
Topic: Making a portable offline Armory installation with the Gentoo Linux LiveDVD (Read 3931 times)

legendary
Activity: 1400
Merit: 1013
Two questions:

Why use Truecrypt instead of LUKS/dmcrypt?

Does the Gentoo LiveDVD include CUPS and hplip?
hero member
Activity: 651
Merit: 501
My PGP Key: 92C7689C
All this security, but you don't check github's SSL certs?

Using wget to download tarballs from GitHub produces a couple of errors: (1) the certificate isn't trusted and (2) the certificate is issued by an unknown CA.  Since you can download the files within a browser without issue, I suspect it's just some brokenness with wget.  If you wanted to do so, you could use Firefox, Konqueror, or whatever to download the files.
hero member
Activity: 742
Merit: 500
All this security, but you don't check github's SSL certs?
hero member
Activity: 651
Merit: 501
My PGP Key: 92C7689C
A usage tip that would improve security: rather than use an existing TrueCrypt volume that might be used on another machine, consider creating a new one just for Armory. Create it with an outer volume with a password you don't mind giving up if coerced. Have Armory create a wallet in the outer volume that you will never use. Next, create a hidden volume with a nice long password, and have Armory create another wallet in it. This will be your offline wallet. While the outer volume must be FAT32, you can make the inner volume ext2; this should make it inaccessible to most Windows systems even if the password is given.
newbie
Activity: 28
Merit: 0
Nice tut. Currently I use lvm_crypt on Ubuntu, auth on boot.
 Grin
hero member
Activity: 651
Merit: 501
My PGP Key: 92C7689C
I had tried this first with SystemRescueCD, but wasn't able to get that working.  With a little bit less work, though, I was able to get the results I wanted by starting with the Gentoo Linux LiveDVD.  This post outlines the steps needed to get it working.  You'll need an empty flashstick of at least 8 GB capacity (4 GB might work, but there won't be much space left for a TrueCrypt volume and other files) to put this together.  When done, the LiveDVD will be augmented with a copy of Armory that you can boot offline on any computer, plus vanitygen, bitaddress.org, a QR-code generator, and TrueCrypt.

(First, a convention: commands that can be run as a normal user are prefixed below with $. Commands that must be run as root are prefixed with #.)

First, download the image, burn it to a DVD-R, and boot from the DVD. (When asked, pick the x86 kernel.)  Open a root prompt (konsole, then sudo su -), insert the empty flashstick, check the output of dmesg to see where it showed up (it was /dev/sdb on my notebook), and copy the image from the DVD to the flashstick:

Code:
# dd if=/dev/sr0 of=/dev/sdb

Next, we will make the remaining space available.  To do that, though, the partition table on the flashstick needs to be edited so that Windows can access it (if you should need that ability).  This sequence of commands will do that (since the LiveDVD partition starts at block 0, you can't use fdisk to move it):

Code:
# dd if=/dev/sdb of=mbr.prefix bs=1 count=446
# dd if=/dev/sdb of=mbr.gentoo bs=1 count=16 skip=446
# dd if=/dev/sdb of=mbr.empty bs=1 count=16 skip=462
# dd if=/dev/sdb of=mbr.suffix bs=1 count=34 skip=478
# cat mbr.prefix mbr.empty mbr.gentoo mbr.suffix >mbr
# dd if=mbr of=/dev/sdb bs=512 count=1
# fdisk /dev/sdb
  (make partition #1 a FAT32 partition that uses the remaining space)
(unplug and replug the flashstick to make sure the new partition table is loaded)
# mkfs.vfat -n CRYPTOKEY -F 32 /dev/sdb1

We can now boot off of the flashstick (it's faster than continuing to run from the DVD) for the rest of the process.  Log in as the default user again, mount the CRYPTOKEY partition (click the Device Notifier in the system tray, if it's not already showing), and open a shell prompt.

First, we'll add/update some ebuilds that Armory will need:

Code:
$ mkdir /media/CRYPTOKEY/livedvd-btc-tools
$ sudo su -
# euse -D bindist
# emerge -1 truecrypt crypto++ openssl pyopenssl twisted zope-fixers zope-interface
# quickpkg truecrypt crypto++ openssl pyopenssl twisted zope-fixers zope-interface
# rsync -av /usr/portage/packages /media/CRYPTOKEY/livedvd-btc-tools/
# exit

Next, we'll build qtreactor, an Armory dependency not available in Portage:

Code:
$ wget --no-check-certificate https://github.com/ghtdak/qtreactor/zipball/master -O qtreactor-src.zip
$ unzip qtreactor-src.zip
$ (cd ghtdak-qtreactor-* && python setup.py build && sudo python setup.py install)
$ tar czf /media/CRYPTOKEY/livedvd-btc-tools/qtreactor.tar.gz /usr/lib/python2.7/site-packages/gtrial.py \
  /usr/lib/python2.7/site-packages/gtrial.pyc \
  /usr/lib/python2.7/site-packages/qt4reactor-1.0-py2.7.egg-info \
  /usr/lib/python2.7/site-packages/qt4reactor.py \
  /usr/lib/python2.7/site-packages/qt4reactor.pyc \
  /usr/bin/gtrial

Next, we'll build Armory:

Code:
$ wget --no-check-certificate https://github.com/etotheipi/BitcoinArmory/zipball/master -O armory-src.zip
$ unzip armory-src.zip
$ (cd etotheipi-BitcoinArmory-*/cppForSwig && make swig)
$ tar czf /media/CRYPTOKEY/livedvd-btc-tools/armory.tar.gz etotheipi-BitcoinArmory*

vanitygen would be nice to have:

Code:
$ wget --no-check-certificate https://github.com/samr7/vanitygen/zipball/master -O vanitygen-src.zip
$ unzip vanitygen-src.zip
$ (cd samr7-vanitygen-* && make vanitygen && make keyconv && sudo cp vanitygen keyconv /usr/bin)
$ tar czf /media/CRYPTOKEY/livedvd-btc-tools/vanitygen.tar.gz /usr/bin/vanitygen /usr/bin/keyconv

So would bitaddress.org and a QR-code generator, both of which I've combined into one file with a couple of data: URLs:

Code:
$ (cd /media/CRYPTOKEY/livedvd-btc-tools && wget http://alfter.us/files/bitcoin-tools-compressed-urls.html)

Now we need to create a couple of scripts in /media/CRYPTOKEY/livedvd-btc-tools. The first, setup.sh, is run when you first start the system.  It copies all of the updates into place:

Code:
#!/bin/bash
# Run once (as root) after booting the flashstick: unpack the rebuilt
# packages and the tarballs built above into the live filesystem.
for i in $(find packages -name '*.tbz2')
do
  # quickpkg binary packages are bzip2 tarballs with Portage metadata
  # appended, so bzcat warns about trailing data; that warning is dropped.
  bzcat "$i" 2>/dev/null | (cd / && tar xf -)
done
zcat qtreactor.tar.gz | (cd / && tar xf -)
zcat vanitygen.tar.gz | (cd / && tar xf -)
zcat armory.tar.gz | (cd ~gentoo && tar xf -)
# Mount point used by armory.sh for the TrueCrypt volume
if [ ! -d /mnt/tc ]
then
  mkdir /mnt/tc
fi
# Give the gentoo user private copies of the README, the offline web tools
# and the launcher script
for i in README bitcoin-tools-compressed-urls.html armory.sh
do
  cp "$i" ~gentoo && chown gentoo ~gentoo/"$i" && chmod 700 ~gentoo/"$i"
done

The second script, armory.sh, launches Armory.  Before that, it mounts a TrueCrypt volume that will hold your Armory wallet; when it exits, it unmounts the volume.  (Note that the TrueCrypt volume should have an empty directory named .armory in its root.)

Code:
#!/bin/bash
# Mount the TrueCrypt volume holding the wallet (unless it is already
# mounted), run Armory offline against it, then unmount it again.
unmount_when_done=n
if [ ! -d /mnt/tc/.armory ]
then
  truecrypt /media/CRYPTOKEY/wallets.tc /mnt/tc && \
  unmount_when_done=y
fi

# Unmount on every exit path, including Ctrl-C, so the wallet volume is
# not left open if Armory is interrupted rather than closed normally.
cleanup() {
  if [ "$unmount_when_done" = "y" ]
  then
    truecrypt -d
  fi
}
trap cleanup EXIT

if [ -d /mnt/tc/.armory ]
then
  (cd etotheipi-BitcoinArmory-* && python ArmoryQt.py --offline --datadir=/mnt/tc/.armory/)
fi

Finally, it would be nice to have a README you can glance at when you've forgotten how this works:

Code:
Installing This Package
=======================

$ sudo bash setup.sh

Running Armory Offline
======================

$ bash armory.sh

This will mount the TrueCrypt volume (if it isn't already) and launch
Armory.  When Armory is closed, if the TrueCrypt volume needed to be
mounted, it is unmounted.

Offline bitaddress.org & QR-code generator
==========================================

$ firefox bitcoin-tools-compressed-urls.html

Konqueror works, too.

Vanity Key Generation
=====================

The Gentoo LiveDVD doesn't include proper drivers for OpenCL acceleration,
so splitting the generation between this machine and another machine on
which acceleration is available might be a bit faster than using the offline
machine's CPU.

Here, get a new key:

$ keyconv -G
Pubkey (hex): 0452a0bc0f001ee81c388b89e190cc72fccea836336a2f1e6c72fa0b46150a6d70c2a5f194bf171ffea8b7a634d752b64bbfbf6fc1a9fd5581294436f462418072
Privkey (hex): 126A4ECE0B27B37B6DE41B93AB57F4767C84419806A6881F83290D88F47CF910
Address: 1M5EMEM15DZkt8ZCYdEM3aH9dpaXodCJNp
Privkey: 5HxPyVGXV8mrCYgSNHGEtJTc4byJWM8vUkxCPhZj5Kq96bqEAbC

Transfer the hex pubkey to the machine with the GPU.  Run oclvanitygen:

$ oclvanitygen -P 0452a0bc0f001ee81c388b89e190cc72fccea836336a2f1e6c72fa0b46150a6d70c2a5f194bf171ffea8b7a634d752b64bbfbf6fc1a9fd5581294436f462418072 1foo
Difficulty: 4553521
Pattern: 1foo
Address: 1foogbZ1fJE7J6xat7KvrGMWtgDpCZMUU
PrivkeyPart: 5HqWG19tTpLunqoPzUeDCUndyxsamy5Fi2EkCeFMGmC7Kg5qCZR

Transfer the PrivkeyPart back here.  Combine it with the Privkey generated
here to get your vanity address and private key:

$ keyconv -c 5HxPyVGXV8mrCYgSNHGEtJTc4byJWM8vUkxCPhZj5Kq96bqEAbC 5HqWG19tTpLunqoPzUeDCUndyxsamy5Fi2EkCeFMGmC7Kg5qCZR
Address: 1foogbZ1fJE7J6xat7KvrGMWtgDpCZMUU
Privkey: 5HyceoyKsVYmjP6ZKZTYzjW7py1y5BM6Ty8ANAmL7DAcFXrAbPA

With all of those files in place, you should be able to reboot from the flashstick, mount the CRYPTOKEY volume, and follow the README to get into your offline Armory.  
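The partition-table surgery in the post (the dd commands that split the MBR into a 446-byte prefix, two 16-byte partition entries and a 34-byte suffix) is easy to get wrong by a single byte, and dd writes whatever it is handed straight back to the device. As an added example, not code from the post, here is the same entry swap done on a 512-byte MBR image in Python, with the checks a practitioner would want before writing anything back: the 0x55AA signature is present, the swap is reversible, and the new FAT32 entry does not overlap the LiveDVD entry that starts at sector 0. The sample MBR, partition sizes and type codes are constructed for the demonstration.

```python
"""Partition-entry swap on a 512-byte MBR (added example, not code from
the post). Mirrors the dd arithmetic: 446-byte bootstrap prefix, four
16-byte partition entries at offsets 446, 462, 478 and 494, and the
0x55AA signature at offset 510. The sample MBR is constructed."""
import struct

BOOTSTRAP_LEN = 446
ENTRY_LEN = 16
ENTRY_COUNT = 4
SIGNATURE = b"\x55\xaa"
# Partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes),
# LBA start (little-endian uint32), sector count (little-endian uint32).
ENTRY_FMT = "<B3xB3xII"


def entry_offset(index):
    if not 0 <= index < ENTRY_COUNT:
        raise IndexError("an MBR has only four primary entries")
    return BOOTSTRAP_LEN + ENTRY_LEN * index


def check_mbr(mbr):
    """Refuse to touch anything that is not a plausible MBR sector."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")


def parse_entry(mbr, index):
    off = entry_offset(index)
    status, ptype, lba_start, sectors = struct.unpack(
        ENTRY_FMT, mbr[off:off + ENTRY_LEN])
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def set_entry(mbr, index, ptype, lba_start, sectors, bootable=False):
    """Return a copy of mbr with entry `index` replaced (CHS fields zeroed)."""
    check_mbr(mbr)
    off = entry_offset(index)
    raw = struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00,
                      ptype, lba_start, sectors)
    return mbr[:off] + raw + mbr[off + ENTRY_LEN:]


def swap_entries(mbr, a, b):
    """Return a copy of mbr with entries a and b exchanged: the effect of
    'cat mbr.prefix mbr.empty mbr.gentoo mbr.suffix' in the post."""
    check_mbr(mbr)
    oa, ob = entry_offset(a), entry_offset(b)
    ea = mbr[oa:oa + ENTRY_LEN]
    eb = mbr[ob:ob + ENTRY_LEN]
    buf = bytearray(mbr)
    buf[oa:oa + ENTRY_LEN] = eb
    buf[ob:ob + ENTRY_LEN] = ea
    return bytes(buf)


def overlapping_entries(mbr):
    """Index pairs of in-use entries whose sector ranges overlap."""
    used = [(i, parse_entry(mbr, i)) for i in range(ENTRY_COUNT)]
    used = [(i, e) for i, e in used if e["type"] != 0 and e["sectors"] > 0]
    pairs = []
    for x in range(len(used)):
        for y in range(x + 1, len(used)):
            i, a = used[x]
            j, b = used[y]
            if (a["lba_start"] < b["lba_start"] + b["sectors"]
                    and b["lba_start"] < a["lba_start"] + a["sectors"]):
                pairs.append((i, j))
    return pairs


LIVEDVD_SECTORS = 4_000_000   # constructed: ~2 GB image in 512-byte sectors
STICK_SECTORS = 15_000_000    # constructed: ~7.5 GB flashstick


def sample_mbr():
    """Constructed isohybrid-style MBR: entry 1 covers the image from
    sector 0, entries 2-4 are empty."""
    mbr = bytes(510) + SIGNATURE
    return set_entry(mbr, 0, 0x83, 0, LIVEDVD_SECTORS, bootable=True)


def relayout(mbr):
    """The post's procedure: move the LiveDVD entry to slot 2 and put a
    FAT32 (type 0x0C) partition in slot 1 covering the remaining space."""
    swapped = swap_entries(mbr, 0, 1)
    start = parse_entry(swapped, 1)["sectors"]
    fat = set_entry(swapped, 0, 0x0C, start, STICK_SECTORS - start)
    if overlapping_entries(fat):
        raise ValueError("new partition overlaps the LiveDVD image")
    return fat


if __name__ == "__main__":
    new = relayout(sample_mbr())
    for i in range(ENTRY_COUNT):
        print(i + 1, parse_entry(new, i))
```

To apply this to a real stick, read the sector with the post's dd form (dd if=/dev/sdb of=mbr.orig bs=512 count=1), run relayout on the file contents, and write the result back only when overlapping_entries returns an empty list; the fdisk step in the post then only needs to confirm the new partition rather than create it.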
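The README's vanity-address section is an instance of split-key generation: keyconv -G produces a private part k1 and its public key, oclvanitygen -P searches for a second scalar k2 such that pub(k1) + k2*G has the wanted prefix, and keyconv -c adds the two scalars. The security property is that the GPU machine only ever holds pub(k1) and its own k2, so it cannot spend from the final address. The following is an added example, not code from the post or from vanitygen; it implements secp256k1 point addition and scalar multiplication from scratch to show the identity pub(k1 + k2) = pub(k1) + pub(k2) that the scheme relies on. To stay dependency-free, the toy search matches a hex prefix of the public key's x coordinate instead of a Base58 address, and the scalar k1 is a constructed value, not a real key.

```python
"""Split-key vanity generation on secp256k1 (added example, not from the
post or from vanitygen). Shows why the GPU-side search never learns the
final private key: pub(k1 + k2) == pub(k1) + pub(k2)."""

# secp256k1 domain parameters: field prime, group order, generator
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P   # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point=G):
    """Double-and-add: k * point."""
    result, addend = None, point
    k %= N
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def x_prefix(point):
    """Hex x coordinate; stands in for the Base58 address in this toy."""
    return "%064x" % point[0]


def offline_generate(k1):
    """Offline machine (keyconv -G): keep k1, hand out only pub(k1)."""
    return scalar_mult(k1)


def gpu_search(pub1, wanted, max_tries=500000):
    """GPU machine (oclvanitygen -P): walk k2 = 1, 2, ... adding G each
    step, so candidate == pub1 + k2*G without ever touching k1.
    Returns (k2, matching point); k2 is the 'PrivkeyPart'."""
    candidate = pub1
    for k2 in range(1, max_tries + 1):
        candidate = point_add(candidate, G)
        if x_prefix(candidate).startswith(wanted):
            return k2, candidate
    raise RuntimeError("no match within max_tries")


def offline_combine(k1, k2):
    """Offline machine (keyconv -c): final key, never seen by the GPU side."""
    return (k1 + k2) % N


def verify_combined(k, reported_point):
    """Offline check before use: pub(k) must equal what the GPU reported."""
    return scalar_mult(k) == reported_point


def demo(wanted="ab"):
    # constructed scalar for the demonstration, not a real key
    k1 = 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
    pub1 = offline_generate(k1)
    k2, found = gpu_search(pub1, wanted)
    k = offline_combine(k1, k2)
    return k1, k2, k, found


if __name__ == "__main__":
    k1, k2, k, found = demo()
    print("k2 (PrivkeyPart):", k2)
    print("x prefix:", x_prefix(found)[:8])
    print("pub(k1+k2) == pub(k1)+pub(k2):",
          scalar_mult(k) == point_add(scalar_mult(k1), scalar_mult(k2)))
```

The verify_combined step is the check worth keeping from this toy: keyconv -c prints the address of the combined key, and it should match the address oclvanitygen reported before anything is sent to it, which catches a mis-copied PrivkeyPart or a search that ran against the wrong public key.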