Topic: Guide to offline armory install (Read 16774 times)

cp1
hero member
Activity: 616
Merit: 500
Stop using branwallets
September 06, 2015, 09:15:52 PM
#9
Quote
You could use a persistent live USB instead of a full installation on USB.  But you need to permanently install the software unless you want to re-install it every time.

Whether an updated install is more secure than an un-updated install is difficult to answer.

I would just disable the network in /etc/network/interfaces by setting some dummy value.  I think that wouldn't keep it from giving the annoying waiting for network message on boot?

Very nice tutorial!

I was thinking about a variation: use virtualbox to install Debian inside windows.
The virtual machine would have no network, and an encrypted lvm. I would share files between windows and Linux by sharing a host directory with the VM.

That way, I wouldn't have to reboot each time...

I realise this setup would be a little more vulnerable, but I guess it would still be reasonable.
Or am I missing something?


Every method has a tradeoff of convenience vs security.  Just like in the real world you keep X$ in your wallet that you carry with you, Y$ in your safe, and Z$ in Fort Knox.  Everyone has to decide for themselves what tradeoff they can live with.
legendary
Activity: 3430
Merit: 3080
September 02, 2015, 12:31:03 PM
#8
Quote
You could use a persistent live USB instead of a full installation on USB.  But you need to permanently install the software unless you want to re-install it every time.

Whether an updated install is more secure than an un-updated install is difficult to answer.

I would just disable the network in /etc/network/interfaces by setting some dummy value.  I think that wouldn't keep it from giving the annoying waiting for network message on boot?

I realise this setup would be a little more vulnerable, but I guess it would still be reasonable.
Or am I missing something?

Depends on the risk you're taking, how much you've got and how much it means to you etc.

You're relying on VirtualBox here, and it's probably not ideal as a secure choice of virtualisation software, but it is true that you'll miss a whole load of dumber attacks doing it that way. You may still get hit by something half-way sophisticated though, so: risk. How much do you want?
hero member
Activity: 547
Merit: 500
Decor in numeris
September 02, 2015, 12:21:19 PM
#7
Quote
I was thinking about a variation: use virtualbox to install Debian inside windows.
The virtual machine would have no network, and an encrypted lvm. I would share files between windows and Linux by sharing a host directory with the VM.

That way, I wouldn't have to reboot each time...

I realise this setup would be a little more vulnerable, but I guess it would still be reasonable.
Or am I missing something?

The truly paranoid will tell you what a horrible idea this is.  Personally, I do it that way for my medium-term wallet.  The long-term wallet is on a Raspberry Pi that I rarely turn on.  My short-term wallet is on my phone :)

It is theoretically possible to write a virus that grabs your password from your keyboard, and then use that to decrypt the lvm and steal your wallet (and your wallet password).  But the encrypted lvm is a significant obstacle, the attacker would almost have to attack you personally instead of just spreading a wallet-stealing virus on the net.  I would not worry, unless we are talking about a really large amount of BTC.
hero member
Activity: 896
Merit: 1006
August 29, 2015, 12:48:19 AM
#6
Quote
You could use a persistent live USB instead of a full installation on USB.  But you need to permanently install the software unless you want to re-install it every time.

Whether an updated install is more secure than an un-updated install is difficult to answer.

I would just disable the network in /etc/network/interfaces by setting some dummy value.  I think that wouldn't keep it from giving the annoying waiting for network message on boot?

Very nice tutorial!

I was thinking about a variation: use virtualbox to install Debian inside windows.
The virtual machine would have no network, and an encrypted lvm. I would share files between windows and Linux by sharing a host directory with the VM.

That way, I wouldn't have to reboot each time...

I realise this setup would be a little more vulnerable, but I guess it would still be reasonable.
Or am I missing something?
cp1
hero member
Activity: 616
Merit: 500
Stop using branwallets
August 29, 2015, 12:30:45 AM
#5
You could use a persistent live USB instead of a full installation on USB.  But you need to permanently install the software unless you want to re-install it every time.

Whether an updated install is more secure than an un-updated install is difficult to answer.

I would just disable the network in /etc/network/interfaces by setting some dummy value.  I think that wouldn't keep it from giving the annoying waiting for network message on boot?
legendary
Activity: 1022
Merit: 1008
Delusional crypto obsessionist
August 25, 2015, 02:52:46 PM
#4

Quote
A.  Install Linux

1.  Get the following:
a)  Something to install linux from:  either a CD-R or a USB flash drive (at least 2 GB)
b)  Something to install linux to:  either a USB flash drive (8GB, different from above), or a computer that you'll only use for your bitcoin wallet and nothing else


Why would you install from a USB key to another USB key?
Can't I just download lubuntu for example and burn the ISO to a SD card using Unetbootin?

Quote
22.  Type:  sudo apt-get update
23.  Type:  sudo apt-get upgrade
24.  Get a beer and wait a long time.  It will update your distribution to plug any security holes.  This will be the only time we do this.  If you're paranoid about updating your packages, you can skip this, but you may have problems installing armory.  You could also write your own linux kernel and wallet if you're really paranoid.

Why would you care about security updates when this USB booting machine never should hit the internet or any other network?
Wouldn't it be better to just download a pre-bitcoin linux distribution (older than 2008), to have an even better chance of no exploits being hidden in the OS?

Also, what should be done to completely remove (wireless) network support (ethernet, bluetooth) from such an installation?
Something like? sudo apt-get remove --purge network-manager-gnome network-manager

Shouldn't it be better to remove all network drivers from the installation as well?
eid
hero member
Activity: 616
Merit: 500
November 10, 2013, 01:17:47 PM
#3
Thanks, that was just what I needed.

All safe now :D
eid
newbie
Activity: 37
Merit: 0
August 30, 2013, 03:36:33 PM
#2
Thanks for sharing. In case it is useful, I have created a guide for the installation portion:

https://docs.google.com/document/d/1YoqeEisXpq4b4eYKjADRaIkopgrN5Ye3OGixPhV_9A8/edit
cp1
hero member
Activity: 616
Merit: 500
Stop using branwallets
June 24, 2013, 12:21:55 AM
#1
I wrote a guide for newbies on how to get started using armory for offline transactions.  I thought I'd cross-post it here.


Ultimate in Security:  Offline Wallet

This is a guide to create an offline wallet (cold storage) for your bitcoins using the Armory Offline Wallet, https://bitcoinarmory.com/ .  I don't like seeing posts like "My bitcoins were stolen off my computer or from some website wallet" and I feel that newbies trust their precious coins to places they shouldn't.  This is about as secure as you can get while still having access to your bitcoins.  If you make many transactions per day I’d recommend using this offline storage for a majority of your bitcoins and then using an easier-to-use wallet to hold the bitcoins you need for day to day transactions.  I’m sure most people are happy to trust a website or trust windows or trust their phone to store their private keys, but I’m not.

This involves a wallet stored on a USB key with a clean version of linux.  We'll install linux and the armory wallet to the usb key and then never use that usb key on the internet again.  This will keep our private keys safe.  We'll only boot to that drive after disconnecting from the internet.  We’ll never load our private keys into windows (windows sucks for security).  We’ll only load our addresses so that we know our balance.  The whole process looks like this:

1.  Windows installation is used to create the transaction (address, amount)
2.  Unsigned transaction is transferred to our offline linux installation
3.  Offline linux installed on usb-key contains our private keys and is used to sign the transaction
4.  Signed transaction is transferred to our online windows installation
5.  Online windows installation is used to broadcast the transaction to the network

It involves a lot of setup, but once done you'll have a good deal of security.  Think of it as safe-deposit box instead of an online checking account.

If you have a computer that you can dedicate to your offline bitcoin wallet only, then you can use that instead of a usb-key install.  Substitute that computer below for your offline linux installation.


A.  Install Linux

1.  Get the following:
a)  Something to install linux from:  either a CD-R or a USB flash drive (at least 2 GB)
b)  Something to install linux to:  either a USB flash drive (8GB, different from above), or a computer that you'll only use for your bitcoin wallet and nothing else

2.  Download Xubuntu 12.04.  You can really use any linux distribution.  This one is lightweight and long term.  You can torrent it or straight download the iso:

a)  http://torrent.ubuntu.com/xubuntu/releases/precise/release/desktop/xubuntu-12.04.2-desktop-i386.iso.torrent
b)  http://mirror.anl.gov/pub/ubuntu-iso/CDs-Xubuntu/12.04/release/xubuntu-12.04.2-desktop-i386.iso

2.  Create a bootable version of the xubuntu installer.
a)  You can burn it to the CD-R (http://infrarecorder.org/) or
b)  Install it on your USB key:  Use YUMI http://www.pendrivelinux.com/yumi-multiboot-usb-creator/

3.  Shutdown, insert your CD or USB key, and boot to that device.
4.  If using the USB key, choose linux distributions -> Xubuntu
5.  Once it boots, choose:  Install to a Hard Disk
6.  Choose your language
7.  Don't let it update anything, you can do that later and don't install 3rd party software
8.  Under installation type choose:  "Something else"
9.  Write down all the devices, they look like /dev/sda, /dev/sdb, etc
10.  Insert the second USB key that you want to install linux to and click revert.
11.  Now you should see a new entry, perhaps /dev/sde or such -- this is the USB key you just inserted.  If you don’t see anything, click back, choose something else, and then continue
12.  Choose that new device (your USB key) and click choose new partition table
13.  It will create "free space" -- click that and click Add
14.     Use as:  Ext4
15.     Mount point:  /      (just type a simple forward slash here)
16.  Choose that same USB device (e.g. /dev/sde) under:  device for boot loader installation
17.  Click install now and set your time zone, etc
18.  Choose a username and password
19.  After it's finished installing shut down.  Remove the USB drive you installed linux from; leave the USB drive you installed linux to inserted.
20.  Close any popups that come up
21.  Right click on the desktop and choose: Open terminal here.  Now you're cooking with gas.
22.  Type:  sudo apt-get update
23.  Type:  sudo apt-get upgrade
24.  Get a beer and wait a long time.  It will update your distribution to plug any security holes.  This will be the only time we do this.  If you're paranoid about updating your packages, you can skip this, but you may have problems installing armory.  You could also write your own linux kernel and wallet if you're really paranoid.
25.  Reboot.  Type:  sudo shutdown -r now

Now you have a clean linux installation.  Don't ever leave this in the computer when booting into windows.  Always remove it if you're not going to boot into it.

B.  Install Armory on linux

1.  Boot to your new linux drive
2.  Right click on your desktop and open a terminal window
3.  First install dependencies needed for our wallet:
    Type:  sudo apt-get install python-qt4 python-twisted python-psutil
4.  Then install armory:
    Type:  wget https://bitcoinarmory.googlecode.com/files/armory_0.88.1-beta_i386.deb
    This will get what is currently the latest version of armory.  If a newer version comes out, change the link.
    Type:  sudo dpkg -i armory_0.88.1-beta_i386.deb (or whichever file you downloaded.  You can even type sudo dpkg -i armory and hit tab to auto-complete)

*** From here on out we need to be offline for highest security.  Disconnect from the network (pull the cable or click the little up/down arrow at the top -> disconnect).  If you're not connected to the internet your wallet can't be stolen ***

5.  Run armory in offline mode:  Click the icon (a bird?) in the upper left > Internet > Armory (offline)
6.  Accept the license and click Create your First Wallet!  Click Accept
7.  Choose a password to encrypt your wallet.  Write it down!!  This is extremely important.
8.  If you have a printer hooked up to your computer you can print your wallet backup.  Otherwise write it down by hand.  This is extremely important.  You may even want to delete your wallet and restore from this printed backup to ensure that you wrote it down correctly.
10.  Highlight your new wallet and click Wallet Properties
11.  Create Watching-Only copy.  Save this to your desktop.  This doesn't hold your private keys, so it's not vulnerable to stealing -- it just holds your addresses.  Well it actually holds the algorithm to create all the addresses you’ll ever need, which is nice because it means you only have to do this step once.
12.  Close Armory.
13.  Copy the watching only copy from your desktop to:
  a)  Any USB key *EXCEPT* the one you're currently using for offline linux
  b)  Your computer's hard drive -- if you're using your regular windows computer, click your hard drive on the desktop and copy it right there.  You will use this location many times to transfer your transactions back and forth from windows to linux
14.  Shutdown (upper right corner, or type:  sudo shutdown -h now)
15.  *** Remove your linux USB Key -- keep it safe from your nasty windows OS! ***

III.  Install Armory on Windows
1.  Reboot to windows (re-install ethernet cable)
2.  Download and install armory:  https://bitcoinarmory.com/get-armory/
3.  Run armory & Follow instructions to install bitcoin-qt through armory.  Don't create a wallet.
4.  Click import wallet
5.  Import the watching only wallet you saved earlier
6.  Wait a long time for bitcoin-qt to sync up (could take a day).  Have some beer.  Eventually your balance will go from (...) to 0
7.  Send some bitcoins to this wallet.  Maybe start with just a little and test it out first.

IV.  Transactions (sending from this wallet)
1.  Highlight your offline wallet and click Send Bitcoins, fill in the address, amount, and fee
2.  Click Create Unsigned Transaction
3.  Click save as file -- save this to the same location you saved your watching wallet
4.  Shutdown windows, insert your linux USB-key, remove your ethernet cable, boot to linux
5.  Run armory (offline).  Click offline transactions -> Sign Offline Transaction
6.  Click Load file, choose the unsigned transaction file from step 3.  Click Sign. Save that file.
7.  Reboot to windows, (re-install ethernet cable)
8.  Open armory, grab a beer and wait 10 minutes for it to scan your history (I know, it's very slow)
9.  Offline Transactions -> Sign and/or Broadcast Transaction
10. Load the signed transaction and broadcast it!  (Make sure it's the signed one, not the unsigned one)

Hooray.  Now you have sent bitcoins without trusting your private keys to windows or a website.  It is a pain, but worth it for the security conscious.  You only need part IV from now on.
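
The "from here on out we need to be offline" step in part B, and the replies asking how to make sure the network is really off, can be backed by a check run on the offline machine before Armory (offline) is started. This is an added example, not part of the original posts: the function names are hypothetical, the sample tree is constructed, and only link state and IPv4 default routes are examined (Bluetooth and IPv6 are not).

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the offline machine.

# Print each non-loopback interface that looks live (operstate "up" or carrier).
live_ifaces() {
    sysnet=${1:-/sys/class/net}
    for dir in "$sysnet"/*; do
        [ -d "$dir" ] || continue
        name=${dir##*/}
        if [ "$name" = "lo" ]; then continue; fi
        state=$(cat "$dir/operstate" 2>/dev/null || echo unknown)
        carrier=$(cat "$dir/carrier" 2>/dev/null || echo 0)
        if [ "$state" = "up" ] || [ "$carrier" = "1" ]; then
            echo "$name"
        fi
    done
}

# Print the interface of each IPv4 default route in a /proc/net/route
# style table (Destination and Mask columns both 00000000).
default_route_ifaces() {
    routes=${1:-/proc/net/route}
    [ -r "$routes" ] || return 0
    awk 'NR > 1 && $2 == "00000000" && $8 == "00000000" { print $1 }' "$routes"
}

# Succeed only when nothing suggests a network path; otherwise name it.
assert_offline() {
    found=$( { live_ifaces "$1"; default_route_ifaces "$2"; } | sort -u | tr '\n' ' ')
    if [ -n "$found" ]; then
        echo "NOT OFFLINE: $found" >&2
        return 1
    fi
    echo "offline: no live interface, no default route"
}

# Constructed sample (not real output): eth0 up with a default route, wlan0 down.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/net/lo" "$d/net/eth0" "$d/net/wlan0"
    echo unknown > "$d/net/lo/operstate";   echo 1 > "$d/net/lo/carrier"
    echo up      > "$d/net/eth0/operstate"; echo 1 > "$d/net/eth0/carrier"
    echo down    > "$d/net/wlan0/operstate"
    printf 'Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\n' > "$d/route"
    printf 'eth0\t00000000\t0101A8C0\t0003\t0\t0\t0\t00000000\n' >> "$d/route"
    printf 'eth0\t0001A8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\n' >> "$d/route"
    echo "$d"
}
```

On the offline machine, source the file and call `assert_offline` with no arguments; it then reads `/sys/class/net` and `/proc/net/route` and returns non-zero if any interface is up or a default route exists.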