Securing Bitcoin in Cold Storage with Armory and Linux Mint

As Bitcoin increases in price, stories of unfortunate users being hacked become more common. This article will show you how to protect your Bitcoin from vulnerabilities by using “Cold Storage”.

Disclaimer: This article is meant only as a guide to help you set up “Cold Storage”. Do your own due diligence to determine if this setup accurately meets the level of security you require.


Remember: Always back up your private key(s). If you lose your private key(s), you lose your Bitcoins. This cannot be stressed enough.



This article will show you how to:

  1. Install Linux on a Netbook.
  2. Install an Armory wallet on your net book as a “Cold Storage” offline wallet.
  3. Install Armory on your online computer and show you how to safely monitor your “Cold Storage” (offline wallet) from your online computer.
  4. Show you how to send BTC to your “Cold Storage” offline wallet.
  5. Show you how to send BTC from your “Cold Storage” wallet to your online “Hot Wallet” (or another address)



Before we begin let’s define what “Cold Storage” actually is. Cold Storage is a Bitcoin wallet whose private keys have never resided on a computer that was connected to the internet (at the time the keys were created). It also assumes that if the computer did touch the network beforehand, the system was free of viruses and malware.

Let’s be honest, there has to be some level of trust.. I mean, unless you’re going to write your own OS, or your own kernel and then audit every piece of software that came with your base OS install (which is impossible) you have to have at least some level of trust for the OS you are installing.

I typically do an initial install, update the initial OS base packages, download and install Armory, and then once Armory is downloaded (and before the wallet is created), disable WIFI and Bluetooth for good.


What should I use to hold my Cold Storage?
Many people like to use cold storage by installing Linux on a USB drive and then use their online computer to boot between Operating Systems.

To me, if you want true “Cold Storage”, that’s a mistake waiting to happen. For “Cold Storage” I recommend using a separate dedicated computer like an old laptop or netbook. Netbooks are very cheap, and the machine doesn’t have to be powerful.

Since for this article we will be installing Linux on a computer that isn’t very powerful (netbook) we should try to use a ‘light’ version.

For my cold storage I went with an XFCE version of Linux Mint. Linux Mint is an Ubuntu derivative, so if you’re familiar with Ubuntu / Debian then you should have no trouble with Linux Mint.


So with that out of the way..  Let’s begin! 😀
 




Step One: Install Linux on a Netbook


First download the XFCE version of Linux Mint in either 32-bit or 64-bit according to the type of netbook you have.

Next, if you’re using a netbook you’ve probably realized there’s no DVD drive. Since you probably don’t have an external DVD drive to plug in via USB, we need another solution.

Get a blank USB drive and download Unetbootin. Run Unetbootin and select the .ISO and select to save it to your USB drive.

When it’s done, go to your netbook, insert the USB drive and enter your netbook’s BIOS.

Depending on the computer and version of BIOS you have, the key to press on boot can be different. On some computers you press the DEL key and on others it’s F2. Just google for how to enter BIOS for the version of your netbook.

After you’re in BIOS, look for the menu location to change your “boot sequence”. You want to be booting off the USB drive you just inserted, so make sure your USB drive is the first option in the computer’s “boot sequence”.

Now boot off your USB drive and choose the Default for Linux Mint. It should boot you up to the desktop where you should see an icon for an install script. Click the icon to run the Linux Mint install script, and follow the directions on installing Linux Mint to your Netbook’s hard drive.

Note: I strongly recommend encrypting your netbook, so choose that option when asked and DO NOT lose your password.

After Linux Mint is installed, you can reboot and go back into BIOS and put your Netbook’s hard drive as the first option in the boot sequence, but this isn’t really necessary as long as there are no USB drives plugged in.

I usually leave the USB drive as the first option so I don’t have to change the sequence later for something else. Do whichever you prefer, this is strictly preference.
 


Update all Base Packages
Next we want to update all packages on the base Linux Mint install.

Linux Mint has an easy to use Network Manager in your task bar, so make sure you’re connected to the internet so we can update your OS packages.

To update and upgrade your packages, click on the bottom left “LM” icon in the desktop taskbar and bring up an XFCE Terminal Window (shell).

Update Linux Mint Base Packages


  $ sudo apt-get update
  $ sudo apt-get upgrade

Now wait until the system is done updating… Then reboot.

You should now have a fresh install of Linux Mint! 😀




Step Two: Install our Cold Storage Armory Wallet


Before we install Armory, we need to download and install some dependencies Armory needs in order to run. These are the dependencies that didn’t come with our initial Linux Mint install.
 

Install Armory Dependencies


  $ sudo apt-get install python-qt4 python-twisted python-psutil


Now that the dependencies are installed and everything is ready to rock, it’s time to download Armory.

Change directories to your “Downloads” directory (inside your home directory) and download either the 32-bit or 64-bit version of Armory wallet.

The Armory version to download depends on what version of Linux Mint you installed. If there’s a newer version out, download the newest version instead.

Download Armory Wallet


  $ cd /home/YourUserNameHere/Downloads
  
  // For the 32-bit version
  $ wget https://s3.amazonaws.com/bitcoinarmory-releases/armory_0.91.99.8-beta_ubuntu-32bit.deb

  // If you're running 64-bit Linux Mint here's the 64-bit version
  $ wget https://s3.amazonaws.com/bitcoinarmory-releases/armory_0.91.99.8-beta_ubuntu-64bit.deb


From your Downloads directory install the Armory wallet.


Install Armory Wallet


  $ cd /home/YourUserNameHere/Downloads

  // Use the 64-bit .deb file name here if that is the version you downloaded
  $ sudo dpkg -i armory_0.91.99.8-beta_ubuntu-32bit.deb

Congratulations! You’ve just installed Armory on Linux Mint.

Now……. Listen closely.
 



Attention: From here on out your net book is to NEVER touch the internet!

Let me repeat that again.. From here on out your net book is to NEVER touch the internet!

If it does (and your wallet was created), by definition, you no longer have “Cold Storage”.
 



So with that out of the way, let’s go ahead and disable networking. While we’re at it, just because being paranoid with Bitcoin is a good thing 😀 we’re going to also disable Bluetooth.

Now we could start blacklisting drivers (and this is something you should do), but for this article we’re just going to shut down Linux Mint’s Network Manager and put it into manual mode so it doesn’t start on boot and accidentally connect us online automatically.
 

Stop and Disable the Network Manager


  $ sudo bash
  # stop network-manager
  # echo "manual" | tee /etc/init/network-manager.override


Now we want to edit the Network Manager configuration file.

Edit the Network Manager Configuration


  # cd /etc/NetworkManager
  # vi NetworkManager.conf

  // Add the lines or edit the lines to:
  [ifupdown]
  managed=false

Verify that Network Manager is off


  # nmcli dev status

You should see the message


Error: Network Manager is not running.


Now to disable Bluetooth.

Disable Bluetooth


  # vi /etc/rc.local
  
  // add near the bottom, above the final "exit 0" line
  rfkill block bluetooth
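
To confirm after a reboot that the netbook really is cut off, here is an added example (not part of the original article, Armory, or Linux Mint) that audits the steps above: it reports any non-loopback interface with link, any radio that rfkill has not soft-blocked, and any default route. The SYS_ROOT and PROC_ROOT overrides and all function names are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Air-gap audit for the offline netbook (added example, not Armory or Mint code).
# SYS_ROOT/PROC_ROOT are hypothetical overrides used to point the checks at a test tree.
SYS_ROOT="${SYS_ROOT:-/sys}"
PROC_ROOT="${PROC_ROOT:-/proc}"
# Print every non-loopback interface whose link state is "up".
ifaces_up() {
  local d name
  for d in "$SYS_ROOT"/class/net/*; do
    [ -r "$d/operstate" ] || continue
    name="${d##*/}"
    [ "$name" = "lo" ] && continue
    [ "$(cat "$d/operstate")" = "up" ] && echo "$name"
  done
  return 0
}

# Print "type:name" for every radio (wlan, bluetooth, ...) that is not soft-blocked.
radios_unblocked() {
  local d
  for d in "$SYS_ROOT"/class/rfkill/*; do
    [ -r "$d/soft" ] || continue
    [ "$(cat "$d/soft")" = "0" ] && echo "$(cat "$d/type"):$(cat "$d/name")"
  done
  return 0
}

# Succeed if the routing table holds a default route (destination 00000000).
has_default_route() {
  [ -r "$PROC_ROOT/net/route" ] || return 1
  awk 'NR > 1 && $2 == "00000000" { found = 1 } END { exit !found }' "$PROC_ROOT/net/route"
}

# Run all checks, print findings, and return the number of findings (0 = isolated).
airgap_audit() {
  local findings=0 item
  for item in $(ifaces_up); do
    echo "FAIL: interface $item has link"; findings=$((findings + 1))
  done
  for item in $(radios_unblocked); do
    echo "FAIL: radio $item is not blocked"; findings=$((findings + 1))
  done
  if has_default_route; then
    echo "FAIL: a default route is configured"; findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ] && echo "OK: no network path found"
  return "$findings"
}
if [ "${1:-}" = "--run" ]; then airgap_audit; fi
```

Run it with the --run argument on the netbook before you create the wallet and again whenever you boot it; any FAIL line means the machine still has a way to reach a network.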


OK…. Finally.. Let’s play with Armory! 😀

Click on the “LM” icon on the bottom left of your task bar and then click on “All”. You should see three shortcuts to Armory.

Click on Armory (offline) and then create your first wallet! 😀


Be sure to encrypt your wallet and DO NOT lose your encryption password!


Backups:
Next, you need to back up your wallet. Plug your printer into your net book and let’s make a “Paper Backup”.

From the Main Screen of Armory choose “Wallet Properties” -> “Backup this Wallet” and choose the option to “Make a Paper Backup”.

Follow the directions and print out your backup with your “Root Key”. This is needed to restore your wallet should something happen.


Now that you’ve made your paper backup, let’s also now create a Digital Backup.

Get a NEW USB drive and go back to “Wallet Properties” -> “Backup This Wallet” and choose the option to “Make a Digital Backup”.

Be sure to save this to your NEW USB drive and NOT your net book’s hard drive.


Next, although it’s not necessary, you can also export your keys to your USB drive just to be safe.

Go back to “Wallet Properties” -> “Backup This Wallet” and choose the option to “See Other Backup Options”. Choose to “Export Key Lists” and save them next to your wallet’s digital backup on your new removable USB drive.


Create a Watch-Only Copy of your Cold Storage
Now it’s time to create a “Watch-Only Copy” of your Cold Storage wallet. This will allow you to watch the balance of your Cold Storage wallet on your online computer without any risk of your BTC being compromised.

From the main screen of Armory wallet click “Wallet Properties” and choose the option “Create Watch-Only Copy”.

Save this to ANOTHER removable USB drive. Anything is fine, as long as it is NOT the USB drive with your digital backup on it.

Note: That USB drive should be already put away in a safe place, and it (just like your Netbook) is to NEVER touch any computer with online access. I mean it..


If it’s not put away, do it now! 😛  Put it, your paper backup, your Cold Storage wallet’s encryption password, and your Net book’s encryption password away in a safe location.


OK, so now you should have your “Watch-Only Copy” file saved to another USB drive. This USB drive is fine to be plugged into your online computer since there are no private keys on it to compromise. So plug it into your online computer and let’s get to work. 😀




Step Three: Install Armory on your Online Computer


Now we want to download and install Armory again, except this time we’re downloading it to our online computer. However, unlike on our Net book this version of Armory won’t be running in “Offline Mode”. This version of Armory will be online and download the full blockchain.

Download Armory for your online computer’s Operating System and then install it.

When it’s done installing, run Armory, but do not create a wallet yet. Choose the option to skip.


Next, follow the directions to install Bitcoin-qt THROUGH Armory.

After that is done, it’s time to import our “Watch-Only Copy” of our “Cold Storage” wallet.


On the Armory main screen and under the “Wallets” drop-down menu, choose the option to “Import or Restore Wallet”.

Import your “Watching-Only Copy” of your Cold Storage wallet that you saved on your USB drive.


Now wait, wait, and wait some more. Depending on your internet connection speed this will take a LONG time…

Once it’s done your Armory Dashboard will go from “Armory is Offline” to “Armory is Online!”

Your balance will change from “…” to “0.00000000” and you should be able to see “Connected” with the number of blocks.


Note: If you have a Solid State Hard drive for your main drive and it’s small, and you would like to have your wallet and data directory on a different drive, you can change the directory path under “File” -> “Settings”.


Note: If you’re like me and already had bitcoin-qt installed, you may have realized that Armory is trying to download the blockchain again.

If you stop Armory from downloading the blockchain and instead just point Armory to the location that your old bitcoin-qt already downloaded the blockchain to, you may have a problem.

What I mean by may is, it mostly works and it may work for you as well; however, I found that when I pointed Armory to the old blockchain and didn’t let Armory download the entire blockchain itself, I ran into the infamous bug of the progress bar infinitely freezing at 98% with 1.5 minutes left.

Although, fortunately when I started over and just let Armory download the entire blockchain, I never ran into that problem again.


OK! Now it’s time…

It’s now time to test out your “Cold Storage” by actually sending some BTC to your “Cold Storage” wallet’s receiving address.

Fill out the address for your “Cold Storage” wallet, the amount, the fee and send your BTC just like you would send a normal BTC transaction. I recommend first sending a small amount of BTC just to be sure everything is working properly.

Once you receive the BTC, you will see the balance of your “Cold Storage” wallet from your “Watch-Only Copy” on your online computer’s Armory. You can only watch (hence the name “Watch-Only” :P) and monitor the BTC transactions on your “Cold Storage” wallet from your online computer’s Armory.


Note: Your true “Cold Storage” wallet (on your offline netbook) will not show your BTC balance because it never downloaded the blockchain since it’s “Cold Storage” and never allowed online (duh.. :P).


Now we’re at the last step.. Sending BTC from your “Cold Storage” wallet to another address.




Step Four: Sending Bitcoin from Cold Storage


Sending BTC from your “Cold Storage” wallet to another address can be tedious. It’s an inconvenient (on purpose!) THREE-step process.

Remember we want any BTC going out of “Cold Storage” to be difficult, time consuming, and have physical aspects involved. That’s the whole point of “Cold Storage”! 😀



The Three Steps Include:

  1. First, on your online wallet using your “Watch Only Copy” of your Cold Storage wallet you will create an “unsigned transaction” and save it to a USB drive.
  2. Second, you transfer that “unsigned transaction” to your Cold Storage (offline netbook) via your USB drive and sign the transaction with your offline Armory wallet, and save this now “signed transaction” back on your USB drive.
  3. Third, you plug your USB drive back into your online computer and, with the now “signed transaction” on your online computer, you broadcast this transaction to the network.



When you’re ready to send BTC from your Cold Storage, go back to the main screen of your Armory Wallet on your ONLINE computer and click “Offline Transactions”.

Next, click “Create New Offline Transaction” and fill out the address you want to send to, the amount, the fee, optional comment, and make sure the check box for “Create Unsigned” is checked and click continue.

Save this “Unsigned Transaction” file to the same USB drive you transferred your “Watching Only Copy” of your Cold Storage Wallet to.


Next, transfer the USB drive to your offline net book.

On your net book’s offline Armory wallet, click “Offline Transactions” again and then click “Sign” and save the signed transaction back to your USB drive.

Next, unplug the USB drive from your netbook and plug it back into your online computer.

Finally, now on your online computer’s Armory, click “Offline Transactions”, but this time we want to choose “Broadcast”.


And that’s it!! 😀

Congratulations, you’ve just created a Cold Storage solution for BTC!


Have fun! 😀