Easy cold storage with Tails Linux, and Electrum for newbies

[cellard]

I was considering usnig Electrum to create a cold storage setup, however I have been convinced that using anything but a full client is insanity. Look at the recent events as posted by theymos on the sticky:

https://bitcointalk.org/index.php?topic=5090097.0

Just stick to full blockchains. Get a full client that you can trust like Core, run it in an online computer with no coins, then run another Core client in the airgapped computer. Move raw transactions into the online computer and broadcast them.

I don't see why bother with any other software. "As a newbie" is not really an excuse. Start with the real thing. Developing bad habits its not good in Bitcoin.

There's no arguing that Core is better than any other wallet, but it's wrong to dismiss other wallets. Electrum has been around for years, it was reviewed by many people, it's one of the most popular wallets, and for a reason.
Almost every software has some bugs, this is a reality. When a serious bug was discovered in Core client earlier this year, people didn't say that it's insane to use Bitcoin, we just accepted that software is not perfect.
The recent Electrum vulnerability didn't render it broken in a sense that attackers could easily steal private keys, it abused error massages from servers to execute a social engineering attack. If you are using it as cold storage, you would be unlikely to get affected because you'd need to get through many steps - first you'd need to broadcast a transaction on your watch-only Electrum wallet that is connected to a malicious server, than you'd need to download a malicious client and install it on your air-gapped machine, and only then your coins would get stolen if you sent some coins again.

Bitcoin ecosystem remains a harsh place for unexperienced people, and for anyone involved it's important to develop a deeper understanding of cybersecurity.

Plus let's be in the reality that not all Bitcoin investors will be patient or motivated enough to run bitcoind/Core wallet, and download the blockchain. That was one of the causes why we have other tools that were developed for the community, such as Electrum.

For purely cold storage purposes, I believe the guide is as good as the user's ability to secure his seeds.

You can't really compare the bug that was found in Core, which was theoretical at best, and fixed anyway before it even had a chance to do anything.

The Electrum bug as explained by theymos sounded as if you were just a click away from losing your coins:

This message is false, sent to you by a hacker. If you click the link in the message and install the software, then your BTC will be stolen.

When has Bitcoin Core had anything like that? I mean fuck, I could have believed that was a real update myself and click on there. At least if you are going to use Electrum with Tails, be sure to download the latest one, check the gpg keys, and disable internet when generating the wallet, then create a watch-only wallet and put the private keys in cold storage to never see the internet again. This also requires a level of expertise, at the end of the day there are no shortcuts to Bitcoin security. I understand not wanting to download the entire blockchain but you will still need the watch-only/airgap private keys dual setup as a must.

[1714679036]

1714679036

[1714679036]

1714679036

[1714679036]

1714679036

[1714679036]

1714679036

[1714679036]

1714679036

[squatter]

You can't really compare the bug that was found in Core, which was theoretical at best, and fixed anyway before it even had a chance to do anything.

The Electrum bug as explained by theymos sounded as if you were just a click away from losing your coins:

This message is false, sent to you by a hacker. If you click the link in the message and install the software, then your BTC will be stolen.

When has Bitcoin Core had anything like that?

I wouldn't compare the two either, but the recent bug in Core was far more serious. It was "theoretical" in the sense that all bugs that haven't been exploited yet are theoretical. Since you quoted theymos:

The bug fixed in Bitcoin Core 0.16.3 was really bad. IMO it was the worst bug since 2010. If it had been exploited in a 0-day fashion, significant & widespread losses (due to acceptance of counterfeit BTC) would've been likely, and Bitcoin's reputation would've long been tarnished. Furthermore, since a ton of altcoins are based on Bitcoin Core, this would've affected a huge swath of the crypto space all at once.

I encountered the Electrum attack. To be honest, it wasn't very convincing. It was a social engineering attack, not an actual vulnerability in the software. You would have had to open an external untrusted website, download the software, and also neglect to verify it. Plus, the malware only worked if you kept your Electrum keys online, which isn't necessary.

[Kakmakr]

The Electrum wallet in Tails are outdated, so some exploit might be used to capture your seed. It is also not recommended to create the persistent volume, if you are prompted to do that.

Some early malware like BADUsb hides in the firmware of the USB drives, so it can be adapted to capture private keys and your Seed, if they wanted to. If you re-use the USB before you destroy it, then your Seed will be compromised.

These days you can buy a old second hand computer for the price of a USB drive, so I would much rather buy a old computer and printer <low specs> and print a bunch of paper wallets and destroy that.   

[Wind_FURY]

The Electrum wallet in Tails are outdated, so some exploit might be used to capture your seed. It is also not recommended to create the persistent volume, if you are prompted to do that.

Some early malware like BADUsb hides in the firmware of the USB drives, so it can be adapted to capture private keys and your Seed, if they wanted to. If you re-use the USB before you destroy it, then your Seed will be compromised.

These days you can buy a old second hand computer for the price of a USB drive, so I would much rather buy a old computer and printer <low specs> and print a bunch of paper wallets and destroy that.   

But if we are talking about that level of paranoia, then everything can be hacked, and stolen from you. Hardware wallets, your smart phones, your computers, the software, the operating systems, Bitcoin, everything.

[HURETO]

The Electrum wallet in Tails are outdated, so some exploit might be used to capture your seed. It is also not recommended to create the persistent volume, if you are prompted to do that.

Some early malware like BADUsb hides in the firmware of the USB drives, so it can be adapted to capture private keys and your Seed, if they wanted to. If you re-use the USB before you destroy it, then your Seed will be compromised.

These days you can buy a old second hand computer for the price of a USB drive, so I would much rather buy a old computer and printer <low specs> and print a bunch of paper wallets and destroy that.    

Good point. For this purpose there's really no need for a persistent volume.
About the rest, this is way above my level of paranoidity.

I'm still happy with my ledger nanos. Of course eventually every hardware wallet can get hacked - as seen on wallet.fail - but you would need physical access. To get motivated to break into my house one would first need to know that I even have bitcoins.

I think the short howto is really good.

Speaking about alternatives for Tails, has anyone used the distro bitkey? I've been using that quite a lot lately and its really convenient.
https://bitkey.io/

But I'm not completely sure this is safe, too. Could theoretically include a malicious electrum version, too.

[Wind_FURY]

Bitkey is ok, but it has not been updated since since 2017, or early 2018. For purposes of cold storage, I would still choose Tails, and follow as instructed in the OP.

The people maintaining Tails are very active in patching the OS for bugs and from security exploits.