Gentoo Forums
using electrum safely on gentoo.....
mikefot
l33t

Joined: 19 Nov 2014
Posts: 667

Posted: Thu Oct 10, 2019 4:22 pm    Post subject: using electrum safely on gentoo.....

Dear All,

Has anyone tried using electrum to store small quantities of bitcoin in a regular gentoo install on the site here?

Also has anyone tried using it together with Trezor?

Suggestions on secure handling of the bitcoin would be appreciated.

Comments appreciated.

Regards

Michael Fothergill
fturco
Veteran

Joined: 08 Dec 2010
Posts: 1184
Location: Italy

Posted: Fri Oct 11, 2019 9:50 am

I store my bitcoins using Electrum on a Gentoo Linux machine. No problems so far. I haven't bought a TREZOR hardware wallet yet, but it's on my todo list.
mikefot
l33t

Joined: 19 Nov 2014
Posts: 667

Posted: Fri Oct 11, 2019 10:52 am

Many thanks indeed for your response.

I went on the bitcointalk site and asked a few questions about safely storing bitcoin:

https://bitcointalk.org/index.php?topic=5189756.0

I had discussed the notion of using an old PC I had that was permanently disconnected from the internet
to do cold storage of bitcoin using electrum and passphrases and seeds etc and also make use of a TREZOR
stick in order to learn how to be ultra secure etc.

But then it occurred to me that in an ordinary gentoo install it is easy to turn the internet connection on and off at will.

I thought to myself, why can't you move some bitcoin you bought e.g. on coinbase using the hash codes etc or whatever one is
supposed to do and then switch off the internet connection in the standard gentoo install and then generate passphrases
and seeds etc using electrum plus any extra useful software and then copy them to external usb sticks or print them or
even handwritten copies of them etc (and use the TREZOR stick if you bought one) and then wipe everything of importance from hard drive on the gentoo install.

Then if you would turn on the internet connection again in the standard gentoo install and carry on as normal there would be no security
problem. No malicious code could sniff out any private keys or copy any seeds etc in some sneaky way.

Does that sound reasonable?

Regards

MF
fturco
Veteran

Joined: 08 Dec 2010
Posts: 1184
Location: Italy

Posted: Fri Oct 11, 2019 11:12 am

I don't think an Internet connection is needed to receive bitcoins. It's only required in order to send them. So you can generate a seed with Electrum on an always disconnected machine, until you need to spend them. I think it's called "cold storage".

But the other machine you use in order to connect to Coinbase or any other bitcoin exchange obviously still needs an Internet connection.

Please note I'm not a bitcoin expert.
Hu
Moderator

Joined: 06 Mar 2007
Posts: 15977

Posted: Sat Oct 12, 2019 12:09 am

mikefot wrote:
> then wipe everything of importance from hard drive on the gentoo install.
>
> Then if you would turn on the internet connection again in the standard gentoo install and carry on as normal there would be no security
> problem. No malicious code could sniff out any private keys or copy any seeds etc in some sneaky way.
>
> Does that sound reasonable?

It sounds plausible, but you need to consider your threat model carefully. Is the malicious code assumed not to run until after you have had a chance to wipe the secret data? If it runs concurrently, then even if you are offline at the time, it could make a copy of the secret for later exfiltration when the network connection comes back. As a related point, how do you ensure that you found and wiped all innocuously created copies of the secret data (paged out swap pages, temporary files, etc.)?
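
The offline premise of this thread and the question above about innocuously created copies (paged-out swap, temporary files) can be checked mechanically before a seed is generated. The script below is an added example, not part of any post in this thread; the function names (`active_swap`, `links_up`, `is_ram_backed`, `preflight`, `make_fixture`) and the fixture data are constructed for illustration.

```sh
# Added example: checks to run before generating a seed on the "offline" machine.
# Each function takes its input path as a parameter so it can be tested on fixtures.

# Active swap areas from a /proc/swaps-format file (line 1 is the column header).
active_swap() {
    awk 'NR > 1 && NF { print $1 }' "${1:-/proc/swaps}"
}

# Non-loopback interfaces that are, or may be, connected. "unknown" is counted
# because some drivers never report a definite state.
links_up() {
    for iface in "${1:-/sys/class/net}"/*; do
        name=${iface##*/}
        [ "$name" != lo ] && [ -r "$iface/operstate" ] || continue
        case $(cat "$iface/operstate") in
            up|unknown) echo "$name" ;;
        esac
    done
    return 0
}

# True if mount point $1 is tmpfs/ramfs in a /proc/mounts-format file ($2).
# The last matching entry wins, since later mounts cover earlier ones.
is_ram_backed() {
    awk -v mp="$1" '$2 == mp { fs = $3 }
        END { exit !(fs == "tmpfs" || fs == "ramfs") }' "${2:-/proc/mounts}"
}

# Run all three checks; returns non-zero if a secret could reach disk or network.
preflight() {
    rc=0
    swaps=$(active_swap "$1")
    links=$(links_up "$2")
    [ -z "$swaps" ] || { echo "FAIL swap active: $swaps"; rc=1; }
    [ -z "$links" ] || { echo "FAIL interface not down: $links"; rc=1; }
    is_ram_backed /tmp "$3" || { echo "FAIL /tmp is on persistent storage"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: no swap, no live interface, /tmp in RAM"
    return "$rc"
}

# Constructed sample data (not from a real machine): swap on, eth0 up, /tmp on disk.
make_fixture() {
    d=$(mktemp -d)
    printf 'Filename Type Size Used Priority\n/dev/sda2 partition 8388604 0 -2\n' > "$d/swaps"
    mkdir -p "$d/net/lo" "$d/net/eth0" "$d/net/wlan0"
    echo unknown > "$d/net/lo/operstate"; echo up > "$d/net/eth0/operstate"; echo down > "$d/net/wlan0/operstate"
    printf '/dev/sda3 / ext4 rw 0 0\ntmpfs /run tmpfs rw 0 0\n' > "$d/mounts"
    echo "$d"
}
```

Calling `preflight` with no arguments checks the running system's `/proc/swaps`, `/sys/class/net` and `/proc/mounts`. It only reports where copies could land; it does not detect code already running on the machine.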
mikefot
l33t

Joined: 19 Nov 2014
Posts: 667

Posted: Sat Oct 12, 2019 12:24 pm

Many thanks for the comments and help here.

I think I am beginning to understand this a bit more clearly.

Being online is a dangerous thing it would seem when generating seeds etc. Sneaky things can
be happening while you are doing it that you are not aware of.

If you always do it offline then even though it makes you feel like Fred Flintstone it's actually smarter than it looks.

You are protecting yourself from more worries than you might imagine.

This makes me think that I should do the following things:

1. Always use my old PC for the cold seed storage generation using electrum.

2. Never connect the old PC to the internet again.

3. Don't connect a hard drive to the old PC - just run e.g. a live distribution (using DVD or usb boot) of gentoo or e.g. bitkey or tails OS and install electrum and run it
and generate the seeds etc and store them on paper (e.g. print them (the printer must be offline)) or copy them to a dedicated usb stick etc.

4. Eventually get TREZOR device and most likely use it with the old PC too.

Or something like that.

Comments appreciated.

Regards

MF
Hu
Moderator

Joined: 06 Mar 2007
Posts: 15977

Posted: Sat Oct 12, 2019 4:01 pm

That should work, but again, think about your threat model. The scenario I described (a lurking program that copies the secrets while offline, then exfiltrates them later) is a possible threat, and your proposed modifications probably avoid it. However, you should also ask: how likely is it that this possible threat will actually happen? Do you have reason to believe that an adversary will (1) get code execution on your machine, (2) install a threat like I described, and (3) remain undetected long enough to matter? Would you be better off instead trying to harden the system so that the adversary never achieves (1), rendering (2) and (3) irrelevant?
mikefot
l33t

Joined: 19 Nov 2014
Posts: 667

Posted: Sat Oct 12, 2019 4:06 pm

Many thanks for your comments and suggestions.

I seem to recall there is a version of gentoo that is hardened.

Would that be a help here?

Regards

MF