Objective

The objective is to create an offline digital and paper bitcoin wallet using Linux operating system, VirtualBox and Electrum Bitcoin wallet. The outcome of this tutorial will be a paper with written keywords which can be used to access your bitcoins. We will also create an encrypted version of virtual machine as a digital backup to be stored digitally on a secure medium which will provide a convenient access to your bitcoins if necessary.

Operating System and Software Versions

  • Operating System: - Debian 9 GNU/Linux
  • Software: - Electrum 3.0.3 or higher, VirtualBox Version 5.2.2 r119230

Requirements

Privileged access to your host operating system will be required to install Virtual Box virtualization software.

Difficulty

MEDIUM

Conventions

  • # - requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
  • $ - requires given linux commands to be executed as a regular non-privileged user

Introduction

There is a lot of confusion and misunderstanding within cryptocurrency community especially within newcomers on how to securely store bitcoins. The reason for this is mainly because of the lack of a basic understanding of how the actual blockchain technology, which is underlying every bitcoin transaction, works. When we combine the above with multiple options of software/hardware wallet choices, and the sheer amount of naive users with an absolute disregard for their online privacy and security while browsing the internet or using their smart phones nowadays, the incredible amount of hacked bitcoin wallets every day should not come as a surprise. The bitcoin wallet security starts with user mentality.

Get Paranoid

Word of advice, if you are serious about investing in bitcoin, the first thing you will need to do is to get extremely paranoid about everything you do with your computer, mobile phone or any device attached to your network online or otherwise. As only then you will have the proper motivation to create a secure environment for your investment.

hacking bitcoin exchange

Do not trust any website, in this case, cryptocurrency exchange, online wallet or cryptocurrency portfolio tracker without prior research about it. Do not trust software or operating system delivered to you by corporations or from untrusted sources. People still tend to believe that corporations could be trusted to provide secure software or operating system. If you are one of them, then you could not be further from the truth. Your TV could be used to hack your computer while you are watching your favourite TV show, your Internet connected vacuum robot cleaner is most likely feeding its manufacturer with private information about your home network, location or live video stream while cleaning your bedroom. Do you think that I am too paranoid? Well, then let me tell you that the chances are higher that you are too ignorant than I am too paranoid. That is why community projects like GNU are increasingly important in our society today. It is not possible to be too paranoid when it comes to Bitcoin! You have been warned!

What is off-line bitcoin wallet

bitcoin offline walletWhy creating an offline bitcoin wallet and what is the offline wallet anyway? To answer this question, we first need to understand the basics of how blockchain and bitcoin for that matter works. I will now attempt to explain it most simplistically without much technical mambo jumbo.

People tend to compare a regular wallet with bitcoin wallet thinking that bitcoins are in some way stored locally on their computer similarly like regular coins or notes are stored in a real tangible wallet. No, this is not how it works, and the sooner you stop thinking that way, the better! Bitcoins are not stored anywhere as there is only a publicly available ledger about how many bitcoins belong to which bitcoin address. Hence bitcoin is nothing less than just a record located in this public ledger. This public ledger is called blockchain and is cloned among thousands of computers a.k.a bitcoin miners around the globe.

The question which you should be now asking is: "How do I claim my bitcoins and how do I manipulate bitcoin's blockchain?" Well, you do that with bitcoin wallet. Bitcoin wallet allows you to see how many bitcoins belong to you, thus check your balance; it also allows you to transfer bitcoins to some other bitcoin address, hence change/update the blockchain record. This means that you never store anything locally, you are only reading blockchain's records to see what is your balance and similarly, you are updating blockchain records when making transactions.

Now it is time to discuss what is a bitcoin address. The bitcoin address is used to receive funds. In many cases, it is generated by your wallet based on your secret passphrase. It is essential to understand that the same secret passphrase will always generate the same set of bitcoin addresses. Meaning, that if a user has a passphrase written on paper and decides to reinstall the current wallet or install it on another computer, this passphrase will generate precisely the same set of bitcoin addresses. For this reason, it is paramount to keep your passphrase safe as anyone with your passphrase can generate your public bitcoin addresses and claim your bitcoins.

Since we now understand that the same secret passphrase always generates corresponding hash or bitcoin addresses every time it is used, it is also equally important to realize that to create bitcoin addresses using bitcoin wallet, and secret passphrase does not require the user to be on-line hence to have an Internet access. Thus, offline bitcoin wallet is a bitcoin wallet initiated and used offline, never used to perform any bitcoin transactions and never connected to the Internet. Once the bitcoin addresses were generated and recorded offline using the secret passphrase, the passphrase is securely written on a piece of paper, and the entire wallet is then purged from the system, so the user is only left with a bunch of bitcoin addresses and passphrase written on a piece of paper. Consequently, the offline wallet is now the paper bitcoin wallet.

Motivation

Why would I need to create an offline-wallet? Offline or paper bitcoin wallet, if done correctly, is most likely the most secure way for investors to store their bitcoins, given that you keep your passphrase safe. Offline bitcoin wallet does not rely on third-party websites, hardware, exchanges, banks or software. As long as the integrity of the entire bitcoin blockchain is not compromised your bitcoins are secure. If the bitcoin blockchain is compromised, then this will be "game over" for everybody.

If you are a cryptocurrency trader, the offline wallet does not make much sense for you unless you do not keep all your cash in one nest which is highly recommended.

Scenario

Fictional character Natalie has invested in bitcoin. She bought ฿0.25 using a cryptocurrency XYZ Exchange. Her ฿0.25 now sits available on-line to anyone with a correct username and password to XYZ Exchange as part of her XYZ Exchange balance. However, Natalie realized that having ฿0.25 online poses a significant risk to her investment. First, the XYZ exchange can be hacked, or simply one-day disappears without a trace. Equally likely, her computer can be hacked and login credentials for XYZ exchange stolen. If any of the above-mentioned scenarios are to happen, her ฿0.25 will be gone forever.

For this reason, Natalie decides to take the whole situation into her own hands. She creates an offline wallet using a passphrase. Once ready, she utilizes one of the generated bitcoin addresses to transfer her ฿0.25 from XYZ exchange to her bitcoin address. After that, she removes the digital bitcoin wallet from her computer and securely stores her passphrase written on a piece of paper. From that moment she does not have to rely on the integrity of the XYZ exchange or her laptop.

Procedure

  1. Create a secure base Operating System and Install VirtualBox
  2. Download and verify Debian/GNU Linux ISO
  3. Install Debian/GNU Linux as virtual machine
  4. Download, verify and Install Electrum Bitcoin Wallet
  5. Disable network & Internet access
  6. Start Electrum Bitcoin wallet
  7. Store secret passphrase and bitcoin addresses
  8. Perform Electrum wallet recovery test
  9. Disable Virtual Machine network at the boot time
  10. Export Electrum virtual machine
  11. Encrypt and store Electrum virtual machine
  12. Remove all traces
  13. Enable Network and Internet Access
  14. Transfer Bitcoins
  15. Create a secure base Operating System and Install VirtualBox

    This step is your homework. At the end of this stage, you are expected to have VirtualBox installed on your Operating system of choice. It is entirely possible to use this guide with VirtualBox installed on top of MS Windows operating system. However, a wise man does not build a house on sand so get some old laptop or PC, wipe it out and install fresh GNU/Linux; any GNU/Linux distribution will do whether it is Ubuntu, Debian or CentOS. Linux runs on any hardware with minimal requirements, however, since we will be running a virtual machine on top of our host operating system it would be nice to have at least 4GB RAM available. Furthermore, this guide is written for VirtualBox, free and open-source hypervisor, however, feel free to use any other hypervisor of your preference like VMWare, KVM or XEN.

    Download and verify Debian/GNU Linux ISO

    Now that you have VirtualBox installed it is time to download Debian GNU/Linux which will be used to create a virtual machine for our Electrum bitcoin offline wallet. Check for the latest Debian GNU/Linux at https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/ and update the below steps to reflect your downloaded version.

    The below commands will download Debian's ISO image along with MD5SUM verification file and signature:
    $ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-9.3.0-amd64-netinst.iso
    $ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/MD5SUMS
    $ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/MD5SUMS.sign
    
    Unless you have a relevant key which was used to sign all previously downloaded files:
    $ gpg --verify MD5SUMS.sign
    gpg: keybox '/home/lubos/.gnupg/pubring.kbx' created
    gpg: assuming signed data in 'MD5SUMS'
    gpg: Signature made Sun 10 Dec 2017 13:58:22 AEDT
    gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
    gpg: Can't check signature: No public key
    
    If the above is your case, import the '"Debian CD signing key" with the below command:
    $ gpg --keyserver keyring.debian.org --recv DF9B9C49EAA9298432589D76DA87E80D6294BE9B
    gpg: /home/lubos/.gnupg/trustdb.gpg: trustdb created
    gpg: key DA87E80D6294BE9B: public key "Debian CD signing key " imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg:               imported: 1
    
    Once ready, confirm the validity of MD5SUMS file itself:
    $ gpg --verify MD5SUMS.sign MD5SUMS
    gpg: Signature made Sun 10 Dec 2017 13:58:22 AEDT
    gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
    gpg: Good signature from "Debian CD signing key " [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
    
    Lastly, verify the integrity of the previously downloaded debian-9.3.0-amd64-netinst.iso. Make sure that you alter the below command with your downloaded version:
    $ md5sum -c MD5SUMS 2> /dev/null | grep debian-9.3.0-amd64-netinst.iso
    debian-9.3.0-amd64-netinst.iso: OK
    
    All seems to be in order.

    Install Debian/GNU Linux as virtual machine

    In the next step we will be installing Debian GNU/Linux virtual machine using VirtualBox hyper-visor. The following screenshots will guide you through the entire process:

    Choose name for Electrum Bitcoin wallet
    Use virtual box and create new virtual machine. Choose a custom name. Any name will do.
    RAM
    Depending on your host system select an appropriate amount of RAM. Feel free to go as low as 512MB.
    New harddrive
    select HDD type
    Any type will do. However, for better compatibility with other hyper-visors choose VMDK.
    dynamic HDD
    Select HDD size
    There is no need to get extravagant. 4.75GB will be plenty.
    Insert Debian GNU/Linux iso imageOnce the Virtual Machine is created attach the previously downloaded Debian GNU/Linux ISO image to its CDROM IDE interface.
    Start new Electrum bitcoin virtual machine
    Now we are ready to start the installation. The installation wizard is rather self-explanatory however few key steps are shown below.
    install on a single partition
    No need to have a multi-partition system. Install all files on a single partition.
    parition table
    After choosing the "Guided partitioning" you will end up with the following partition table. If you know how, you can reduce the swap partition to something like 200MB as there is no need to waste 1GB on swap. However, the default will work as well.
    Select GUI
    To conserve some disk space, unselect all items and select only LXDE. Hit Continue to start the installation.
    install grub
    Make sure to install Grub. Say YES.
    last partition install grub
    At the end of the installation install Grub on an /dev/sda block device.
    Installation complete
    All done. Time to reboot!
    Login to new system
    Login with your previously entered user credentials.
    debian is now ready to install Electrum bitcoin wallet
    All ready. This question is irrelevant. Say NO and your are done.

    Download, verify and install Electrum Bitcoin Wallet

    This section describes how to install Electrum Bitcoin Wallet. However, If you wish to create Bitcoin Cash or Litecoin offline wallet instead, rather than following the instructions below use our guides on how to install Bitcoin Cash and Litecoin wallet on Linux. Make sure you do not start your wallet before you read next section on how to disable network.

    Using the new installed Debian GNU/Linux virtual machine it is time to download, verify and install Electrum Bitcoin Wallet. First, install prerequisites:
    # apt install dirmng
    
    Download the latest Electrum version and signature. At the time of writing, Electrum 3.0.3 is the latest available version:
    $ wget https://download.electrum.org/3.0.3/Electrum-3.0.3.tar.gz 
    $ wget https://download.electrum.org/3.0.3/Electrum-3.0.3.tar.gz.asc
    
    Verify your download:
    $ gpg --verify Electrum-3.0.3.tar.gz.asc Electrum-3.0.3.tar.gz
    gpg: keybox '/home/btc/.gnupg/pubring.kbx' created
    gpg: Signature made Tue 12 Dec 2017 17:06:09 AEDT
    gpg:                using RSA key 2BD5824B7F9470E6
    gpg: Can't check signature: No public key
    
    If you get the above message about missing public key, import it:
    $ gpg --keyserver pool.sks-keyservers.net --recv-keys 2BD5824B7F9470E6
    gpg: /home/btc/.gnupg/trustdb.gpg: trustdb created
    gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) " imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg:               imported: 1
    
    Make sure that the key you have imported belongs to Thomas Voegtlin (https://electrum.org) ". Try again to verify your download:
       
    $ gpg --verify Electrum-3.0.3.tar.gz.asc Electrum-3.0.3.tar.gz
    gpg: Signature made Tue 12 Dec 2017 17:06:09 AEDT
    gpg:                using RSA key 2BD5824B7F9470E6
    gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
    gpg:                 aka "ThomasV " [unknown]
    gpg:                 aka "Thomas Voegtlin " [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
    
    Once the verification process is done it is time to install Electrum Bitcoin Wallet. The below commands need to be executed with root privileges. Use su command to change to root prompt and execute the below commands from the directory you have downloaded the Electrum bitcoin wallet source code:
    $ su
    Password: 
    #  apt-get install python3-setuptools python3-pyqt5 python3-pip
    #  pip3 install Electrum-3.0.3.tar.gz
    
    The Electrum bitcoin wallet is now installed. In is important to make sure not to start it before you disable network in the next step as failing to do so will render the whole tutorial invalid.

    Disable network & Internet access

    At this stage we do not need the Internet access anymore. Turn the wireless switch on your laptop OFF, unplug the cable from your PC and disconnect network on your virtual machine:
    disconnect network on virtual box
    Right click and disconnect network interface on the virtual machine itself.
    disconnected
    Attempt to ping the Google's DNS server should be a sufficient test that your virtual machine is disconnected.

    Start Electrum Bitcoin wallet

    All right! Now we are ready to generate our new bitcoin addresses. Start the Electrum bitcoin wallet from terminal using electrum command and follow the steps shown below:
    $ electrum
    
    Important! Do not use the seed passphrase used in this guide! The below shown keywords are here only as an example and must not be used. Start electrum bitcoin wallet
    Choose wallet name
    Any name will do just fine.
    Select standard wallet
    New seed
    select seed type


    Write your seed down on a piece of paper. Never store your words digitally on some other computer. Use pen and paper! If you need a backup write it on two pieces of paper. Do not disclose your keywords to anybody. Your eyes only!
    Confirm seed keywords
    In this step confirm your keywords. Read them from the paper notes you have created previously.

    Feel free to encrypt your Electrum bitcoin wallet. This step is optional. As long as you do not loose your seed keywords generated in the previous steps loosing the encryption password in this step is not a disaster as it is only a complication.
    Show addresses on Electrum bitcoin wallet
    Check the left bottom corner on the Electrum bitcoin wallet application window. Not Connected is exactly what we want. Hit VIEW->SHOW ADDRESSES. This will show all bitcoin addresses generated with your passphrase. Depending on how many addresses you need copy one or all addresses externally.
    Do NOT rewrite the addresses manually using pen or another computer's keyboard as chances are that you will make mistakes which will be costly. Here you will be tempted to connect to the Internet and copy/paste them to your email. Do NOT do that! Instead generate QR code for each address you wish to copy and use your smart phone to scan them from the screen and then simply send them to your email.
    all addressesElectrum bitcoin QR code

    Perform Electrum wallet recovery test

    This step is optional but highly recommended as it will once again confirm your seed keywords, your bitcoin addresses and will teach you how to recover your wallet if the need comes to access your bitcoin investment. Still disconnected from the Internet, turn off your Electrum bitcoin wallet and from the command line remove its configuration directory:
    $ rm -fr ~/.electrum/
    
    Next, start the Electrum Bitcoin wallet again:
    $ electrum
    
    The whole process of setting up the Electrum bitcoin wallet after reset. Follow the wizard:
    Reset electrum bitcoin wallet

    We already have a seed. Continue with the wizard. At the end you should be presented with the same set of bitcoin addresses you have already stored externally during the previous steps.
    Take your time here! All needs to check!

    Disable Virtual Machine network at the boot time

    We are done. Turn off the Electrum bitcoin wallet application and turn off your virtual machine.
    disable network
    Just as precaution navigate to virtual machine settings and disable network interface. This will ensure that you do not expose your Electrum bitcoin to the Internet by accident the next time your import and start your virtual machine.

    Export Electrum virtual machine

    For a quick access to our bitcoin wallet we can export our virtual machine for the later use. Make sure you check for a new Electrum version before using your wallet. Simply update it by following the installation section of this guide and you should be back in business in no time.

    Using a VirtualBox navigate to FILE->Export Appliance and export the entire virtual machine:
    export bitcoin wallet
    Choose Open Virtualization Format to end up with a single *.ova file.

    Encrypt and store Electrum virtual machine

    Store the exported virtual machine on any medium you deem worthy. Do not keep it on your computer if your intention is to connect this computer to the Internet. Use some external medium such as USB stick or even better store it on M-disk. If you are using Linux as your main operating system, it is also possible to encrypt the entire file with ccrypt as shown below just in case it falls in the wrong hands. Make sure you do not forget your encryption password:
    $ ls -lh BTC_Wallet.ova 
    -rw------- 1 lubos lubos 1.6G Dec 21 14:29 BTC_Wallet.ova
    
    Install ccrypt package:
    # apt install ccrypt
    
    use ccrypt to encrypt your exported virtual machine:
    $ ccrypt BTC_Wallet.ova 
    Enter encryption key: 
    Enter encryption key: (repeat) 
    lubos@extreme:~/Documents$ ls -lh
    total 1.6G
    -rw------- 1 lubos lubos 1.6G Dec 21 14:29 BTC_Wallet.ova.cpt
    

    Remove all traces

    Before you connect your PC/Laptop to the Internet it is time to remove all traces of your virtual machine. First, remove your exported virtual machine:
    $ rm BTC_Wallet.ova.cpt 
    
    Next, remove the entire virtual machine with Delete All Files from the VirtualBox hyper-visor.
    remove bitcoin wallet

    Enable Network and internet Access

    Now, that all files are removed feel free to connect to the Internet.

    Transfer Bitcoins

    At this stage you should have the following:
    • paper on your table with your seed passphrase which your are going to store at some save location
    • addresses to your bitcoin wallet which you can disclose publicly
    • exported VirtualBox virtual machine with your bitcoin wallet stored on some external medium such as USB or M-Disk. If the need arrives, this file can be imported to VirtualBox anytime to provide you with a quick access to your bitcoin wallet


    Finally, you are ready to transfer your bitcoins from the bitcoin exchange to any of your new bitcoin addresses generated with this guide.

    Make sure you send you bitcoins to the correct address. Once you make the transfer do not use your bitcoin wallet to check for a balance as this will render your offline bitcoin wallet useless and you will need to start the entire process of bitcoin offline wallet creation from the beginning. It is enough to confirm your balance by navigating your browser to https://blockchain.info/ and searching for your bitcoin address.
    That is all folks! While you are at the transfers and you feel that this guide was useful and saved you some time, your are more than welcome to buy me a coffee using the below addresses.
    Bitcoin: 1PyYJEVtxkokkYtLkRw9BA7Fr4xEAXJn3U
    Litecoin: LXvDNUcdKuh3Svge358rNanXfXMKcPkxCo
    
    Any suggestions or ideas regarding this tutorial are welcome. Thank you
ARE YOU LOOKING FOR A LINUX JOB?
Submit your RESUME or create a JOB ALERT on LinuxCareers.com job portal.
DO YOU NEED ADDITIONAL HELP?
Get extra help by visiting our LINUX FORUM or simply use comments below.

You may also be interested in: