Author

Topic: [Guide] Secure air-gapped crypto wallet storage method (Read 706 times)

legendary
Activity: 2240
Merit: 3150
₿uy / $ell ..oeleo ;(
You need to bump this more often.
sr. member
Activity: 532
Merit: 327
Has anybody else used this guide? If you guys need any help reply here Smiley
sr. member
Activity: 532
Merit: 327
Sure, feel free to spread the knowledge  Smiley
legendary
Activity: 2240
Merit: 3150
₿uy / $ell ..oeleo ;(
Fascinating guide, congrats.
If you allow me I want to list it in my Comprehensive guide into the useful links section.
member
Activity: 138
Merit: 74
NotYourKeys.Org
If anybody needs help or anything let me know by replying here. I will be checking this thread from time to time for new responses.

Hi Sowik! I liked this post so much that I added it on our site that's focused on cryptocurrency security. Don't worry, I didn't copypaste your post. I just linked this post directly. Hope you don't mind. I could take it down if you're not fine with it: https://cryptosec.info/
sr. member
Activity: 532
Merit: 327
If anybody needs help or anything let me know by replying here. I will be checking this thread from time to time for new responses.
sr. member
Activity: 532
Merit: 327
Hey OP, I've noticed some mistakes in the guide. I've PMed you to fix them Smiley

Thanks, I have to edit it on so many websites now  Grin
full member
Activity: 361
Merit: 137
Hey OP, I've noticed some mistakes in the guide. I've PMed you to fix them Smiley
sr. member
Activity: 532
Merit: 327
OK, thanks for the explanation.
This is about software version of wallet on desktop computer.

What if I want to use light mobile HD wallet, like Coinomi for example?
I install it on factory reseted separate mobile phone, which is NEVER connected to network.
Is it still possible to secure-use mobile wallet to deposits and withdrawals?

Not sure, I'm not familiar with Mobile bitcoin wallets. I think Electrum can save and also sign trasactions on its mobile app.
You can't secure the phone like the laptop we secured using this guide.
jr. member
Activity: 61
Merit: 6
OK, thanks for the explanation.
This is about software version of wallet on desktop computer.

What if I want to use light mobile HD wallet, like Coinomi for example?
I install it on factory reseted separate mobile phone, which is NEVER connected to network.
Is it still possible to secure-use mobile wallet to deposits and withdrawals?
sr. member
Activity: 532
Merit: 327
Noob question. Suppose I set up this air-gapped crypto wallet either on laptop or brand fresh Android device.
Just out of curiosity - if I setup a cold wallet without connectivity, how can I check balance and make deposits and withdrawals?

I know, that this question may seem to you trivial, but I really cannot wrap my mind around this idea...

You can check the balance on Bitcoin Block Explorer like blockchain.info.

About making transactions - its in the main post:

Making transactions:

  • When setting up a workflow to make transactions, create a WATCH_ONLY_WALLET by importing your MASTER_PUBLIC_KEY on a networked UNSECURE_MACHINE.  This will create a WATCH_ONLY_WALLET with which you can view the balance of your wallet and create UNSIGNED_TRANSACTION files, but even if a hacker stole this data from you they couldn't steal any of your funds, only look at them.  
  • You can initiate transactions using this WATCH_ONLY_WALLET on a networked UNSECURE_MACHINE, and save them to an UNSIGNED_TRANSACTION file on your flash drive.  
  • The UNSIGNED_TRANSACTION must be signed before being broadcasted to the network as a SIGNED_TRANSACTION so we will sign it securely now
  • Boot your AIR_GAPPED_LAPTOP and open your PRIVATE_DATA wallet, then open the UNSIGNED_TRANSACTION file located on your flash drive, then sign the transaction using this wallet since this is your PRIVATE_KEY version of the wallet on your AIR_GAPPED_LAPTOP, and then save the SIGNED_TRANSACTION file to your flash drive again.
  • Copy the SIGNED_TRANSACTION file back over to your networked UNSECURE_MACHINE and open it in your WATCH_ONLY_WALLET, then broadcast it to the network.
  • There, you've just made a crypto transaction without your PRIVATE_DATA EVER touching a networked UNSECURE_MACHINE!
  • Note, these instructions are very generic but they apply to all crypto wallets that are sufficiently robust.  Figure out how to do it for your specific crypto through your own research, but all of the steps must be identical to this, all you're researching is the specific interface and buttons to press for your specific crypto.
jr. member
Activity: 61
Merit: 6
Noob question. Suppose I set up this air-gapped crypto wallet either on laptop or brand fresh Android device.
Just out of curiosity - if I setup a cold wallet without connectivity, how can I check balance and make deposits and withdrawals?

I know, that this question may seem to you trivial, but I really cannot wrap my mind around this idea...
sr. member
Activity: 350
Merit: 250
So I tried this with my old laptop and I have to say it's a lot harder than it looks. I managed to do it tho, thanks for the guide!
sr. member
Activity: 532
Merit: 327
I feel like this kind of measure is financially justifiable only when you are holding big sum of crypto currencies.

Or when you have an old laptop that you don't use. No point to sell it for like $200.
sr. member
Activity: 350
Merit: 250
Now thats a post that desrves merit!

I feel like this kind of measure is financially justifiable only when you are holding big sum of crypto currencies.
hero member
Activity: 644
Merit: 501
Posting to come back to this later.
sr. member
Activity: 532
Merit: 327
Introduction:

I will use a capitalized syntax for important terms and maintain consistency throughout.  Private data is prefixed with PRIVATE i.e. PRIVATE_DATA.  Containers storing something have that thing's name postfixed with _CONTAINER i.e. PRIVATE_DATA_CONTAINER.  Passwords of a container are postfixed with PASSWORD i.e. PRIVATE_DATA_CONTAINER_PASSWORD. You get the idea.

This guide is harder to create than I thought because there is so much information.  I can't tell whether it's even useful because it assumes you already know a lot of things, and it's hard to enumerate everything you need to know.  If you don't understand how cryptocurrencies even work this guide is not for you.  If you do understand, and you understand concepts like encryption, PUBLIC_KEYs vs PRIVATE_KEYs, etc, and just want a good workflow to set up a secure workstation, this is the guide for you.

NOTE: PLEASE READ THE ENTIRE INSTRUCTIONS BEFORE STARTING ANY OF THE STEPS, AND MAKE SURE YOU UNDERSTAND EVERY INSTRUCTION BEFORE EVEN STARTING.  IF THERE IS ANYTHING YOU DON'T FULLY UNDERSTAND, AND ALSO UNDERSTAND WHY THE INSTRUCTION IS THAT WAY, ASK A QUESTION IN THIS THREAD.  MISUNDERSTANDINGS LEAD TO MISTAKES, AND IF YOU MAKE A MISTAKE YOU LOSE YOUR CRYPTO.

EVERY SINGLE INSTRUCTION MATTERS JUST AS MUCH AS ANY OTHER.  IF YOU CHOOSE TO IGNORE ONE OF THESE INSTRUCTIONS, YOUR ENTIRE SECURITY WORKFLOW BREAKS DOWN AND YOU are --NOT-- SECURE.  FOLLOW EVERY SINGLE INSTRUCTION DOWN TO THE LETTER.

This guide will tell you how to set up a secure air-gapped crypto wallet storage method, called your AIR_GAPPED_LAPTOP which is much more secure than the machine you're using now - your UNSECURE_MACHINE.  Any networked machine that wasn't set up specifically using these directions should be considered an UNSECURE_MACHINE.  It's important to always be in possession of your own private keys (PRIVATE_KEYs), and not let exchanges hold them for you.  It's also important to make sure your PRIVATE_KEYs never touch the internet, PERIOD.  If an UNSECURE_MACHINE gets infected and contains your PRIVATE_DATA (which includes your SEED_PHRASE, PRIVATE_KEYs, and any PRIVATE_DATA like this), your PRIVATE_KEYs can potentially instantly be stolen meaning your crypto is gone.  So let's get down to business

PRIVATE_DATA = red, can ONLY EVER exist in unencrypted form inside of your PRIVATE_DATA_CONTAINER
PUBLIC_DATA = green, can copy to any machine and it doesn't matter too much if someone steals it

This diagram is for hierarchical deterministic wallets which generate ALL of your keys, both PUBLIC_KEYs and PRIVATE_KEYs, from a single SEED_PHRASE:

SEED_PHRASE -> MASTER_PRIVATE_KEY -> PRIVATE_KEYs -> PUBLIC_KEYs -> ADDRESSES
SEED_PHRASE -> MASTER_PRIVATE_KEY -> MASTER_PUBLIC_KEY -> PUBLIC_KEYs -> ADDRESSES

Your PRIVATE_DATA in red: PASSWORDs, SEED_PHRASEs, PRIVATE_KEYs etc. can NEVER touch a network connected machine or be written down.  Period, no exceptions, 100% they cannot ever.  It is unsafe and you can lose your crypto.  You have to be smarter than that.  So store your PRIVATE_DATA in an encrypted file container called PRIVATE_DATA_CONTAINER on an encrypted air-gapped machine so that even if it were hypothetically filled with crypto stealer viruses (which should never happen because you will not be connected to any network and you will not run any unsafe executables) your crypto will never be stolen.  

Note I am highlighting PRIVATE_DATA_CONTAINER in green because since it's encrypted, it's safe to be stolen.  That is the format here.  Red means that you have to make it so that it's 100% impossible to steal because it's heavily encrypted.  Green means it can be stolen and nothing bad happens because they can't access anything private in red.  Furthermore, the AIR_GAPPED_LAPTOP is also in green because someone should be able to steal your laptop and they can't access anything.  PASSWORDs are also in red because they can never be shared or written down anywhere, they should only exist in your brain and only ever be typed on your AIR_GAPPED_MACHINE.

Your MASTER_PUBLIC_KEYs and all data derivable from them can safely be used on even malware infected public library computers, it's not a relevant security issue.  But the PRIVATE_KEYs and ALL PRIVATE_DATA, can never touch anything but the inside of your PRIVATE_DATA_CONTAINER, only decrypted and mounted on your AIR_GAPPED_LAPTOP, not even once, not even if you temporarily disconnect the UNSECURE_MACHINE from the network.  Period.

Note once again the split between PUBLIC_DATA and PRIVATE_DATA.  PUBLIC_DATA can safely be used on any UNSECURE_MACHINE or be given to or stolen by anyone and it doesn't matter.  PRIVATE_DATA must NEVER leave the inside of your PRIVATE_DATA_CONTAINER on your AIR_GAPPED_LAPTOP

Preparation:

  • PRIVATE_DATA_CONTAINER_PASSWORD: Think for a few days of a 64 character password that you will ONLY EVER type into this air-gapped machine.  You will never write it down anywhere, or type it on a network connected machine.  I won't go into password selection techniques, you can figure that out yourself through research if you don't already know, but make it an extremely good one.  This will be the password used to encrypt your PRIVATE_DATA_CONTAINER which is the only place that stores your PRIVATE_DATA
  • OS_CONTAINER_PASSWORD: Think of another password of a similar level of security, but it's not as important as the above password so if it's straining your brain to create two passwords, focus on extra security for the PRIVATE_DATA_CONTAINER_PASSWORD, not the OS_CONTAINER_PASSWORD.  They have to both be completely different, and ideally both as strong as possible, but if you had to favor one password's strength, favor the PRIVATE_DATA_CONTAINER_PASSWORD over the OS_CONTAINER_PASSWORD.
.
Hardware required:

  • "Disposable" LAPTOP (in red because it's not secured yet - this LAPTOP, once turned into an AIR_GAPPED_LAPTOP, is a computer that will ONLY be used for this purpose from now on) which has a removable wireless card and bluetooth card (they are likely on the same chip) and which uses a disk based HDD, not an SSD
  • Flash drive (replace this with read-only CD-R's if you want 100% safety because technically USBs can be infected, but this is typically a state-sponsored, targeted attack not one which spreads online, if I'm wrong please re-inform me.  This is a hassle though and you're most likely safe to just use a flash drive.  Ideally have ONE dedicated brand new flash drive that you ONLY use for communicating between your AIR_GAPPED_LAPTOP and primary UNSECURE_MACHINE which despite being called "UNSECURE" should be well secured in the traditional way with regular OS reinstalls and things like this, but this is all up to your level of hassle and skill here)
  • A handful of microSD cards, they can be small, like 4GB, since you will only store your PRIVATE_DATA_CONTAINER container on them, but make sure they're good high quality name brand ones

AIR_GAPPED_LAPTOP setup instructions:

  • Remove the wireless and bluetooth card from your LAPTOP and plan to NEVER put them back in again, now it has become an AIR_GAPPED_LAPTOP which we still have to set up and encrypt.  Please research your specific model number of laptop and find out every radio transmitter attached to it.  If it's some fancy new laptop with everything built directly into the motherboard this may not work.  You need one a few years old that can let you remove the wireless card and bluetooth card.  If there are any special features like "Samsung SecureCast Data Streaming" or some bullshit (idk just made that up) don't use this laptop unless you're sure it's not a hardware feature that you can remove.
  • We're making it air-gapped by removing all radio transmitters to make sure that even if you got this machine infected with malware, it can't communicate with the outside world so it's less harmful.  Ideally you'd use a Faraday Cage room as well and only ever decrypt anything on this machine inside of that Faraday Cage but that's going overboard by a large margin and it's impractical for most people.
  • Reformat your entire HDD, just delete all partitions so it's in an unformatted and unpartitioned state
  • Partition your machine into two main halves which will both be encrypted, OS_PARTITION and DATA_PARTITION (choose your appropriate sizes based on your OS)  
  • NOTE: the DATA_PARTITION and OS_PARTITION are NOT used to store your PRIVATE_DATA, it is ONLY used to store your encrypted PRIVATE_DATA_CONTAINER.  We are using this separate DATA_PARTITION just for convenience so you can easily wipe your entire OS_PARTITION and reinstall then re-encrypt it if you suspect a security breech, and then you will still have your DATA_PARTITION right there to use immediately after installation.  Note that they are highlighted red because you cannot store private data inside of them, only inside your PRIVATE_DATA_CONTAINER
  • Create an installation disk for your operating system.  Windows is hated for security reasons but it's fine for this scenario because we are running an air-gapped machine, so if you're more comfortable with Windows, use Windows, because correct execution of this method is more important than the distinction between Windows and Linux here.
  • I will give instructions for the Windows scenario because if you use Linux you should be able to translate them into Linux-speak anyway
  • Install your OS on the OS_PARTITION
  • Disable sleep, hibernation, and the page file immediately.  Google how to do this if you don't know how, but make sure you do it.  Reboot multiple times to make sure the settings persist.
  • Copy VeraCrypt onto your flash drive and verify the file hash (this is important).  I suggest installing 7-zip on the AIR_GAPPED_LAPTOP so that you get the easy right click context menu in Windows with a bunch of options for calculating file hashes.  It's really convenient.  Make sure to verify your 7-zip executable file hash too though before trusting any of the hashes it gives you.
  • Like described above, whenever you're copying ANY executable file over to your AIR_GAPPED_LAPTOP, ALWAYS verify the file hash before running it
  • We will use VeraCrypt on Windows for all encryption, for the encryption of everything including the OS_PARTITION, DATA_PARTITION, and most importantly the PRIVATE_DATA_CONTAINER.
  • Implement full-disk encryption on the OS_PARTITION using VeraCrypt.  On the OS, for the Encryption Algorithm you want to use AES(Twofish(Serpent)) and for the Hash Algorithm use SHA-256.
  • Use a Personal Iterations Multiplier (PIM) to increase the number of times your password is hashed to retrieve the drive decryption key, the more the better.  This means when enterring your password it takes longer to verify that it is the correct password, but it also means it takes attackers (really only someone who physically steals your laptop) longer to crack it.  So it's a balance for you between using a high PIM that takes forever to log in, and using a high PIM that stops people from cracking your encryption.  On the OS I believe a value of 98 is the default but you can do more.
  • Note, if you use a PIM you HAVE to remember it, it kind of becomes part of your password.  The higher the number, the more security, but the value itself is not that inherently important so it doesn't need to be semi-random, you can use an easy to remember number like a multiple of hundreds or thousands or a number special to you, but if you want additional security use a seemingly random number that is high, which you will remember.  Note, a higher number is more important than a more random number.
  • Reboot and make sure you can get in safely and remember your password.
  • Encrypt the DATA_PARTITION, you can just use the same settings as the OS_PARITION since this is a convenience partition anyway.  
.
PRIVATE_DATA_CONTAINER setup instructions:

  • You will now create a PRIVATE_DATA_CONTAINER encrypted file container using VeraCrypt.  Store this container file inside your encrypted DATA_PARTITION (and later we will also make many backups of it).  On the PRIVATE_DATA_CONTAINER container, for the Encryption Algorithm you want to use AES(Twofish(Serpent)) and for the Hash Algorithm use Whirlpool.
  • Use a Personal Iterations Multiplier (PIM) to increase the number of times your password is hashed, using the same instructions as earlier.  This is significantly more important though so potentially use a higher number, maybe add a zero to the end of the OS's PIM or something (which makes it 10x more iterations and also makes it take 10x longer to verify the password, but also 10x longer for attackers to crack it).  Ideally it should take 5 to 10 minutes for VeraCrypt to hash your password so it's impossible to crack but still reasonable for you to use it, but this depends on how fast the LAPTOP's CPU is.  Note, you should never be logging into this computer often, it's just a secure workstation for storing your PRIVATE_KEYs and signing UNSIGNED_TRANSACTIONs into SIGNED_TRANSACTIONs.
  • Now that you have your PRIVATE_DATA_CONTAINER, this is where all of your SEED_PHRASEs and therefore PRIVATE_KEYs go.  Keep your entire crypto wallet workflow in here, the executable files for the wallets and everything.  Make sure 100% to verify all of your wallet executable file hashes before executing.
  • I would suggest not running potentially malicious shitcoin wallets on your AIR_GAPPED_LAPTOP.  If you want to do that, please create an entirely new AIR_GAPPED_LAPTOP solely for that purpose please.  If you think you're fancy, dual-boot two different OS_PARTITIONs with different OS_PARTITION_PASSWORDs and also duplicate your DATA_PARTITION and PRIVATE_DATA_CONTAINER.  This is risky and error-phone, use a whole new LAPTOP if you can.
  • Set up your wallets and store the seed phrase in a text file.  Do not write them down irl like wallet programs tell you to because they can be stolen.  Note that this is a single point of failure here - if you forget your PRIVATE_DATA_CONTAINER_PASSWORD or lose all copies of the PRIVATE_DATA_CONTAINER, you're fucked - but we're setting it up so that you can scatter copies all over the world and always have one to retrieve, but only you can access it.  So it's okay.
  • Please note, all PRIVATE_DATA can ONLY ever be written inside of this PRIVATE_DATA_CONTAINER file container.  Do not make a text file containing your SEED_PHRASE on the OS_PARTITION or DATA_PARTITION then copy it into the PRIVATE_DATA_CONTAINER.  This is not safe and you need to securely wipe and delete that file if you do it, but ideally just do not do it at all.  The ONLY place that it is safe to ever write PRIVATE_DATA to the hard drive is WITHIN the PRIVATE_DATA_CONTAINER.
  • Now that all of your PRIVATE_DATA is inside this PRIVATE_DATA_CONTAINER, for all of your wallets, it's time to create redundant backups.  Dismount the container and take all of your handful of microSD cards you bought and copy the container file to each microSD card.  Put one on every backup hard drive you have, on every computer you have.  Put one microSD card in your leather cash money wallet, one in your backpack, one on your desk.  It doesn't matter.  Ideally now if someone steals it they can't get your data because it's encrypted so heavily, as long as you you followed the instructions and made a good password and used a good PIM.  Make sure to have off-site backups too, so store one at your parents house, store one in a safety deposit box, and even upload a copy of the file to reputable private file hosting websites if you want like Google Drive, but if you do that then make sure you have a good password for the website, secured with a password manager etc.  Also some password managers even let you upload some files that are also encrypted according to your password manager's password, so upload your already-encrypted PRIVATE_DATA_CONTAINER there too just like we made copies to microSD cards.  Basically just scatter this container all over the world so you will ALWAYS have a copy, but if someone steals it they can't get inside, and even if you hypothetically had to move all of a sudden or went to jail or something.
  • Note, whenever you add data to your secure container you have to update every backup copy to include it.  I would suggest doing this infrequently and getting everything set up correctly ahead of time.
  • Do it using this method: Adopt a PRIVATE_DATA_CONTAINER naming scheme of PRIVATE_DATA_CONTAINER_2017_05_15.dat, named after the date on which you created it.  Then when you're making an update, copy the current file into your PRIVATE_DATA_CONTAINER_BACKUPS folder.  Now, rename your PRIVATE_DATA_CONTAINER_2017_08_20.dat into PRIVATE_DATA_CONTAINER_2018_01_20.dat with the new current date.  Then open it and add the new data you're wanting to add.  Then, take all of your backup devices and before copying over your new container, put the old one inside that backup device's PRIVATE_DATA_CONTAINER_BACKUPS folder.  I would suggest verifying file hashes of the new container again after copying to make sure there were no undetected data transfer errors.  Better to be safe than sorry.  These backups are just in case you accidentally corrupt your container or deleted something, then propagated it everywhere and had no original copies.  It's better to be safe than sorry.  Repeat this 50 times in your head until it sticks.  It's better to be safe than sorry.

PUBLIC_DATA setup instructions:

  • Now that you've set up your wallets and all of your PRIVATE_DATA is stored securely in your PRIVATE_DATA_CONTAINER which has TONS of redundant backups all over the world, you can now open up your PRIVATE_DATA_CONTAINER on your AIR_GAPPED_LAPTOP and export your PUBLIC_DATA such as your PUBLIC_MASTER_KEYs and ADDRESSES from your wallets.
  • Keep these in an entirely different folder at first within your PRIVATE_DATA_CONTAINER that you will NOT confuse with your PRIVATE_DATA.  Then, one by one copy over this PUBLIC_DATA to your flash drive after manually inspecting the contents of the file in a text editor and verifying that they are indeed only PUBLIC_DATA.  If you don't understand what this means, please ask or do more research...
  • Copy small data like text files containing MASTER_PUBLIC_KEYs (which is all you need but some wallets don't offer this so you'd need ADDRESSES), not large files so you don't accidentally copy any PRIVATE_DATA.  This is EXTREMELY important.  Do NOT accidentally copy PRIVATE_DATA to a flash drive even once, and most important do not ever connect that flash drive to an UNSECURE_MACHINE if you do.  Securely overwrite that file with zeros and then securely wipe the entire flash drive, then delete all partitions, reformat, it, and securely delete the entire device again.
  • Then store the PUBLIC_DATA on a flash drive.  Like I said and I will repeat this again, do NOT copy ANY PRIVATE_DATA to your flash drive even temporarily.  Only PUBLIC_DATA.  So you can safely copy over your MASTER_PUBLIC_KEYs and ADDRESSES, and then make WATCH_ONLY_WALLETs on any UNSECURE_MACHINE.  MASTER_PUBLIC_KEYs are what is used to generate all of your PUBLIC_KEYs and therefore ADDRESSES as described above.  But do NOT copy ANY PRIVATE_DATA
.
Inventory:

  • AIR_GAPPED_LAPTOP: you now have an air gapped machine on which you can safely sign transactions.  This has an OS_CONTAINER_PASSWORD but even if you forget it you don't lose your crypto, you just have to set up the AIR_GAPPED_LAPTOP again
  • PRIVATE_DATA_CONTAINER: you now have a securely encrypted backup copy of all of the private data needed to recover all of your crypto wallets, and it should be stored on many places all throughout the world so you never lose a backup
  • PRIVATE_DATA_CONTAINER_PASSWORD: this should have been a really good 64 character password paired with a good PIM, remember it forever and never write it down, type it on anything but the AIR_GAPPED_LAPTOP, or share it with anyone
  • PUBLIC_DATA: you now have a set of public data which you can safely copy to any unsecure machine and look at wallet balances and created unsigned transaction objects, which you then sign inside of your AIR_GAPPED_LAPTOP
.
Summary:

  • We've basically created a hardware wallet manually
  • Now the only way anyone can steal your funds is by torturing you and making you tell them your PRIVATE_DATA_CONTAINER_PASSWORD, or by spying on you in your own home, or by physically tampering with your AIR_GAPPED_LAPTOP.  Realistically this won't happen but if you're a high profile millionaire make sure not to brag about it.
  • You can now deposit crypto into your ADDRESSES whose PRIVATE_KEYs are held only inside the PRIVATE_DATA_CONTAINER and you can feel safe that they will be there for you to sign transactions with when you want to use them later.
  • You can monitor transaction progress on a networked UNSECURE_MACHINE with your WATCH_ONLY_WALLET created by your MASTER_PUBLIC_KEY described below, which gives you all of the functionality of opening your crypto wallet normally like viewing the balances of addresses and viewing transaction confirmation progress etc., except you can't sign transactions because the PRIVATE_KEYs don't even exist on this UNSECURE_MACHINE and NEVER can because we've made sure of it.
.
Making transactions:

  • When setting up a workflow to make transactions, create a WATCH_ONLY_WALLET by importing your MASTER_PUBLIC_KEY on a networked UNSECURE_MACHINE.  This will create a WATCH_ONLY_WALLET with which you can view the balance of your wallet and create UNSIGNED_TRANSACTION files, but even if a hacker stole this data from you they couldn't steal any of your funds, only look at them.  
  • You can initiate transactions using this WATCH_ONLY_WALLET on a networked UNSECURE_MACHINE, and save them to an UNSIGNED_TRANSACTION file on your flash drive.  
  • The UNSIGNED_TRANSACTION must be signed before being broadcasted to the network as a SIGNED_TRANSACTION so we will sign it securely now
  • Boot your AIR_GAPPED_LAPTOP and open your PRIVATE_DATA wallet, then open the UNSIGNED_TRANSACTION file located on your flash drive, then sign the transaction using this wallet since this is your PRIVATE_KEY version of the wallet on your AIR_GAPPED_LAPTOP, and then save the SIGNED_TRANSACTION file to your flash drive again.
  • Copy the SIGNED_TRANSACTION file back over to your networked UNSECURE_MACHINE and open it in your WATCH_ONLY_WALLET, then broadcast it to the network.
  • There, you've just made a crypto transaction without your PRIVATE_DATA EVER touching a networked UNSECURE_MACHINE!
  • Note, these instructions are very generic but they apply to all crypto wallets that are sufficiently robust.  Figure out how to do it for your specific crypto through your own research, but all of the steps must be identical to this, all you're researching is the specific interface and buttons to press for your specific crypto.
.
Hardware wallets:

  • This is the general principle of how hardware wallets work, you've just implemented one manually yourself on a laptop using this guide.
  • I would highly suggest buying a Ledger Nano S and storing your HARDWARE_WALLET_SEED_PHRASE inside of your PRIVATE_DATA_CONTAINER.  Then you can perform  transactions from the Nano Ledger S.  Keep most of your funds in our hand-crafted PRIVATE_DATA_CONTAINER, but keep your hot wallet funds that you move around and trade with in the Ledger Nano S.
.
Final words:

  • It's better to be safe than sorry overall.  That should be the motto here.  Be security-paranoid over lazy or you will lose your money.  Remember - you are your own bank now, it's your job to secure it.  YOU have to create your own bank vault, our vault is just encryption in this case.  Follow every single direction here perfectly
  • Hopefully this guide is informative.  Note, anything highlighted in RED can ONLY EVER exist in a decrypted state on your AIR_GAPPED_LAPTOP, inside of your PRIVATE_DATA_CONTAINER.
Jump to: