Topic: Cold storage and using USB to transfer files without malware or viruses? (Read 271 times)

Yes. But i unable to find out whether most distro follow default freedesktop specification or explicitly ignore autostart files.


Webcam support on Linux is great these days, at least for basic/common feature on webcam.

You could potentially make use of Qubes OS for isolating any USB inserted into the device, however to be able to install a operating system in the first place you need some sort of medium. Since, as recommended XP doesn't really cut it. Alternatively, Linux is free, and you could just use whatever distro you want, whack your wallet software (Electrum) on there, and be assured that the software is 100% compatible with the operating system. Who knows what problems a unsupported operating system go throw at you, and ideally when generating a private key or whatever you want that reassurance that its doing it correctly.

Obviously, it would be easy enough to check, but I think it's worth considering.

Highly depends on what distribution you go for, right? Ubuntu these days is basically as user friendly as Windows. Alright, not quite, but it's pretty simple, and the UI/UX has improved ten fold over recent years. Most average users can make the switch within a couple of days. Especially, since if you aren't having the computer connect to the internet or bluetooth, you don't have to worry too much about driver issues from them, which is a common problem I suppose, and since Electrum has a easy way of running the app, simply download, allow to run as executable, and click. It's basically as easy as Windows for this specific usage. Web cam could potentially be an issue without downloading the drivers, but that's something you'd just have to find out if it works without any further configuration/troubleshooting.

Airgap-jumping malware is rare, because it's harder to implement and it's too specific, while hackers are trying to target as many systems as possible. But this doesn't mean that you should ignore it. If you are  transferring data with USB sticks between your laptop and other device, then it's not really cold storage. You could wipe the USB before unplugging it from the laptop to prevent any data from leaving the laptop, but this won't prevent potential malware from doing something like replacing addresses.

Since your laptop has a camera, you could transfer unsigned transaction to the laptop by scanning their QR code, then scan the QR code of signed transaction with your phone or other device with camera. This is nearly the highest level of security you can achieve with this setup, because you can be sure that the only data that flows in and out of cold storage is the data of your transactions.

To be honest, if I were in the place of the OP, it would be more difficult for me to figure out how to create the wallet that the OP plans than to take two or three days to figure out how to set up Linux.
I have been using Linux systems for a long time and trying every system that interests me was very interesting for me at one time. You can install them on VirtualBox, try them, and then understand what is convenient for the user and what is not.

You are creating an airgapped wallet like this, [Guide] Secure air-gapped crypto wallet storage method

It's good to see you are careful with your Bitcoin and how to use your wallet to store your Bitcoin.

You might need a hot wallet to use for more regular transactions. If so, create another wallet and store small part of your Bitcoin there. When you need to spend Bitcoin for something, you can use that hot wallet.

You are right but I didn't mean that the autorun . inf file is the virus/malware (it's nothing but a text file usually used to tell windows which file to auto-execute).
However, if you didn't store any file that needs to be auto-executed (like installers) and see the .inf file then you have to suspect your flash drive has been infected.
Anyway, what I wanted to point out is that USB sticks are one of the quickest mediums to spread malwares and you need to be careful when using them.

While there are many linux distro created/suitable for old computer, some of them probably not suitable for new user. Not all of them are actively developed, have decent amount of user base or good documentation/tutorial.


That's true. But take note autostart/autorun file[1] is exist on linux, although it require user confirmation before it's started. Although IMO it shouldn't be problem as long as user doesn't click "Ok" or "Yes" without reading the message.

[1] https://specifications.freedesktop.org/autostart-spec/latest/ar01s03.html

Whoa, that's quite an old misconception. (I used to see/hear info related to it about 5 years ago)
Autorun.inf isn't a virus, some virus are just utilizing that file to automatically launch itself once the flash drive is plugged in.
But even if your device isn't infected, you'll likely see an autorun.inf file there as long as the owner plugged to a Windows PC and set Windows' autorun feature once.

My old flash drives (with installer files) have one and it was set to launch an installer (which I set to automatically launch):


More info in wikipedia: en.wikipedia.org/wiki/Autorun.inf

Installing linux os will almost eliminate any fear of malware, and you can also use USB just fine.
There is special software called USbGuard that limits and whitelists only specific USB devices, while making all other usb devices unusable:
https://usbguard.github.io/

You can add anything you want offline using USB connection, but make you don't transfer some malware.

I would never use windows XP OS in 2022, it's much better to format hard drive and install fresh Linux OS (Fedora, Ubuntu, etc.).
For camera you can use simple plastic cover that can be purchased for little as $1, and you can this both for privacy protection and for QR codes scanning.
Most Linux OS have camera software by default and you can try finding separate QR code apps.

Personally, I believe using USB sticks to transfer files is more dangerous than being connected to the internet especially for windows users.

Due to the nature of my job in real life, I use them quite frequently and it's rare to find one that is not infected with an autorun virus: when you plug an USB disk, enable the show hidden files option and you're likely to see an autorun. inf file.
The best option to mitigate this risk is to use a Linux distro as most of those malwares and viruses are designed to work on Windows. Besides, Linux OSs prevent files from being executed automatically.
I had Ubuntu 18.04 installed on an old pc with low specs and recently upgraded it to 20.04 and both work just fine with almost all crypto-related apps.

The OP writes that he has an old laptop. This is probably the reason why he preferred to choose such an outdated system as Windows XP.
I remember my first computers, where the RAM was only 512 MB, and I had to disable all unnecessary processes in Windows XP to somehow stir it up.
But OP, choosing one of the Linux systems might help you with speed.
Now, several systems have been created for older computers that allow users to work without loss of performance.

https://www.tecmint.com/lightweight-linux-distributions/

I would get rid of XP and put a Linux on it. And I'm telling you this as a Windows user.
Especially under Windows USB is a high risk, hence, no matter what OS you use, I advise you transfer the information via camera.

On my Win10 Electrum opens the camera directly when I do Tools->Load Transaction->From QR code
Do some tests yourself. If you have another (live) laptop you can start both on testnet and do a test with signing a tx with your cold storage. Then you know you have all you need and can do the proper install and configuration.

To me, there is still risk if you intend to use a USB anyway. If you can use a laptop to make it air-gapped I believe you can afford to buy a laptop that will secure your funds from hackers. The transaction won't happen without a device unless compromise the seed phrase. Hope you got your desired answer from above on how should use the air-gapped device to make a transaction. But still, if you are really concern about funds security then buy a hardware wallet.

I can't test this, but I'm almost certain it won't. Since version 4.2.0, Electrum hasn't worked on Windows 7, so I doubt very much it would work on such an outdated OS: https://github.com/spesmilo/electrum/issues/7728

Even although this is cold storage, I wouldn't feel comfortable using an OS which is decades out of date. OP, you also probably have no choice but to change. The best option will be to format your hard drive and clean install a Linux distro of your choice. If you are used to working with Windows, then Linux Mint might be your best option and the most straightforward to set up. Any decent Linux distro should be able to support your webcam and not require any additional software.

In terms of your questions about installing Electrum, make sure you also verify your download before transferring it to your airgapped computer, and make sure you format the USB drive you are going to use first.

You can still use other USB devices again but be careful of the malware from the(se) previous USBs which might infected your laptop the time you used them. Also be careful of using your laptop online, you might catch some malware if you visit, clicked some malicious websites/services, or installed some malicious applications.

About the QR code, I believe Windows XP can scan QR codes. I'm not aware of the specifics though.

There is a risk and I would advice you do not use a USD or drive on the laptop, to keep it completely airgapped.

You wouldn't need to transfer anything. All you need is to copy the unsigned raw transaction and send that to the air gapped pc. You can also scan the tx qrcode to get the transaction.

AFAIK, it should work alright without you needing to get any other software. Other members could drop that input on that.

As long as you are using the USB stick for no other thing than sending unsigned and signed transaction. But you still have to be very careful of malware, I mean on the device you have your watch-only wallet. It is worth avoiding malware completely.

I will advice you to make use of QR code for transaction signing.

It depends.

Assuming you just want to use the device for cold storage wallet creation in a way you will not have to be using it for making transaction, then no need for transfering anything (which are what is pertaining to signed and unsigned transactions), but in this regard, you can just decide to use the computer to create a cold storage, back up your seed phrase in two or three different locations and you are good. You can just use the computer again for what you want to use it for but after you have deleted the wallet or formatted the device (recommended) to erase to wallet that you created on it.

But you can use the cold storage wallet to sign transactions. Read this: Creating a Cold Storage wallet in Electrum

You will have a watch-only wallet to create unsigned transaction, send it to the cold storage wallet using QR code or USB stick, sign the transaction, use QR code or USB stick to send the signed transaction from your cold storage wallet (back, but signed) to the watch-only wallet to broadcast the signed transaction.

As long as your laptop have webcam, you can use it. I am not certain if the latest Electrum wallet will support Windows XP.

I finally got my laptop ready for cold storage. I removed the bluetooth and Wifi card.

I will next install electrum on the computer by transferring the files from a USB thumb drive.

My question is, should I ever use a USB on this laptop again or is there a risk of transferring viruses?


My other question is, will I ever need to have to transfer anything to the cold storage laptop again after installing electrum? What about the offline signing to send transactions?



The laptop does have a camera on it and its an old windows xp laptop, will I be able to use that camera to read QR codes for offline signing? If so, should I also install software to make sure that feature works?


Thanks, and any additional information on the best way to make this electrum cold storage, with offline signing to send bitcoins from my online computer.