Hi everyone, electrum newbie here wondering about how safe it is to sign transactions. My actual cold storage wallet was created on bootable USB with tails absolutely no internet. In the scenario where I would need to send coins I go on separate online computer on watch-only address, put the unsigned transaction on my USB and put it on the computer running Tails to sign it offline.
The concern I have is what if I had some kind of malware on the online computer, could it potentially attach to the unsigned transaction file and try to steal my private key when I put the USB in my cold storage device to sign the transaction offline? The malware could potentially take my key/seed and put it on the signed transaction file then, then when I go to broadcast the payment on the online computer I could be compromised.
I make sure to enter my seed in Electrum on the offline computer before I put the USB with the unsigned transaction file in it, but even then I'm not sure if there is malware capable of grabbing my private key even after I entered the key/seed and am in the wallet. From what I have seen of people having Electrum wallet hacked it usually happens when they download from a false source, I would assume the phony electrum just keylogs the persons seed and then sends it off to the attacker but is there other attacks I have to worry about other than a keylog? Hopefully this question makes sense, i probably sound super paranoid but I don't want to take any chances.
This scenario is very unlikely, since most malware writers are focusing on popular platforms and not some rare cases. But you can also reduce the risk of such malware by following this protocol:
1. Boot your Tails, insert USB with unsigned transaction, open tx file, copy it to cliboard.
2. Format your USB and unplug it.
3. Now plug another USB that has encrypted wallet files on it, launch Electrum, paste raw transaction from clipboard and sign it.
4. Scan QR code of signed transaction with your phone and broadcast it with official android Electrum wallet.
