Topic: Airgap Vault on desktops (specifically Linux) (Read 215 times)

The VM is only intended for testing the installation/bootstrapping script, since I have no bare metal lying around for testing purposes.

I'm not sure what exactly you mean. I'm not very familiar with how emulators or VMs work, but if the device doesn't have a secure element chip, then it also applies, no matter what kind of emulator you use.


Once I have time I can look into it again, but it has been a few years, so I don't remember how much it space it uses.

But just to make it clear, as I mentioned earlier, I don't see many advantages of running AirGap Vault in a VM. The distro we made isn't supposed to be run as a VM, but rather on a dedicated computer that doesn't have an operating system installed. Our AirGap distro will be the operating system on that system. Once you boot, it boots directly into AirGap Vault and has no other functionality and does not use any persistent storage.

Hi Andy, thanks for your input.

I incidentally have a Debian 11 VM ready on Virtualbox, with GNOME GUI. It does not have an emulator or any other bloat application on it. Yes, I would appreciate the automated setup script being revived for it. Let me know if you need any bug fixes in the script because I'd be happy to help.

Just tell me how much storage space does the setup script require (including temporary storage) because this VM was created a while ago with a crazy partition layout and I only have 2GB storage free on the root filesystem. So I want to know whether it will work with that little space or if it even works on newer Debian so I can make a new installation if needed.

Cheers!

Hi. Andy here, one of the developers on the AirGap project.


I would recommend using TailsOS because it encrypts the persistent storage by default. Just make sure you use a very strong password.


Ideally, you run AirGap Vault on a device that does not have any networking capabilities (eg. a PC without WIFI card).

A while ago, we created an AirGap Vault Linux Distro https://github.com/airgap-it/airgap-distro, which removes any networking capabilities from the OS. At the time, there was only minimal demand for it, so we discontinued it. But we would be happy to revive the project if there is demand for it again. We'd welcome any PRs that would automate the process of adding the latest AirGap Vault version to the Linux Distribution.


As others have pointed out, this is a tricky problem to solve because you do need some kind of input device to interact with the application, but in theory, and keyboard or mouse could send malicious inputs.

---

There were a few comments here about running AirGap Vault in an Android Emulator or VM.

The security when running AirGap Vault on a mobile device (Android or iOS) comes from the built in secure element hardware chip. It allows for strong encryption that the user can unlock easily using biometrics or the PIN code. If you run AirGap Vault in an emulator, this secure chip will be emulated, so you don't really gain security.

It kind of depends what you want to protect yourself from. If you run AirGap Vault inside a VM, you are basically trying to create a secure and isolated environment in a potentially insecure environment. If your host OS has internet access and is infected with malware, setting up a "secure" VM on that system doesn't really help you, because the malware on the host can just read the keyboard inputs when you enter the mnemonic, or it can read the storage of the VM / emulator. So I don't really see the point in doing that, because it's not an air-gapped setup if the host has internet access.

The only reason I can see for trying to create such an isolated environment is if you don't trust that AirGap Vault won't try to somehow leak the keys over the network. In this case, it makes sense to run it in a sandbox.

But if you want the full advantages of an air-gapped setup, you should run AirGap Vault on a fully air-gapped system, without any networking capabilities.

How about creating a ramdisk and putting the app's working directory into it?

Easiest way I know would be a VM (or simpler: docker container) without peripheral and network access.

It's probably possible to allow the vm to port to the biometrics (especially if they're removable or are uninstalled from the host system/deactivated).

If you're wanting to make things a lot more secure and are trying to achieve airgapping on a device you're hoping to use for other things (I'm making assumptions here) you might want to look at having a VM for both.

I've been thinking of using VMs a lot more for common tasks as I think it'll speed up a computer better if you have a lot of things installed normally (and easier to backup).

I reckon I should make a Virtualbox VM that has just Waydroid on some Linux distro running the Airgap Vault; Anbox is very buggy, and Genymotion doesn't even start for me. Although Waydroid itself is not playing well on my Ubuntu box as I just wrote, hence the need for a VM...

Nice stuff. I've been trying to look for an Android emulator that actually works (and is free).

Edit: I just tried using Waydroid and starting a Wayland session on Kubuntu 22.04 but it crashed my workstation instead, so not cool. Bye bye background tmux sessions.


So I'm guessing that the only way you'd be able to send biometrics to such an airgapped wallet is to collect them from the host system and then pass them through to the guest VM via a virtual serial port.

Linux has support for biometrics and encryption depending on desktop environment you are using.
I know that if you run Fedora linux with Gnome de you can add biometric fingerprint and use to instead password or for login, in Fedora KDE you can use it only instead of password, so it works.
During installation of Linux you can enable disk encryption so anything stored in this drive could be considered secure, if strong password is used.

I don't know exactly how Airgap vault is working, and I never managed to read their technical documentation, if they have it.
All I found is some basic documentation page, with lot of pages dedicated to various shitcoins, so maybe we need to hear more from their developers.
https://support.airgap.it/

Simple way for sort-off running Airgap vault on desktop computer is by using some kind of Android emulator, best I know are open source Waydroid, Anbox or Genymotion Desktop.
Windows has much more options for emulators, but many of them are full of adware crap.

Windows 10 was designed to be able to switch between desktop and tablet if a keyboard wasn't attached (and most devices do - except fixed laptops without some fiddling - most don't have touchscreens though). My laptop also came with integrated biometrics (fingerprint scanners) and it's unlikely to buy a computer without a webcam - you can use parts of the data for making biometrics but shouldn't use all and will have to keep it stored as normal biometrics now use pattern matching so the data can change quite a bit while still being accepted (like putting your finger on a slant).

Completely filling and rewriting the drive would work but would also be intensive. I don't think encrypted folders are yet a thing anywhere (they might be) but there might be a way to add an application that's able to encrypt and decrypt the data along with it to resolve that - there might be ways to hide this information in unsuspecting files to further hide it (so you don't have a bunch of dot dats and malware heuristics don't find the files easily)

I'm sure there's a simple program to takes the last few microseconds/milliseconds of a timestamp and presents them as a random number (it's something that could be tested and would work with other things too).

Blocking peripherals is a hard task, especially if you want your keyboard, mouse and biometrics to remain and some devices could disguise themselves as that - you might be better off using an open source VM for this, controlling the clip pard and limiting Internet access - it's much easier to guarantee if it's segregated. I've seen an example of one of these online but haven't looked into it too much in the past - you can obviously use VMware or virtualbox for the same thing (they're free but not open source).

Over here, it says that AirGap Vault relies on some "mobile specific features (eg. Secure Storage and Biometrics) to secure your mnemonic".

Now as far as I know, Linux doesn't have any of that by default. Windows & Mac don't have this stuff at all, so let's forget about them.

It should be fairly straightforward to make a workflow that can run AirGap Vault with the same security provided by the version for mobile devices. Only a few questions arise:

- How can we securely erase the working data while AirGap Wallet is exiting? Remember that filesystems don't overwrite files in-place so merely writing random data won't work. There must be some kind of package for this. Even better would be some program that makes a temporary, encrypted filesystem before AirGap starts - probably connected by FUSE or something. At least that way, the working directory is scrambled even if the system loses power.
- How to make it run inside a "network jail" where all networking is disabled or a particular process? I am thinking of something like "seccomp-bpf" that is also used in Bitcoin Core but again, there must already be some kind package for this.
- By the same vein, how can USB, serial/parallel ports, and direct peripheral access be disabled for that particular program?
- It is well-known that PCs do not have biometrics scanners, but given that these can simply be purchased separately, and that there are probably libraries that can enable this kind of thing to be done, that's not the least of the problems, but it would be nice if there was a way to require that a key with strong entropy was used for locking the vault, whether it's a fingerprint or some dice rolls (imagine if computer keyboards shipped with a random-number-generator screen with associated ARM processor and you could directly tap a hardware button to send random numbers to the program...)