Protecting your bitcoin with BitKey
Key to the Bitcoin Safe
Bitcoin is the king of cryptocurrencies, which makes it attractive prey for Internet predators. BitKey is a Live Linux distribution designed to ensure that your Bitcoin wallet stays protected.
Bitcoin [1] is an innovative form of currency that exists only in cyberspace. The Bitcoin monetary system is designed to allow people to pay each other over the Internet, without the need for intermediaries such as banks. An easy way to understand how it works is to imagine that the Bitcoin network is a big, public accounting book that is maintained and closely watched by all of its members. The book contains information about who has how many bitcoin and who transfers bitcoin to whom. Each bitcoin owner has a set of public and private keys that are used to write operations to the book. Thus, somebody who owns bitcoin can send them to another person just by writing that he is doing so in the accounting book and signing the operation with a private key.
This model is an extreme simplification, but it helps to understand that each bitcoin is not a piece of code, or a file, or something with its own entity. In fact, bitcoin only exist as a reference in a public registry that states that a certain user has a certain amount of them. In reality, that user does not have the bitcoin stored anywhere. All the user has is a set of public and private keys that allow changes to the registry in order to spend or receive money.
The Security Problem
Most desktop Bitcoin wallets are programs that manage the user's keys, allowing the user to manage digital money in a user-friendly way. However, most users keep their wallet software running in computers that are connected to the Internet and are not necessarily very secure. If an online computer is infected by a piece of malware that allows an attacker to steal the private keys stored in that computer, the attacker would then gain access to the money.
Most popular Bitcoin wallets offer basic security features, such as password encryption. However, since many wallets are used to store very large amounts of money, those features are often not enough to stop a determined attacker. Security-minded users often keep their private key material in machines that are never connected to the Internet, or print the keys and store them as paper copies in order to protect them from black-hat crackers. The operational security procedures required to receive and spend bitcoin under these circumstances are extremely cumbersome.
Enter BitKey
BitKey [2] is an attempt to make it easier to follow proper operational security procedures when using bitcoin. BitKey is a Live Linux distribution that includes all the basic tools a Bitcoin power-user might need for such a purpose, and nothing more. At least, that is the theory.
As of July of 2017, the latest BitKey version is 14.2.0, and it is offered as a hybrid ISO download. After you burn the ISO to a CD or install it on a USB flash drive, you can boot BitKey as a live system. BitKey loads itself fully into the computer's RAM memory, allowing you to remove the boot media afterwards.
The boot menu prompts you for a boot mode. BitKey supports three modes of operation. The simplest, and also the least secure, is hot-online mode. In hot-online mode, which is not recommended for real-world scenarios, BitKey behaves much as any regular live operating system with a set of Bitcoin tools installed.
The remaining modes are the ones used for proper operational security procedures (Table 1). Cold-offline mode is used for creating and managing private keys in secure, air-gapped computers. Cold-online mode is used for performing operations with public keys using Internet-enabled computers. The recommended scenario for using BitKey is to have two computers; one offline for signing operations, running in cold-offline mode; and one for interfacing with the Bitcoin network, running in cold-online mode without private keys. I will call the first machine Safe and the second machine Unsafe.
Table 1
BitKey Boot Modes
BitKey Boot Mode | Uses | Security Level |
---|---|---|
Hot-online |
Create wallets, watch wallets, perform transactions |
Low |
Cold-offline |
Create wallets, sign transactions |
High |
Cold-online |
Watch wallets, create unsigned transactions |
High |
The user can check the current account balance from the Unsafe machine. The Unsafe machine is also used for generating unsigned transactions. An unsigned transaction is just an instruction for the Bitcoin network to transfer funds belonging to you to somebody else, but such an instruction has not been signed with the masker keys yet or sent to the network. An unsigned transaction must be copied over to the Safe system and signed for it to be valid.
The Safe system is used to sign the unsigned transactions generated from the Unsafe machine. The signed transactions are copied over to the Unsafe system and then sent to the network, making them effective. Since the Safe machine is air-gapped, compromising it is not trivial, and the effects of an actual infection are less dangerous. It would be harder for a malicious program to deliver information to an attacker from a computer that has no working Internet connection.
Setting Everything Up
If what you have read so far sounds too complex, don't worry: It is not just you. It sounds complex because it is. The question is: How does all of this work in practice?
BitKey includes Electrum [3] as its main Bitcoin client. Although the reference Bitcoin client requires the user to download the whole blockchain, which is actually all the data existing in the accounting book and takes up lots of gigabytes, Electrum delegates to third-party servers in order to avoid downloading so much information. The Electrum client only downloads the parts of the blockchain that are needed, which allows the user to get started more quickly than the reference Bitcoin program. Electrum has many other interesting features, such as its integrated cold storage support [4].
The first step to get started with BitKey and Electrum is to boot your Safe machine in cold-offline mode (Figure 1) and create a wallet, which will be stored in a safe flash drive. I will call this flash drive Blue from now on. The Blue storage will contain the private keys. Therefore, it must never be attached to a system connected to the Internet – or to any untrusted system. Putting the flash drive on a network would expose the wallet to the threat of malware. When not in use, the best place for it is in a safe.
In order to create the wallet, attach your empty Blue storage and run Electrum. Electrum will ask you for an encryption passphrase that will be used to protect the data contained in Blue. You will also be asked whether you want to import an existing wallet or create a new one. Hit Create a new wallet and move forward. You will be provided with a key generation seed, which is no more than a very long passphrase that can be used to recreate your whole wallet from scratch if you ever lose it. Either learn it by heart, or write it down. When you click on Next, Electrum will ask you for that very same passphrase (Figure 2). You will also be prompted for an encryption passphrase for your wallet, which is a bit strange because you just provided a passphrase for Blue a few clicks ago. Still, it can only help if your valuable money is protected with double encryption.
The second step is to get your Unsafe computer working. Your Safe machine is now up and ready, but since it is not intended to connect to the dangerous den of evil that we call the Internet, you cannot do much with it yet. To perform Internet tasks such as monitoring your account balance, you need to create an online wallet that will contain only your public key material. Such a wallet is called a watch-only wallet.
Attach another flash drive to your Safe machine. This drive will eventually contain your watch-only wallet, and I will call it Black from now on. In Electrum's toolbar, hit Wallet | Master Public Keys. You will see a string that you can save in plain text in the Black storage.
Extract the Black storage from the Safe computer and boot the Unsafe one in cold-online mode. Run Electrum just as you did before. This time, hit Import wallet or import keys, and then paste your master public key (which you saved in plain text in Black) in the Import box. Hit Next and then let Electrum auto-connect to the network. Congratulations, your BitKey configuration is now complete.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.