Bitcoin Forum

Other => Beginners & Help => Topic started by: skyroamjanetismine on December 27, 2020, 07:46:04 AM



Title: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: skyroamjanetismine on December 27, 2020, 07:46:04 AM
When I say air gap, I mean using 2 devices only to be used for crypto transactions. One of them is always offline. The other only goes online to broadcast a transaction. Signing the transaction is done on the offline computer using a USB flash, which is then put into the online device to broadcast.

I have both Trezor and Ledger, and I have always been skeptical about keeping my funds in a device where a company has the potential (not saying they do it, probably not, but I feel uneasy due to the potential) to have control of them whether through firmware exploit, hardware exploit (bugging 1 out of every 100 devices, when only 1 out of 100 people whine, the other 99 will be quick to assume they did some kind of goof up themselves), or some other method.

I've read some bad stories about people losing funds during the updates and I believe most of them. Recently was bummed to read that Trezor has a hardware exploit, so if someone gets their hands on my device they can take my funds. And then Ledger is closed-source.

So I'm thinking about just moving my funds to my own devices as described above....I do you think I would like to hear some opinions?


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: Charles-Tim on December 27, 2020, 07:50:53 AM
So I'm thinking about just moving my funds to my own devices as described above....I do you think I would like to hear some opinions?
There is nothing bad to move your bitcoin or other funds to airgapped wallet that you described above. Electrum is open source and completely open source, you can make use of Electrum wallet as both cold wallet for signing transactions and the other as watch-only wallet.

But, if you have been using Trezor for long, I do not think there will be anything bad about using it but to be careful of malware, especially the malware that can change address which is possible on hardware wallets including Ledger Nano. About Ledger, it is closed source like you commented and also the recent phishing attack would discourage many people from using it. And, in my opinion, I prefer airgapped wallet, especially if using QR code to sign transactions which I believe is free from attack.



Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: LoyceV on December 27, 2020, 07:51:48 AM
When I say air gap, I mean using 2 devices only to be used for crypto transactions. One of them is always offline. The other only goes online to broadcast a transaction. Signing the transaction is done on the offline computer using a USB flash, which is then put into the online device to broadcast.
This works, as long as you know what you're doing and don't make mistakes. Why not hook a dumb laser printer to the offline computer, so you can create offline paper wallets? I trust they last longer than any hardware, and can be encrypted.


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: o_e_l_e_o on December 27, 2020, 08:55:40 AM
So I'm thinking about just moving my funds to my own devices as described above....I do you think I would like to hear some opinions?
I think it's a great idea. I stopped using my Trezor devices completely after the revelation of their unpatchable critical vulnerability. I have now also stopped using my Ledger devices after their recent security breach, even though I was unaffected, as I simply have zero trust left in the company. I always used airgapped storage for my long term cold storage, but I am now using it for the majority of my coins, with only a small amount of day-to-day spending money being held in hot software wallets.

You clearly understand the basics, but I'll mention a few additional things that people often overlook which are important for such a set up.

  • The airgapped computer must be clean and free from malware. The best way to achieve this is to format it and then install a fresh copy of an open source Linux distro.
  • The airgapped computer must be permanently airgapped. Remove all connectivity hardware if you can. Install your Linux distro from a USB drive, and then install your bitcoin wallet from a USB drive as well. Do not connect to the internet with your airgapped computer to download your wallet software.
  • Verify both your OS and wallet prior to installing them.
  • Ideally, use full disk encryption to protect your airgapped computer from physical access. LUKS is good for Linux. VeraCrypt is also good.
  • If you can use webcams to transfer transactions back and forth via QR codes, then this removes the possibility of accidentally and unknowingly transferring malware via a USB drive. The webcams should be unplugged when not being actively used for your own privacy.


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: ranochigo on December 27, 2020, 09:08:05 AM
Thanks for the topic. I've had quite a few discussions with the community here regarding this and I've maintained my stand that hardware wallets are better than airgapped wallets (at least perhaps till this thread).

Don't get me wrong, airgapped wallets are probably secure, enough for normal use anyways. I don't think there is a major risk of anyone getting their funds stolen through this and I've personally been using a Raspberry Pi airgapped till now, well if my ColdCard arrives and it wasn't lost in the mail.

I think the main argument that I've seen so far is that they don't trust the hardware and the internals of the hardware wallets. Well, to be fair I don't think you would specifically open up your computer to inspect the internals as well, given that most of it is proprietary and some of them are hard to decipher. Most hardware wallets are fairly open about what they use and the reason why I chose ColdCard is because I wanted to see the internals for myself and the fact that it's open sourced does give me extra assurance and the ability for me to inspect it further.

If you want to seriously compare the security of airgapped vs hardware wallets, then the sidechannel attacks are impossible to defend though I think secp256k1 is less susceptible to some of it than others. Hardware wallets are usually hardened against those. When I use cold storage, I always compare my Electrum implementation to an actual hardware wallet. Truth is, it is very hard to bruteforce the hardware wallets, given that the secure chip will almost definitely brick your device after X attempts. I can probably clone my SD card for my RPI wallet and spend some time trying to crack it. Well, it's hypothetical because I do take extra steps to secure it but I think bricking a device would make it impenetrable. Of course, plausible deniability is a huge plus for HW wallet as well.

Now, I can definitely see some points for airgapped wallet given its more traditional approach as well as the fact that you won't tell the whole world that you have Bitcoins (erm Ledger) and that it is much cheaper. I think there are arguments to be made for both sides but I think in terms of both its absolute security and its balance between both, hardware wallets are still a compelling option.

As for the exploits that you see, I think Trezor got unlucky but they tried to mitigate it still. I don't think anything is impenetrable but given how their business is centered around the security of their wallets, I would still trust that they can try to detect and mitigate most vulnerabilities that would appear, more than a cold storage definitely.

The database leak for Ledger was a giant facepalm and I was quite disappointed as well. Using a reshipper or a PO box could be useful when buying things online.


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: decodx on December 27, 2020, 09:21:09 AM
When I say air gap, I mean using 2 devices only to be used for crypto transactions. One of them is always offline. The other only goes online to broadcast a transaction. Signing the transaction is done on the offline computer using a USB flash, which is then put into the online device to broadcast.
This works, as long as you know what you're doing and don't make mistakes. Why not hook a dumb laser printer to the offline computer, so you can create offline paper wallets? I trust they last longer than any hardware, and can be encrypted.

I don't think he's looking for a cold storage solution, but an alternative to a hardware wallet. A paper wallet is good for keeping coins safe, but it's impractical for spending, imho.


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: HeRetiK on December 27, 2020, 09:57:45 AM
I personally still recommend hardware wallets over airgapped cold storage set ups to newcomers since they're much easier to use which makes them more reliable and secure for most people. As long as you know what you're doing using an airgapped PC is a good alternative though. o_e_l_e_o has pretty much summed up the most important things to keep in mind. Other than that what you describe is pretty solid standard cold storage.


I've read some bad stories about people losing funds during the updates and I believe most of them. Recently was bummed to read that Trezor has a hardware exploit, so if someone gets their hands on my device they can take my funds.

Remember that this is also true for your airgapped device though. Also given a strong enough passphrase merely extracting the seed from the hardware wallet won't be enough.


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: o_e_l_e_o on December 27, 2020, 10:18:39 AM
Of course, plausible deniability is a huge plus for HW wallet as well.
You can use plausible deniability with cold storage as well, and arguably it can be even better than a hardware wallet.

If you set up some hidden volumes on your devices, then you can have your bitcoin wallets completely hidden. You can decrypt their containers to reveal other non-crypto related "sensitive" data, while keeping your wallets not only encrypted and safe, but not even revealing that they exist at all. The very existence of a hardware wallet in your possession reveals that you own at least some crypto.

If, like using passphrases with a hardware wallet, you want some "dummy" wallets you can hand over to an attacker, then again, this is possible by simply leaving them unencrypted, or decrypting them first and handing them over, or putting them in the non-hidden side of the hidden volume.


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: NeuroticFish on December 27, 2020, 10:20:34 AM
My advice is to use airgapped cold storage setup for bigger funds, or all if you simply HODL. And for smaller funds you may want to spend now and then the hardware wallets are just fine.
This way you benefit the convenience you paid for when you bought hardware wallets and your big funds are also 99.999999% safe and untouchable.

Electrum has proper docs for setting up such a cold storage: https://electrum.readthedocs.io/en/latest/coldstorage.html
And whatever you do, make sure your seed is backed up onto something physical (paper, steel, name it).


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: 20kevin20 on December 27, 2020, 10:49:31 AM
I think the main argument that I've seen so far is that they don't trust the hardware and the internals of the hardware wallets. Well, to be fair I don't think you would specifically open up your computer to inspect the internals as well, given that most of it is proprietary and some of them are hard to decipher. Most hardware wallets are fairly open about what they use and the reason why I chose ColdCard is because I wanted to see the internals for myself and the fact that it's open sourced does give me extra assurance and the ability for me to inspect it further.
The main difference between a hardware wallet with proprietary firmware/hardware (such as Ledger's Secure Element) and a PC that has proprietary firmware/hardware is to me that the latter can be purchased from batches that have been produced before Bitcoin's inception. It makes me paranoid that a hardware wallet, which has been specifically created to hold cryptocurrencies on it, has closed-source components in it.

I think there are arguments to be made for both sides but I think in terms of both its absolute security and its balance between both, hardware wallets are still a compelling option.
What keeps me in between cold wallets and hardware ones is that HWs come with a preinstalled, verified OS compared to cold wallets for which you download and verify everything on your own, which means you make your own security. Makes me a bit anxious that I might be creating a cold wallet and not verifying everything the right way, making all my funds poof in a matter of milliseconds. I could be sending 0.05BTC as a test and leave it there for a month, just to test whether it's a malicious version or not - only to send everything else there after a month's passed, without knowing I have a malicious version that steals funds from BTC wallets once the balance goes past 0.1BTC.

On the other hand, the fact that HWs come with preinstalled OS is also bad, especially in extreme cases such as Snowden's. You could easily be a target and have a malicious OS installed on it.

(possibly off-topic) To be honest, the safest way I think we could ever have to be able to create cold wallets is if we could create a seed and derive addresses from it solely using a paper and a pen, to then use the seed completely offline on an airgapped PC to sign txs. If we could do that and verify things using our own hand & brain (which aren't perfect, but are easier to trust than a software's code), that would eliminate most risks such as those posed by proprietary software/hardware or by not verifying a software the right way.


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: ranochigo on December 27, 2020, 11:08:57 AM
The main difference between a hardware wallet with proprietary firmware/hardware (such as Ledger's Secure Element) and a PC that has proprietary firmware/hardware is to me that the latter can be purchased from batches that have been produced before Bitcoin's inception. It makes me paranoid that a hardware wallet, which has been specifically created to hold cryptocurrencies on it, has closed-source components in it.
There are no guarantees that there are possible backdoors or vulnerabilities that could be intentionally or inadvertently inserted as well. If it's of any assurance, some hardware wallets are actually audited regularly and/or have their schematics and firmware open source online. That's the reason why I bought a ColdCard.

To be fair, NSA did try to backdoor Linux quite a few times. Doesn't make it any safer than an opensource firmware which certain HW wallet manufacturers provide.



What keeps me in between cold wallets and hardware ones is that HWs come with a preinstalled, verified OS compared to cold wallets for which you download and verify everything on your own, which means you make your own security. Makes me a bit anxious that I might be creating a cold wallet and not verifying everything the right way, making all my funds poof in a matter of milliseconds. I could be sending 0.05BTC as a test and leave it there for a month, just to test whether it's a malicious version or not - only to send everything else there after a month's passed, without knowing I have a malicious version that steals funds from BTC wallets once the balance goes past 0.1BTC.

On the other hand, the fact that HWs come with preinstalled OS is also bad, especially in extreme cases such as Snowden's. You could easily be a target and have a malicious OS installed on it.
You can build and compile the firmware yourself. You can also build your own ColdCard[1].

IMO, verifying something is often referred to comparing the hashes and/or using the PGP signature file to authenticate authenticity. When such an argument about security (with a high degree of paranoia) is put forth, the rational thinking is to assume that everything is compromised, not being able to trust the OS and thus reading through the entire source code and understanding how everything works. In this scenario, I would prefer to scour through the firmware of HW wallets since they're relatively light weight and more transparent than most.


[1] https://github.com/Coldcard/firmware/tree/master/hardware
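The "verify both your OS and wallet" step and the hash comparison described above, as an added example that is not part of any post in the thread: a checker that compares a download against a `sha256sum`-style manifest and refuses the file on any doubt. The file name and payload are constructed, the function names are hypothetical, and the manifest itself is assumed to have already been authenticated with the publisher's PGP signature, since a hash only proves the file matches the manifest.

```python
import hashlib
import hmac
import os
import re
import tempfile

# GNU coreutils sha256sum line: 64 hex chars, a space, ' ' (text) or '*' (binary), file name.
_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


class VerificationError(Exception):
    """Raised whenever the download must not be trusted."""


def parse_manifest(text):
    """Return {file name: lowercase hex digest}; reject malformed or conflicting lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = _LINE.match(line)
        if match is None:
            raise VerificationError(f"line {lineno}: not a sha256sum entry")
        digest, name = match.group(1).lower(), match.group(2)
        if entries.get(name, digest) != digest:
            raise VerificationError(f"{name}: listed twice with different hashes")
        entries[name] = digest
    return entries


def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so large OS images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, manifest_text):
    """Return the digest if the file matches its manifest entry, else raise."""
    entries = parse_manifest(manifest_text)
    name = os.path.basename(path)
    if name not in entries:
        # A file the manifest does not mention is unverified, not "fine".
        raise VerificationError(f"{name}: not listed in manifest")
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, entries[name]):
        raise VerificationError(f"{name}: hash mismatch")
    return actual


def run_constructed_demo():
    """Verify a constructed file, then modify it and show that verification fails."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "wallet-installer.img")  # constructed name
        with open(path, "wb") as f:
            f.write(b"constructed sample payload\n")
        manifest = f"{sha256_file(path)}  wallet-installer.img\n"
        good = verify_download(path, manifest)
        with open(path, "ab") as f:
            f.write(b"\x00")  # simulate a modified download
        try:
            verify_download(path, manifest)
            error = ""
        except VerificationError as exc:
            error = str(exc)
    return good, error


if __name__ == "__main__":
    digest, error = run_constructed_demo()
    print("verified:", digest)
    print("after modification:", error)
```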


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: HeRetiK on December 27, 2020, 01:38:14 PM
I personally still recommend hardware wallets over airgapped cold storage set ups to newcomers since they're much easier to use which makes them more reliable and secure

It depends on the newcomer. My first wallet was Armory on an airgapped computer, although almost everyone around me has been afraid to have such a setup. Cold Armory still serves me loyally, with most of my bitcoins. For routine daily work I would prefer hardware wallet because it takes less time to use.

Of course! But usually the kind of person that learns to set up airgapped cold storage by themselves is not the one to ask how to store their crypto long term or what wallet to use :)


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: hatshepsut93 on December 27, 2020, 10:47:24 PM
I think in practice there's not much difference between a DIY cold storage setup and a hardware wallet - both protect you from the common malware, and situations where thieves get physical access to your storage are quite rare. Most times in situations with physical access a $5 wrench attack happens, rather than some high-tech hacking with abusing hardware bugs and such. If you trust hardware wallet manufacturers and distrust computer component vendors, that's fine, and vice versa.


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: skyroamjanetismine on December 28, 2020, 03:12:40 AM
The main difference between a hardware wallet with proprietary firmware/hardware (such as Ledger's Secure Element) and a PC that has proprietary firmware/hardware is to me that the latter can be purchased from batches that have been produced before Bitcoin's inception. It makes me paranoid that a hardware wallet, which has been specifically created to hold cryptocurrencies on it, has closed-source components in it.
There are no guarantees that there are possible backdoors or vulnerabilities that could be intentionally or inadvertently inserted as well. If it's of any assurance, some hardware wallets are actually audited regularly and/or have their schematics and firmware open source online. That's the reason why I bought a ColdCard.

To be fair, NSA did try to backdoor Linux quite a few times. Doesn't make it any safer than an opensource firmware which certain HW wallet manufacturers provide.



What keeps me in between cold wallets and hardware ones is that HWs come with a preinstalled, verified OS compared to cold wallets for which you download and verify everything on your own, which means you make your own security. Makes me a bit anxious that I might be creating a cold wallet and not verifying everything the right way, making all my funds poof in a matter of milliseconds. I could be sending 0.05BTC as a test and leave it there for a month, just to test whether it's a malicious version or not - only to send everything else there after a month's passed, without knowing I have a malicious version that steals funds from BTC wallets once the balance goes past 0.1BTC.

On the other hand, the fact that HWs come with preinstalled OS is also bad, especially in extreme cases such as Snowden's. You could easily be a target and have a malicious OS installed on it.
You can build and compile the firmware yourself. You can also build your own ColdCard[1].

IMO, verifying something is often referred to comparing the hashes and/or using the PGP signature file to authenticate authenticity. When such an argument about security (with a high degree of paranoia) is put forth, the rational thinking is to assume that everything is compromised, not being able to trust the OS and thus reading through the entire source code and understanding how everything works. In this scenario, I would prefer to scour through the firmware of HW wallets since they're relatively light weight and more transparent than most.


[1] https://github.com/Coldcard/firmware/tree/master/hardware

I really do want to believe that the HW wallet audits of source code and firmware...as well as hardware are being done thoroughly. And that a number of people with as much expertise as the security team members at these big crypto companies --at least in the context of the HW audit--are doing them.

One reason I have skepticism lies in the fact that Gerald Cotten's (QuadrigaCX) business partner supposedly had a sketchy past from what I read online--such that if Quadriga clients knew about his past then I'd doubt they'd feel safe having their funds in custody of the company. BUT why didn't people search the background of the Quadriga top dawgs BEFORE SHTF?

If I was the average user of QuadrigaCX before SHTF I would probably have just passively assumed that everyone had audited the background of those involved in the company. Similar to how I assume people have done this background with all the big exchanges right now (do they?).

I find the line of reasoning very similar to how people on reddit say "don't worry the source code is open and firmware is open" [and just assume it's audited by experts].

Also just wanted to throw in there that if there was a perfect time for Ledger to do an exit (or not even necessarily exit) scam it would be now given the high price of BTC and probably the lowest ever approval rating for the company. Even if 1 or 2 out of every 100 wallets lose funds it would be hard to prove fraud. They could probably get away with it. I doubt they will do something like that, but I'm just saying.


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: skyroamjanetismine on December 28, 2020, 03:19:50 AM
So I'm thinking about just moving my funds to my own devices as described above....I do you think I would like to hear some opinions?
I think it's a great idea. I stopped using my Trezor devices completely after the revelation of their unpatchable critical vulnerability. I have now also stopped using my Ledger devices after their recent security breach, even though I was unaffected, as I simply have zero trust left in the company. I always used airgapped storage for my long term cold storage, but I am now using it for the majority of my coins, with only a small amount of day-to-day spending money being held in hot software wallets.

You clearly understand the basics, but I'll mention a few additional things that people often overlook which are important for such a set up.

  • The airgapped computer must be clean and free from malware. The best way to achieve this is to format it and then install a fresh copy of an open source Linux distro.
  • The airgapped computer must be permanently airgapped. Remove all connectivity hardware if you can. Install your Linux distro from a USB drive, and then install your bitcoin wallet from a USB drive as well. Do not connect to the internet with your airgapped computer to download your wallet software.
  • Verify both your OS and wallet prior to installing them.
  • Ideally, use full disk encryption to protect your airgapped computer from physical access. LUKS is good for Linux. VeraCrypt is also good.
  • If you can use webcams to transfer transactions back and forth via QR codes, then this removes the possibility of accidentally and unknowingly transferring malware via a USB drive. The webcams should be unplugged when not being actively used for your own privacy.

Let me make sure I'm interpreting this correctly.

So, if I went to Best Buy and bought 2 HP laptops with Windows 10, I should be concerned that there may be malware in them even if they don't go online--perhaps by some of the pre-installed software?

Also, what do you suggest to be a lightweight option. I travel a lot and if I took this route I'd like to not have to carry around 2 laptops with me all the time. This weight issue might be the only reason I stick with Trezor.

I was hoping I can just use 2 phones (remove wifi card and antenna of the offline one)?


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: ranochigo on December 28, 2020, 03:42:37 AM
I find the line of reasoning very similar to how people on reddit say "don't worry the source code is open and firmware is open" [and just assume it's audited by experts].

Also just wanted to throw in there that if there was a perfect time for Ledger to do an exit (or not even necessarily exit) scam it would be now given the high price of BTC and probably the lowest ever approval rating for the company. Even if 1 or 2 out of every 100 wallets lose funds it would be hard to prove fraud. They could probably get away with it. I doubt they will do something like that, but I'm just saying.
Well, then I guess you're better off with airgapped storage. It really boils down to if you trust the HW wallet manufacturer in this case, if you don't want to trust anyone else. At the same time, you have to make the same assumption about your cold storage wallet as well as the OS.

I wouldn't say that it's hard to prove. I'll be able to see the various commits to the github page if I were watching it and it makes inspecting the code before updates much easier.

Let me make sure I'm interpreting this correctly.

So, if I went to Best Buy and bought 2 HP laptops with Windows 10, I should be concerned that there may be malware in them even if they don't go online--perhaps by some of the pre-installed software?
Might have some spyware, after all they tend to include a ton of spyware. I'll wipe them and just install Linux. The popularity and the design behind Linux based OS makes the chances for persistent malware infection harder.
Also, what do you suggest to be a lightweight option. I travel a lot and if I took this route I'd like to not have to carry around 2 laptops with me all the time. This weight issue might be the only reason I stick with Trezor.

I was hoping I can just use 2 phones (remove wifi card and antenna of the offline one)?
Your use case would probably make hardware wallets more attractive.

If you'd like, you can just purchase 2 Raspberry Pis and use them as cold wallets. My personal preference would just be to put some funds in a hot wallet and bring it around. Even if I were to lose them, I wouldn't lose all my funds.


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: o_e_l_e_o on December 28, 2020, 08:59:13 AM
So, if I went to Best Buy and bought 2 HP laptops with Windows 10, I should be concerned that there may be malware in them even if they don't go online--perhaps by some of the pre-installed software?
As far as I am concerned, Windows 10 is malware, but that's another discussion. :P

But yes, I would not use a brand new store bought laptop as cold storage without formatting it first. You have no idea if that laptop has gone online before you bought it, what has been installed on it, what prepackaged software it comes with, what that prepackaged software has lurking in it, and so on. Physically airgap (i.e. remove relevant hardware), format, install Linux, set up full disk encryption, install wallet.

Also, what do you suggest to be a lightweight option. I travel a lot and if I took this route I'd like to not have to carry around 2 laptops with me all the time. This weight issue might be the only reason I stick with Trezor.
Raspberry Pi as suggested, provided you also have the necessary peripherals to plug in. If not then you can have a slightly less secure but still pretty good solution using a single laptop, and carrying a USB with Linux and your encrypted wallet on it. Use your laptop as you normally would with a watch only wallet on it. When you want to sign a transaction, shut down the laptop, disconnect your WiFi card (plus any other connectivity hardware and ideally also your hard drive), live boot to Linux, sign your transaction, shut down, reconnect your hardware, and boot back up to your normal OS.

Two mobile phones is another good solution, provided you make sure the cold storage one is securely encrypted and really airgapped (I wouldn't trust simply turning on airplane mode, and would want to physically remove or disable the relevant hardware).


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: figmentofmyass on December 28, 2020, 10:01:54 AM
If you want to seriously compare the security of airgapped vs hardware wallets, then the sidechannel attacks are impossible to defend though I think secp256k1 is less susceptible to some of it than others. Hardware wallets are usually hardened against those.

can you elaborate on this? what is the theoretical threat to an airgapped wallet setup?

Most times in situations with physical access a $5 wrench attack happens, rather than some high-tech hacking with abusing hardware bugs and such. If you trust hardware wallet manufacturers and distrust computer component vendors, that's fine, and vice versa.

the wrench attack angle is why i strongly prefer general purpose hardware. hardware wallets just scream "rob me!"

the only hardware wallet that appeals to me is bitbox---nice and discreet. anyone tried it?


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: ranochigo on December 28, 2020, 10:20:39 AM
can you elaborate on this? what is the theoretical threat to an airgapped wallet setup?
Side channel attacks. Most of your devices are not specifically hardened to withstand side-channel attacks by reducing the potential attack vectors associated with the sidechannel (e.g. EM wave leakage, timing attacks). There has been a study conducted on this[1] but, interpret it as you want, it isn't that recent or conducted on major wallets. I wouldn't consider it to be THAT big of a threat but if we were to compare the specifics, might as well mention it.

I understand that Trezor and some of the secure chips used were vulnerable to such attacks as well. They've fixed the problem and most of them require tearing entire device apart and the victim's participation while it's hooked up to an oscilloscope.

** I'm not sure if someone conducted similar experiments on Electrum but I'd like to see if there is one.


[1] https://eprint.iacr.org/2016/230.pdf


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: LoyceV on December 28, 2020, 11:24:45 AM
the wrench attack angle is why i strongly prefer general purpose hardware. hardware wallets just scream "rob me!"
The wrench attack can also happen to your bank account in a home robbery: having a verified account at any exchange is enough to be forced to deposit your life savings, after which the attacker buys Bitcoin with your money.


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: o_e_l_e_o on December 28, 2020, 01:28:54 PM
https://eprint.iacr.org/2016/230.pdf
Now, I am by no means an expert on this so please correct me if I'm wrong, but reading this paper it seems this does not apply to most bitcoin wallets (emphasis mine):

Quote
Constant-time Implementations.

Constant-time implementations mitigate many side-channel leaks by ensuring a fixed execution path that does not depend on secret data, to prevent timing attacks [BB05]. Additionally, a constant memory access pattern is desired to avoid cache-based attacks [Ber05, Per05, OST06], as well as cache-induced differences in timing and electromagnetic behavior. For EC scalar-by-point multiplication, the scalar can be represented in a regular way such that the DA-sequence does not depend on the nonce [JT09, Mol01b]; Moller [Mol01b] notes that these encodings may leak information when a point is added to itself, yet with a random scalar, as is the case in ECDSA, the probability of this leak is negligible. A constant-time implementation for some elliptic curves, on some 64-bit platforms, is included in OpenSSL [Kas12]. For Bitcoin’s secp256k1 curve, the libsecp256k1 [Wui] implementation offers a constant-time, constant-memory-access implementation of ECDSA signing.

Bitcoin Core has been using libsecp256k1 since 0.10 in 2015. Which wallets are still using OpenSSL and not libsecp256k1?



The wrench attack can also happen to your bank account in a home robbery: having a verified account at any exchange is enough to be forced to deposit your life savings, after which the attacker buys Bitcoin with your money.
I would imagine most banks would put some kind of hold on a transfer if you suddenly decided to empty your entire account in a single transaction. I would also hope that people don't have their entire life savings sitting in a checking account with immediate access, because all you are doing there is slowly (or in some cases quickly) losing money as fiat constantly devalues. Most fiat accounts or investment vehicles which offer enough interest to at least match inflation require several days notice to access your money, although I assume this can vary quite widely between countries.


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: LoyceV on December 28, 2020, 01:32:43 PM
I would imagine most banks would put some kind of hold on a transfer if you suddenly decided to empty your entire account in a single transaction. I would also hope that people don't have their entire life savings sitting in a checking account with immediate access, because all you are doing there is slowly (or in some cases quickly) losing money as fiat constantly devalues. Most fiat accounts or investment vehicles which offer enough interest to at least match inflation require several days notice to access your money, although I assume this can vary quite widely between countries.
The limit here is usually 50k euro, although some banks have a 5k limit (and a few hours delay to increase it). Savings accounts are also fast, and stock brokers are fast too. Welcome to the Dutch banking system ;)


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: ranochigo on December 28, 2020, 01:43:01 PM
https://eprint.iacr.org/2016/230.pdf
Now, I am by no means an expert on this so please correct me if I'm wrong, but reading this paper it seems this does not apply to most bitcoin wallets (emphasis mine):

-snip-

Bitcoin Core has been using libsecp256k1 since 0.10 in 2015. Which wallets are still using OpenSSL and not libsecp256k1?
Hopefully not, secp256k1 has a lot more benefits than that :P.

Thanks! Someone mentioned (I think a few weeks ago) that secp256k1 isn't that susceptible to certain sidechannel attacks but I couldn't find any literature on that. I didn't do any in depth research on the feasibility on the various other sidechannel attacks. But I suspect an attack could also be mounted on the encrypting/decrypting process of the wallet instead of the signing itself or through the RNG. Don't quote me on this, just a thought.

I've read through the firmware of ColdCard briefly and they did actually implement a few measures to reduce the signature.


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: skyroamjanetismine on December 28, 2020, 07:34:49 PM
Are AES encrypted USB Flash Drives (PNY or San Disk) susceptible to hardware exploits like the Trezor?

Another problem I see with Trezor is that if an officer stops you and searches you and knows what a Trezor is then he can take it, and from what I've read it only takes 15 minutes to hardware exploit it. Good luck trying to actually go through litigation and get it back or prove anything during that route.

I feel really uneasy with my Trezor knowing that hardware exploit is possible, especially in 15 minutes. And then Ledger is closed source which makes me uneasy. Ugh. Tough decisions.


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: figmentofmyass on December 28, 2020, 10:37:19 PM
the wrench attack angle is why i strongly prefer general purpose hardware. hardware wallets just scream "rob me!"
The wrench attack can also happen to your bank account in a home robbery: having a verified account at any exchange is enough to be forced to deposit your life savings, after which the attacker buys Bitcoin with your money.

what i'm talking about is akin to flashing wads of cash in public, where less savory opportunists might notice and come after you. this is why i wouldn't wanna bust out a hardware wallet in a retail setting, show it off in public, etc.

a home invasion is a targeted attack. that's some next level shit. i don't think anyone is targeting me for a home invasion just because i own a cheap netbook! call me paranoid, but announcing yourself as a dedicated crypto investor in public with a ledger or trezor---that may be a different story.

and that's the distinction i'm making---it's not really about hardware wallet vs other security models like airgapping a PC. if you use a hardware wallet only online in your own home, then what i'm saying doesn't apply.


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: HeRetiK on December 29, 2020, 12:14:32 AM
Are AES encrypted USB Flash Drives (PNY or San Disk) susceptible to hardware exploits like the Trezor?

No. But to software exploits, depending on how you handle it:

If you mean storing a wallet on an AES encrypted USB drive to then plug it into your computer when you want to make a transaction -- that's susceptible to any old malware attack and not much more secure than a regular hot wallet. Your private keys will get exposed as soon as you decrypt your wallet to make a transaction and if your computer is compromised so will be your wallet.

If you mean storing a wallet on an AES encrypted USB drive for use with an airgapped computer only, then you should be fine.


Another problem I see with Trezor is that if an officer stops you and searches you and knows what a Trezor is then he can take it, and from what I've read it only takes 15 minutes to hardware exploit it. Good luck trying to actually go through litigation and get it back or prove anything during that route.

I feel really uneasy with my Trezor knowing that hardware exploit is possible, especially in 15 minutes. And then Ledger is closed source which makes me uneasy. Ugh. Tough decisions.

What sort of officer has a bread board, fitting electronic components and the knowledge ready to build a Trezor glitching device on the go? :D

On a more serious note, use a strong passphrase. Even after someone extracts the seed it will then still take them a couple of millennia [1] to get through (at least with the technology available for the foreseeable future)

[1] https://coldbit.com/can-bip-39-passphrase-be-cracked/


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: malevolent on December 29, 2020, 01:49:10 AM
  • If you can use webcams to transfer transactions back and forth via QR codes, then this removes the possibility of accidentally and unknowingly transferring malware via a USB drive. The webcams should be unplugged when not being actively used for your own privacy.

Given BadUSB and the like, if someone sees using a hardware wallet as a liability (ideally a Trezor with a passphrase as the closed source Secure Element in Ledger could one day lead to a critical vulnerability), webcams to read QR codes are the only reasonable alternative.


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: ranochigo on December 29, 2020, 04:58:26 AM
Are AES encrypted USB Flash Drives (PNY or San Disk) susceptible to hardware exploits like the Trezor?

Another problem I see with Trezor is that if an officer stops you and searches you and knows what a Trezor is then he can take it, and from what I've read it only takes 15 minutes to hardware exploit it. Good luck trying to actually go through litigation and get it back or prove anything during that route.

I feel really uneasy with my Trezor knowing that hardware exploit is possible, especially in 15 minutes. And then Ledger is closed source which makes me uneasy. Ugh. Tough decisions.
I don't find it too much of a problem. As long as you have a passphrase, the attacker would have a hard time trying to get your seed.

There are a lot more choices than those two companies, maybe you could try exploring your options. Regarding the attack, what makes you think that your devices would be more protected than your hardware wallet? Attacking Trezor requires the attacker to specifically extract the encrypted seed from the secure elements by desoldering it and using specialized tools, after that start to crack your keys. I've seen more vulnerabilities affecting mobile devices than most hardware wallets and they don't require special skills.

I feel like most attacks are often blown out of proportion and companies have been relatively quick (at least those competent ones) to respond and provide a mitigation to it.


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: skyroamjanetismine on December 31, 2020, 02:03:15 AM
Please critique my proposed setup:

1) Use a reputable-brand USB stick (Sandisk, PNY, Kingston). Put portable electrum, veracrypt, and wallet files on it. Encrypt it with 20+ character password using AES.

2) Use 2 raspberry pi devices. One always offline. One online, but only for crypto transactions.

3) Display. Do I need 1 for each device?

Could the online device get malware, transfer it to the display, and then display transfer it to the offline device?

4) When transferring the transaction file between devices do I need to use an encrypted USB for this?


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: ranochigo on December 31, 2020, 02:11:01 AM
1) Use a reputable-brand USB stick (Sandisk, PNY, Kingston). Put portable electrum, veracrypt, and wallet files on it. Encrypt it with 20+ character password using AES.

2) Use 2 raspberry pi devices. One always offline. One online, but only for crypto transactions.
A MicroSD card would be required for both devices. USB Flash drive would be necessary if you're transferring raw transactions across the online to offline device and signed transaction the other way.
3) Display. Do I need 1 for each device?
If you're thinking of using the QR code to transfer the raw transactions, then possibly. If not, a monitor/TV screen would be sufficient.
Could the online device get malware, transfer it to the display, and then display transfer it to the offline device?
Not that I've ever heard of. That'll have to be a very complex malware.
4) When transferring the transaction file between devices do I need to use an encrypted USB for this?
Depends. Are you afraid that the Flash drive could get stolen between the time the raw/signed transactions are deleted? If it's stolen, whoever opens that USB drive can see your transaction information, thus compromising your privacy. Security-wise, it doesn't matter if it's encrypted or not.

I would wipe my flash drive every time after using it so I wouldn't think of encrypting it.


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: o_e_l_e_o on January 02, 2021, 12:58:27 PM
I don't follow the logic of putting these files in the USB drive. If you put your wallet on the USB and then move the USB back and forth between your two devices, including the one which has internet access, then you have completely negated the whole point of an airgapped setup.

For transferring transactions back and forth, the most preferable solution is to use QR codes and a webcam, to eliminate the possibility of accidentally transferring malware or your private keys on the USB drive. You can buy a Raspberry Pi camera module for $25.


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: ranochigo on January 02, 2021, 01:30:07 PM
I don't follow the logic of putting these files in the USB drive. If you put your wallet on the USB and then move the USB back and forth between your two devices, including the one which has internet access, then you have completely negated the whole point of an airgapped setup.

For transferring transactions back and forth, the most preferable solution is to use QR codes and a webcam, to eliminate the possibility of accidentally transferring malware or your private keys on the USB drive. You can buy a Raspberry Pi camera module for $25.
I'm not sure what's the configuration for the maximum size of QR codes in most wallets but I believe if the size of the transaction is too large, it would reach the limit of the maximum size allowable for the QR code after the error correction. Could be a bit difficult to scan for the QR code if the display/camera has a low resolution or if it's too small.

You can probably use a different encoded string within the QR code for a larger size but can be slightly more complicated.


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: bob123 on January 02, 2021, 01:52:37 PM
1) Use a reputable-brand USB stick (Sandisk, PNY, Kingston). Put portable electrum, veracrypt, and wallet files on it. Encrypt it with 20+ character password using AES.

2) Use 2 raspberry pi devices. One always offline. One online, but only for crypto transactions.

Is there a reason you are using a dedicated device for broadcasting them?
I mean, it definitely doesn't hurt. But it's not that necessary. You could use your daily online PC for that.

Further, if you have one dedicated offline device.. what is the point of storing the wallet files encrypted on the USB flash drives?
Why not simply store it on the SD card of the raspberry pi encrypted?



3) Display. Do I need 1 for each device?

Could the online device get malware, transfer it to the display, and then display transfer it to the offline device?

Highly unlikely.
One display should be enough. At least if you aren't Edward Snowden and are being hunted by 3 letter agencies all around the world.



4) When transferring the transaction file between devices do I need to use an encrypted USB for this?

Not necessarily.
You'll only transfer data which isn't confidential. It might be worth checking the integrity by using signatures or encrypting it, but that's not necessary.

However, using cameras and QR codes to transfer data is a more secure way.


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: o_e_l_e_o on January 02, 2021, 02:49:31 PM
I'm not sure what's the configuration for the maximum size of QR codes in most wallets
If I'm not mistaken, the limit is 3 kB. That's big enough for a consolidation transaction with 20 inputs and one output, and also big enough for a pay-to-many with one input up to about 80 outputs, even when using all legacy addresses. That's more than enough for the vast majority of individuals who aren't running a shop or some other service. And you can always fall back on USB if you need to.

You could also save to clipboard and use a third party program to break that down into multiple QR codes or even one animated code and reconstruct the transaction from that, but I'd always manually check everything if you do use any other software (in reality, I would manually check everything anyway).
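
The multi-code transfer mentioned in the post above, sketched as an added example that is not part of the thread and not code from Electrum or any wallet: a transaction too large for one QR code is split into numbered frames that each carry a SHA-256 of the whole payload, and the receiving side rejects missing, foreign or altered frames. The `TXQR|index|total|digest|hex` frame layout, the function names and the sample bytes are assumptions made for this illustration.

```python
import hashlib

QR_V40_L_BYTES = 2953  # byte-mode capacity of the largest QR code (version 40, EC level L)
PREFIX = "TXQR"        # hypothetical frame tag, not a wallet standard


def split_frames(payload: bytes, chunk_size: int = 800) -> list:
    """Split payload into frames: TXQR|index|total|sha256(payload)|hex(chunk)."""
    if not payload or chunk_size < 1:
        raise ValueError("need a non-empty payload and a positive chunk size")
    digest = hashlib.sha256(payload).hexdigest()
    chunks = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    frames = [f"{PREFIX}|{n}|{len(chunks)}|{digest}|{c.hex()}"
              for n, c in enumerate(chunks, start=1)]
    if any(len(f) > QR_V40_L_BYTES for f in frames):
        raise ValueError("frame exceeds single-QR capacity; lower chunk_size")
    return frames


def join_frames(frames) -> bytes:
    """Reassemble scanned frames (any order, repeats allowed) and verify the digest."""
    parts, total, digest = {}, None, None
    for frame in frames:
        fields = frame.split("|")
        if len(fields) != 5 or fields[0] != PREFIX:
            raise ValueError("not a transaction frame")
        index, count, frame_digest = int(fields[1]), int(fields[2]), fields[3]
        if total is None:
            total, digest = count, frame_digest
        if (count, frame_digest) != (total, digest) or not 1 <= index <= total:
            raise ValueError("frame belongs to a different transfer")
        chunk = bytes.fromhex(fields[4])
        if parts.setdefault(index, chunk) != chunk:
            raise ValueError(f"conflicting copies of frame {index}")
    missing = [i for i in range(1, (total or 0) + 1) if i not in parts]
    if total is None or missing:
        raise ValueError(f"missing frames: {missing or 'all'}")
    payload = b"".join(parts[i] for i in range(1, total + 1))
    if hashlib.sha256(payload).hexdigest() != digest:
        raise ValueError("digest mismatch: payload altered or misread")
    return payload


# Constructed sample: 3004 arbitrary bytes standing in for a large unsigned transaction.
SAMPLE_TX = bytes(range(256)) * 11 + bytes(188)
```

The digest only catches misreads and dropped frames; it does not authenticate the sending machine, so addresses and amounts still have to be checked on the offline device before signing.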


Title: Re: Air-gapping 2 devices vs. Trezor/Ledger?
Post by: LoyceV on January 02, 2021, 06:02:29 PM
I'm not sure what's the configuration for the maximum size of QR codes in most wallets
If I'm not mistaken, the limit is 3 kB.
According to qrencode (https://linux.die.net/man/1/qrencode):
Quote
The capacity of QR Code is up to 7000 digits or 4000 characters
However, I can't make one that large. I could copy your post 4 times (2820 characters), so it looks like 3 kB is indeed the maximum:
https://loyce.club/other/largeQR.gif
This works better than I expected!