ObjectiveThe objective is to create an offline digital and paper bitcoin wallet using Linux operating system, VirtualBox and Electrum Bitcoin wallet. The outcome of this tutorial will be a paper with written keywords which can be used to access your bitcoins. We will also create an encrypted version of virtual machine as a digital backup to be stored digitally on a secure medium which will provide a convenient access to your bitcoins if necessary.
Operating System and Software Versions
- Operating System: - Debian 9 GNU/Linux
- Software: - Electrum 3.0.3 or higher, VirtualBox Version 5.2.2 r119230
RequirementsPrivileged access to your host operating system will be required to install Virtual Box virtualization software.
- # - requires given command to be executed with root privileges either directly as a root user or by use of
- $ - given command to be executed as a regular non-privileged user
IntroductionThere is a lot of confusion and misunderstanding within cryptocurrency community especially within newcomers on how to securely store bitcoins. The reason for this is mainly because of the lack of a basic understanding of how the actual blockchain technology, which is underlying every bitcoin transaction, works. When we combine the above with multiple options of software/hardware wallet choices, and the sheer amount of naive users with an absolute disregard for their online privacy and security while browsing the internet or using their smart phones nowadays, the incredible amount of hacked bitcoin wallets every day should not come as a surprise. The bitcoin wallet security starts with user mentality.
Get ParanoidWord of advice, if you are serious about investing in bitcoin, the first thing you will need to do is to get extremely paranoid about everything you do with your computer, mobile phone or any device attached to your network online or otherwise. As only then you will have the proper motivation to create a secure environment for your investment.
Do not trust any website, in this case, cryptocurrency exchange, online wallet or cryptocurrency portfolio tracker without prior research about it. Do not trust software or operating system delivered to you by corporations or from untrusted sources. People still tend to believe that corporations could be trusted to provide secure software or operating system. If you are one of them, then you could not be further from the truth. Your TV could be used to hack your computer while you are watching your favourite TV show, your Internet connected vacuum robot cleaner is most likely feeding its manufacturer with private information about your home network, location or live video stream while cleaning your bedroom. Do you think that I am too paranoid? Well, then let me tell you that the chances are higher that you are too ignorant than I am too paranoid. That is why community projects like GNU are increasingly important in our society today. It is not possible to be too paranoid when it comes to Bitcoin! You have been warned!
What is off-line bitcoin walletWhy creating an offline bitcoin wallet and what is the offline wallet anyway? To answer this question, we first need to understand the basics of how blockchain and bitcoin for that matter works. I will now attempt to explain it most simplistically without much technical mambo jumbo.
People tend to compare a regular wallet with bitcoin wallet thinking that bitcoins are in some way stored locally on their computer similarly like regular coins or notes are stored in a real tangible wallet. No, this is not how it works, and the sooner you stop thinking that way, the better! Bitcoins are not stored anywhere as there is only a publicly available ledger about how many bitcoins belong to which bitcoin address. Hence bitcoin is nothing less than just a record located in this public ledger. This public ledger is called blockchain and is cloned among thousands of computers a.k.a bitcoin miners around the globe.
The question which you should be now asking is: "How do I claim my bitcoins and how do I manipulate bitcoin's blockchain?" Well, you do that with bitcoin wallet. Bitcoin wallet allows you to see how many bitcoins belong to you, thus check your balance; it also allows you to transfer bitcoins to some other bitcoin address, hence change/update the blockchain record. This means that you never store anything locally, you are only reading blockchain's records to see what is your balance and similarly, you are updating blockchain records when making transactions.
Now it is time to discuss what is a bitcoin address. The bitcoin address is used to receive funds. In many cases, it is generated by your wallet based on your secret passphrase. It is essential to understand that the same secret passphrase will always generate the same set of bitcoin addresses. Meaning, that if a user has a passphrase written on paper and decides to reinstall the current wallet or install it on another computer, this passphrase will generate precisely the same set of bitcoin addresses. For this reason, it is paramount to keep your passphrase safe as anyone with your passphrase can generate your public bitcoin addresses and claim your bitcoins.
Since we now understand that the same secret passphrase always generates corresponding hash or bitcoin addresses every time it is used, it is also equally important to realize that to create bitcoin addresses using bitcoin wallet, and secret passphrase does not require the user to be on-line hence to have an Internet access. Thus, offline bitcoin wallet is a bitcoin wallet initiated and used offline, never used to perform any bitcoin transactions and never connected to the Internet. Once the bitcoin addresses were generated and recorded offline using the secret passphrase, the passphrase is securely written on a piece of paper, and the entire wallet is then purged from the system, so the user is only left with a bunch of bitcoin addresses and passphrase written on a piece of paper. Consequently, the offline wallet is now the paper bitcoin wallet.
MotivationWhy would I need to create an offline-wallet? Offline or paper bitcoin wallet, if done correctly, is most likely the most secure way for investors to store their bitcoins, given that you keep your passphrase safe. Offline bitcoin wallet does not rely on third-party websites, hardware, exchanges, banks or software. As long as the integrity of the entire bitcoin blockchain is not compromised your bitcoins are secure. If the bitcoin blockchain is compromised, then this will be "game over" for everybody.
If you are a cryptocurrency trader, the offline wallet does not make much sense for you unless you do not keep all your cash in one nest which is highly recommended.
ScenarioFictional character Natalie has invested in bitcoin. She bought ₿0.25 using a cryptocurrency XYZ Exchange. Her ₿0.25 now sits available on-line to anyone with a correct username and password to XYZ Exchange as part of her XYZ Exchange balance. However, Natalie realized that having ₿0.25 online poses a significant risk to her investment. First, the XYZ exchange can be hacked, or simply one-day disappears without a trace. Equally likely, her computer can be hacked and login credentials for XYZ exchange stolen. If any of the above-mentioned scenarios are to happen, her ₿0.25 will be gone forever.
For this reason, Natalie decides to take the whole situation into her own hands. She creates an offline wallet using a passphrase. Once ready, she utilizes one of the generated bitcoin addresses to transfer her ₿0.25 from XYZ exchange to her bitcoin address. After that, she removes the digital bitcoin wallet from her computer and securely stores her passphrase written on a piece of paper. From that moment she does not have to rely on the integrity of the XYZ exchange or her laptop.
- Create a secure base Operating System and Install VirtualBox
- Download and verify Debian/GNU Linux ISO
- Install Debian/GNU Linux as virtual machine
- Download, verify and Install Electrum Bitcoin Wallet
- Disable network & Internet access
- Start Electrum Bitcoin wallet
- Store secret passphrase and bitcoin addresses
- Perform Electrum wallet recovery test
- Disable Virtual Machine network at the boot time
- Export Electrum virtual machine
- Encrypt and store Electrum virtual machine
- Remove all traces
- Enable Network and Internet Access
- Transfer Bitcoins
- paper on your table with your seed passphrase which your are going to store at some save location
- addresses to your bitcoin wallet which you can disclose publicly
- exported VirtualBox virtual machine with your bitcoin wallet stored on some external medium such as USB or M-Disk. If the need arrives, this file can be imported to VirtualBox anytime to provide you with a quick access to your bitcoin wallet
Create a secure base Operating System and Install VirtualBoxThis step is your homework. At the end of this stage, you are expected to have VirtualBox installed on your Operating system of choice. It is entirely possible to use this guide with VirtualBox installed on top of MS Windows operating system. However, a wise man does not build a house on sand so get some old laptop or PC, wipe it out and install fresh GNU/Linux; any GNU/Linux distribution will do whether it is Ubuntu, Debian or CentOS. Linux runs on any hardware with minimal requirements, however, since we will be running a virtual machine on top of our host operating system it would be nice to have at least 4GB RAM available. Furthermore, this guide is written for VirtualBox, free and open-source hypervisor, however, feel free to use any other hypervisor of your preference like VMWare, KVM or XEN.
Download and verify Debian/GNU Linux ISONow that you have VirtualBox installed it is time to download Debian GNU/Linux which will be used to create a virtual machine for our Electrum bitcoin offline wallet. Check for the latest Debian GNU/Linux at https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/ and update the below steps to reflect your downloaded version.
The below commands will download Debian's ISO image along with MD5SUM verification file and signature:
$ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-9.3.0-amd64-netinst.iso $ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/MD5SUMS $ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/MD5SUMS.signUnless you have a relevant key which was used to sign all previously downloaded files:
$ gpg --verify MD5SUMS.sign gpg: keybox '/home/lubos/.gnupg/pubring.kbx' created gpg: assuming signed data in 'MD5SUMS' gpg: Signature made Sun 10 Dec 2017 13:58:22 AEDT gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B gpg: Can't check signature: No public keyIf the above is your case, import the '"Debian CD signing key" with the below command:
$ gpg --keyserver keyring.debian.org --recv DF9B9C49EAA9298432589D76DA87E80D6294BE9B gpg: /home/lubos/.gnupg/trustdb.gpg: trustdb created gpg: key DA87E80D6294BE9B: public key "Debian CD signing keyOnce ready, confirm the validity of MD5SUMS file itself:
" imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1
$ gpg --verify MD5SUMS.sign MD5SUMS gpg: Signature made Sun 10 Dec 2017 13:58:22 AEDT gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B gpg: Good signature from "Debian CD signing keyLastly, verify the integrity of the previously downloaded
" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
debian-9.3.0-amd64-netinst.iso. Make sure that you alter the below command with your downloaded version:
$ md5sum -c MD5SUMS 2> /dev/null | grep debian-9.3.0-amd64-netinst.iso debian-9.3.0-amd64-netinst.iso: OKAll seems to be in order.
Install Debian/GNU Linux as virtual machineIn the next step we will be installing Debian GNU/Linux virtual machine using VirtualBox hyper-visor. The following screenshots will guide you through the entire process:
Use virtual box and create new virtual machine. Choose a custom name. Any name will do.
Depending on your host system select an appropriate amount of RAM. Feel free to go as low as 512MB.
Any type will do. However, for better compatibility with other hyper-visors choose VMDK.
There is no need to get extravagant. 4.75GB will be plenty.
Once the Virtual Machine is created attach the previously downloaded Debian GNU/Linux ISO image to its CDROM IDE interface.
Now we are ready to start the installation. The installation wizard is rather self-explanatory however few key steps are shown below.
No need to have a multi-partition system. Install all files on a single partition.
After choosing the "Guided partitioning" you will end up with the following partition table. If you know how, you can reduce the swap partition to something like 200MB as there is no need to waste 1GB on swap. However, the default will work as well.
To conserve some disk space, unselect all items and select only LXDE. Hit
Continueto start the installation.
Make sure to install Grub. Say
At the end of the installation install Grub on an
All done. Time to reboot!
Login with your previously entered user credentials.
All ready. This question is irrelevant. Say
NOand your are done.
Download, verify and install Electrum Bitcoin WalletThis section describes how to install Electrum Bitcoin Wallet. However, If you wish to create Bitcoin Cash or Litecoin offline wallet instead, rather than following the instructions below use our guides on how to install Bitcoin Cash and Litecoin wallet on Linux. Make sure you do not start your wallet before you read next section on how to disable network.
Using the new installed Debian GNU/Linux virtual machine it is time to download, verify and install Electrum Bitcoin Wallet. First, install prerequisites:
# apt install dirmngDownload the latest Electrum version and signature. At the time of writing, Electrum 3.0.3 is the latest available version:
$ wget https://download.electrum.org/3.0.3/Electrum-3.0.3.tar.gz $ wget https://download.electrum.org/3.0.3/Electrum-3.0.3.tar.gz.ascVerify your download:
$ gpg --verify Electrum-3.0.3.tar.gz.asc Electrum-3.0.3.tar.gz gpg: keybox '/home/btc/.gnupg/pubring.kbx' created gpg: Signature made Tue 12 Dec 2017 17:06:09 AEDT gpg: using RSA key 2BD5824B7F9470E6 gpg: Can't check signature: No public keyIf you get the above message about missing public key, import it:
$ gpg --keyserver pool.sks-keyservers.net --recv-keys 2BD5824B7F9470E6 gpg: /home/btc/.gnupg/trustdb.gpg: trustdb created gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org)Make sure that the key you have imported belongs to Thomas Voegtlin (https://electrum.org)
" imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1
$ gpg --verify Electrum-3.0.3.tar.gz.asc Electrum-3.0.3.tar.gz gpg: Signature made Tue 12 Dec 2017 17:06:09 AEDT gpg: using RSA key 2BD5824B7F9470E6 gpg: Good signature from "Thomas Voegtlin (https://electrum.org)Once the verification process is done it is time to install Electrum Bitcoin Wallet. The below commands need to be executed with root privileges. Use
" [unknown] gpg: aka "ThomasV " [unknown] gpg: aka "Thomas Voegtlin " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
sucommand to change to root prompt and execute the below commands from the directory you have downloaded the Electrum bitcoin wallet source code:
$ su Password: # apt-get install python3-setuptools python3-pyqt5 python3-pip # pip3 install Electrum-3.0.3.tar.gzThe Electrum bitcoin wallet is now installed. In is important to make sure not to start it before you disable network in the next step as failing to do so will render the whole tutorial invalid.
Disable network & Internet accessAt this stage we do not need the Internet access anymore. Turn the wireless switch on your laptop OFF, unplug the cable from your PC and disconnect network on your virtual machine:
Right click and disconnect network interface on the virtual machine itself.
Attempt to ping the Google's DNS server should be a sufficient test that your virtual machine is disconnected.
Start Electrum Bitcoin walletAll right! Now we are ready to generate our new bitcoin addresses. Start the Electrum bitcoin wallet from terminal using
electrumcommand and follow the steps shown below:
Any name will do just fine.
Write your seed down on a piece of paper. Never store your words digitally on some other computer. Use pen and paper! If you need a backup write it on two pieces of paper. Do not disclose your keywords to anybody. Your eyes only!
In this step confirm your keywords. Read them from the paper notes you have created previously.
Feel free to encrypt your Electrum bitcoin wallet. This step is optional. As long as you do not loose your seed keywords generated in the previous steps loosing the encryption password in this step is not a disaster as it is only a complication.
Check the left bottom corner on the Electrum bitcoin wallet application window.
Not Connectedis exactly what we want. Hit
VIEW->SHOW ADDRESSES. This will show all bitcoin addresses generated with your passphrase. Depending on how many addresses you need copy one or all addresses externally.
Do NOT rewrite the addresses manually using pen or another computer's keyboard as chances are that you will make mistakes which will be costly. Here you will be tempted to connect to the Internet and copy/paste them to your email. Do NOT do that! Instead generate QR code for each address you wish to copy and use your smart phone to scan them from the screen and then simply send them to your email.
Perform Electrum wallet recovery testThis step is optional but highly recommended as it will once again confirm your seed keywords, your bitcoin addresses and will teach you how to recover your wallet if the need comes to access your bitcoin investment. Still disconnected from the Internet, turn off your Electrum bitcoin wallet and from the command line remove its configuration directory:
$ rm -fr ~/.electrum/Next, start the Electrum Bitcoin wallet again:
$ electrumThe whole process of setting up the Electrum bitcoin wallet will be reset. Follow the wizard:
We already have a seed. Continue with the wizard. At the end you should be presented with the same set of bitcoin addresses you have already stored externally during the previous steps.
Take your time here! All needs to check!
Disable Virtual Machine network at the boot timeWe are done. Turn off the Electrum bitcoin wallet application and turn off your virtual machine.
Just as precaution navigate to virtual machine settings and disable network interface. This will ensure that you do not expose your Electrum bitcoin to the Internet by accident the next time your import and start your virtual machine.
Export Electrum virtual machineFor a quick access to our bitcoin wallet we can export our virtual machine for the later use. Make sure you check for a new Electrum version before using your wallet. Simply update it by following the installation section of this guide and you should be back in business in no time.
Using a VirtualBox navigate to
FILE->Export Applianceand export the entire virtual machine:
Choose Open Virtualization Format to end up with a single
Encrypt and store Electrum virtual machineStore the exported virtual machine on any medium you deem worthy. Do not keep it on your computer if your intention is to connect this computer to the Internet. Use some external medium such as USB stick or even better store it on M-disk. If you are using Linux as your main operating system, it is also possible to encrypt the entire file with
ccryptas shown below just in case it falls in the wrong hands. Make sure you do not forget your encryption password:
$ ls -lh BTC_Wallet.ova -rw------- 1 lubos lubos 1.6G Dec 21 14:29 BTC_Wallet.ovaInstall
# apt install ccryptuse
ccryptto encrypt your exported virtual machine:
$ ccrypt BTC_Wallet.ova Enter encryption key: Enter encryption key: (repeat) lubos@extreme:~/Documents$ ls -lh total 1.6G -rw------- 1 lubos lubos 1.6G Dec 21 14:29 BTC_Wallet.ova.cpt
Remove all tracesBefore you connect your PC/Laptop to the Internet it is time to remove all traces of your virtual machine. First, remove your exported virtual machine:
$ rm BTC_Wallet.ova.cptNext, remove the entire virtual machine with
Delete All Filesfrom the VirtualBox hyper-visor.
Enable Network and internet AccessNow, that all files are removed feel free to connect to the Internet.
Transfer BitcoinsAt this stage you should have the following:
Finally, you are ready to transfer your bitcoins from the bitcoin exchange to any of your new bitcoin addresses generated with this guide.
Bitcoin: 1PyYJEVtxkokkYtLkRw9BA7Fr4xEAXJn3U Litecoin: LXvDNUcdKuh3Svge358rNanXfXMKcPkxCoAny suggestions or ideas regarding this tutorial are welcome. Thank you