A pseudo-airgapped offline hardware wallet for cryptocurrency
For a number of reasons, I have been experimenting with the Bitcoin and Ethereum currencies. While I don’t have an enormous fortune, I still wanted to generate and store my private keys in a safe and secure manner.
What I really wanted was a Ledger Nano S. At the time, however, these were backordered for months. So I started to explore methods for generating and storing keys.
I decided the Raspberry Pi Zero 1.3 was a good platform for this endeavor:
Pi Zero (this is a Pi Zero W I am using for development)
The reasons I chose a Pi Zero 1.3:
- It has no onboard networking hardware, making it easy to maintain separation by simply never connecting a network interface.
- It’s small, so when done, you can store the thing in a safe place, such as a safety deposit box.
- The serial gadget makes it possible to connect the Pi Zero to a host machine and log in to the command line. This is what I mean by “pseudo-airgapped”. Yes, I’m connecting the device to another over USB... but in theory only over a simple serial connection: the Pi presents itself to the host as a USB serial (CDC ACM) device, not as a network interface. I’m sure there are state-level hackers who could do something malicious with this connection, but I’m fairly satisfied that it’s reasonably secure for my purposes. (If you are really paranoid, you can use the Pi Zero’s hardware serial port with a USB-to-TTL serial adapter, and completely isolate the Pi from anything but a serial console.)
The challenge was to build a Pi with all the required software while never connecting the Pi Zero to the internet. What follows are my instructions on how I did this.
I am doing this to explore the world of cryptocurrency, not as an investment. I currently hold TENS of US dollars in cryptocurrency. This is secure enough for my purpose. I’m not an expert, so evaluate the risks before you put any significant cryptocurrency investment at risk on some random person’s solution to the wallet problem. I am not responsible if your coins are lost or stolen.
What you need
Here is my bill of materials:
- Raspberry Pi Zero 1.3 – $5 at Micro Center
- An 8GB MicroSD card – can be had for $2 on eBay if you’re willing to gamble
- Optional: the bits needed to connect the Pi Zero to a monitor, keyboard, and mouse – $14 – while this is optional, I still recommend it.
So for about $21 you have everything you need, not counting the keyboard, mouse, and monitor.
Advantages/Disadvantages vs. a true hardware wallet
The Ledger Nano S has some advantages:
- Pro: True “secure element” hardware protects your keys, and the private keys never leave the device after creation.
- Pro: The Chrome plug-in makes managing your wallets and performing transactions easy.
- Con: Hard to get currently
- Con: Expensive shipping if purchased from France
- Con: Expensive markup if bought on eBay
The Pi Zero 1.3 has some advantages:
- Pro: It’s a learning experience
- Pro: It’s cheap
- Pro: It’s available
- Pro: Easy to “air-gap” by just keeping network hardware away from it
- Con: No Chrome plug-in. You can use a serial login session and the command-line tools to sign transactions manually.
- Con: It has no “secure element”, and if someone gets hold of your Pi Zero or MicroSD card, then unless you have encrypted your wallet, your keys are exposed.
- Con: I’m unsure how reliable the SD card is for long-term storage of keys. This is why I wanted a paper wallet feature to back up my keys.
- Con: It must be properly shut down before removing power, or you risk data loss. This is why I consider the paper wallet my true “wallet”.
Features I wanted for my Pi Zero wallet
I had a few goals in mind for my Pi Zero wallet:
- Must never connect to the internet or any network
- Must be able to generate Bitcoin and Ethereum addresses entirely on the device
- Must be able to print a paper wallet or seed phrase on a USB-connected printer
- Must be able to sign transactions as part of a hot/cold wallet system
To reach these goals, the following prerequisites were needed:
- CUPS and all the prerequisites necessary to use a USB-connected printer
- Electrum and all the prerequisites necessary to run it
- Geth to generate Ethereum addresses and keys
- An offline copy of MyEtherWallet.com to print the Ethereum wallet (it could be used to generate keys as well if desired)
How to accomplish this
Normally, installing software like this on a Raspberry Pi is a matter of a few calls to apt-get. The dependencies are resolved and installed, and you’re good to go. This approach, however, fails when you’re building a computer that is completely disconnected from the internet. That is where vendoring comes in:
“Vendoring is the act of making your own copy of the 3rd party packages
your project is using. Those copies are traditionally placed inside
each project and then saved in the project repository.”
(from https://www.goinggo.net/2013/10/manage-dependencies-with-godep.html)
Unfortunately, I couldn’t find any software that performed this function for me when it came to Debian packages (.deb). So I wrote my own little Python script that downloads a list of packages. While I could have traversed the dependency tree myself, I opted for an easier approach: I simply installed each package on a development Raspberry Pi that was connected to the internet, and took note of which packages were installed.
After running the script over the list of dependencies, you’re left with all the .deb files and a shell script in a tarball. I send the tarball over to the Pi Zero, where I extract it and run the script to install. More on this later.
Here are the steps I took to build my Pi Zero wallet. Feel free to follow along.
- Download Raspbian and verify the checksum published on the download page (an MD5 catches a corrupted download; if a SHA-256 is offered, use that, since MD5 no longer protects against a deliberately substituted image). I use the full version because I like the option of using the GUI interface to Electrum if I want. Also, MyEtherWallet requires a browser. You can do everything you need with Electrum’s and geth’s command-line interfaces, so if you’re not interested in the GUI, you can probably use the “Lite” version.
- Write the disk image to your SD card using your method of choice. As a Mac user, I use dd to write the image (replace rdiskX with the right device, and be sure not to destroy the wrong disk!):
sudo dd bs=1m if=2017-07-05-raspbian-jessie.img of=/dev/rdiskX conv=sync
That conv=sync is important and is left off of some documentation. I found that the full image was not correctly written without it.
- Remove the MicroSD card from your computer and place it into the Pi Zero. Hook up a keyboard, mouse and monitor. We will now begin the process of configuring and installing the software.
Some things you may want to do at this point:
- change the pi user’s password
- run the Raspbian configuration tool (in the menu) and configure your Pi Zero to boot to the CLI rather than the GUI (you can always start the GUI from the command prompt by running startx)
- Localization: set locale, timezone, keyboard. (Note that you’ll have to set the clock manually each boot if you want it right, because the Pi does not have a battery-backed RTC.)
- Disable auto login
- The first bit of configuration is to set up the “Serial Gadget” interface. This lets you connect the Pi Zero as a client device to a PC and communicate over serial. With this, you can power and talk to the Pi using a single USB connection. Follow the instructions from Adafruit on setting up a serial gadget:
- edit /boot/config.txt and add dtoverlay=dwc2
- edit /boot/cmdline.txt and add modules-load=dwc2,g_serial
- run sudo systemctl enable getty@ttyGS0.service
If you don’t have the cabling to hook up a keyboard, mouse, and monitor, you can still enable the serial gadget if you have a way of mounting the Linux file system on another PC.
I’m not a big fan of this method, as I like keeping the MicroSD card “air-gapped” as soon as possible after writing the disk image to the card. If you have no alternative:
- mount the Linux file system (and the boot file system) on another PC
- edit config.txt in the boot filesystem and add dtoverlay=dwc2
- edit cmdline.txt in the boot filesystem and add modules-load=dwc2,g_serial
- in the ext4 file system, rename /etc/systemd/system/getty.target.wants/getty@tty1.service to getty@ttyGS0.service – I say “rename” so that the symlink and its attributes remain the same.
- Since you have the file system mounted, you can copy all the vendored packages to /home/pi and skip some of the steps later where we transfer the data over the serial link.
- once you have a command prompt for the first time, run sudo systemctl enable getty@tty1.service to recreate the getty on the local console (tty1) that you renamed away.
To test the serial gadget, first shut down the Raspberry Pi (sudo shutdown -h now) and remove all cables. Connect the Pi Zero to your PC using a MicroUSB cable in the USB data port (not the power port). After a short while booting, you should see a serial device appear. Use your favorite serial terminal app and, after a few more seconds of booting, press Enter a few times. You should get a login prompt. Log in to your Pi Zero.
One last thing I did: I didn’t want any of the other USB gadget drivers to be usable by accident (or maliciously), so I went to /lib/modules/4.9.35+/kernel/drivers/usb/gadget/legacy and deleted all the other gadgets besides g_cdc.ko, g_hid.ko, g_multi.ko, and g_serial.ko.
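Deleting module files is a one-off, and two of the modules kept above, g_cdc and g_multi, both bundle a CDC Ethernet/RNDIS function alongside the serial one, so a USB network path stays loadable. The script below is an added example (not from the original post) that audits a legacy gadget directory for network-capable modules and emits a modprobe.d fragment that makes everything except an allow-list unloadable. The directory path is the one from the post; the set of network-capable gadget names is my assertion about the kernel’s legacy gadget drivers.

```sh
#!/bin/sh
# Audit USB gadget modules and generate a modprobe.d deny list.
# Added example, not from the original post. Assumes Raspbian's layout:
#   /lib/modules/<ver>/kernel/drivers/usb/gadget/legacy/g_*.ko

# Legacy gadgets that expose a USB network function (ECM/RNDIS/NCM).
# g_ffs can also be built with an Ethernet function; treat it as suspect.
NET_GADGETS="g_ether g_cdc g_multi g_ncm g_nokia g_ffs"

# list_gadgets DIR: module names (without .ko/.ko.xz) found in DIR, one per line.
list_gadgets() {
    for f in "$1"/g_*.ko "$1"/g_*.ko.xz; do
        [ -e "$f" ] || continue
        n=${f##*/}; n=${n%.xz}; n=${n%.ko}
        printf '%s\n' "$n"
    done
}

# net_gadgets_present DIR: print network-capable modules still present in DIR.
# Exit status 0 only if none are present, so it can gate a build step.
net_gadgets_present() {
    found=0
    for m in $(list_gadgets "$1"); do
        case " $NET_GADGETS " in
            *" $m "*) printf '%s\n' "$m"; found=1 ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# deny_conf DIR ALLOWED...: modprobe.d fragment on stdout that makes every gadget
# module in DIR except ALLOWED unloadable. "install X /bin/true" defeats both
# alias autoload and an explicit "modprobe X"; a plain "blacklist X" line only
# stops the autoload.
deny_conf() {
    dir=$1; shift
    allowed=" $* "
    for m in $(list_gadgets "$dir"); do
        case "$allowed" in
            *" $m "*) ;;
            *) printf 'install %s /bin/true\n' "$m" ;;
        esac
    done
}

# Usage on the Pi (g_serial is the only gadget cmdline.txt loads):
#   legacy=/lib/modules/$(uname -r)/kernel/drivers/usb/gadget/legacy
#   net_gadgets_present "$legacy" && echo "no network gadgets left"
#   deny_conf "$legacy" g_serial | sudo tee /etc/modprobe.d/gadget-deny.conf
```

The deny list survives a kernel package upgrade that would put the deleted .ko files back, which is the reason to prefer it over deleting files.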
- Next we need to set up a way to transfer files to the Pi Zero over the serial link.
My method is to use the tried and true ZMODEM protocol. Since I’m on a Mac, I used Homebrew to install the minicom and lrzsz packages:
brew install minicom
brew install lrzsz
Minicom is a bit of a bear to use, but briefly, run it with minicom -s and configure it to point at the serial port /dev/tty.usbmodemXXXX that is the Pi Zero.
If you’re on a PC, you can probably find some terminal app that supports ZMODEM.
Now we have one other problem: while your Mac now has a way of sending a file via ZMODEM, we still need a way of receiving that file on the Pi Zero. Normally it’s easy to install the lrzsz package, but again, we’re isolated from the internet.
You’ll need the lrzsz_0.12.21-7_armhf.deb file first:
You’ll also need to verify its SHA-256 checksum. Search the Packages index:
- Visit http://mirrordirector.raspbian.org/raspbian/dists/jessie/main/binary-armhf/Packages
- Search for lrzsz_0.12.21-7_armhf.deb
- Find its SHA256 hash
- Verify that it matches the file you downloaded (sha256sum on Linux, shasum -a 256 on a Mac)
How are we going to get this file over to the Pi? In a very painful way. We’re going to encode the file as base64, and then COPY AND PASTE the base64 representation into the terminal session!
- If you’re on a PC, you’ll have to find a way to encode the file as base64. On my Mac, I encode the file as follows:
openssl base64 -in lrzsz_0.12.21-7_armhf.deb > lrzsz_0.12.21-7_armhf.deb.b64
- In your terminal app, you should have a bash prompt on your Pi Zero. Type the following command to capture all subsequent input to a file:
cat > lrzsz_0.12.21-7_armhf.deb.b64
- Open lrzsz_0.12.21-7_armhf.deb.b64 on your desktop and copy the contents to the clipboard
- In the terminal window, paste the contents. You’ll see a long scroll of base64 data.
- When the data stops scrolling, press Ctrl-D to end the file. You should end up back at the command prompt.
Next, we need to decode the base64 data back to a .deb file. From the prompt on your Pi Zero:
base64 --decode lrzsz_0.12.21-7_armhf.deb.b64 > lrzsz_0.12.21-7_armhf.deb
I also did a quick md5 checksum to verify that the file made it over intact. (Comparing sha256sum output against the SHA256 from the Packages index is the stronger check, since that is the value you already verified on the host.)
Next, install the package:
sudo dpkg -i lrzsz_0.12.21-7_armhf.deb
Now your Pi Zero knows how to receive a file via ZMODEM, so we don’t need to do the base64 dance anymore. You can delete the .deb and .b64 files since you won’t need them again.
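A terminal paste is a lossy channel: a dropped line or a stray carriage return silently changes the decoded bytes, so the digest comparison is the only thing standing between you and installing a corrupted package. The two functions below are an added example (not from the original post) of the same transfer with the check built in: the sender appends a SHA256 trailer to the base64 text, the receiver strips CRs, decodes, compares, and refuses to keep a file that does not match. Function names and the trailer format are mine.

```sh
#!/bin/sh
# Base64 over the serial console with an integrity trailer.
# Added example, not code from the original post. send_bundle runs on the
# host and produces the text you paste; recv_bundle runs on the Pi on the
# pasted text (captured with "cat > bundle.b64" and Ctrl-D, as above).

# send_bundle FILE: base64 of FILE re-wrapped at 64 columns (short lines
# survive a terminal paste better than one long one), then a trailer line
# "SHA256 <hex>" so the receiver can verify without a second channel.
send_bundle() {
    base64 < "$1" | tr -d '\n' | fold -w 64
    printf '\nSHA256 %s\n' "$(sha256sum "$1" | cut -d' ' -f1)"
}

# recv_bundle OUT: read a pasted bundle on stdin, strip the CRs a terminal
# may add, decode everything above the trailer into OUT and compare digests.
# Returns 1 (and removes OUT) on a decode error or a SHA256 mismatch.
recv_bundle() {
    out=$1
    tmp=$(mktemp) || return 1
    tr -d '\r' > "$tmp"
    want=$(sed -n 's/^SHA256 \([0-9a-f]\{64\}\)$/\1/p' "$tmp")
    if grep -v '^SHA256 ' "$tmp" | base64 -d > "$out" 2>/dev/null && [ -n "$want" ]; then
        got=$(sha256sum "$out" | cut -d' ' -f1)
        rm -f "$tmp"
        [ "$got" = "$want" ] && return 0
    else
        rm -f "$tmp"
    fi
    echo "transfer corrupted, $out discarded" >&2
    rm -f "$out"
    return 1
}

# Host:  send_bundle lrzsz_0.12.21-7_armhf.deb > bundle.txt   (copy bundle.txt to the clipboard)
# Pi:    cat > bundle.b64   (paste, Ctrl-D)
#        recv_bundle lrzsz_0.12.21-7_armhf.deb < bundle.b64 && sudo dpkg -i lrzsz_0.12.21-7_armhf.deb
```

The trailer does not replace the check against the mirror’s Packages index: it only proves the paste matched what the host had, so verify the file on the host first.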
- Next we need to “vendor” the dependencies and transfer them to the Pi Zero over the serial link. As I mentioned earlier, I used a development machine to install the Electrum dependencies and CUPS, and I made a list of all the dependencies that were required. I came up with a list of 75 Debian packages and Python packages that need to be installed on a full Raspbian distribution. The list may differ depending on your distribution. My list is for 2017-01-11-raspbian-jessie.img.
Manually downloading every file, verifying the checksum, and uploading the package to the Pi Zero would be very tedious. I wrote a Python script, “vendorize.py”, to automate the process:
Given a text file listing Debian and Python packages, this script:
- Searches two Debian package repositories for the SHA-256 hash, or PyPI for the file’s hash
- Downloads the file
- Verifies the hash
- Creates an “install.sh” shell script which will install all of the packages
- Bundles it all up as a single tar.gz file for transfer to the Pi Zero
You can find the list of dependencies I used, as well as the script, on GitHub. Note that dependencies change often, so you may have to tweak your list.
Also, this Python script isn’t really a general-purpose vendoring tool. It worked for my single case and single list of dependencies. I’ve only used it on Mac OS, so I can’t speak to how well it might work on Windows. Your mileage may vary.
python vendorize.py -l cups_and_electrum_dependencies.txt -i -o dependencies.tar.gz
After you have your .tar.gz of dependencies from the vendoring script, transfer it to the Pi Zero with ZMODEM over the serial link. Since we installed lrzsz earlier, you can run the command “rz” on the Pi Zero and it will start waiting for a ZMODEM transfer.
Depending on your terminal app, you may have to start your transfer in different ways. I’m using minicom (despite its inscrutable user interface). In minicom, press Meta-Z (Esc-Z on the Mac), then S to send a file. Navigate the inscrutable file selection interface, and send your file:
- Extract your tar.gz package of dependencies on the Pi Zero and run the install script with sudo. If you’re paranoid, read over the install.sh file first to make sure it isn’t doing anything unexpected.
tar xvfz dependencies.tar.gz
sudo ./install.sh
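The part of that process that matters for security is the verification: every .deb that goes into the tarball must match the SHA256 the mirror’s Packages index lists for it, and a single bad file should abort the bundle rather than produce an install.sh that quietly installs it. What follows is an added example in shell (not the post’s vendorize.py) of the verify-and-bundle half of the job, run against a directory of already downloaded .deb files and the plain-text Packages index. The Packages stanza format is Debian’s; the choices to hand all .debs to dpkg in one call and to install Python packages with pip --no-index --find-links are mine, not something the post specifies.

```sh
#!/bin/sh
# Offline vendoring helper: verify downloaded .deb files against a Debian
# "Packages" index and emit the install script that goes in the tarball.
# Added example, not the post's vendorize.py. Assumes each .deb keeps the
# file name it has in the pool (the basename of the index's Filename: field).

# pkg_field PACKAGES BASENAME FIELD: print FIELD (SHA256, Version, ...) from
# the stanza whose "Filename:" ends in BASENAME. Stanzas are blank-line
# separated, so awk's paragraph mode (RS="") reads one stanza per record.
pkg_field() {
    awk -v want="$2" -v field="$3" 'BEGIN { RS = ""; FS = "\n" }
    {
        fn = ""; val = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Filename: /) fn = $i
            if (index($i, field ": ") == 1) val = substr($i, length(field) + 3)
        }
        n = split(fn, parts, "/")
        if (parts[n] == want) { print val; exit }
    }' "$1"
}

# verify_deb PACKAGES DEB: 0 only if DEB is listed and its SHA256 matches.
verify_deb() {
    want=$(pkg_field "$1" "$(basename "$2")" SHA256)
    [ -n "$want" ] || { echo "not in index: $2" >&2; return 1; }
    got=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$got" = "$want" ] || { echo "SHA256 mismatch: $2" >&2; return 1; }
}

# write_install_sh DIR: create DIR/install.sh. All .debs go to dpkg in one
# call so dpkg orders unpack/configure itself; wheels and sdists are installed
# from the local directory with pip told never to touch the network.
write_install_sh() {
    {
        echo '#!/bin/sh'
        echo 'set -e'
        echo 'cd "$(dirname "$0")"'
        echo 'dpkg -i ./*.deb'
        for w in "$1"/*.whl "$1"/*.tar.gz; do
            [ -e "$w" ] || continue
            echo "pip install --no-index --find-links . ./$(basename "$w")"
        done
    } > "$1/install.sh"
    chmod +x "$1/install.sh"
}

# vendor_bundle PACKAGES DIR OUT: verify every .deb in DIR, write install.sh,
# tar the directory up as OUT. Any bad or unlisted .deb aborts before bundling.
vendor_bundle() {
    for deb in "$2"/*.deb; do
        [ -e "$deb" ] || continue
        verify_deb "$1" "$deb" || return 1
    done
    write_install_sh "$2"
    tar -czf "$3" -C "$2" .
}

# Usage: vendor_bundle Packages ./vendored ../dependencies.tar.gz
```

The index itself is fetched over plain http from the mirror, so the hashes are only as trustworthy as that download; the Release/Release.gpg files in the same dists/jessie directory are what sign the Packages file, and checking them on the host closes that gap.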
After a few minutes, you should have all of the dependencies installed. Here is an example installing just the dependencies necessary for Electrum to run on a jessie-lite install (command line only):
- One note on randomness. Key generation depends on entropy, the ability of your Pi Zero to generate random numbers. One of the dependencies in my list is rng-tools, which supports the hardware entropy source on the Pi Zero. The full version of Raspbian appears to have the drivers installed by default.
You can check the entropy available to /dev/random in a few ways. The simplest is:
If you get a number under 100, then you’re not using the hardware random number generator. You’ll need to set up the kernel module to get /dev/hwrng working, and rng-tools to feed the hardware random number generator into /dev/random. Set up the kernel module:
- add bcm2835-rng to /etc/modules
- start the hwrng: sudo modprobe bcm2835-rng
If you run that same entropy check again, you should now get a number of ~2000 or so.
Another check of the rng-tools package is to run the following command:
sudo kill -USR1 `cat /var/run/rngd.pid` ; sudo grep rngd /var/log/daemon.log
You’ll get a full breakdown of the randomness of the random number generator:
rngd 2-unofficial-mt.14 starting up...
entropy feed to the kernel ready
stats: bits received from HRNG source: 60064
stats: bits sent to kernel pool: 6144
stats: entropy added to kernel pool: 6144
stats: FIPS 140-2 successes: 3
stats: FIPS 140-2 failures: 0
stats: FIPS 140-2(2001-10-10) Monobit: 0
stats: FIPS 140-2(2001-10-10) Poker: 0
stats: FIPS 140-2(2001-10-10) Runs: 0
stats: FIPS 140-2(2001-10-10) Long run: 0
stats: FIPS 140-2(2001-10-10) Continuous run: 0
stats: HRNG source speed: (min=648.276; avg=661.307; max=669.039)Kibits/s
stats: FIPS tests speed: (min=8.863; avg=8.874; max=8.888)Mibits/s
stats: Lowest ready-buffers level: 2
stats: Entropy starvations: 0
stats: Time spent starving for entropy: (min=0; avg=0.000; max=0)us
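Reading that dump by eye once is fine; what you want before every key-generation session is a gate that refuses to proceed unless the hardware source is actually feeding the pool and rngd’s FIPS tests are clean. The script below is an added example (not from the post) that parses the rngd stats block in the format shown above and combines it with the kernel’s available-entropy counter. The paths are parameters so the same check runs against a saved log; the threshold of 1000 bits is my choice, sitting between the “under 100” and “~2000” figures quoted above.

```sh
#!/bin/sh
# Pre-flight check before generating keys: the kernel pool must be fed by the
# hardware RNG and rngd must not report FIPS failures or entropy starvation.
# Added example, not from the post. The stats format is what rngd logs on
# SIGUSR1 (as shown above); file paths are parameters so the check can be
# pointed at a saved log or a test file.

# entropy_ok [ENTROPY_FILE] [MIN]: 0 if available entropy is at least MIN bits.
# Without rngd fed by bcm2835-rng the Pi Zero idles well under 100.
entropy_ok() {
    f=${1:-/proc/sys/kernel/random/entropy_avail}
    min=${2:-1000}
    [ -r "$f" ] || return 1
    n=$(cat "$f")
    [ "$n" -ge "$min" ]
}

# rngd_stats_ok LOGFILE: examine the most recent rngd stats block in LOGFILE.
# Exit 1 if it reports FIPS 140-2 failures, entropy starvation, or no bits
# actually added to the kernel pool; exit 2 if no complete block was seen.
rngd_stats_ok() {
    awk '
        BEGIN { fails = -1; starve = -1; added = -1 }
        /rngd .* starting up/ { fails = -1; starve = -1; added = -1 }  # new run: reset
        /FIPS 140-2 failures:/          { fails  = $NF + 0 }
        /Entropy starvations:/          { starve = $NF + 0 }
        /entropy added to kernel pool:/ { added  = $NF + 0 }
        END {
            if (fails < 0 || starve < 0 || added < 0) exit 2
            if (fails > 0 || starve > 0 || added == 0) exit 1
            exit 0
        }' "$1"
}

# rng_preflight LOGFILE [ENTROPY_FILE]: both checks, with a reason on stderr.
rng_preflight() {
    rngd_stats_ok "$1" || { echo "rngd reports failures or no data; do not generate keys" >&2; return 1; }
    entropy_ok "$2" || { echo "kernel entropy pool is low; is bcm2835-rng loaded and rngd running?" >&2; return 1; }
}

# Usage on the Pi, right before "electrum" or "geth account new":
#   sudo kill -USR1 "$(cat /var/run/rngd.pid)"; sleep 1
#   rng_preflight /var/log/daemon.log && electrum
```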
- Next it’s time to transfer the remaining packages of interest:
- Electrum Linux sources – https://electrum.org/#download
- (Optional) ARMv6 Linux build of geth for Ethereum – https://geth.ethereum.org/downloads/
- (Optional) MyEtherWallet – https://github.com/kvhnuke/etherwallet/releases
Again, download the files and verify the checksums or GPG signatures of the files (unfortunately MyEtherWallet doesn’t provide any, so you just sort of have to trust it. I only use it for paper wallets, not key generation).
Use your ZMODEM skills to transfer the packages to your Pi Zero over the serial link.
Install the packages (I put geth in /usr/local/bin and MyEtherWallet in a folder in the home directory).
For key generation, I like to use a monitor, keyboard, and mouse. There is no reason you couldn’t do it from the command line. Since I want paper wallets, and want to use a browser, I need to boot into the X11 environment.
A bit of one-time setup once you’re in the GUI: configure CUPS. Hook up your printer; I followed this tutorial. Make sure you can print from the Chromium browser, as you’ll need to later.
Next, you can generate your keys:
- Run Electrum and set up a new wallet. It will display a seed phrase. I wanted to have this seed phrase in paper form, so I wrote a little Python script to generate a paper-wallet style backup. You can find the script in the GitHub repository.
seedwallet.py -e
Enter your seed phrase and it will open chromium-browser and display a printable representation of the seed phrase. Print it.
- Electrum will require you to re-enter the seed phrase. Enter it from your printed wallet, just to verify that it printed correctly.
- Store the paper seed phrase securely. I consider this piece of paper my “wallet”, not the keys on the Pi Zero; I’m not sure how much to trust the Pi Zero for long-term storage.
- Use geth to create your Ethereum wallet:
geth account new
You can open the resulting UTC--<timestamp>--<address> keystore file from ~/.ethereum in MyEtherWallet and print a paper wallet. Again, I consider this my “real wallet”, and the digital copy on the Pi Zero is just a convenience should I need to spend.
MyEtherWallet supports signing offline transactions, should I need that functionality in the future.
- Clean-up: I trashed the browser history (and the bash history for good measure: history -c).
The print spooler deserves the same treatment: CUPS can keep copies of spooled job data under /var/spool/cups (see PreserveJobFiles in cupsd.conf), and the seed phrase went through it, so clear that directory as well.
- Shut-down: One thing to note, you really do have to shut down the Raspberry Pi when you’re finished.
It isn’t good practice to just yank the power, and it can result in data loss. Data loss involving wallet crypto keys is not a good thing. (You printed your paper wallets, right?)
Even so, a simple shutdown command should be all you need:
sudo shutdown -h now
- One more boot using the serial link to copy off the public portion of the keys: using the serial connection and command line, I copied the public portion of each wallet using the clipboard, and loaded it into my “hot wallet” on my desktop.
- electrum getmpk will give you your master public key, which can be used to set up a “watch only” wallet on your internet-connected desktop
- geth account list to print your geth accounts
Again, a safe shutdown when complete.
- I haven’t actually tried the hot wallet/cold wallet transaction signing process yet, so eventually I’d like to try that, but I don’t want to burn the transaction fees right now.
- I haven’t bought any Ethereum, so there’s more playing to do there.
Thanks for reading. This is quite the dissertation on something that would normally be very straightforward and easy if you were willing to connect your Pi Zero to the internet.
If this helped you, or you enjoyed this and want to say thanks, a few mBTC or some Ether will help persuade me to do more things like this in the future:
If you have any feedback or suggestions, please send them to me. You can find me on Twitter at @AllAboutJake.