Out of the box - LiveCD encryption

[Sandoz]

Hi,

I want to get away from all these price discussions and try to understand whether someone has a good answer to this:
is there some kind of good encryption (file or volume) that is usually supported out of the box on linux/unix LiveCD's? Maybe some command line tool usually available?

I would love to use bitcoin from a random LiveCD (fear of keyloggers) and know I could decrypt my wallet (delivered via USB stick or downloaded from a server) without the need to burn my own customised LiveCD.

Truecrypt is not an option for instance, as most LiveCD's don't ship with it preinstalled.
Booting from USB is not an option as I want a relatively tamperproof CD.

(And, the less bloated the linux distro, the better)

I hope you can help me, in fact I am sure there are plenty of linux/unix experts on this forum!!

[1713442567]

1713442567

[error]

LUKS is available on some Live CDs (and not others).

Some things to think about are:

If you boot from a CD, where are you storing your files?

You'll need to set up your encrypted volume manually. Doing this right is tricky.

[theymos]

dm-crypt is probably available on many liveCDs. It comes with the kernel.

[ctoon6]

Have you tried using a VM and using an onscreen keyboard inside the VM?

[Sandoz]

Have you tried using a VM and using an onscreen keyboard inside the VM?

That's actually a good idea. But I don't like the idea of someone tampering with the VM image. It would need to be read only.

I will look into LUKS, I guess TAILS linux is the most trustworthy live CD...

[ThiagoCMC]

Fellas!

 Take a look at this:

 Wallet in the Cloud - Keeping your Bitcoins encrypted and saved into the Cloud!
 http://forum.bitcoin.org/index.php?topic=22386.0

 What do you guys think about my solution?!

 It is really easy to do by everybody...

 And it can be easily changed, or used with a USB pendrive instead a Cloud environment...

Cheers!
Thiago

[Sukrim]

Just use Wuala, it works on Windows too - unlike some FUSE magic stuff... 

[ThiagoCMC]

Sure!

 The "Ubuntu One" part of this setup can be changed to use Wuala, GMailFS, DropBox or even your USB PenDrive!  

 Also, the EncFS is compatible with DropBox / BoxCryptor and a nice GUI interface, called Cryptkeeper. Look: http://blog.boxcryptor.com/how-to-use-boxcryptor-with-encfs-in-ubuntu-ma

 But this is more complicated to setup and needs more (and third party) softwares. My solution is simple for grandma. And it is a Live system! 

 The "good thing" with my original post is that you do not need any third party software... Just Ubuntu stuff and Bitcoin packaged for it from Launchpad.

 BTW, Windows is too risky for everybody. You know, it catch viruses! And Linux does not.

 Anyway, thanks for the tip!

Cheers,
Thiago

[hugolp]

Fellas!

 Take a look at this:

 Wallet in the Cloud - Keeping your Bitcoins encrypted and saved into the Cloud!
 http://forum.bitcoin.org/index.php?topic=22386.0

 What do you guys think about my solution?!

 It is really easy to do by everybody...

 And it can be easily changed, or used with a USB pendrive instead a Cloud environment...

Cheers!
Thiago

I would not upload my private keys to the internet no matter how much encryption. That is just my personal perference though.

[Isosceles]

I've just finished writing up instructions on making a secure Bitcoin USB linux stick :

https://squarethought.wordpress.com/2011/06/26/bitcoin-on-a-stick-usb/

[hazek]

LiveUSB makes a whole lot more sense to me.

[ThiagoCMC]

Sure...

 You can change the "Internet" to a "USB" kind of setup... The point is which may interest to people is the Live session and the entire Bitcoin data encrypted for ever.

 I liked http://bitcoinsforcharity.org/ very much!! IT IS AWESOME!

Regards,
Thiago

[unk]

gpg is common, even on cd/dvd distributions of linux.

truecrypt is available in tails (formerly known as 'incognito'), although you need to specify a kernel boot option to enable it. (the tails developers are perhaps overly skeptical of truecrypt because of its license.) i have had some interaction with the tails developers in the past, and they seem on top of a variety of systems-security issues, though i have not evaluated their system in detail myself.

[ThiagoCMC]

LiveUSB makes a whole lot more sense to me.

And about the backup?! It can be hosted in the Cloud too... I mean, using your "LiveUSB" suggestion (which is in fact, not Live, because it is just installed on USB) plus Ubuntu One service, you have the good thing of both worlds: a system dedicated only to Bitcoin (LiveUSB+Bitcoin client), encrypted and in sync with the Cloud (for backup).

[Sandoz]

LiveUSB makes a whole lot more sense to me.

A liveUSB has some problems: someone could modify the distro on your stick so as to look perfectly normal but steal your password / wallet. No one would do that? Well, if your whole life savings are in bitcoin it's absolutely worth it doing that!

A liveCD is safer in that regard (just sign the CD-R and check your signature). Reboot and you start from scratch. Sure, you will have to download the whole blockchain from scratch every time, but if your intended use is a savings account, that's a viable option.

[ThiagoCMC]

LiveUSB makes a whole lot more sense to me.

A liveUSB has some problems: someone could modify the distro on your stick so as to look perfectly normal but steal your password / wallet. No one would do that? Well, if your whole life savings are in bitcoin it's absolutely worth it doing that!

A liveCD is safer in that regard (just sign the CD-R and check your signature). Reboot and you start from scratch. Sure, you will have to download the whole blockchain from scratch every time, but if your intended use is a savings account, that's a viable option.

Good point! I almost forget this detail...

1- If you use a "LiveCD", wich means Ubuntu installed on a USB PenDrive and;
2- Just encrypt your /home/ directory and;
3- Somebody knows that you have B$1.000.000,00 there.

 The thief can do:

1- Steal temporarily you PenDrive, when you're at bathroom;
2- Change the bitcoin binary (or any other binary of the system, like shell, etc) for a malicious version;
3- Give back to you, without your knowledge;
4- Wait until you open the system to stole your coins.

 This can not be happen if you have a Ubuntu Live CD with you signature write on it or, if you encrypt the entire file system of the USB PenDrive.

Best,
Thiago

[rebuilder]

You can make a livecd with custom packages such as truecrypt preinstalled. Look into Ubuntu Customization Kit for an easy way to do it, at least if you already have Ubuntu installed somewhere.

Note: be very, very careful when using a livecd for these purposes. Everything you write "to disk" while running the OS off a cd will get erased when you shut down the computer! One way to use such a cd would be to have both Dropbox and Truecrypt installed and store the wallet in an encrypted container on Dropbox. Again, exercise caution when setting your system up. It's very easy to do something silly and lose a lot of coins. At the very least, whatever you do, test your setup thoroughly, reboots and all, before sending any significant amount of coins to the secure wallet. Also, back the wallet up elsewhere than Dropbox as well.

Edit: BTW, if you store the block index on Dropbox as well, you won't need to re-verify the whole thing. You still have to re-download the file of course, but in my experience it's still faster than waiting for the client to verify everything. You might want to store the index on an encrypted volume as well, I'm not sure what kind of attacks are possible if someone manages to tamper with your index, but better safe than sorry...

[ThiagoCMC]

You can make a livecd with custom packages such as truecrypt preinstalled. Look into Ubuntu Customization Kit for an easy way to do it, at least if you already have Ubuntu installed somewhere.

Note: be very, very careful when using a livecd for these purposes. Everything you write "to disk" while running the OS off a cd will get erased when you shut down the computer! One way to use such a cd would be to have both Dropbox and Truecrypt installed and store the wallet in an encrypted container on Dropbox. Again, exercise caution when setting your system up. It's very easy to do something silly and lose a lot of coins. At the very least, whatever you do, test your setup thoroughly, reboots and all, before sending any significant amount of coins to the secure wallet. Also, back the wallet up elsewhere than Dropbox as well.

Edit: BTW, if you store the block index on Dropbox as well, you won't need to re-verify the whole thing. You still have to re-download the file of course, but in my experience it's still faster than waiting for the client to verify everything. You might want to store the index on an encrypted volume as well, I'm not sure what kind of attacks are possible if someone manages to tamper with your index, but better safe than sorry...

 Your concern about lose the information when you shutdown is 100% right! But I left everything about this very clear on the following guide:

 Wallet in the Cloud - Keeping your Bitcoins encrypted and saved into the Cloud!
 http://forum.bitcoin.org/index.php?topic=22386.0

 But we need some observations:

1- Not use truecrypt, dropbox, or anything from the "outside", just the standards (out of the box) of some distro, this is a requirement;
2- Not use any customization, which raise people's concerns about the system;

 My guide is SIMPLE and 99% out of the box. Only the Bitcoin binaries comes from Launchpad, but I'm sure that Bitcoin will be part of Ubuntu 11.10.

 I'm preparing some screenshots to make it even more easy to follow.

 Anyway, you're right, pay attention is never something bad...

Cheers!
Thiago

[nhodges]

Sure...

 You can change the "Internet" to a "USB" kind of setup... The point is which may interest to people is the Live session and the entire Bitcoin data encrypted for ever.

 I liked http://bitcoinsforcharity.org/ very much!! IT IS AWESOME!

Regards,
Thiago

Thanks, I designed/developed the site. If you ever have any suggestions for charities we should send flyers to, just pm or email me!

[hazek]

LiveUSB makes a whole lot more sense to me.

A liveUSB has some problems: someone could modify the distro on your stick so as to look perfectly normal but steal your password / wallet. No one would do that? Well, if your whole life savings are in bitcoin it's absolutely worth it doing that!

A liveCD is safer in that regard (just sign the CD-R and check your signature). Reboot and you start from scratch. Sure, you will have to download the whole blockchain from scratch every time, but if your intended use is a savings account, that's a viable option.

Good point! I almost forget this detail...

1- If you use a "LiveCD", wich means Ubuntu installed on a USB PenDrive and;
2- Just encrypt your /home/ directory and;
3- Somebody knows that you have B$1.000.000,00 there.

 The thief can do:

1- Steal temporarily you PenDrive, when you're at bathroom;
2- Change the bitcoin binary (or any other binary of the system, like shell, etc) for a malicious version;
3- Give back to you, without your knowledge;
4- Wait until you open the system to stole your coins.

 This can not be happen if you have a Ubuntu Live CD with you signature write on it or, if you encrypt the entire file system of the USB PenDrive.

Best,
Thiago