
Utilities to manage the Bitcoin core client in an air gapped TAILS session. Command line tools to manage cold wallets in a secure offline environment.


csknk/airgap-core-utilities

Offline Bitcoin/Litecoin Core Utilities

Manage Bitcoin Core/Litecoin Core wallets in an offline Tails session

Running Tails as an offline live session is a safe way to manage secure assets - including Bitcoin/Litecoin core cold wallets. However, because Tails is amnesiac, you need to set up the core binaries every time you boot into the live session.

This collection of BASH scripts helps connect things up so that you can easily access and manage cold wallets in Bitcoin/Litecoin Core during a Tails offline live session. They include helper scripts that act as a wrapper for the Bitcoin CLI. The scripts also adjust the Tails iptables rules as necessary to allow bitcoin-cli to interact with bitcoind.

If you need to open a Bitcoin Core cold wallet in an offline Tails session - maybe you need to add an additional receiving address or maybe you need to check/audit cold wallet passphrases - these scripts should help.

The scripts run a zenity GUI which prompts the user to select required files (e.g. the cold wallet file, the list of public addresses for private key backup etc).

A lot of the same functionality is required by the various scripts, so I've added this in a lib type structure, sourcing files as appropriate. This is pushing the limits of BASH a bit (for me anyway). The whole suite would probably be better in Python. I started it in BASH as I had quite a few scripts as wrappers for online bitcoin-cli management.

Usage

  • Clone this repository
  • Copy downloaded Bitcoin/Litecoin binary directories to the root directory of this project
  • Copy this directory to the encrypted persistent drive of a Tails USB drive
  • Boot into Tails, navigate to ~/Persistent/airgap-core-utilities
  • Run commands (e.g. cd ~/Persistent/airgap-core-utilities followed by ./check-passphrase)

All commands provide an option to set up binaries - either Bitcoin or Litecoin. You will generally only need to do this step once per Tails session.

Dump Private Keys

The dumpprivkeys script loads a cold wallet, loops through a list of public addresses and builds a collection of GnuPG encrypted output files that contain the associated private keys.

Before running, create a text file that consists of the public addresses for the keys you want to back up, with each address on a separate line.

The script uses the bitcoin-cli dumpprivkey command to output private keys for specified public addresses. The private key for each address is encrypted into a file whose filename corresponds to the public address. These can be used as a paper backup, or as a convenient way of accessing funds held in individual addresses without breaking the "cold" status of the wallet.

GnuPG is used to symmetrically encrypt the dumped private key files. The intermediate (unencrypted) dumped private key files are securely deleted using the shred utility.

If you choose to generate an encryption passphrase (recommended if you do not have a strong passphrase), a random 64-character base64 string is generated using the openssl rand command. This is then used as the passphrase for GPG symmetric encryption of the private keys.

Once private keys are encrypted, it should be safe to expose them on an online computer or print them for the purposes of backup. To preserve security, however, the encryption passphrase should remain offline - it should never be loaded onto an online or otherwise potentially insecure computer.

In order to make it possible to print the encryption passphrase for backup purposes, the encryption passphrase is itself encrypted, using the master passphrase of your security system. This allows you to safely lodge backup paper copies of the encryption passphrase without compromising security. Note that your master passphrase should be backed up using Shamir's Secret Sharing Scheme or a similar protocol.
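The dump-and-encrypt flow described above, written out as an added example (this is not the project's own dumpprivkeys script). It assumes bitcoin-cli with the cold wallet already loaded, gpg 2.1+, openssl and shred on PATH, and lets BITCOIN_CLI be overridden with a stub for an offline dry run:

```shell
#!/usr/bin/env bash
# Added example, not the project's dumpprivkeys script. Assumes bitcoin-cli
# (cold wallet loaded), gpg 2.1+, openssl and shred are on PATH.
# BITCOIN_CLI can be overridden with a stub function for an offline dry run.
set -eu
BITCOIN_CLI="${BITCOIN_CLI:-bitcoin-cli}"

# Non-empty, non-comment lines of the address list, one address per line.
read_addresses() {
    grep -v -e '^[[:space:]]*$' -e '^#' "$1" || true
}

# 48 random bytes -> 64 base64 characters, as the README describes
# (falls back to /dev/urandom if openssl is unavailable).
gen_passphrase() {
    { openssl rand -base64 48 2>/dev/null || head -c 48 /dev/urandom | base64; } | tr -d '\n'
}

# dumpprivkey -> 0600 temp file -> gpg symmetric -> shred the plaintext.
# Args: address, passphrase file, output directory. Prints the .gpg path.
encrypt_key_for_address() {
    addr="$1"; passfile="$2"; outdir="$3"
    tmp="$(mktemp "$outdir/.$addr.XXXXXX")"
    "$BITCOIN_CLI" dumpprivkey "$addr" > "$tmp"
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-file "$passfile" \
        --symmetric --cipher-algo AES256 --output "$outdir/$addr.gpg" "$tmp"
    shred -u "$tmp"          # overwrite and unlink the plaintext key
    echo "$outdir/$addr.gpg"
}

# Encrypt every address in list $1 into directory $2; prints the file count.
dump_all() {
    umask 077                # everything created here is owner-only
    mkdir -p "$2"
    passfile="$2/passphrase.txt"   # keep this file offline; never copy it out
    gen_passphrase > "$passfile"
    n=0
    for a in $(read_addresses "$1"); do
        encrypt_key_for_address "$a" "$passfile" "$2" > /dev/null
        n=$((n + 1))
    done
    echo "$n"
}

# Wrap the passphrase file with your master passphrase (gpg prompts for it)
# so a paper copy of passphrase.txt.asc can be lodged with the backups.
encrypt_passphrase_for_print() {
    gpg --symmetric --cipher-algo AES256 --armor --output "$1.asc" "$1"
}
```

Run as `dump_all addresses.txt ~/Persistent/keybackup` followed by `encrypt_passphrase_for_print ~/Persistent/keybackup/passphrase.txt`; only the `.gpg` and `.asc` files should ever leave the offline session.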

Check Passphrase: check-passphrase

Loads a cold wallet and allows the user to check the passphrase.

Load a Fresh Core Client: load-fresh-core-qt

Run a clean instance of either Bitcoin or Litecoin core. Useful when creating a new cold wallet.

IMPORTANT: Remember to double check that you have stored a copy of the right wallet.

By default, the new wallet will be located in the default data directory - which will cease to exist when the Tails session ends. Make sure that you securely back up the encrypted wallet to a persistent drive.

Double (triple) check this by re-loading the cold wallet BEFORE sending funds to addresses generated by the wallet. If you mistakenly send funds to an address for which you do not control the private key, you will lose funds.

Suggested workflow:

  • Load a fresh wallet: ./load-fresh-core-qt - this will start up the bitcoin-qt GUI client
  • Encrypt the wallet with a secure passphrase
  • Securely store the passphrase
  • Back the wallet up to an appropriate persistent drive (NOT the Tails home directory) with an appropriate name
  • Quit the core client
  • Run ./load-coldwallet-qt from ~/Persistent/airgap-core-utilities
  • When prompted, select the wallet you just saved (you don't need to install binaries again)
  • In the bitcoin-qt GUI, generate labelled receiving addresses
  • Export receiving addresses in CSV format, saving these to a persistent drive
  • Close the core client again
  • Reload the cold wallet again
  • Check that the receiving addresses managed by this wallet correspond to those that you saved earlier
  • If necessary, check the passphrase by running ./check-passphrase
  • Save the wallet and passphrase (in an encrypted database like KeePassX) in at least two locations before sending funds
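The "check that the receiving addresses correspond" step of the workflow above, as an added example that is not part of the project's scripts. It assumes the cold wallet is reloaded in Core, bitcoin-cli 0.17+ (for getaddressinfo) on PATH, and a bitcoin-qt receiving-address export with the address in the last CSV column; BITCOIN_CLI may be overridden with a stub for a dry run:

```shell
#!/usr/bin/env bash
# Added example, not one of the project's scripts. Assumes the cold wallet
# is loaded, bitcoin-cli 0.17+ (getaddressinfo) is on PATH, and the CSV is
# a bitcoin-qt receiving-address export ("Label","Address" per row).
# BITCOIN_CLI can be overridden with a stub function for a dry run.
set -eu
BITCOIN_CLI="${BITCOIN_CLI:-bitcoin-cli}"

# Print the address (last column) of every data row; tolerates quoted
# labels containing commas and CRLF line endings.
csv_addresses() {
    awk -F, 'NR > 1 { gsub(/["\r ]/, "", $NF); if ($NF != "") print $NF }' "$1"
}

# Succeeds only if the loaded wallet holds the private key for address $1.
wallet_owns() {
    "$BITCOIN_CLI" getaddressinfo "$1" | grep -q '"ismine": *true'
}

# Check every exported address against the wallet. Lists each address the
# wallet does NOT own on stderr and prints the number of such addresses;
# anything other than 0 means do not send funds yet.
verify_export() {
    missing=0
    for a in $(csv_addresses "$1"); do
        if wallet_owns "$a"; then
            echo "ok: $a"
        else
            echo "NOT IN WALLET: $a" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}
```

Run as `verify_export ~/Persistent/receiving.csv` after `./load-coldwallet-qt` has the wallet open; the last line of output must be 0 before any funds are sent.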

Load Cold Wallet: load-coldwallet-qt

Launch a specified cold wallet in the Core QT client.

Useful for checking receiving addresses, or adding extra receiving addresses.

This script is designed to run in a TAILS session in which the ~/.bitcoin directory won't be persisted after shutting down. Because of this, the script does not remove the copied cold wallet file. This may be important if you run the script in a live environment where ~/.bitcoin does persist.
