Linux live USB (non-persistent) vs Tails?

[9thsky]

Which would you say is more secure for online wallet? What about offline...no difference?

[1715271406]

1715271406

[ranochigo]

Tails comes with Electrum pre-bundled but you'd have to have persistent storage to update the Electrum to the latest version which would be necessary if its connected to the internet, perhaps not so much if its used as an offline wallet. In terms of security, I don't think they would differ too much. You'll still have to download and verify the Electrum instance (for Tails would be the OS itself).

Tails would be pretty quick and easy to set up as compared to setting up your own Linux instance and install Electrum. Keep in mind that Tails is just like a modified Debian.

[9thsky]

Tails comes with Electrum pre-bundled but you'd have to have persistent storage to update the Electrum to the latest version which would be necessary if its connected to the internet, perhaps not so much if its used as an offline wallet. In terms of security, I don't think they would differ too much. You'll still have to download and verify the Electrum instance (for Tails would be the OS itself).

Tails would be pretty quick and easy to set up as compared to setting up your own Linux instance and install Electrum. Keep in mind that Tails is just like a modified Debian.

What about to use Tails as the offline wallet to create an unsigned transaction. Would I still need to update it for this purpose?

[DireWolfM14]

What about to use Tails as the offline wallet to create an unsigned transaction. Would I still need to update it for this purpose?

I think you mean you would use the offline wallet to sign an unsigned transaction.

The short answer is no.  There have been updates in the past that would prevent an older version from signing an unsigned transaction created by newer version, but if you're talking about a recent release of Tails, you should be fine.  I'm afraid I don't know the exact version numbers that would pose an issue, but for other security issues I would make sure the version of Tails you're using has version 3.0.4 or later.

[20kevin20]

For me, the definition of "secure" depends on how paranoid I'd want to be.

Tails is non-free. In order to be compatible with as many devices and hardware components as possible, the team behind Tails had to add non-free blobs and firmware. Otherwise, the experience on less-known or less-supported hardware would be crappy.

Hence, if you want something that is secure as in an OS that is FOSS, you could get yourself a free copy of Debian and install it on an old PC.

Either use it as an online or an offline wallet together with a verified Electrum install. If you have an old PC laying around, you could actually turn it into a dedicated airgapped wallet for Bitcoin.

Live USBs and Tails are good for when you're on-the-go, but live USBs willl likely require you to reinstall Electrum every single time you boot them. Moreover, if you want to use Tor as well, you will have to go through extra steps every boot. Since Tails comes with Electrum preinstalled and system-wide Tor, it's way more convenient.

Another option is installing Qubes OS, although it's not a newbie-friendly OS to run. You can run multiple operating systems in Virtual Machines at the same time and make two Qubes (VMs) for both offline and online wallets.

If you go for the USB setup, be careful where you're going to plug it since it could still be affected by an infected PC.

[pooya87]

Live USBs and Tails are good for when you're on-the-go, but live USBs willl likely require you to reinstall Electrum every single time you boot them.

That is where "persistence" feature of Linux OS comes in, you basically store your session to be reused on any subsequent boots. You could also simply install the OS on a USB disk just like you would on a hard disk although you should be aware of your disk's lifespan and keep backups.

If you go for the USB setup, be careful where you're going to plug it since it could still be affected by an infected PC.

This shouldn't be an issue although this could be mitigated to some extend by adding 2 partitions to the USB disk, one be a normal NTFS and another a Linux specific format. Windows AFAIK can only recognize one partition no matter what the other is! Also encrypting the home folder, etc helps too.

[Coin-Keeper]

I don't know if you have any concerns over the security/privacy of the physical "sticks" you carry.  Tails is far better (my opinion) but one glaring issue is that persistence is observable since the extra partition is placed on the USB for tails.  My application, which works well, is to carry a second USB stick encrypted with VeraCrypt volumes (Decoy + Hidden).  Tails is already loaded with the software to easily open your VeraCrypt volumes where you can use a hidden volume to store all your "business".  If an adversary confronts you then you can open the decoy volume and you are still safe.  Works quickly and there is no persistent partition to see.  Especially useful for offline things - SEED checks, signing, etc...  On my machines Tails loads in about 10 seconds and its ready to rock!

[20kevin20]

This is ridiculous idea since,
1. It's not supported or recommended by Qubes (https://www.qubes-os.org/faq/#can-i-install-qubes-in-a-virtual-machine-eg-on-vmware)
2. Qubes have high minimum specification

Inside Qubes OS, you can create separate VMs for each need - they're called "qubes". what I was saying is, a setup of two VMs on Qubes OS could be created so that you have one offline qube and one online qube, running at the same time. I cannot call myself a Linux expert, yet I was able to easily create manually-configured qubes using the operating system's UI and a few helping tips from their docs.

From the Getting Started docs:

In Qubes OS, you run all your programs in lightweight virtual machines (VMs) called qubes.

This is a more-than-enough secure setup imo, unless a 3-letter agency is on your way. Basically, as soon as you have an offline qube running, the only way it can be attacked is if dom0 is compromised... and dom0 is offline as well, so it's a quite hard job. Here's more info about this:

In addition to qubes and templates, there’s one special domain called dom0, where many system tools and the desktop manager run. This is where you log in to the system. Dom0 is more trusted than any other domain (including templates and black-labeled qubes). If dom0 were ever compromised, it would be “game over.” (The entire system would effectively be compromised.) Due to its overarching importance, dom0 has no network connectivity and is used only for running the window and desktop managers.