A Secure Offline PC For Bitcoin

On Reddit a poster with the handle danomaly explains how to set up a secure offline PC for safely signing transactions offline, among other things. These steps need not be taken as gospel, but they address the major issues you need to be concerned with.

Such precautions are not necessary to transact in Bitcoin; this is aimed primarily at protecting long term savings by making your stash inaccessible to hackers.


Here is how I did it:

  1. Take an old computer and first epoxy the ethernet port so it not able to go online. Remove or disconnect any WiFi and/or Bluetooth cards, and any other networking components. Disconnect and/or disable any microphones and speakers.
  2. Install Windows completely formatting the drive in the process. Many users here will tell you to avoid Windows and use Linux but since this computer is completely offline it does not much matter. Use your preferred OS. I additionally uninstalled and/or disabled certain services critical for networking but otherwise unneeded for normal operation. It is also good to disable any other unnecessary services. Be sure to disable autoplay. Set the BIOS to not automatically boot from CD or USB. You can set up BIOS security as well but if you do, be sure document the passwords.
  3. Install TrueCrypt and fully encrypt the system drive. All software installers and other files will need to be transferred via a thumb drive. Use an extremely strong password that you do not use elsewhere. MEMORIZE THIS PASSWORD AND WRITE IT DOWN TEMPORARILY ON A PIECE OF PAPER!!! NEVER ENTER THIS PASSWORD INTO ANY OTHER COMPUTER OR DEVICE. Let the encryption process complete 100% before proceeding. Reboot the system and test to ensure you are able to decrypt the drive and log in to the operating system.
  4. Install Armory, KeePass, Foxit PDF, CutePDF writer, and Eraser. You may wish to install Electrum as well. You will need a printer so it may be necessary to load a driver for it as well. If possible, use a printer without network capabilities or persistent memory.
  5. Create a KeePass file. I always secure KeePass with a key file in addition to a password. Do not use the same password for the KeePass file as you used to encrypt your drive. This password should also be memorized. DO NOT ENTER YOUR TRUECRYPT PASSWORD INTO THE KEEPASS FILE! You can however enter your windows and bios passwords if you like. I also configure KeePass to generate random 30+ character passwords using upper, lower, and numeric.
  6. I generate my wallets in Armory. Since this computer is offline Armory does not require a great deal of resources and will not download the blockchain. Note that you will not be able to check balances from this system. I secure each wallet with a separate KeePass generated password and document these in the KeePass file. I then generate watching only wallets that I store to a folder on the offline computer and also attach them to the associated KeePass entry for ease of access. DO NOT ATTACH YOUR ACTUAL WALLET, OR ANY DIGITAL OR PAPER BACKUPS TO KEEPASS! I also create a paper backup and save this on the offline computer using CutePDF Writer as well as a digital backup of the wallet file. Since Armory creates deterministic wallets, these are the only backups you will ever need. Print the paper backups and place them into a tamper evident envelope. Keep this in a secured location such as a safe deposit box. NOTE: This can also be done using Electrum but Armory has a much better interface and multi-wallet support. The online version of Armory however does require a robust computer and a full download of the blockchain. I will use Electrum only if I expect that the specific wallet I am generating will be the only wallet monitored on an online system with limited resources.
  7. Create a text file on the offline computer documenting the TrueCrypt password and key files, KeePass password and key files, the operating system and BIOS passwords, as well as instructions on how to access the offline computer, TrueCrypt file, KeePass file, paper wallets, key files, and any other critical information they may need. Print this out, place it in a temper evident envelope, and keep it in a second secured location available to whomever might need access to it in case of death or an emergency. Be sure you and they have access to unencrypted copies of your key files. You can now destroy the paper on which you originally wrote your TrueCrypt password.
  8. Create a TrueCrypt file on the offline computer. For simplicity you can use the same encryption password as you did for the HDD earlier but you may also wish to add a key file. Place copies of the KeePass file, digital backups, watch only backups, and anything else you may ever need should the offline computer fail. Optionally, you can also add the paper backups and written instructions (read paragraph in italics for considerations). You can now copy the TrueCrypt file to a thumb drive and from there various other locations from where it may be reliably accessed.

You may wish to choose not to store copies of the paper backups in the TrueCrypt file. The paper backups are enough in themselves to fully restore your wallets and spend funds, therefore, if somebody does manage to open your TrueCrypt file, they would have total control over your Bitcoin. By not storing the paper backups in the TrueCrypt file, you ensure someone would need access to both the digital backups (stored in the TrueCrypt file) and the passwords (stored in KeePass) to move funds. The same holds true for the offline computer. If you do choose not to save the paper backups (or delete them using Eraser), even if somebody manages to decrypt your drive they will still need to open KeePass to spend your Bitcoin. For this to be effective however, you must be sure not to copy the instructions file you created earlier into the TrueCrypt file, or in the case of the offline computer, you should use Eraser to delete it, because it contains your KeePass password. The main disadvantage to not including these files would be if, unbeknownst to you, one of your digital wallet files were corrupt. If this were the case and for some reason you cannot access the paper backup you could lose your coins.

You can test the integrity of an offline wallet without compromising security by signing a message from the offline computer using the private key then, from another computer, validating the signature against the public key.


Even though the KeePass file does contain all of your wallet passwords, since it holds neither any wallet backups nor your TrueCrypt password, even if an attacker gains access to this file your Bitcoin will be secure. Still, if you suspect the KeePass file to have been compromised you should again at the very least create new wallets using different passwords and move your coins (and don’t forget to back them up again!)

That is it. You can now set up a fully operational copy of Armory (or Electrum) on an online system and import your watching only wallets as well as your KeePass file. These can be copied unencrypted from the offline computer to a live system via a thumb drive. (Just be sure that you are not also copying your actual wallets, digital or paper backups, or instructions file.) This way you can track balances and receive Bitcoin. If you ever need to spend any Bitcoin, you can create the transaction from your online computer and sign it with the offline computer using a thumb drive (Armory makes this very easy). For added convenience, you can import a full digital backup of one or more of your wallets to hold smaller amounts of Bitcoin on your live system so you don’t have to sign minor transactions offline. Just remember that whichever wallets you do bring online should never again be considered as secure as those kept completely offline.


Do You Need A Password Makeover?

Chances are you do.

You need passwords to maintain privacy and security in the digital world.  If you’re like most people you’re probably relying on a handful of passwords that you’ve cooked up yourself.  If you think your passwords are adequate to protect all of the personal and financial information you access online, then I think you should take a look at a couple of chilling articles by Dan Goodin.

This article is over a year old and details the revolution that Continue reading Do You Need A Password Makeover?


Peppers for Preppers

growyourgreens John Kohler makes the case. “Peppers are 420!” Along with nine other reasons to consider the benefits of peppers versus tomatoes in your garden.

Reasons to favor peppers:
1 dare to be different, tomatoes are typical
2 you can fit more pepper plants into a smaller area
3 disease resistance
4 pepper plants are more manageable
5 they’re easier to dig up for overwintering, they’re heartier
6 taste complexity, more flavors
7 store fresh longer
8 peppers are easier to dry and preserve
9 they’re more cold tolerant
10 more nutrient dense


Nine Pages To Change The World!

Happy White Paper Day!

Five years ago today, on 31 October 2008, Satoshi Nakamoto released the white paper describing the Bitcoin protocol. Nine pages to change the world!

The project could hardly be more ambitious: To wrest control of money from the state.

Can it possibly  succeed? There are almost 12 million bitcoin in circulation now. The market value of a single bitcoin is now over $200, giving Bitcoin a nominal market cap of over $2.3 billion.

Consider that in 2010 10,000 BTC bought a pizza. Today that much bitcoin is worth over $2 million.

Not a bad start.

Read the remarkable document here.


Halloween Hack: Give Bitcoin!

When I was a kid out trick or treating, what I wanted from each house was one regular sized candy bar, or the moral equivalent. Anything less was a mild disappointment, anything more was a nice bonus.

So I like to give each kid a decent sized candy bar, but this year every kid who comes to the door is getting an additional bonus: Bitcoin!

hallowee_wallet Continue reading Halloween Hack: Give Bitcoin!


Jeff Berwick on Jurisdiction Shopping

Shopping for where one will live is one of the most powerful strategies a liberty hacker can employ. In this talk from Libertopia, Jeff Berwick encourages you to explore options you probably haven’t considered.  .

You may be quite satisfied with where you are now, by that may not always be the case. Know your options in advance.


System D – A Liberty Hack Economy

Robert Neuwirth drew attention to System D in an article at Foreign Policy in 2011:

System D is a slang phrase pirated from French-speaking Africa and the Caribbean. The French have a word that they often use to describe particularly effective and motivated people. They call them débrouillards. Continue reading System D – A Liberty Hack Economy


Wave, Scan, Smile – Bitcoin ATM Debuts in Canada

This week the start up company, Bitcoiniacs, will roll out its long-awaited Bitcoin ATM in the bustling Canadian city of Vancouver, BC.  It’s a milestone event made possible by three high school buddies who pooled $90,000 to acquire bitcoin ATMs.  This effort will likely lead to the expansion and further normalization of the use of Bitcoin. However, there is a caveat here.  It brings with it convenience that will cost users more than just a 3% ATM fee. Continue reading Wave, Scan, Smile – Bitcoin ATM Debuts in Canada


A Liberty Hack Calendar

I’m creating a calendar of important dates in the history of liberty hacks. This will start with some very important events, but eventually cover milestones which are less earth shaking, but still interesting. At some point it would be nice to have a daily historical feature called something like This Day in Liberty Hacking. Continue reading A Liberty Hack Calendar