Bitcoin Forum
May 21, 2024, 04:26:19 PM *
Author Topic: offline air-gapped electrum  (Read 336 times)
adaseb
June 05, 2023, 04:19:55 AM
Merited by o_e_l_e_o (4), BitMaxz (1)
 #21

Regarding the scanning of the QR code. What I do is this. I don’t use a USB drive back and forth due to the slightest risk of infecting the cold computer.

I have an old digital camera and an old laptop. The laptop has a slot to read flash cards like the old style ones that digital cameras used. So I just use an old digital camera from like the year 2000. Take a photo, and take out the flash card and put it into the offline computer. This way it never touches the online computer.

Then use a program like QR decoder and copy that code to Electrum and it will read the unsigned transaction.
Aikidoka
June 05, 2023, 02:17:16 PM
 #22

> Regarding the scanning of the QR code. What I do is this. I don’t use a USB drive back and forth due to the slightest risk of infecting the cold computer.
>
> I have an old digital camera and an old laptop. The laptop has a slot to read flash cards like the old style ones that digital cameras used. So I just use an old digital camera from like the year 2000. Take a photo, and take out the flash card and put it into the offline computer. This way it never touches the online computer.
>
> Then use a program like QR decoder and copy that code to Electrum and it will read the unsigned transaction.

This is actually perfect and carries 0 risk of being infected by a USB when you use it every time back and forth between your airgapped device and your online PC.

After reading your post, I remembered that I have an old camera with an SD card port which I rarely use and my air-gapped laptop has an SD card slot, so it would be great to use it. I think I could also connect my camera to the laptop using a USB cable and transfer the picture. Later, I can use a QR decoder to broadcast the transaction via Electrum.

I recently watched a YouTube video where a person shared credentials using an air-gapped computer without any networking or USB connection. He did that by utilizing two laptops with cameras, which is also a highly secure method. You can watch the video here.
o_e_l_e_o
June 05, 2023, 02:59:28 PM
 #23

> This is actually perfect and carries 0 risk of being infected by a USB when you use it every time back and forth between your airgapped device and your online PC.

There is no such thing as zero risk.

You are right in saying it is a very secure method, but risk is never zero. Assuming your setup is perfectly safe is a bad idea, because it leads to you cutting corners and taking shortcuts thinking that nothing can go wrong. QR codes are only as good as the device which generates them. It is entirely possible for malware on your watch-only device to generate a QR code which encodes a transaction which sends your coins to the wrong place. You scan that in to your airgapped device thinking nothing can go wrong, and you end up signing a malicious transaction.

QR codes are good, but you should always double check what the QR code is encoding/decoding.
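
The check described in the post above, as an added example that is not part of the thread or of Electrum's own code: it assumes the unsigned transaction reaches the air-gapped machine as a BIP174 PSBT already decoded from the QR code to raw bytes, lists every output, and reports any whose scriptPubKey or amount differs from what you intended. All function names and the sample PSBT are constructed for illustration.

```python
def read_varint(buf, pos):
    """Decode a Bitcoin compact-size integer; return (value, next_pos)."""
    if buf[pos] < 0xfd:
        return buf[pos], pos + 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[buf[pos]]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def unsigned_tx_from_psbt(psbt):
    """Return the unsigned transaction stored under global key 0x00 (BIP174)."""
    if psbt[:5] != b"psbt\xff":
        raise ValueError("not a PSBT")
    pos = 5
    while True:
        klen, pos = read_varint(psbt, pos)
        if klen == 0:  # end of global map reached without finding the tx
            raise ValueError("no unsigned transaction in global map")
        key, pos = psbt[pos:pos + klen], pos + klen
        vlen, pos = read_varint(psbt, pos)
        value, pos = psbt[pos:pos + vlen], pos + vlen
        if key == b"\x00":
            return value

def tx_outputs(tx):
    """List (amount_sat, scriptPubKey_hex) for each output of a non-witness tx."""
    n_in, pos = read_varint(tx, 4)                 # skip 4-byte version
    for _ in range(n_in):
        slen, pos = read_varint(tx, pos + 36)      # skip txid + output index
        pos += slen + 4                            # skip scriptSig + sequence
    n_out, pos = read_varint(tx, pos)
    outs = []
    for _ in range(n_out):
        amount = int.from_bytes(tx[pos:pos + 8], "little")
        slen, pos = read_varint(tx, pos + 8)
        outs.append((amount, tx[pos:pos + slen].hex()))
        pos += slen
    return outs

def unexpected_outputs(psbt, intended):
    """Outputs whose script/amount differ from intended {scriptPubKey_hex: sat}."""
    return [(amt, spk) for amt, spk in tx_outputs(unsigned_tx_from_psbt(psbt))
            if intended.get(spk) != amt]

# Constructed sample data (no real keys or coins): three P2WPKH scriptPubKeys
# and a one-input PSBT paying 50,000 sat to pay_script plus 40,000 sat change.
PAY, CHANGE, OTHER = (bytes.fromhex("0014" + c * 20) for c in ("aa", "bb", "cc"))
def sample_psbt(pay_script):
    out = lambda amt, spk: amt.to_bytes(8, "little") + bytes([len(spk)]) + spk
    tx = (bytes.fromhex("0200000001") + b"\x11" * 32 + bytes.fromhex("0000000000fdffffff")
          + b"\x02" + out(50_000, pay_script) + out(40_000, CHANGE) + bytes(4))
    return b"psbt\xff\x01\x00" + bytes([len(tx)]) + tx + bytes(4)
```

An empty result from `unexpected_outputs` means every output matches the `intended` map, which is only meaningful if that map is entered on the air-gapped machine from a source other than the online wallet.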
new19980
June 05, 2023, 07:49:40 PM
 #24

> > If I'm using a laptop as an offline air-gapped Electrum wallet, how to scan the QR code to sign the transaction? Should I link a camera to the laptop?
>
> You are going to be unable to scan a QR code without a camera, so yes, you'll need to buy a USB webcam or similar if your laptop does not have a built in webcam.
>
> Your other option is to transfer your transactions back and forth via a USB drive, although this carries a slightly higher risk of transmitting malware or leaking your keys than via QR code.

What about this signing method, is it better than QR code?
https://electrum.readthedocs.io/en/latest/coldstorage.html
o_e_l_e_o
June 06, 2023, 06:42:41 AM
 #25

> What about this signing method, is it better than QR code?
> https://electrum.readthedocs.io/en/latest/coldstorage.html

This is the exact same method as using QR codes to transfer transactions between online and airgapped wallets. This method simply says "transfer the transaction file to your offline machine (e.g. with a usb stick)."

Transferring with QR codes or USB sticks are both equally possible. I prefer using QR codes for two reasons. First of all, it's a bit quicker to simply point a camera at a QR code than it is to save a file, transfer to a USB stick, and move that USB stick between devices. Secondly, and more importantly, it is harder to transfer malware or leak private keys via a QR code than it is via a USB stick. Even the smallest USB stick will have hundreds of megabytes of empty space which malware could copy itself to, whereas this is largely not possible (or at least far more difficult and noticeable) with QR codes.

So yes, you can use USB sticks if you like, and it is still very safe, but QR codes are safer (provided you are double checking everything as I explained two posts up).
adaseb
June 13, 2023, 04:52:27 AM
 #26

> > This is actually perfect and carries 0 risk of being infected by a USB when you use it every time back and forth between your airgapped device and your online PC.
>
> There is no such thing as zero risk.
>
> You are right in saying it is a very secure method, but risk is never zero. Assuming your setup is perfectly safe is a bad idea, because it leads to you cutting corners and taking shortcuts thinking that nothing can go wrong. QR codes are only as good as the device which generates them. It is entirely possible for malware on your watch-only device to generate a QR code which encodes a transaction which sends your coins to the wrong place. You scan that in to your airgapped device thinking nothing can go wrong, and you end up signing a malicious transaction.
>
> QR codes are good, but you should always double check what the QR code is encoding/decoding.

Just read that you replied to my earlier post.

Yes, I agree that it’s possible the watch-only online wallet can have a phishing QR code which, if signed and broadcast, could lead to sending the funds to the wrong address.

However, with Electrum you can see the entire address and amounts you are sending it to. So you should always verify and double check everything.

I know with certain software like Metamask it’s more risky because the extension uses a small portion of desktop space and only shows the first few characters and last few characters. So it’s harder to verify the address you are sending it to is one of your own wallets.
o_e_l_e_o
June 13, 2023, 06:59:09 AM
 #27

> However, with Electrum you can see the entire address and amounts you are sending it to. So you should always verify and double check everything.

That's exactly my point - double check everything. Assuming QR codes are zero risk is a bad idea. They are only as good as the software/device which generates them, and if that device is compromised, then so too is your QR code.
Yamane_Keto
June 13, 2023, 08:16:29 AM
 #28

> That's exactly my point - double check everything. Assuming QR codes are zero risk is a bad idea. They are only as good as the software/device which generates them, and if that device is compromised, then so too is your QR code.

I do not know, but the chances of this succeeding seem slim, because it is either by changing the receiving address, which I liken to a clipboard virus, or that the software that you downloaded is not official; otherwise I do not think that there is a way to do QR phishing here.

Can hackers modify a signed message? Or tamper with the content of the master public key without downloading an unofficial version?


> I know with certain software like Metamask it’s more risky because the extension uses a small portion of desktop space and only shows the first few characters and last few characters. So it’s harder to verify the address you are sending it to is one of your own wallets.

Assuming Metamask shows the first 6 characters and the last 6 characters, 12 characters total, I think that's enough.
hosseinimr93
June 13, 2023, 08:43:20 AM
 #29

> I do not think that there is a way to do QR phishing here.

The point here is that you should check the address, whether you copy-paste it or you use a QR code. As mentioned by o_e_l_e_o, the risk is never zero.


> Can hackers modify a signed message?

No.
If you change the receiving address or any other data, the signature will become invalid and you have to sign the transaction again.


> Assuming Metamask shows the first 6 characters and the last 6 characters, 12 characters total, I think that's enough.

I remember Metamask used to display the first 4 and the last 4 characters.
I just pasted an ETH address in Metamask to see if it's still the same. It displayed the first 11 and the last 4 characters.
