Bitcoin Forum
Topic: [TUTORIAL] Cold storage device on a Raspberry Pi
apogio (OP)
October 02, 2024, 07:41:50 PM
Last edit: May 05, 2025, 04:52:18 AM by apogio
Merited by Mitchell (10), vapourminer (8), BlackHatCoiner (8), Cricktor (8), NeuroticFish (7), ABCbits (2), nc50lc (2), Findingnemo (2), Husna QA (2), DdmrDdmr (1)
 #1

Today we will construct a secure, air-gapped device, where we will be able to generate wallets and keys offline.

Prerequisites
1. A Raspberry Pi 4B (or any other model). If the model doesn't support WiFi it's even better. But for this tutorial I have used a Raspberry Pi 4B.
2. A keyboard.
3. A micro-SD card.
4. An HDMI cable.
5. A monitor.
6. A computer that connects to the internet.
7. A USB thumb drive.

Flashing Raspberry Pi OS Lite on the SD card
1. Download Balena Etcher.
2. Download Raspberry Pi OS Lite from the official website.
3. Use Balena Etcher to flash the OS image on the SD card.

Downloading Sparrow Terminal
1. Download the Linux (ARM64) Standalone version (sparrow-server-2.0.0-aarch64.tar.gz) from the official website.
2. Drag and drop the tar.gz file on a USB drive.

Setting up the Raspberry Pi
1. Insert the SD card into the card reader on the Raspberry Pi.
2. Connect the device to the monitor using the HDMI cable.
3. Plug the power supply into the device.

Once the device is turned on, it will prompt you to create a user and set a password.
After that, you will log in and you will be presented with a terminal.
The terminal will be our dearest friend from now on.

Doing some preconfiguration
Keep in mind that, since we won't plug in an Ethernet cable and we won't connect to a WiFi network, we will never connect to the internet.
But this is not enough!
Since we want to build an air-gapped device, we must disable networking.
Code:
sudo crontab -e
This will open the nano editor, and there we will add the following lines:
Code:
@reboot sudo ifconfig eth0 down
@reboot sudo ifconfig wlan0 down
Having done that, every time we reboot the device, networking will be disabled.

Installing Sparrow Terminal
We will now import the USB where Sparrow Terminal is installed.
Then, we need to mount it.
Code:
lsblk
This command will produce an output where we will see the USB and the disk partition (normally something like /dev/sda1 or /dev/sdb1 etc.).
Let's say that the USB is on /dev/sda1.
We need to mount it, using the command:
Code:
cd /media
sudo mkdir usb
sudo mount /dev/sda1 /media/usb

Now we will move into the folder, and we will extract the tar file onto our home path.
Code:
cd /media/usb
mv sparrow-server-2.0.0-aarch64.tar.gz /home/<username>/

Then we will unmount the usb.
Code:
sudo umount /media/usb

Now we install Sparrow:
Code:
cd /home/<username>
tar -xvf sparrow-server-2.0.0-aarch64.tar.gz
rm -rf sparrow-server-2.0.0-aarch64.tar.gz
Now, we have a Sparrow directory in our home.

Let's run it.
Code:
cd Sparrow/bin
./Sparrow

Once you run it, you will get something like this:


Then, press the "Wallets" button.

You will be presented with 2 options:


Just choose to "Create Wallet"


Notes:
  • For simplicity, I haven't written the verification process of the software we have downloaded. But we must always verify the software we install.


EDITS by other members:
User: Cricktor
Idea / Comment:
To disable wireless internet, we can edit the config.txt file, as follows:
Code:
sudo nano /boot/config.txt
then add these lines at the end:
Code:
dtoverlay=disable-wifi         #disables wifi subsystem
dtoverlay=disable-bt       #disables Bluetooth subsystem

After editing this file, you need to restart your system to allow this change to take effect.

Cricktor
October 02, 2024, 10:45:23 PM
Merited by Mitchell (5), NeuroticFish (5), apogio (5), vapourminer (4), BlackHatCoiner (4), ABCbits (2), DdmrDdmr (1)
 #2

That looks like a nice tutorial so far, great job! Sorry, I'm pretty low on sMerits atm.

Allow me a few suggestions:

# Instead of Balena Etcher you can use the official Pi Imager where you can easily choose what OS you want to have written to your microSD card or whatever you want to boot your Raspi from (changing boot order may need tweaks with raspi-config, IIRC).

# A maybe safer way to force the Raspi to be offline is to disable the device drivers for the network interfaces in the config.txt file in /boot. Disabled device drivers in config.txt prevent any accidental try to fire up any of the wireless network interfaces. For the ETH port you can insert a dummy plug or leave it open. So far I haven't yet found a way to disable the ethernet port via some dtoverlay magic.

# You can disable WiFi and Bluetooth altogether (not sure if this is also possible for the ETH port) by adding the following lines in your /boot/config.txt usually somewhere near the end. Make sure the section of the lines applies generally to your Raspi device (see config.txt documentation for this on official Raspi website).
Code:
dtoverlay=disable-wifi   # disable wifi
dtoverlay=disable-bt     # disable Bluetooth

# Without internet connection the Raspi 4B won't have a correct date and time set. You will have to set it to correct values manually after every reboot.

# Maybe add a sentence that the Sparrow wallet file download should be properly checked and verified before you install or execute Sparrow. That's just good common practice in crypto coin space.



Linguistic nitpicking:
change airgaped --> air-gapped or air gapped
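
Added example (not part of any post in this thread and not the participants' code): a post-boot check for the two offline measures discussed above, the @reboot cron lines and the dtoverlay entries in config.txt. It counts an overlay as active only when the line is uncommented and sits before any [filter] section or under [all], and it reads each interface's IFF_UP flag from sysfs; the function names, the sample config and the fake sysfs tree are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Paths are arguments so the checks run
# against the real Pi or against the constructed sample at the bottom.

# overlay_enabled FILE NAME: succeed only if "dtoverlay=NAME" is uncommented
# and applies to every board (before any [filter] section, or under [all]).
overlay_enabled() {
    awk -v want="dtoverlay=$2" '
        BEGIN { global = 1 }
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t\r]+$/, "") }
        /^\[.*\]$/ { global = ($0 == "[all]"); next }
        global && ($0 == want || index($0, want ",") == 1) { found = 1 }
        END { exit !found }
    ' "$1"
}

# ifaces_up DIR: print each non-loopback interface whose IFF_UP bit (0x1) is
# set in DIR/<iface>/flags, i.e. anything the @reboot lines did not bring down.
ifaces_up() {
    for d in "$1"/*; do
        [ -r "$d/flags" ] || continue
        name=${d##*/}
        [ "$name" = lo ] && continue
        [ $(( $(cat "$d/flags") & 1 )) -eq 1 ] && echo "$name"
    done
    return 0
}

# airgap_report CONFIG SYSNET: one finding per line; non-zero if any check fails.
airgap_report() {
    rc=0
    for ov in disable-wifi disable-bt; do
        overlay_enabled "$1" "$ov" || { echo "MISSING dtoverlay=$ov"; rc=1; }
    done
    for up in $(ifaces_up "$2"); do
        echo "UP $up"; rc=1
    done
    return $rc
}

# Constructed sample: the wifi overlay only under [pi3], Bluetooth under [all].
demo=$(mktemp -d)
cat > "$demo/config.txt" <<'EOF'
arm_64bit=1
[pi3]
dtoverlay=disable-wifi   # applies to a Pi 3 only
[all]
#dtoverlay=disable-wifi
dtoverlay=disable-bt     # disable Bluetooth
EOF
mkdir -p "$demo/net/lo" "$demo/net/eth0" "$demo/net/wlan0"
echo 0x9    > "$demo/net/lo/flags"     # loopback, skipped
echo 0x1002 > "$demo/net/eth0/flags"   # administratively down
echo 0x1003 > "$demo/net/wlan0/flags"  # still up
airgap_report "$demo/config.txt" "$demo/net" || echo "NOT air-gapped"

# On the Pi: airgap_report /boot/config.txt /sys/class/net
# (newer Raspberry Pi OS releases keep the file at /boot/firmware/config.txt)
```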

apogio (OP)
October 04, 2024, 06:41:49 AM
Last edit: October 04, 2024, 12:37:03 PM by apogio
 #3

Quote from Cricktor:
    That looks like a nice tutorial so far, great job! Sorry, I'm pretty low on sMerits atm.

Thank you!

Quote from Cricktor:
    # A maybe safer way to force the Raspi to be offline is to disable the device drivers for the network interfaces in the config.txt file in /boot. Disabled device drivers in config.txt prevent any accidental try to fire up any of the wireless network interfaces. For the ETH port you can insert a dummy plug or leave it open. So far I haven't yet found a way to disable the ethernet port via some dtoverlay magic.

Suggestion added to the initial post. Very good idea.

Quote from Cricktor:
    # Maybe add a sentence that the Sparrow wallet file download should be properly checked and verified before you install or execute Sparrow. That's just good common practice in crypto coin space.

There was a sentence about software verification:

Quote from apogio:
    For simplicity, I haven't written the verification process of the software we have downloaded. But we must always verify the software we install.

Although verification is a must for me, I didn't want to include it in the tutorial. Every software we install has a detailed verification process on their website.
If more users think it's good to include it, I will!

Quote from Cricktor:
    Linguistic nitpicking:
    change airgaped --> air-gapped or air gapped

Changed!

BlackHatCoiner
October 04, 2024, 06:55:02 AM
Merited by vapourminer (1), apogio (1)
 #4

This is a helpful guide, but isn't a new Raspberry Pi both more expensive and slower than a second-hand laptop? You can find very cheap laptops on e-Bay and manually remove hardware components like Wi-Fi antennas to make them air-gapped. Plus, with a laptop, you get a graphical interface instead of being limited to command-line usage. By using thoroughly reviewed operating systems like Tails, which comes with Electrum pre-installed, you also reduce the risk of making mistakes compared to setting everything up manually, while benefiting from added security features.

Raspberry Pi serves a better purpose when used to run a Bitcoin node, IMO, because in that case, you'd save in electricity.

Cricktor
October 04, 2024, 08:46:39 AM
Merited by vapourminer (1), apogio (1)
 #5

Quote from apogio:
    There was a sentence about software verification:

    • For simplicity, I haven't written the verification process of the software we have downloaded. But we must always verify the software we install.

Oh sorry, I must've missed that part. Indeed your tutorial must not be bloated with such things that are well enough documented elsewhere.


~~~
You certainly have a point here. Can a used laptop really beat e.g. a Raspi 4B with 4GB RAM which would certainly be enough for a cold storage platform? I see apogio's tutorial as another option. Whatever you choose to use, is up to yourself.

While a laptop has the advantages you enumerate, it is bulkier than a small Raspi. If you boot the Raspi from a quality microSD card, this small microSD card is all you need to hide to securely store your cold wallet.

I wish there were a way for Secure Boot with a Raspi that works with the commonly used Linux OSes AND encrypted partitions. I admit, I haven't extensively searched for solutions to secure partitions on Raspi storage media.

Secure Boot and encrypted filesystems would be another advantage of a laptop if we can't have at least encrypted filesystems for the data on a Raspi.


apogio (OP)
October 04, 2024, 11:03:38 AM
Last edit: October 04, 2024, 12:37:17 PM by apogio
 #6

Quote from BlackHatCoiner:
    This is a helpful guide, but isn't a new Raspberry Pi both more expensive and slower than a second-hand laptop? You can find very cheap laptops on e-Bay and manually remove hardware components like Wi-Fi antennas to make them air-gapped. Plus, with a laptop, you get a graphical interface instead of being limited to command-line usage. By using thoroughly reviewed operating systems like Tails, which comes with Electrum pre-installed, you also reduce the risk of making mistakes compared to setting everything up manually, while benefiting from added security features.

    Raspberry Pi serves a better purpose when used to run a Bitcoin node, IMO, because in that case, you'd save in electricity.

Absolutely! The tutorial was made because I had an idle Raspberry Pi, so I wanted to examine this option. It's not that I suggest it as "a better alternative", but rather as an option to have a small device which is easily portable. But obviously, everyone suggests Tails on old laptops, and I understand why!

Quote from Cricktor:
    Secure Boot and encrypted filesystems would be another advantage of a laptop if we can't have at least encrypted filesystems for the data on a Raspi.

That's indeed a significant advantage. Though I assume that you could encrypt the Sparrow directory and of course the wallets themselves.

ABCbits
October 04, 2024, 11:15:30 AM
Merited by vapourminer (1), Cricktor (1), apogio (1)
 #7

Quote from Cricktor:
    Secure Boot and encrypted filesystems would be another advantage of a laptop if we can't have at least encrypted filesystems for the data on a Raspi.

Both of them are technically possible. There's official documentation about secure boot[1], while you could create an encrypted partition on the SD card and modify the boot options to handle encryption using another computer.

[1] https://pip.raspberrypi.com/categories/685-whitepapers-app-notes/documents/RP-003466-WP/Boot-Security-Howto.pdf

apogio (OP)
October 04, 2024, 12:55:03 PM
Merited by philipma1957 (2)
 #8

Guys, apparently, BlackHatCoiner is correct (at least mostly correct). The tools that he suggested are superior. So please, this tutorial should be treated as an alternative, but not as the best alternative.

The tutorial is good, but should be limited to generating wallets only for long-term storage and not to be used as a hardware wallet for daily spending.

There is a big problem. Sparrow terminal doesn't support signing transactions. This means that you can't enter a PSBT and sign it. Obviously, I wasn't aware beforehand, because I started implementing the tutorial at the time of writing the post.

That said, the tutorial is still useful in order to generate a long-term cold storage, but you can't really sign transactions unless you import the seed phrase on a hot wallet.

There are mainly two options:
1. Use the wallet like you would use a "paper" wallet.
2. Use electrum instead of sparrow terminal.

Lastly, I changed the title because the post will be a single post and not a multi-part tutorial.


Cricktor
May 04, 2025, 07:43:50 PM
 #9

Hi apogio,

a translation of your tutorial to Naija language has been posted and I commented there to add the detail that after making changes to the /boot/config.txt file usually the Raspi needs a reboot to apply those changes to take effect.

Maybe you could add this detail for Raspi newbies, too?

See here: https://bitcointalk.org/index.php?topic=5399898.msg65346544#msg65346544

apogio (OP)
May 05, 2025, 04:50:05 AM
 #10

Quote from Cricktor:
    Hi apogio,

    a translation of your tutorial to Naija language has been posted and I commented there to add the detail that after making changes to the /boot/config.txt file usually the Raspi needs a reboot to apply those changes to take effect.

    Maybe you could add this detail for Raspi newbies, too?

    See here: https://bitcointalk.org/index.php?topic=5399898.msg65346544#msg65346544

Yes Cricktor, I will add it and thanks for letting me know.

P3Key
May 06, 2025, 08:33:13 AM
 #11

I found something similar but using raspberry pi 3b > https://steemit.com/bitcoin/@florianghe/diy-bitcoin-and-litecoin-cold-storage-wallet-with-raspberry-pi-and-electrum
Is this also reliable to do???

ABCbits
May 06, 2025, 08:53:39 AM
 #12

Quote from P3Key:
    I found something similar but using raspberry pi 3b > https://steemit.com/bitcoin/@florianghe/diy-bitcoin-and-litecoin-cold-storage-wallet-with-raspberry-pi-and-electrum
    Is this also reliable to do???

It's an outdated guide, although the principle remains the same. But I would recommend you to avoid cheap microSD or microSD from unknown brands, since they are usually very slow or not durable enough.

apogio (OP)
May 06, 2025, 09:02:02 AM
 #13

Quote from ABCbits:
    It's an outdated guide, although the principle remains the same. But I would recommend you to avoid cheap microSD or microSD from unknown brands, since they are usually very slow or not durable enough.

Sorry you mean my guide is outdated? Or the other one for 3b?
Perhaps I should also revisit my guide when I have the time, regardless of it being truly outdated or not.

ABCbits
May 06, 2025, 09:19:49 AM
Merited by vapourminer (1)
 #14

Quote from apogio:
    Quote from ABCbits:
        It's an outdated guide, although the principle remains the same. But I would recommend you to avoid cheap microSD or microSD from unknown brands, since they are usually very slow or not durable enough.

    Sorry you mean my guide is outdated? Or the other one for 3b?
    Perhaps I should also revisit my guide when I have the time, regardless of it being truly outdated or not.

I mean the guide on steemit which uses the 3B. Although yours could use an update as well. For example, you may want to emphasize that Sparrow Server has no build for 32-bit ARM, which means your guide wouldn't work on a 32-bit OS and very old versions of the Raspberry Pi.

apogio (OP)
May 06, 2025, 09:44:23 AM
Merited by vapourminer (1)
 #15

Quote from ABCbits:
    I mean the guide on steemit which uses the 3B. Although yours could use an update as well. For example, you may want to emphasize that Sparrow Server has no build for 32-bit ARM, which means your guide wouldn't work on a 32-bit OS and very old versions of the Raspberry Pi.

Yes, I probably will do it as soon as possible, thanks for the suggestion.
There is a security aspect as well when using a linux machine without doing proper user management, but I don't have the necessary knowledge (and time) to cover it.
So if you spot this as a possible issue, it's known, but kind of ignored.

DannyKhalifa
May 14, 2025, 08:42:41 AM
 #16

That's something I was truly looking for. Thank you so much for sharing this, as this method might be the safest one to hold crypto currencies.

apogio (OP)
May 14, 2025, 09:29:36 AM
 #17

Quote from DannyKhalifa:
    That's something I was truly looking for. Thank you so much for sharing this, as this method might be the safest one to hold crypto currencies.

It's not the safest, it's just a way to do it. I still believe that the risk with self-custody is mostly human behaviour. I would suggest, in general, dedicated offline devices and encrypted storage of the key material. You will be significantly better than many other people if you follow some important principles. What I tend to suggest to most people is to use hardware wallets, despite my belief that an offline computer can work even better. I tend to suggest this because they are usually well maintained, properly hardened and easy to use.

But thanks for the kind words, I hope you'll find it an interesting experiment.

DannyKhalifa
May 14, 2025, 09:33:24 AM
Merited by apogio (1)
 #18

Quote from apogio:
    Quote from DannyKhalifa:
        That's something I was truly looking for. Thank you so much for sharing this, as this method might be the safest one to hold crypto currencies.

    It's not the safest, it's just a way to do it. I still believe that the risk with self-custody is mostly human behaviour. I would suggest, in general, dedicated offline devices and encrypted storage of the key material. You will be significantly better than many other people if you follow some important principles. What I tend to suggest to most people is to use hardware wallets, despite my belief that an offline computer can work even better. I tend to suggest this because they are usually well maintained, properly hardened and easy to use.

    But thanks for the kind words, I hope you'll find it an interesting experiment.

After the ByBit hack happened, I started to study more on how to store it safely and yeah, you might be right, there are always risks but having it offline, decreases the chances of exploiting the wallet imo.
In regards to hardware wallets yes, but still, I honestly do not trust companies like LEDGER or other hardware cold wallets.

Just a couple of days ago, by the way, LEDGER discord server was hacked and the admin himself, tricked people into recovering their seed phrases.. saw that?

apogio (OP)
May 14, 2025, 09:55:49 AM
 #19

Quote from DannyKhalifa:
    Just a couple of days ago, by the way, LEDGER discord server was hacked and the admin himself, tricked people into recovering their seed phrases.. saw that?

No, and I dislike Ledger as well, but let's just focus on the tutorial in this thread and we could discuss it elsewhere in the forum.

To conclude, an offline computer that was, is and will be offline, with the addition of a good wallet software like electrum or sparrow is more than enough for long term storage. Obviously, there must be proper backups.
