Topic: using tails OS on usb as a secure hardware wallet? (Read 3412 times)

full member
Activity: 168
Merit: 100
wow great, so if I'm using Tails, and I use blockchain.info with a read-only wallet,
and I would like to send a transaction, it will ask me to input my private key. At that moment when I input the private key, in order to sign the transaction, is my private key being uploaded to the blockchain.info server? Or does it only stay in my browser, and that's all..
If it does NOT get uploaded I believe this is more than enough for me for the time being,

also I see your method, but atm it's a bit more difficult for me to do that. I'd rather be able to use the USB almost anywhere at any time and still be secure, rather than having to physically be near my (offline specific laptop)
because of the nature of my life I travel sometimes, not knowing where I might end up etc.
but whatever works, works :)

ps thanks!

hmm so I just tested everything out, seems to work fine: booting Tails, having a persistence on the Tails USB with a simple txt file of the private and public key, making a simple new blockchain wallet, adding read only, signing the transaction and adding the private key (hopefully at that moment ONLY the signature is broadcast to blockchain and not the private key),
then wiping (sweeping the public and private key from the newly made blockchain wallet)

now the problem I encountered is that it seems like there is no easy way to clone the persistence drive on the Tails USB. I can clone a new Tails USB, but the persistence drive only stays on the current USB, not the new cloned one hmmmm.... this is a little letdown, got to figure out a way to bypass this, maybe just have a special encrypted USB with the private/public key like you said, this way I can add it to any new cloned USB that I make, this way I can have a few backups just in case :)

anyways this stuff is fun lol


edit: ok so I figured out a way, basically boot the Tails USB with my persistence volume,
in Tails clone Tails onto a new USB, then use disk utility to create a new encrypted partition on the cloned USB, add the txt file with the private/public key to the new encrypted partition on the new cloned USB,

boot the new USB, open the encrypted partition, make a persistence volume on the new cloned USB while in Tails, and add the txt file from the encrypted partition to the new persistence volume, then can format that encrypted partition or it might be used during creating the persistence, didn't try this yet but will try it soon!!!
new cloned USB with persistence too!!!!

love figuring out new stuff like this lol. most fun thing ever!
full member
Activity: 137
Merit: 100
is there an easy way to put my private key on the cdrom together with tails OS?

I would go with the OS on a (not-rewritable) CD so it can't be altered in any way. From TAILS or virtually any other Linux distro you can use TrueCrypt or LUKS (Linux native filesystem encryption) to format an encrypted partition on a USB stick. I'd recommend making several USB sticks just in case of accidental damage. I'd recommend making more than one OS CD (or keeping the ISO somewhere safe) for the same reason.

On the encrypted USB sticks, you can store a plaintext file containing your private keys, possibly along with the addresses they map to. You could also keep a copy of vanitygen or bitaddress.org on the USB sticks in case you need to make new keys, but if you're keeping multiple copies of your keys this means you'll have to come up with a way to keep each copy in sync.

once booted in tails what would be safest way to sign a transaction?

If you want to use blockchain.info, use a watch-only wallet. Import only your addresses as watch-only addresses, no private keys. You only put the key into your web browser's copy of your wallet (not Blockchain's encrypted copy) when you need to spend coins. It's similar to using a paper wallet, a lot of the steps are covered at https://blockchain.info/wallet/paper-tutorial

That tutorial is specific to Android and bitaddress.org but everything it shows can also be done through the web interface. Speaking of paper wallets, if you're confident that you can store the paper safely and securely (and especially if you have a web cam) you could skip the USB stick altogether and just use bitaddress.org or blockchain.info paper wallets. If you go that route you don't have to keep a bunch of USB sticks synchronized but you have to store paper and you might have to remaster the TAILS ISO to add zbar or some other QR scanning software. An alternative to webcam + zbar would be to get an actual bar code scanner that supports QR codes and plugs into USB, most of these can emulate a keyboard so no special drivers or software would be needed.

--- another way to do it (the same thing can also be done with Armory) ---

Personally I just use an old laptop with XUbuntu and Electrum installed. LUKS encryption on the hard drive so I have to enter a password to boot, another password to log in (unlocking my encrypted home folder) and a third password to unlock my wallet. With this setup, I can type "electrum deseed" from a terminal window, then copy ~/.electrum/electrum.dat.seedless to ~/.electrum/electrum.dat on another machine. This way I keep the laptop completely offline, while another computer can serve as a watch-only wallet and generate transactions for the laptop to sign. The laptop has no phone line plugged into the modem, no ethernet cable is ever plugged into it (except during installation, and unplugged permanently before I generated the wallet) and I physically removed the wifi card.

All transactions move between the online and offline machines on a LUKS encrypted USB stick, although the USB encryption is probably overkill (nothing goes on that stick that isn't going to end up on the blockchain, so it'll be exposed to the world in a couple minutes anyway).

No need for bitaddress, no need for blockchain and it's a true cold storage because the only machine capable of signing transactions never touches a network. Bonus, since Electrum wallets are deterministic I have nothing to back up except my seed, which is my choice of a 128-bit number (hexadecimal) or 12 words.
full member
Activity: 168
Merit: 100
hmm thanks for the replies,

how if using bitcoin client to generate signature, can you use that signature in blockchain to broadcast it?
this seems interesting,

also thanks for the links ill look into it!
legendary
Activity: 2506
Merit: 1010
can this be used as a safe secure hardware wallet?
for example store the private key along on the tails usb
boot, create a simple new blockchain.info wallet,
add private key sign transactions, sweep private key from blockchain.info wallet that was just created,
eject usb reboot system,

can something other than blockchain.info be used with tails to sign transactions?

Related:

BTCVault
 - http://dswd.github.io/btcvault/security.html
 - https://bitcointalksearch.org/topic/btc-vault-secure-bitcoin-live-cd-163763

USB wallet (Puppy Linux):
 - https://bitcointalksearch.org/topic/portable-encrypted-usb-bitcoin-wallet-puppy-linux-electrum-257672
legendary
Activity: 3430
Merit: 3080
For full peace of mind, I would use a CD-ROM, and not a flash memory based USB device. The CD guarantees that the image burned to it cannot be altered maliciously while you're using it, due to the "Read Only after burning" characteristics of CD-ROMs. This depends on checking the veracity of the image before you burn it too, there should be an MD5 checksum of the Tails image that you can confirm using command line utilities for doing so.

thanks!

is there an easy way to put my private key on the cdrom together with tails OS?
once booted in tails what would be safest way to sign a transaction?


I'm not sure I would recommend trusting a CD-ROM with a wallet private key, they're cheap and expendable, which makes them perfect for the Live OS (along with the read-only quality, of course).
Trouble is they're unreliable for long term storage, the dyes that encode the bits are sensitive to all sorts of environmental factors. If you insist on doing it, you would need sophisticated burning software to create a disc with 2 sessions, the first with the Tails image and the second (very small) with the private key, and I would encrypt the key before burning to disc. This involves keeping (preferably, remembering) the encryption key for the private key information too.

As far as signing transactions, your original idea of using the blockchain.info utilities online would be good for both simplicity and anonymity, but not necessarily for security. A good secure routine might be to use bitcoind offline in the terminal to produce manual transaction signatures (having imported your privkey from your chosen safe place), delete or encrypt the private key, then put the host machine online, then use blockchain.info to broadcast the manual transaction. I'm not about to get this security conscious any time soon, any further inputs with direct experience would be appreciated, I'm not aware of any threads addressing this before now.
full member
Activity: 168
Merit: 100
For full peace of mind, I would use a CD-ROM, and not a flash memory based USB device. The CD guarantees that the image burned to it cannot be altered maliciously while you're using it, due to the "Read Only after burning" characteristics of CD-ROMs. This depends on checking the veracity of the image before you burn it too, there should be an MD5 checksum of the Tails image that you can confirm using command line utilities for doing so.

thanks!

is there an easy way to put my private key on the cdrom together with tails OS?
once booted in tails what would be safest way to sign a transaction?
legendary
Activity: 3430
Merit: 3080
For full peace of mind, I would use a CD-ROM, and not a flash memory based USB device. The CD guarantees that the image burned to it cannot be altered maliciously while you're using it, due to the "Read Only after burning" characteristics of CD-ROMs. This depends on checking the veracity of the image before you burn it too, there should be an MD5 checksum of the Tails image that you can confirm using command line utilities for doing so.
full member
Activity: 168
Merit: 100
can this be used as a safe secure hardware wallet?
for example store the private key along on the tails usb
boot, create a simple new blockchain.info wallet,
add private key sign transactions, sweep private key from blockchain.info wallet that was just created,
eject usb reboot system,

can something other than blockchain.info be used with tails to sign transactions?