offline air-gapped electrum | Bitcointalksearch.org

hosseinimr93

legendary

Activity: 2380

Merit: 5213

Quote from: Yamane_Keto on June 13, 2023, 04:16:29 AM

I do not think that there is a way to QR phishing here.

The point here is that you should check the address, whether you copy-paste it or you use a QR code. As mentioned by o_e_l_e_o, the risk is never zero.

Quote from: Yamane_Keto on June 13, 2023, 04:16:29 AM

Can hackers modify signed message?

No.
If you change the receiving address or any other data, the signature will become invalid and you have to sign the transaction again.

Quote from: Yamane_Keto on June 13, 2023, 04:16:29 AM

Assuming Metamask shows the first 6 characters and the last 6 characters, 12 characters total, I think that's enough.

I remember Metamask used to display the first 4 and the last 4 characters.
I just pasted an ETH address in Metamask to see if it's still the same. It displayed the first 11 and the last 4 characters.

Yamane_Keto

sr. member

Activity: 406

Merit: 443

Quote from: o_e_l_e_o on June 13, 2023, 02:59:09 AM

That's exactly my point - double check everything. Assuming QR codes are zero risk is a bad idea. They are only as good as the software/device which generates them, and if that device is compromised, then so too is your QR code.

I do not know, but the chances of this succeeding seem slim, because either by changing the receiving address, which I liken to a clipboard virus, or that the software that you downloaded is not official, otherwise I do not think that there is a way to QR phishing here.

Can hackers modify signed message? Or tamper with the content of master public key without downloading an unofficial version?

Quote from: adaseb on June 13, 2023, 12:52:27 AM

I know with certain software like Metamask it’s more risky because the extension uses a small portion of desktop space and only shows the first few characters and last few characters. So it’s harder to verify the address you are sending it too is one of your own wallets.

Assuming Metamask shows the first 6 characters and the last 6 characters, 12 characters total, I think that's enough.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18509

Quote from: adaseb on June 13, 2023, 12:52:27 AM

However with electrum you can see the entire address and amounts you are sending it too. So you should always verify and double check everything.

That's exactly my point - double check everything. Assuming QR codes are zero risk is a bad idea. They are only as good as the software/device which generates them, and if that device is compromised, then so too is your QR code.

adaseb

legendary

Activity: 3738

Merit: 1708

Quote from: o_e_l_e_o on June 05, 2023, 10:59:28 AM

Quote from: Aikidoka on June 05, 2023, 10:17:16 AM

This is actually perfect and carries 0 risk of being infected by a USB when you use it every time back and forth between your airgapped device and your online PC.

There is no such thing as zero risk.

You are right in saying it is a very secure method, but risk is never zero. Assuming your set up is perfectly safe is a bad idea, because it leads to you cutting corners and taking shortcuts thinking that nothing can go wrong. QR codes are only as good as the device which generates them. It is entirely possible for malware on your watch only device to generate a QR code which encodes a transaction which sends your coins to the wrong place. You scan that in to your airgapped device thinking nothing can go wrong, and you end up signing a malicious transaction.

QR codes are good, but you should always double check what the QR code is encoding/decoding.

Just read that you replied to my earlier post.

Yes I agree that it’s possible the watch only online wallet can have a phishing QR code which if signed and broadcasted could lead to sending the funds to the wrong address.

However with electrum you can see the entire address and amounts you are sending it too. So you should always verify and double check everything.

I know with certain software like Metamask it’s more risky because the extension uses a small portion of desktop space and only shows the first few characters and last few characters. So it’s harder to verify the address you are sending it too is one of your own wallets.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18509

Quote from: new19980 on June 05, 2023, 03:49:40 PM

what about this singing methode is it better then QR code ?
https://electrum.readthedocs.io/en/latest/coldstorage.html

This is the exact same method as using QR codes to transfer transactions between online and airgapped wallets. This method simply says "transfer the transaction file to your offline machine (e.g. with a usb stick)."

Transferring with QR codes or USB sticks are both equally possible. I prefer using QR codes for two reasons. First of all, it's a bit quicker to simply point a camera at a QR code than it is to save a file, transfer to a USB stick, and move that USB stick between devices. Secondly, and more importantly, is it is harder to transfer malware or leak private keys via a QR code than it is via a USB stick. Even the smallest USB stick will have hundreds of megabytes of empty space in which malware could copy itself to, whereas this is largely not possible (or at least far more difficult and noticeable) with QR codes.

So yes, you can use USB sticks if you like, and it is still very safe, but QR codes are safer (provided you are double checking everything as I explained two posts up).

new19980

newbie

Activity: 42

Merit: 0

Quote from: o_e_l_e_o on June 04, 2023, 01:58:45 PM

Quote from: new19980 on June 04, 2023, 01:41:52 PM

if im using a laptop as an offline air-gapped electrum wallet how to scan the QR code to sign the transaction should i link a camera to the laptop ?

You are going to be unable to scan a QR code without a camera, so yes, you'll need to buy a USB webcam or similar if your laptop does not have a built in webcam.

Your other option is to transfer your transactions back and forth via a USB drive, although this carries a slightly higher risk of transmitting malware or leaking your keys than via QR code.

what about this singing methode is it better then QR code ?
https://electrum.readthedocs.io/en/latest/coldstorage.html

o_e_l_e_o

legendary

Activity: 2268

Merit: 18509

Quote from: Aikidoka on June 05, 2023, 10:17:16 AM

This is actually perfect and carries 0 risk of being infected by a USB when you use it every time back and forth between your airgapped device and your online PC.

There is no such thing as zero risk.

You are right in saying it is a very secure method, but risk is never zero. Assuming your set up is perfectly safe is a bad idea, because it leads to you cutting corners and taking shortcuts thinking that nothing can go wrong. QR codes are only as good as the device which generates them. It is entirely possible for malware on your watch only device to generate a QR code which encodes a transaction which sends your coins to the wrong place. You scan that in to your airgapped device thinking nothing can go wrong, and you end up signing a malicious transaction.

QR codes are good, but you should always double check what the QR code is encoding/decoding.

Aikidoka

sr. member

Activity: 1078

Merit: 342

Sinbad Mixer: Mix Your BTC Quickly

Quote from: adaseb on June 05, 2023, 12:19:55 AM

Regarding the scanning of the QR code. What I do is this. I don’t use a usb drive back and forth due to the slightest risk of infecting the cold computer.

I have an old digital camera and an old laptop. The laptop has a slot to read flash cards like the old style ones that digital cameras used. So I just use an old digital camera from like the year 2000. Take a photo, and take out the flash card and put it into the offline computer. This way it never touches the online computer.

Then use a program like QR decoder and copy that code to electrum and it will read the unsigned transaction.

This is actually perfect and carries 0 risk of being infected by a USB when you use it every time back and forth between your airgapped device and your online PC.

After reading your post, I remembered that I have an old camera with an SD card port which I rarely use and my air-gapped laptop has an SD card slot, so it would be great to use it. I think I could also connect my camera to the laptop using a USB cable and transfer the picture. Later, I can use a QR decoder to broadcast the transaction via Electrum.

I recently watched a YouTube video where a person shared credentials using an air-gapped computer without any networking or USB connection. He did that by utilizing two laptops with cameras, which is also a highly secure method. You can watch the video here

adaseb

legendary

Activity: 3738

Merit: 1708

Regarding the scanning of the QR code. What I do is this. I don’t use a usb drive back and forth due to the slightest risk of infecting the cold computer.

I have an old digital camera and an old laptop. The laptop has a slot to read flash cards like the old style ones that digital cameras used. So I just use an old digital camera from like the year 2000. Take a photo, and take out the flash card and put it into the offline computer. This way it never touches the online computer.

Then use a program like QR decoder and copy that code to electrum and it will read the unsigned transaction.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18509

Quote from: new19980 on June 04, 2023, 01:41:52 PM

if im using a laptop as an offline air-gapped electrum wallet how to scan the QR code to sign the transaction should i link a camera to the laptop ?

You are going to be unable to scan a QR code without a camera, so yes, you'll need to buy a USB webcam or similar if your laptop does not have a built in webcam.

Your other option is to transfer your transactions back and forth via a USB drive, although this carries a slightly higher risk of transmitting malware or leaking your keys than via QR code.

new19980

newbie

Activity: 42

Merit: 0

Quote from: Z-tight on June 01, 2023, 07:27:26 AM

I use the QR code option for importing created transactions from the watch-only wallet into the air-gapped wallet, and also for importing signed transactions into the online watch-only wallet for broadcasting, i think this option is more user-friendly.

After creating the tx in the watch-only wallet, you click on the QR code, and you use the offline wallet to scan this QR code, the transaction will be imported into the offline wallet, after signing, you click on the QR code and use the watch-only wallet to scan the QR code, once it is imported into the online wallet, you can now broadcast the transaction to the network.

if im using a laptop as an offline air-gapped electrum wallet how to scan the QR code to sign the transaction should i link a camera to the laptop ?

BitMaxz

legendary

Activity: 3234

Merit: 2943

Block halving is coming.

Quote from: 22bits on June 01, 2023, 09:49:24 PM

Is anyone doing this and what is the app they are using to allow offline signing of ETH transactions and then port over to separate computer to broadcast, same flow as with Electrum?

If you talking about ETH then you should make another thread to the altcoin section to get the right response.

And I think there is no app yet for ETH that can make offline transaction but they do have a web version that you can also with your phone check this link here

khaled0111

legendary

Activity: 2506

Merit: 2832

Top Crypto Casino

^^
If you want full anonymity and full privacy then you should connect you Electrum wallet to your own server.
Even if you look up one if your addresses on an online explorer (without providing the master public key) then there is a high risk of exposing your other addresses (by tracking change addresses and consumed inputs).
If you want full privacy then better connect to your own servers.

Charles-Tim

legendary

Activity: 1512

Merit: 4795

Quote from: Aikidoka on June 02, 2023, 07:18:56 AM

Using any online website by sharing your MPK with them would put your privacy at risk, so in my opinion it's better to use the watch-only wallet created by Electrum.

This is one of the worst thing to do. But using Electrum without the use of Tor means no anonymity too. If you want anonymity, you can check address on an explorer with Tor, but inputting your master public key on an explorer is insane.

For privacy, you have no other option than to go for full node wallet, using Tor with it.

For anonymity, you have no option than to use Tor while using a wallet.

If you use IP address on a wallet, no privacy no anonymity too.

But inputting your master public key on an explorer is insane. Watch-only wallet is the proper way.

Aikidoka

sr. member

Activity: 1078

Merit: 342

Sinbad Mixer: Mix Your BTC Quickly

Quote from: Sarah Azhari on June 01, 2023, 08:02:56 PM

~snip~

He doesn't need to create two wallets, it's just one wallet on the air-gapped device. The other one is a watch-only wallet that uses his MPK. I haven't tried any Explorer like the one on blockchain.com, I just clicked on the link you posted and I couldn't find the addresses that belongs to that MPK. Maybe it's not there or I just don't know how?

To be honest, I think Electrum would be better. It shows basically everything and all the addresses of your wallet, as you can see in the picture below. Using any online website by sharing your MPK with them would put your privacy at risk, so in my opinion it's better to use the watch-only wallet created by Electrum.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18509

Quote from: Sarah Azhari on June 01, 2023, 08:02:56 PM

-snip-

He needs a watch only wallet in order to create transactions for his airgapped wallet to sign. You cannot do this with a block explorer. Further, your watch only wallet should be connected to your own node for your privacy. Handing your xpub to a blockchain explorer is a privacy disaster.

nc50lc

legendary

Activity: 2394

Merit: 5531

Self-proclaimed Genius

Quote from: 22bits on June 01, 2023, 10:20:51 AM

Interesting about scanning the QR code, what do you use the scan it? Not sure how I would have the airgapped computer read a QR code.

I have a reply in the link below your reply, but that's only for scanning a raw transaction's QR code.

For the master public key, you can scan it in 'install wizard' menu: "Standard wallet->Use a master key" via the camera icon [

] below the area where you normally type/paste the master public key.
For the offline wallet's master public key QR Code, you can display it in the "Wallet->Information" menu using the QR code icon: [

]

22bits

jr. member

Activity: 54

Merit: 15

I will ask this new but related question here as someone using Electrum on Tails might be able to help. Feedback so far has been great by the way, thanks all

So I will be running Tails offline and then using offline signing in Electrum and use usb thumb drive to go back and forth to broadcast. I would actually like to do a similar technique with ETH, and see most of the offline signing options available involve using another device like android, but I would like to use the app on Tails the same as Electrum. Is anyone doing this and what is the app they are using to allow offline signing of ETH transactions and then port over to separate computer to broadcast, same flow as with Electrum?

Sarah Azhari

hero member

Activity: 854

Merit: 737

Quote from: hosseinimr93 on May 31, 2023, 08:53:00 PM

You need to have two wallets. One of them should be an offline wallet and the other one should be a watch-only wallet on an online device.
The offline wallet is used for signing transactions and the online wallet is used for seeing your balance and transactions history, creating unsinged transactions, and broadcasting transactions.

Another way is Explorer, OP shouldn't create 2 wallets or a watch-only wallet for just tracking his balance, he can use Explorer, like blockchain.com. This is more simple and can save his device space.

For example, xpub/zpub I create from electrum:

https://www.blockchain.com/explorer/assets/btc/xpub/zpub6oLs8QUeZV4d4g4686uK5ZC4ApUhMYAG4AQznZpik7gcyqbXBNquxP9ir2XDqpvnkgZAeWUrSatVNjBgspRFuo59o1TuAfTf2EzmdCn6iWA

If OP doesn't know how to get the master public key, he must go to the wallet setting on top, and then click the information, like the picture below:

Sidney986

member

Activity: 81

Merit: 30

See this link for adding camera

https://bitcointalksearch.org/topic/webcam-electrum-5369457

hosseinimr93

legendary

Activity: 2380

Merit: 5213

Quote from: Yamane_Keto on June 01, 2023, 10:07:24 AM

That public key starts with Xpub

The master public key starts with xpub, only if your wallet is legacy.
If your wallet is native segwit (which is the default wallet type, when you generate a new wallet on electrum), your master public key would start with zpub.

22bits

jr. member

Activity: 54

Merit: 15

Quote

I use the QR code option for importing created transactions from the watch-only wallet into the air-gapped wallet, and also for importing signed transactions into the online watch-only wallet for broadcasting, i think this option is more user-friendly.

Interesting about scanning the QR code, what do you use the scan it? Not sure how I would have the airgapped computer read a QR code.

Yamane_Keto

sr. member

Activity: 406

Merit: 443

Quote from: 22bits on May 31, 2023, 10:11:33 PM

Thank you, thought about this after posting the question also. All makes sense now, the offline wallet always can be 'zero' because its only job is to sign transactions. It does nothing else.

To understand it more deeply, you need a private key that enables you to sign transaction. That private key in the case of air-gapped was not and will not be on a device connected to the Internet, after you prepare the air-gapped and download electrum, you create a new wallet and get 12 wallet seeds.

from your seed you will get master node that will generate many if child private keys (Xpriv) then you can obtain the master public key (XPUB,) which enables you to manage and generate new addresses, all of which can be controlled by those seeds. This process is generated without the need to connect to the Internet, but if you do it in an environment connected to the Internet, no one will be able to access to your private key. Safely use that master public key in any online environment to check your balance or generate new addresses.

How to obtain it was explained above.

~~That public key starts with Xpub~~

Edit thanks hosseinimr93

Quote from: hosseinimr93 on June 01, 2023, 10:26:45 AM

The master public key starts with xpub, only if your wallet is legacy.
If your wallet is native segwit (which is the default wallet type, when you generate a new wallet on electrum), your master public key would start with zpub.

Z-tight

hero member

Activity: 854

Merit: 1031

Only BTC

Quote from: AB de Royse777 on May 31, 2023, 10:18:35 PM

Once a transaction is created then export the file or texts and from the offline wallet (main wallet) use Tools > Load transaction > depending on your exporting choice go for From File or From Text or one of other two options. Sign the transaction and export it again to follow the same options from the watch-only wallet (Tools > Load transaction > ...... ). Now you will see the broadcast button is active. Finally, broadcast the signed transaction.

I use the QR code option for importing created transactions from the watch-only wallet into the air-gapped wallet, and also for importing signed transactions into the online watch-only wallet for broadcasting, i think this option is more user-friendly.

After creating the tx in the watch-only wallet, you click on the QR code, and you use the offline wallet to scan this QR code, the transaction will be imported into the offline wallet, after signing, you click on the QR code and use the watch-only wallet to scan the QR code, once it is imported into the online wallet, you can now broadcast the transaction to the network.

un_rank

hero member

Activity: 644

Merit: 661

- Leo -

Quote from: 22bits on May 31, 2023, 10:11:33 PM

All makes sense now, the offline wallet always can be 'zero' because its only job is to sign transactions. It does nothing else.

Yes, it can possibly not be in sync with the blockchain cause it is offline. It just signs transactions.

Quote from: AB de Royse777 on May 31, 2023, 10:18:35 PM

Restore the wallet in an online device using the "Master Public Key". This new wallet (actually it's a same wallet) is your watch-only wallet. You can check balance, get addresses, create transactions. Everything except sign and broadcasting a transaction.

Online watch-only wallets are used to broadcast transactions. It can do everything except signing the transaction, cause you need the master private key to do that.
Offline air-gapped wallets cannot broadcast transactions.

- Jay -

AB de Royse777

legendary

Activity: 2464

Merit: 3878

Visit: r7promotions.com

Quote from: hosseinimr93 on May 31, 2023, 08:53:00 PM

You need to have two wallets. One of them should be an offline wallet and the other one should be a watch-only wallet on an online device.

@22bits, to create the watch only wallet go to Wallet > Information.

From the pop up you will know "Master Public Key" of the wallet if it's a standard wallet.

Restore the wallet in an online device using the "Master Public Key". This new wallet (actually it's a same wallet) is your watch-only wallet. You can check balance, get addresses, create transactions. Everything except sign and broadcasting a transaction. Once a transaction is created then export the file or texts and from the offline wallet (main wallet) use Tools > Load transaction > depending on your exporting choice go for From File or From Text or one of other two options. Sign the transaction and export it again to follow the same options from the watch-only wallet (Tools > Load transaction > ...... ). Now you will see the broadcast button is active. Finally, broadcast the signed transaction.

Quote from: 22bits on May 31, 2023, 10:11:33 PM

All makes sense now, the offline wallet always can be 'zero' because its only job is to sign transactions.

Yes, the watch-only wallet helps you to check balance and everything else

22bits

jr. member

Activity: 54

Merit: 15

Thank you, thought about this after posting the question also. All makes sense now, the offline wallet always can be 'zero' because its only job is to sign transactions. It does nothing else.

hosseinimr93

legendary

Activity: 2380

Merit: 5213

You need to have two wallets. One of them should be an offline wallet and the other one should be a watch-only wallet on an online device.
The offline wallet is used for signing transactions and the online wallet is used for seeing your balance and transactions history, creating unsinged transactions and broadcasting transaction.

22bits

jr. member

Activity: 54

Merit: 15

I am a little confused about one point and how this works. When I set up a 'air-gapped' offline wallet (running off tails for example), how does Electrum know about an incoming transaction? So say I send the new air gapped .01 BTC, how would it see it to add it to the balance so I could later create a transaction to send it and then get it signed on the offline wallet?

Topic: offline air-gapped electrum (Read 331 times)