Utilities to manage Bitcoin and Litecoin core clients in an air gapped TAILS session.
bitcoin-0.15.1
bitcoin-0.16.0
lib
litecoin-0.15.0
.gitignore
LICENSE
check-passphrase
dumpprivkeys
dumpwallet
load-coldwallet-qt
load-fresh-core-qt
readme.md

Offline Bitcoin/Litecoin Core Utilities

Manage Bitcoin Core/Litecoin Core wallets in an offline Tails session

Running Tails as an offline live session is a safe way to manage secure assets - including Bitcoin/Litecoin core cold wallets. However, because Tails is amnesiac, you need to set up the core binaries every time you boot into the live session.

This collection of BASH scripts helps connect things up so that you can easily access and manage cold wallets in Bitcoin/Litecoin Core during a Tails offline live session. They include helper scripts that act as a wrapper for the Bitcoin CLI. The script also adjusts the Tails iptables rules as necessary to allow bitcoin-cli to interact with bitcoind.

If you need to open a Bitcoin Core cold wallet in an offline Tails session - maybe you need to add an additional receiving address or maybe you need to check/audit cold wallet passphrases - these scripts should help.

The scripts run a zenity GUI which prompts the user to select required files (e.g. the cold wallet file, the list of public addresses for private key backup etc).

A lot of the same functionality is required by the various scripts, so I've added this in a lib type structure, sourcing files as appropriate. This is pushing the limits of BASH a bit (for me anyway). The whole suite would probably be better in Python. I started it in BASH as I had quite a few scripts as wrappers for online bitcoin-cli management.

Usage

  • Clone this directory
  • Copy downloaded Bitcoin/Litecoin binary directories to the root directory of this project
  • Copy this directory to the encrypted persistent drive of a Tails USB drive
  • Boot into Tails, navigate to ~/Persistent/airgap-core-utilities
  • Run commands (e.g. cd ~/Persistent/airgap-core-utilities followed by ./check-passphrase)

Available Commands

All commands provide an option to set up binaries - either Bitcoin or Litecoin. You will generally only need to do this step once per Tails session.

Dump Private Keys: dumpprivkeys

Loads a cold wallet, loops through a list of public addresses and builds a collection of GnuPG encrypted output files that contain the associated private keys.

Before running, create a text file that consists of the public addresses for the keys you want to back up, each on a separate line.

The script uses the bitcoin-cli dumpprivkey command to output private keys for specified public addresses. The private key for each address is encrypted into a file whose filename corresponds to the public address. These can be used as a paper backup, or as a convenient way of accessing funds held in individual addresses without breaking the "cold" status of the wallet.

GnuPG is used to symmetrically encrypt the dumped private key files. The intermediate (unencrypted) dumped private key files are securely deleted using the shred utility.
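
A variant of the flow described above, as an added example that is not this project's dumpprivkeys script: each key is piped straight from the RPC call into gpg, so no intermediate plaintext file exists to shred. It assumes bitcoind is running with the wallet unlocked; `CLI`, `GPG_EXTRA` and `dump_encrypted` are names chosen for this sketch.

```shell
#!/usr/bin/env bash
# Added example, not the project's code.
# CLI: client binary to call. GPG_EXTRA: optional extra gpg options
# (empty by default, so gpg prompts for the passphrase itself).
CLI="${CLI:-bitcoin-cli}"
GPG_EXTRA="${GPG_EXTRA:-}"

# dump_encrypted ADDRESS_FILE OUT_DIR
# Writes OUT_DIR/<address>.gpg per address; exits 1 if any address failed.
dump_encrypted() (
    addr_file=$1; out_dir=$2; rc=0
    umask 077                      # output files readable by the owner only
    mkdir -p "$out_dir" || exit 1
    while IFS= read -r addr || [ -n "$addr" ]; do
        addr=$(printf '%s' "$addr" | tr -d '\r ')
        [ -n "$addr" ] || continue
        # The address becomes a filename: accept alphanumerics only.
        case $addr in
            *[!A-Za-z0-9]*) echo "rejected: $addr" >&2; rc=1; continue ;;
        esac
        # Capture first, so a failed RPC never yields an encrypted empty file.
        if ! key=$("$CLI" dumpprivkey "$addr" </dev/null); then
            echo "no key for $addr" >&2; rc=1; continue
        fi
        printf '%s\n' "$key" |
            gpg $GPG_EXTRA --yes --symmetric --cipher-algo AES256 \
                --output "$out_dir/$addr.gpg" ||
            { echo "encryption failed for $addr" >&2; rc=1
              rm -f "$out_dir/$addr.gpg"; }
    done < "$addr_file"
    exit "$rc"
)

if [ "$#" -eq 2 ]; then dump_encrypted "$1" "$2"; exit; fi
```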

Check Passphrase: check-passphrase

Loads a cold wallet and allows the user to check the passphrase.

Load a Fresh Core Client: load-fresh-core-qt

Run a clean instance of either Bitcoin or Litecoin core. Useful when creating a new cold wallet.

IMPORTANT: Remember to double check that you have stored a copy of the right wallet.

By default, the new wallet will be located in the default data directory - which will cease to exist when the Tails session ends. Make sure that you securely back up the encrypted wallet to a persistent drive.

Double (triple) check this by re-loading the cold wallet BEFORE sending funds to addresses generated by the wallet. If you mistakenly send funds to an address for which you do not control the private key, you will lose funds.

Suggested workflow:

  • Load a fresh wallet: ./load-fresh-core-qt - this will start up the bitcoin-qt GUI client
  • Encrypt the wallet with a secure passphrase
  • Securely store the passphrase
  • Back the wallet up to an appropriate persistent drive (NOT the Tails home directory) with an appropriate name
  • Quit the core client
  • Run ./load-coldwallet-qt from ~/Persistent/airgap-core-utilities
  • When prompted, select the wallet you just saved (you don't need to install binaries again)
  • In the bitcoin-qt GUI, generate labelled receiving addresses
  • Export receiving addresses in CSV format, saving these to a persistent drive
  • Close the core client again
  • Reload the cold wallet again
  • Check that the receiving addresses managed by this wallet correspond to those that you saved earlier
  • If necessary, check the passphrase by running ./check-passphrase
  • Save the wallet and passphrase (in an encrypted database like KeePassX) in at least two locations before sending funds
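
One way to carry out the address check in the workflow above, as an added example that is not part of this project: export the receiving addresses a second time after reloading the wallet and compare the two CSV files. It assumes the export has one header row and the address as the last quoted column ("Label","Address"); the function names are chosen for this sketch.

```shell
#!/usr/bin/env bash
# Added example, not the project's code. Assumed CSV layout:
#   "Label","Address"      (one header row, address in the last column)

# Print the sorted, de-duplicated address column of one export.
extract_addresses() {
    tr -d '\r' < "$1" |
        sed -n '2,$ s/^.*,"\{0,1\}\([A-Za-z0-9]\{1,\}\)"\{0,1\}$/\1/p' |
        LC_ALL=C sort -u
}

# compare_exports SAVED.csv RELOADED.csv
# Exit 0: identical address sets. 1: sets differ. 2: unreadable or empty input.
compare_exports() (
    LC_ALL=C; export LC_ALL        # sort and comm must agree on ordering
    [ -r "$1" ] && [ -r "$2" ] || { echo "cannot read input" >&2; exit 2; }
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    extract_addresses "$1" > "$tmp/saved"
    extract_addresses "$2" > "$tmp/reloaded"
    [ -s "$tmp/saved" ] || { echo "no addresses found in $1" >&2; exit 2; }
    missing=$(comm -23 "$tmp/saved" "$tmp/reloaded")
    extra=$(comm -13 "$tmp/saved" "$tmp/reloaded")
    # Addresses are alphanumeric, so unquoted expansion prints one per line.
    [ -z "$missing" ] || printf 'NOT in reloaded wallet: %s\n' $missing >&2
    [ -z "$extra" ] || printf 'not in saved export: %s\n' $extra >&2
    [ -z "$missing$extra" ]
)

if [ "$#" -eq 2 ]; then compare_exports "$1" "$2"; exit; fi
```

An address reported as missing from the reloaded wallet means the saved wallet file does not hold its key, which is the case the warning above is about.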

Load Cold Wallet: load-coldwallet-qt

Launch a specified cold wallet in the Core QT client.

Useful for checking receiving addresses, or adding extra receiving addresses.

Update

As of v0.15.0, the Bitcoin Core client will not allow symlinked wallets. As such, the script will copy your specified cold wallet into the default Bitcoin data directory: (~/.bitcoin/cold-wallet.dat).

This script is designed to run in a TAILS session in which the ~/.bitcoin directory won't be persisted after shutting down. Because of this, the script does not remove the copied cold wallet file. This may be important if you run the script in a live environment.
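
The copy step described above, with the cleanup that matters outside an amnesiac session, as an added example that is not this project's code. `DATADIR`, `stage_wallet` and `remove_staged_wallet` are names chosen for this sketch; the destination filename is the one given above.

```shell
#!/usr/bin/env bash
# Added example, not the project's code.
# DATADIR: the Core data directory (assumed default: ~/.bitcoin).
DATADIR="${DATADIR:-$HOME/.bitcoin}"

# stage_wallet SOURCE
# Copies SOURCE to DATADIR/cold-wallet.dat as a real file (not a symlink),
# verifies the copy, and prints its path.
stage_wallet() (
    src=$1
    dest="$DATADIR/cold-wallet.dat"
    [ -f "$src" ] || { echo "not a regular file: $src" >&2; exit 1; }
    umask 077                       # data directory and copy: owner only
    mkdir -p "$DATADIR" || exit 1
    # Refuse to overwrite: an earlier copy may hold addresses not backed up.
    [ ! -e "$dest" ] || { echo "refusing to overwrite $dest" >&2; exit 1; }
    cp -- "$src" "$dest" || exit 1
    a=$(sha256sum < "$src") && b=$(sha256sum < "$dest") || exit 1
    [ "$a" = "$b" ] || { echo "copy does not match source" >&2; exit 1; }
    printf '%s\n' "$dest"
)

# remove_staged_wallet
# Overwrites and unlinks the staged copy; call it after the client has quit
# when DATADIR lives on persistent storage.
remove_staged_wallet() {
    dest="$DATADIR/cold-wallet.dat"
    [ -e "$dest" ] || return 0
    shred -u -- "$dest"
}

if [ "$#" -eq 1 ]; then stage_wallet "$1"; exit; fi
```

shred overwrites in place, which is not reliable on journaling or copy-on-write filesystems or on flash media with wear levelling; on such storage, full-disk encryption is the dependable control.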