Are VMs adequate for cold/cool wallets?

[enmaku]

Specifically the sort of mid-security cool wallet that clients like Armory offer. I already have split-secret paper wallets for the "savings account" but I need something more accessible for more regular mid-grade purchases. I know a thing or two about a thing or two and would secure the VM holding private keys quite well - TrueCrypt full volume encryption on the guest OS and the virtual disk stored on a hardware-encrypted external USB that would only ever be plugged in when in use. No network adapters on the VM and so on. The only missing piece is I don't know enough about VMs from a security standpoint to know what new security vulnerabilities might be introduced - I'm not sure how much access the host PC has to the VM's RAM, for example, or if there is any way to limit that sort of vulnerability.

Thoughts?

[cypherdoc]

https://bitcointalk.org/index.php?topic=15052.0;all

[enmaku]

https://bitcointalk.org/index.php?topic=15052.0;all

So the gist I'm getting is that the host OS is well-secured against bad actions taken against the guest, but not vice versa. Unidirectional security in exactly the wrong direction 

Oh well, it was worth a shot. Guess I'll be buying a cheap netbook just to run Armory, although Armory seems pretty resource-intensive for them to recommend running the offline client on a netbook. Has anyone had first-hand experience with this?

[cypherdoc]

read the post about security via obscurity.  worked for me.

[cypherdoc]

Maybe your next podcast should be on high level security of wallets?

[cypherdoc]

I'd also love to hear one on the intricacies of ecdsa.

[MWNinja]

The average consumer-grade VM solution is crap and offers very little protection (still it's useful in a defense in depth approach).  That said, there is a secure hypervisor solution that is suitable for protecting cold/cool wallets offered by this company http://www.integrityglobalsecurity.com/.  It's not geared toward the consumer market, but certainly would be suitable for a business looking to create a bitcoin "bank".


 

[dwolfman]

read the post about security via obscurity.  worked for me.

Link?

Tried searching the forums, but can't single it out of the hundreds of hits... 

[enmaku]

The average consumer-grade VM solution is crap and offers very little protection (still it's useful in a defense in depth approach).  That said, there is a secure hypervisor solution that is suitable for protecting cold/cool wallets offered by this company http://www.integrityglobalsecurity.com/.  It's not geared toward the consumer market, but certainly would be suitable for a business looking to create a bitcoin "bank".


 

Definitely more hammer than I need for this particular nail, but I like the idea of a VM being part of a DiD approach. I might just set this up with two different offline wallets, one stored on the offline computer directly and one stored in a VM's disk a hardware-encrypted external disk that only ever gets plugged into the offline computer... But maybe I'm over-thinking this.

[film2240]

Only if you completely disable any form of internet access to that VM first otherwise viruses/hackers can still find a way in,especially without anti-virus or a firewall.

[proudhon]

I've been playing around with Windows to Go on a USB thumbdrive lately.  I downloaded the Windows 8 Enterprise trial ISO from Microsoft and installed it on freshly formatted hard drive in an offline PC.  From that Enterprise installation I created a live and bootable Windows 8 Enterprise USB using the Windows to Go feature.  You can choose to use Microsoft's BitLocker encryption on the USB drive from the Windows to Go installation wizard.  Once Go is finished installing, you can boot up that installation of Windows on any capable system.  On boot you'll be prompted for the BitLocker password to decrypt the drive.

On any systems you use with your USB drive you'd just want to make sure any network cables are disconnected before you boot up.  The first time I booted from my USB drive I just went ahead and uninstalled all network devices.  I installed Armory and have used it for a few small offline wallets.  I think this gives you something almost as secure as a dedicated offline computer for Armory with more flexibility.  The way I've set it up you need the BitLocker decryption key, the regular Windows password, and the password for the Armory wallets in order to sign transactions to be moved to an online system for broadcasting.

Of course, you can do something similar with Linux, but I wanted to try it out with Windows because Armory updates typically go out to Windows first, and I wanted to avoid worrying about dependencies and stuff like that.  What's nice is that I think you can do this for free.  You can get the trial Enterprise ISO directly from Microsoft.  The standard installation is limited to 90 days, but you just need to install it in order to create a Windows to Go USB drive.  After that, you don't need it anymore.  The Go installation will tell you it's not activated with a watermark, but being unactivated, as far as I can tell, just means you can use some Windows features like the Windows store - stuff you don't need on an offline installation anyway.

I guess it's a slight step down from a dedicated Armory offline computer because I it's conceivable that a wallet compromising virus could travel from the hard drive of host computer onto the USB installation; although, from my USB Go installation I've never been able to access the drive resources of the host computer, so I assume there some partitioning going on to protect against that sort of thing.  Anyway, like I said, probably a slight step down in security from the recommended Armory setup, but a step up in security, I think, from VMs on network connected computers.  Plus you get a lot more flexibility since you could more easily travel with an encrypted USB that you can use on your main laptop or any other computer.

Just something I've been playing with.

[Berend de Boer]

Specifically the sort of mid-security cool wallet that clients like Armory offer. I already have split-secret paper wallets for the "savings account" but I need something more accessible for more regular mid-grade purchases. I know a thing or two about a thing or two and would secure the VM holding private keys quite well - TrueCrypt full volume encryption on the guest OS and the virtual disk stored on a hardware-encrypted external USB that would only ever be plugged in when in use. No network adapters on the VM and so on. The only missing piece is I don't know enough about VMs from a security standpoint to know what new security vulnerabilities might be introduced - I'm not sure how much access the host PC has to the VM's RAM, for example, or if there is any way to limit that sort of vulnerability.

Thoughts?

I would say it's not much safer than not using a vm. Your disks are encrypted, so you might think the host cannot read/modify your wallets. But the host can read the guest's memory and extract it from there. Such attacks do not yet exist, but are not beyond a teenager with nothing better to do, and who's happy with a few thousand dollars in return (people get murdered for less).

The only additional safety is that when the vm is not running, even if your host is compromised, you're safe. But if the host is compromised, and you don't know, and turn on the vm, all bets are off again. Given your mid-security requirements, I assume you have the vm running most of the time, so you have no additional security.

[gweedo]

https://bitcointalk.org/index.php?topic=15052.0;all

So the gist I'm getting is that the host OS is well-secured against bad actions taken against the guest, but not vice versa. Unidirectional security in exactly the wrong direction  

Oh well, it was worth a shot. Guess I'll be buying a cheap netbook just to run Armory, although Armory seems pretty resource-intensive for them to recommend running the offline client on a netbook. Has anyone had first-hand experience with this?

The offline client isn't that intensive. Don't install windows, get Ubuntu, and 2gb of ram should be more then enough if your worried about the requirements.

[cypherdoc]

read the post about security via obscurity.  worked for me.

Link?

Tried searching the forums, but can't single it out of the hundreds of hits... 

It's in the thread i linked to below

[enmaku]

https://bitcointalk.org/index.php?topic=15052.0;all

So the gist I'm getting is that the host OS is well-secured against bad actions taken against the guest, but not vice versa. Unidirectional security in exactly the wrong direction  

Oh well, it was worth a shot. Guess I'll be buying a cheap netbook just to run Armory, although Armory seems pretty resource-intensive for them to recommend running the offline client on a netbook. Has anyone had first-hand experience with this?

The offline client isn't that intensive. Don't install windows, get Ubuntu, and 2gb of ram should be more then enough if your worried about the requirements.

Ah, so it's only the online client that sucks down 4 to 8 gigs of RAM as indicated on their site

[dwolfman]

read the post about security via obscurity.  worked for me.

Link?

Tried searching the forums, but can't single it out of the hundreds of hits... 

It's in the thread i linked to below

Well, that's a lot of reading to find it (76 pages!!).  Think I'll save that for sometime when I have a couple days to waste. 

[BTCLuke]

You guys are really making me want to get one of these beauties and figure out how to install Armory on it:


$74, full PC specs! Link to review.

Anyone done it?

[cypherdoc]

Specifically the sort of mid-security cool wallet that clients like Armory offer. I already have split-secret paper wallets for the "savings account" but I need something more accessible for more regular mid-grade purchases. I know a thing or two about a thing or two and would secure the VM holding private keys quite well - TrueCrypt full volume encryption on the guest OS and the virtual disk stored on a hardware-encrypted external USB that would only ever be plugged in when in use. No network adapters on the VM and so on. The only missing piece is I don't know enough about VMs from a security standpoint to know what new security vulnerabilities might be introduced - I'm not sure how much access the host PC has to the VM's RAM, for example, or if there is any way to limit that sort of vulnerability.

Thoughts?

I would say it's not much safer than not using a vm. Your disks are encrypted, so you might think the host cannot read/modify your wallets. But the host can read the guest's memory and extract it from there. Such attacks do not yet exist, but are not beyond a teenager with nothing better to do, and who's happy with a few thousand dollars in return (people get murdered for less).

The only additional safety is that when the vm is not running, even if your host is compromised, you're safe. But if the host is compromised, and you don't know, and turn on the vm, all bets are off again. Given your mid-security requirements, I assume you have the vm running most of the time, so you have no additional security.

I don't think thats true.

VMWare fusion connects to the mac os via a nat connection which acts like a one way router.   

[cypherdoc]

I've been playing around with Windows to Go on a USB thumbdrive lately.  I downloaded the Windows 8 Enterprise trial ISO from Microsoft and installed it on freshly formatted hard drive in an offline PC.  From that Enterprise installation I created a live and bootable Windows 8 Enterprise USB using the Windows to Go feature.  You can choose to use Microsoft's BitLocker encryption on the USB drive from the Windows to Go installation wizard.  Once Go is finished installing, you can boot up that installation of Windows on any capable system.  On boot you'll be prompted for the BitLocker password to decrypt the drive.

On any systems you use with your USB drive you'd just want to make sure any network cables are disconnected before you boot up.  The first time I booted from my USB drive I just went ahead and uninstalled all network devices.  I installed Armory and have used it for a few small offline wallets.  I think this gives you something almost as secure as a dedicated offline computer for Armory with more flexibility.  The way I've set it up you need the BitLocker decryption key, the regular Windows password, and the password for the Armory wallets in order to sign transactions to be moved to an online system for broadcasting.

Of course, you can do something similar with Linux, but I wanted to try it out with Windows because Armory updates typically go out to Windows first, and I wanted to avoid worrying about dependencies and stuff like that.  What's nice is that I think you can do this for free.  You can get the trial Enterprise ISO directly from Microsoft.  The standard installation is limited to 90 days, but you just need to install it in order to create a Windows to Go USB drive.  After that, you don't need it anymore.  The Go installation will tell you it's not activated with a watermark, but being unactivated, as far as I can tell, just means you can use some Windows features like the Windows store - stuff you don't need on an offline installation anyway.

I guess it's a slight step down from a dedicated Armory offline computer because I it's conceivable that a wallet compromising virus could travel from the hard drive of host computer onto the USB installation; although, from my USB Go installation I've never been able to access the drive resources of the host computer, so I assume there some partitioning going on to protect against that sort of thing.  Anyway, like I said, probably a slight step down in security from the recommended Armory setup, but a step up in security, I think, from VMs on network connected computers.  Plus you get a lot more flexibility since you could more easily travel with an encrypted USB that you can use on your main laptop or any other computer.

Just something I've been playing with.

Were you able to set that up for free?

You might be interested in the ironkey that's coming out later this year that will have hardware encryption with windows to go and can boot up in ram.

[Berend de Boer]

But the host can read the guest's memory and extract [the encryption keys] from there.

I don't think thats true.

VMWare fusion connects to the mac os via a nat connection which acts like a one way router.  

It sounds like either you didn't read my post, or you are very confused. The host can read ANYTHING in a vm. That's by definition.

No clue what you mean with nat connection, that's completely irrelevant if the host can directly read the network buffer of the virtualised NIC.