Build yourself a Trezor

in #trezor8 years ago

The recent rise of crypto valuations has spawned a new generation of millionaires. Consequently, this has also created many opportunities for hackers to steal the new found wealth.

In this post I will outline 2 methods you can use to secure your coins.

Get yourself a Trezor

Trezor is a fantastic piece of technology that will make your life much easier. Trezor is a hardware wallet, and all transactions are signed on it, which means that if someone hacks your computer, they can't steal your coins.

By far the best feature on Trezor is the way it generates private keys, by combining 2 seeds.

There is one seed key generated by Trezor on setup, and this key is securely enclaved on Trezors chipset.

The second seed is a password - any password. Every password combination will thus generate a new unique private key(s), which means that you could have unlimited number of wallets. This is especially good for traveling. For example, if you're asked to unlock your trezor at US customs, you could use a password that unlocks your wallet with 5 BTC. But you could also have a wallet with 100,000 BTC, and nobody could find it, or prove that such wallet exists.

Unfortunately, Trezor only supports a few coins (Bitcoin, Dash, ETH, Monero). To deal with other coins, we need to build our own, general purpose trezor-like computer.

Build your own Trezor

First, we need some hardware. I am a big fan of old Thinkpad laptops, and you can probably get a used T61 for less than 50 EUR.

The next step is air-gapping. We want to perform some surgery on it, to ensure that this computer will not be able to connect to the internet ever again.

Additionally, I think its a good idea to remove the hard drive and any other storage medium that could enable non intentional data persistence.

IMG_0439.JPG

I have recently performed this for a friend on a T61, and it is fairly easy. The dial-up modem / ethernet card, and the wifi card are located under the keyboard. I have also removed the hard drive.

IMG_0440.JPG

My OS of choice is Tails. The reason for this is that Tails is n00b friendly - it won't let you shoot yourself in the foot, while being super easy to use. Tails disables persistence by default. The OS filesystem is read-only, and all new userspace files will be lost on reboot.

IMG_0442.JPG

Tails has an option of creating a LUKS encrypted partition to enable persistence. It also ships with KeePassX, Bitcoin Electrum wallet and some other nifty tools. This allows us to stack encrypted layers, with different encryption algorithms and keys.

Encrypted FS (Persistent Volume) + Encrypted Bitcoin Wallet

or

Encrypted FS (Persistent Volume) + Encrypted KeePassX DB storing our private keys

.
The important thing to remember is that we should only ever mount our encrypted persistent storage from the air-gapped machine. To be safe, just don't plug the Tails USB key into any other device - ever.

Generating new wallets

Each coin has its own wallet software and tools. We need to get these tools on our air-gapped machine. We can do this trough an additional USB stick, mounted in read-only mode (don't forget to wipe it before plugging into networked pc), or a DVD rom (read-only medium) for the super paranoid.

Once the keys are generated, we store them in our Encrypted Persistent Volume.

Here is an example Steem (Python) script to generate Steem Keys. You can use the public keys from the newly generated keypairs to create a new Steem account, or replace keys on an existing account.

from steembase.account import PasswordKey

account_name = 'furion'
password = 'super secret and reasonably complex password'

posting_key = PasswordKey(account_name, password, role="posting")
active_key = PasswordKey(account_name, password, role="active")
owner_key = PasswordKey(account_name, password, role="owner")
memo_key = PasswordKey(account_name, password, role="memo")

Signing Transactions

We can also use the wallet software to sign the transactions on our air-gapped machine, and then broadcast these transactions on our regular machine - thus never exposing our private keys.

For Steem (Python), see steempy sign and steempy broadcast commands.

References

Trezor - https://trezor.io/
Thinkpad T61 - http://www.notebookreview.com/notebookreview/lenovo-thinkpad-t61-review/
KeePassX - https://www.keepassx.org/screenshots
Tails - https://tails.boum.org/
Steem (Python) - http://steem.readthedocs.io/en/latest/

Sort:  

"Build our own, general purpose trezor-like computer." would have been a better title
Will correct my flag if this is improved.
(and take down my comment vote)

Very good post BTW, Big fan of the Ledger nano S lately, One good reason to build your own air-gapped wallet is that off the shelf hardware are not aimed at storing cryptocurrencies so are not targetted as much - if at all.
I like the Nano S because tampering is apparently cryptogrphically detectable.

Why do you think you have the right to interfere with other people's payouts just because they didn't tickle your balls just right?

Yes, you think this post isn't making enough? then buy more SP and vote on it.

Is the Tails OS stored on USB key? Make sure You do a backup of it, especially of Encrypted Bitcoin Wallet or KeePass DB file. The USB drives can crash at the least expected moment :\

Backup onto encrypted USB keys, and give them to friends and family perhaps.

You should consider multi-sig perhaps glacier protocol to mitigate trust issues. BTC is gonna be worth betraying friends and family for some people.

Thanks, I actually have a ThinkPad and the necessary hardware laying around and a lot of dvds for backup (soon it will probably be like having a 5. 25 floppy tho). Great post sir.

buy a tresor check
build one wow!
sent this post to hubby
thank you

A nice looking alternative for Keepass would be "Keeweb". It is available for any OS, open source, 100% compatible with the .kdbx file format, can additionally sync with many cloud storages and has a really good UI. https://keeweb.info

I will use it

I will check on that one.

Thank you for this knowledge. I literally had no idea until you said this so thank you

Do you know of a good way to use the Trezor to unlock the USB on the air-gap computer?

I am not aware of any practical solutions at this time.

Afaik, with LUKS, you can have multiple keyphrases. So you could have your regular password, as well as a password that is deterministically generated by the Trezor.

Unfortunately I am not familiar with implementation details, or available API's on the Trezor, but the existence of projects like TPM make it seem doable.

Perhaps @xeroc would know better, as he has done some work with integrating Steem and Trezor already.

I have some FUSE same code but it did not work nicely .. lol .. Edit utilities go crazy with temp files, renames, and even links. They really work hard to not overwrite your file until they know they can write to disk (understandable). But this complicates the fuse bindings, then have to work just right. I have gotten partly there with example code but that still needs work.

I just finished a command-line utility you might find useful.

https://www.npmjs.com/package/trez

  • Create cold-storage backups
  • Use trez files to copy data to and from cold storage (keeping the USB clean).
  • Keep encrypted partitions locked more often by extract commonly use data into Trez files.

It will work, I think it is just a matter of finding or making a script that does this.

The API allows for a confirmed or unconfirmed encrypt and decrypt of any data. Software could encrypt a strong but relatively small decryption key and ask you to decrypt it when unlocking a drive etc..

It would work nicely with the FUSE file system where private keys could go into different files that could be confirmed on the Trezor separately when you try to open them and re-encrypt when they are saved.

Will this work for coins on exchanges that have not got wallets?

Even if you are using an exchange with wallet, you should always store a majority of your coins in a hard wallet for ultimate safety.

Keep your money safe my friends

I did something similar with an old Dell netbook years ago, but now I just use Trezor and Ledger wallets. Lazy in my advancing age... awesome write up, thank you!

Wouldn't it be better to use a Raspberry Pi. It would then be more portable and if you get a Pi 2 instead of a 3 you don't have to worry about internet since it had no wireless card. Also you could easily add an OLED display to it and program it to make it able to show transactions and wallet addresses

I don't think so. rPI2 + oled display + all the peripherals required would cost more than an old thinkpad. Also its a lot slower and less convenient to use. Also, you might not be able to compile certain wallets for ARM.

Great guide friend.. Thank you for sharing your efforts here with us..
But honestly wouldn't it be better to invest a bit of money to get a pre built one?
Although its a great idea if you are feeling crafty 💡 :)
Much love and happy steeming
-Goldie