Build yourself a Trezor

The recent rise of crypto valuations has spawned a new generation of millionaires. Consequently, this has also created many opportunities for hackers to steal the newfound wealth.

In this post I will outline 2 methods you can use to secure your coins.

Get yourself a Trezor

Trezor is a fantastic piece of technology that will make your life much easier. Trezor is a hardware wallet, and all transactions are signed on it, which means that if someone hacks your computer, they can't steal your coins.

By far the best feature on Trezor is the way it generates private keys, by combining 2 seeds.

There is one seed key generated by Trezor on setup, and this key is securely enclaved on Trezor's chipset.

The second seed is a password - any password. Every password therefore generates a new, unique set of private keys, which means that you could have an unlimited number of wallets. This is especially good for traveling. For example, if you're asked to unlock your Trezor at US customs, you could use a password that unlocks your wallet with 5 BTC. But you could also have a wallet with 100,000 BTC, and nobody could find it, or prove that such a wallet exists.
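The password mechanism described above follows the BIP39 passphrase scheme, with the wallet root then derived as in BIP32. The sketch below is an added example, not code from the original post or from Trezor; the mnemonic is the public BIP39 test phrase (never use it for funds) and wallet_fingerprint is a hypothetical helper. It shows why a hidden wallet cannot be proven to exist: every passphrase, even a mistyped one, yields a valid wallet.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample input: the public BIP39 test phrase, not a real wallet.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")


def _nfkd(text):
    """BIP39 requires NFKD-normalised UTF-8 for mnemonic and passphrase."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic, passphrase=""):
    """PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic),
                               _nfkd("mnemonic" + passphrase), 2048, dklen=64)


def bip32_master(seed):
    """BIP32 root: HMAC-SHA512 keyed with b"Bitcoin seed".

    Returns (master private key, chain code), 32 bytes each.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallet_fingerprint(passphrase):
    """Hypothetical helper: short demo tag identifying the wallet a passphrase opens."""
    key, _chain_code = bip32_master(bip39_seed(MNEMONIC, passphrase))
    return hashlib.sha256(key).hexdigest()[:16]


if __name__ == "__main__":
    # No passphrase is ever "wrong": each one opens a different, valid wallet,
    # so nothing reveals how many wallets exist. The flip side is that a
    # forgotten or mistyped passphrase silently opens an empty wallet.
    for pw in ["", "customs wallet", "customs wallet ", "main stash"]:
        print(f"{pw!r:20} -> {wallet_fingerprint(pw)}")
```

The derivation applies only 2048 PBKDF2 rounds, so the passphrase protecting a hidden wallet needs real entropy in case the seed words are ever exposed.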

Unfortunately, Trezor only supports a few coins (Bitcoin, Dash, ETH, Monero). To deal with other coins, we need to build our own, general purpose trezor-like computer.

Build your own Trezor

First, we need some hardware. I am a big fan of old Thinkpad laptops, and you can probably get a used T61 for less than 50 EUR.

The next step is air-gapping. We want to perform some surgery on it, to ensure that this computer will not be able to connect to the internet ever again.

Additionally, I think it's a good idea to remove the hard drive and any other storage medium that could enable unintentional data persistence.


I have recently performed this for a friend on a T61, and it is fairly easy. The dial-up modem / ethernet card, and the wifi card are located under the keyboard. I have also removed the hard drive.


My OS of choice is Tails. The reason for this is that Tails is n00b friendly - it won't let you shoot yourself in the foot, while being super easy to use. Tails disables persistence by default. The OS filesystem is read-only, and all new userspace files will be lost on reboot.


Tails has an option of creating a LUKS encrypted partition to enable persistence. It also ships with KeePassX, Bitcoin Electrum wallet and some other nifty tools. This allows us to stack encrypted layers, with different encryption algorithms and keys.

Encrypted FS (Persistent Volume) + Encrypted Bitcoin Wallet

or

Encrypted FS (Persistent Volume) + Encrypted KeePassX DB storing our private keys

The important thing to remember is that we should only ever mount our encrypted persistent storage from the air-gapped machine. To be safe, just don't plug the Tails USB key into any other device - ever.

Generating new wallets

Each coin has its own wallet software and tools. We need to get these tools onto our air-gapped machine. We can do this through an additional USB stick, mounted in read-only mode (don't forget to wipe it before plugging it into a networked PC), or a DVD-ROM (read-only medium) for the super paranoid.

Once the keys are generated, we store them in our Encrypted Persistent Volume.

Here is an example Steem (Python) script to generate Steem Keys. You can use the public keys from the newly generated keypairs to create a new Steem account, or replace keys on an existing account.

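from steembase.account import PasswordKey

account_name = 'furion'
password = 'super secret and reasonably complex password'

# Each role's key pair is derived deterministically from account name, role and password.
posting_key = PasswordKey(account_name, password, role="posting")
active_key = PasswordKey(account_name, password, role="active")
owner_key = PasswordKey(account_name, password, role="owner")
memo_key = PasswordKey(account_name, password, role="memo")

# Only the public keys need to leave the air-gapped machine.
for key in (posting_key, active_key, owner_key, memo_key):
    print(key.role, key.get_public_key())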

Signing Transactions

We can also use the wallet software to sign the transactions on our air-gapped machine, and then broadcast these transactions on our regular machine - thus never exposing our private keys.

For Steem (Python), see steempy sign and steempy broadcast commands.

References

Trezor - https://trezor.io/
Thinkpad T61 - http://www.notebookreview.com/notebookreview/lenovo-thinkpad-t61-review/
KeePassX - https://www.keepassx.org/screenshots
Tails - https://tails.boum.org/
Steem (Python) - http://steem.readthedocs.io/en/latest/
