
Topic: [INFO][TOOL] Key generation - Doing it right! (Read 83 times)

member
Activity: 149
Merit: 16
September 02, 2024, 02:54:13 PM
#2
Great work raghavsood!
This looks like a great base image for someone looking for a secure key generation system.

The building from source is a key element for this, as it allows the build to be auditable, reproducible, and eliminates the attack vector of creating and swapping in malicious ISOs. Reminds me of the yocto/petalinux builds I manage for work - they're also recipe based.

Will try it out when I've got some time on my hands.
copper member
Activity: 406
Merit: 485
Track Burns @ burned.money
September 02, 2024, 02:21:09 PM
#1
Today, I'm announcing an early release of my dedicated operating system image for securely generating, printing, and manipulating key material - this is primarily geared towards collectibles and their makers (and has support for things like vanity addresses), but in theory could be used to bootstrap any wallet.

Presently, this thread is an early preview - things mostly work, but it's not the easiest to use, and can be improved in many ways (mostly ease of use).

Demo

https://ibb.co/9N6Rmpj

This doesn't show the printing aspect as it is running in a virtual machine. Using it on real hardware is also significantly faster (20x or more faster keygen)

Approach

The approach here is simple:

1. The computer must be able to boot off a USB made from my ISO file
2. With absolutely no internet access, no additional USBs plugged in to copy over files/programs, and no roll-your-own-keygen shenanigans, it should be able to generate keys
3. With no external inputs or internet, you can print those keys in a variety of fonts, formats, and QR codes using the tools already installed
4. You shut down the computer, and set the USB stick on fire

Features

The base OS image contains:

1. An offline copy of bitaddress.org
2. An offline copy of iancoleman's bip39 tool
3. A fully compiled vanitygen (oclvanitygen is not included for the moment) with support for multiple processors and vanity addresses
4. Electrum
5. libbitcoin-explorer (also known as the bx cli tool) - very useful for manipulating extended keys, WIFs, hex keys, addresses, seeds, and more
6. A word processor (free and open source - https://en.wikipedia.org/wiki/AbiWord) - It doesn't have all the bells and whistles of Microsoft Word or Google Docs, but it gets the job done, as long as the job you want to do is printing things in a range of font sizes, fonts, and layouts.
7. qrencode cli tool - convert any random data to QR codes and export as an image
8. Ungoogled Chromium - Like Chrome, but without the Google bits
9. dieharder - a well established tool to test the quality of randomness in your system. Mostly intended for advanced users

The bundled tools have been carefully selected to only rely on longstanding, established projects - especially when they might interact with key generation.

The operating system is 100% offline - by default, all network related things are disabled. In theory, you could bring it online, but it would take active effort on your part to hook up a cable and configure the network (DHCP is disabled, as is wireless)

Security

This is all built on top of NixOS - some of you who hang around the technical forums here may have seen it mentioned before, along with GUIX. Both of them are operating systems that focus on declarative builds.

This means that every piece of software loaded into this has an associated derivation (think of it like a recipe) - this instructs the system on how to obtain the source for that software, compile it, and make it usable.

This gives the wonderful benefit that anyone out there can verify that:

1. I have not substituted the code for any of the included software with malicious ones - every input to the system is hashed, and any changes to the code will result in the hash checks failing
2. Anyone else can build this OS image using the derivation I have prepared and independently verify that all the stated inputs are indeed what they are stated to be

This minimizes trust in me, and allows anyone to build it from scratch without relying on any pre-assembled ISOs provided by me.

The ISOs published on GitHub are generated using GitHub actions, with public logs for anyone to see.

Caveats

As always, nothing is perfect. There are a number of caveats any user should be aware of:

1. This is NOT immune to widespread supply chain attacks like the ones recently observed with SSH's backdooring - if an upstream attack makes it into the Nixpkgs repository upstream, it may propagate down to the ISOs prepared by my derivation.
2. vanitygen in particular has a patch (https://github.com/RaghavSood/vanitygen/commit/f0dfc1040732e0a9843e0efa2906bd25748382aa) - this is necessary to make it compile with openssl3. It was originally written to use openssl1, which hit end of life in September 2023 (https://endoflife.date/openssl) and is no longer recommended or supported for security sensitive applications. Due to the magic of Nix, anyone can verify that the only changes made to the samr7 vanitygen code are the ones in the patch linked above, and nothing else. Obviously, if you aren't comfortable with this, you should rely on other tools like electrum, bx, bitaddress, or iancoleman's bip39 tool for the key generation.
3. This only works on x86 computers - it's not going to work on a Raspberry Pi
4. You must be using a fairly common printer - fancy ones are probably not going to have drivers, and you can't install them easily.
5. There is no support for minikeys at the moment
6. There is no support for fancy graphics work like warping text for curved keys (unless you can figure out how to do it in the AbiWord word processor, I couldn't)
7. Usability is still geared towards advanced users - setting up printing and managing the keys into a workable format (especially if you need hundreds of them) is a decent amount of effort. If you have basic scripting skills and know your way around a terminal, it gets much easier.

How do I use this?

It's pretty easy - grab the ISO from my GitHub releases, create a bootable USB drive (plenty of tutorials out there), and boot up a PC. I recommend using a small, dedicated Mini PC (Intel NUC etc) that is solely reserved for key generation and has the SSD/HDD and wifi removed.

If you are familiar with nix, you can also build the ISO yourself using the nix flake in the same repository.

Once you're in, wait for it to finish booting up before you end up on the desktop environment. It's decently intuitive from there if you've used a Linux environment before (see the demo gif for a fast walkthrough).

Future

This is mostly an early announcement - I will be doing up significantly more in-depth documentation and blog posts on technical details and usage. It is already usable by advanced users in its current state, but for the non-technically inclined, there can be some polishing.

If there is sufficient interest, I may put in the effort to prepare a more point and click wrapper around the existing tools that can quickly generate keys, format them to predefined templates/QRs, and print them out.

Show me the Code

https://github.com/RaghavSood/nixos-keygen
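
The hash-pinning property described under Security above, as an added example that is not part of the original post or of the nixos-keygen repository: a simplified Python model (not Nix's actual hashing scheme) of a recipe whose inputs are pinned by SHA-256. All input names, byte strings and the builder string are constructed for illustration.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_inputs(pinned: dict, fetched: dict) -> list:
    """Return the names of inputs that are missing or do not match their pinned hash."""
    bad = []
    for name, expected in sorted(pinned.items()):
        blob = fetched.get(name)
        if blob is None or sha256_hex(blob) != expected:
            bad.append(name)
    return bad

def derivation_id(builder: str, pinned: dict) -> str:
    """Identity of the recipe: a hash over the build steps and every pinned input hash."""
    canonical = json.dumps({"builder": builder, "inputs": pinned}, sort_keys=True)
    return sha256_hex(canonical.encode())

def build(builder: str, pinned: dict, fetched: dict) -> str:
    """Refuse to build when any fetched input fails its hash check."""
    bad = verify_inputs(pinned, fetched)
    if bad:
        raise ValueError("hash mismatch for: " + ", ".join(bad))
    return derivation_id(builder, pinned)

# Constructed sample inputs (hypothetical names, placeholder contents).
UPSTREAM = b"constructed upstream source bytes\n"
PATCH = b"constructed compatibility patch bytes\n"
PINNED = {"tool-src": sha256_hex(UPSTREAM), "compat.patch": sha256_hex(PATCH)}
BUILDER = "apply compat.patch to tool-src, then compile"

if __name__ == "__main__":
    honest = build(BUILDER, PINNED, {"tool-src": UPSTREAM, "compat.patch": PATCH})
    print("recipe id:", honest)

    # Case 1: the source is swapped in transit; the pinned hash no longer matches.
    tampered = {"tool-src": UPSTREAM + b"extra", "compat.patch": PATCH}
    print("tampered inputs rejected:", verify_inputs(PINNED, tampered))

    # Case 2: the publisher swaps the source AND updates the pin. The build
    # succeeds, but the recipe id changes, so the change shows up in the recipe.
    repinned = dict(PINNED, **{"tool-src": sha256_hex(UPSTREAM + b"extra")})
    print("recipe id changed:", derivation_id(BUILDER, repinned) != honest)
```

The second case is why the recipe itself still has to be read: a matching hash only proves the input is the one the recipe names.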