by removing certain data on it), see `export` in the following section.
It is possible to export a wallet with restricted access level. The levels are:
readonly : allows to read wallet data: balance, tx proposals
readwrite: + allows to create addresses and unsigned tx prposals
full : + allows sign tx prposals
`readonly` will only export the Wallet's Extended PublicKeys, and only the derived private key required for signing 'GET' request (readonly) to the server. `readwrite` will add the derived private key required for signing all other requests (as POST) so readwrite access will be possible. And `full` will export also the Extended Private Key, which is necesary for signing wallet's transactions. `bit import` can handle any for the levels correctly.
First time txproposals is running on the air gapped devices, the public keys of the copayers will be imported from the txproposals archive. That information is exported automatically by the proxy machine, and encrypted copayer's xpriv derivatives.
* Extended public keys are stored on the server. This allows the server to easily check wallet balance, send offline notifications to copayers, etc.
* During wallet creation a wallet secret is created by the initial copayer containg a private key. All copayers need to prove they have the secret by signing their information with this private key when joining the wallet. The secret should be shared using secured channels.
* A copayer could join the wallet more than once, and there is no mechanism to prevent it. Copayers should use the command 'confirm' to check other copayer's identity.
* It is not possible to spend wallet funds, since private keys are never sent nor stored at the server
* It is not possible to tamper tx proposals or wallet addresses since they are computed and verified by copayers
* Copayers could switch to another server using their local data (see `recreate` command). In this case only the wallet extended data will be lost (pending and past transaction proposals, some copayer metadata).
