Skip to content
Secure Monero cold wallets for the truly paranoid ❄❄❄
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
build
raspberry
readme_imgs
.gitignore
LICENSE
README.md
build.py
download_raspbian.sh
qemulate_malvarma.py
test_entropy.py
verify_rng-tools.md

README.md

Malvarma: Secure Monero cold wallets for the truly paranoid

Malvarma is a Raspberry Pi Zero image which lets you generate a Monero cold wallet securely and easily.

Malvarma is currently in an alpha release stage and has not been vetted for security. Use at your own risk.

Do not run Malvarma on a Raspberry Pi Zero W because it has wireless connectivity and is therefore not an airgapped device.

Do not run Malvarma on an Internet-enabled TV or any display device connected to a network for the same reason.

Here is Malvarma running on a Raspberry Pi Zero connected to a HDMI television set (click for a video):

It has been tested on a non-wireless Pi Zero v1.3 and Pi 3 Model B v1.2, but should ideally only be run on the non-wireless Pi Zero as it is airgapped by default.

Running Malvarma

This guide is for Linux users, but savvy Windows or macOS users should be able to perform equivalent steps on their machines.

1. Download the Malvarma image

Use any of these links to download the Malvarma image (300+ MB):

2. Unpack and verify the image

tar xf malvarma-0.1.1-alpha.tar.bz2 && \
cd malvarma-0.1.1-alpha && \
gpg --keyserver pgp.mit.edu --recv-keys 0x90DB43617CCC1632 && \
gpg --verify malvarma-0.1.1-alpha.img.sig malvarma-0.1.1-alpha.img && \
sha256sum -c malvarma-0.1.1-alpha.img.sha256

Do not continue if the SHA256 or GPG verification fails.

The following command burn the image to a microSD card assumes that the microSD device is at /dev/mmcblk0:

sudo dd bs=4M if=malvarma-0.1.1-alpha.img of=/dev/mmcblk0 conv=fsync

Alternatively, use Etcher to burn the image.

3. Boot the Raspberry Pi Zero

Insert the card into a non-wireless Raspberry Pi Zero, plug it into a HDMI screen, and then plug it into a USB power source. You should plug in the HDMI cable before the micro USB cable because doing the reverse could prevent the Raspberry Pi from correctly detecting your screen resolution and thereby hide characters at the edges of the screen.

Note: this is a screenshot from QEMU, and does not precisely reflect the output of an actual Raspberry Pi running Malvarma.

After a few minutes, a mnemonic seed, private spend/view keys, and public address should automatically show up on the screen. Write down multiple copies of this information and store them safely.

Do not take a picture of the screen with a camera or store the private keys on any electronic device.

4. Optional: destroy the Raspberry Pi Zero and microSD card

Following this visual guide, destroy particular components of the Raspberry Pi Zero using sharp hand tools. Specifically, destroy the microSD card and the Raspberry Pi's BCM2835 processor. According to Adafruit, the Pi Zero's RAM sits on top of its processor, so be sure to destroy both. Wear eye protection and use a hammer and screwdriver or nail to break through their plastic coatings and pulverise their silicon innards.

For inspiration, refer to this article from The Guardian: Footage released of Guardian editors destroying Snowden hard drives

While this is a little extreme, the device is inexpensive and small, and some users may wish to maximise their peace of mind. If you don't want to destroy the device, at least store it in a safe place and do not use it until you you empty your cold wallet of all funds and no longer use that address.

Want to buy me a coffee?

Please send XMR to 4B4CBHf9qu8e67JWRYASFKTLT42fQCLHsDNDxzW71CjqRNtw8ZBN5rU1pPiVZEDPgv9rHfs23VpE9jpSrLpkWqmEQsbfj6i to support the author - thank you!

What is a cold wallet?

If you wish to store moneroj [1] for a long period of time without spending them, it is a good idea to put them in a cold wallet, also known as cold storage. Cold wallets are created and stored in a such a way that the only way to spend the funds in them is to have physical access. As such, they should only be kept offline, and should be generated by devices which have never and will never be connected to the Internet.

Why not use some other tool?

There is nothing intrinsically wrong with existing solutions, such as moneromooo's offline wallet generator. It is absolutely possible to use such tools securely. Malvarma only seeks to go one step further to provide a solution which accounts for both hardware and software security, while making the entire process as foolproof as possible.

Why use Malvarma?

Unfortunately, it is not easy to create a cold wallet securely. Several problems stand in the way, so Malvarma seeks to mitigate them.

Network interfaces

Problem: A cold wallet should be generated using processes and devices which have as few attack surfaces as possible. Network connectivity is one such attack surface though which an attacker may (hypothetically) leverage to extract private keys.

Solution: A cold wallet should be generated in an air-gapped device. While it is possible to disable wireless adapters on most PCs or laptops, the non-wireless version of the Raspberry Pi Zero is always air-gapped, so it avoids this entire class of vulnerabilities.

Note that this only matters if you don't want to have to trust that your device can indeed turn its wireless adapter off. Again, this is a guide for the highly security-conscious, and assumes an extremely low risk appitite.

Malware

Problem: A device may be infected with malware without the user knowing. Even if a cold wallet is generated offline, sufficiently sophisticated malware may transmit it to an adversary if the device gets online.

Solution: A legitimate copy of Malvarma will not contain malware, and it will be possible to ensure that this is so. Each Malvarma image will be cryptographically signed and users should verify it before use. More advanced users will be able to inspect, reproduce, and verify that the published Malvarma image is exactly as advertised.

Data destruction

Problem: Traces of private keys may remain on one's device even if they are deleted or after it is shut down. [2] [3] The only way to be absolutely sure is device to generate your keys and physically destroy the device after use. Although this is prudent, it is wasteful to destroy electronics, and disposing electronic waste can harm the environment.

Solution: A Raspberry Pi Zero only costs USD$5 and is very small. It is therefore more economical and relatively less harmful to the environment to destroy after use.

Ease of use

Problem: It is not trivial to set up a secure computing environment. Rather than go through the hassle of setting up a USB-bootable Linux distribution on an airgapped device just to create a cold wallet, a less-determined user may opt to do so on the system they regularly use, and thereby defeat the purpose of the entire exercise.

Solution: Each Raspberry Pi Zero is the same as the next. By encapsulating a wallet generator into a microSD image, Malvarma eliminates the problem of installing software on an airgapped device. The goal is to make it plug-and-play.

What about hardware wallets?

Some users find hardware wallets an acceptable alternative to cold wallets as they strike a balance between usability and security. [4] Yet at the time of writing (early January 2018), there are no commercially available hardware wallets for Monero, although Ledger support is reportedly in the works.

Note: Malvarma is neither a hardware wallet, nor will it store any generated wallets. You must write down the private keys and mnemonic seed before sending any funds to your cold wallet.

Development roadmap

Completed:

  • 11 January 2018: 0.1.1-alpha relased for testing

Future plans:

  • End-January 2018
    • Release a version which provides 2-of-3 split keys using Shamir's Secret Sharing
    • Release Malvarma for other cryptocurrencies.

Building Malvarma

If you want to make a copy of Malvarma yourself, follow these instructions. They have been tested on Ubuntu 17.10.

1. Install dependencies:

sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu $(lsb_release -sc) universe" && \
sudo apt update && \
sudo apt -y install libguestfs-tools git python3 coreutils wget axel

2. Download and verify required files:

git clone https://github.com/weijiekoh/malvarma.git && \
cd malvarma && \
git clone https://github.com/weijiekoh/py2-monero-wallet-generator.git && \
sh download_raspbian.sh

If the download_raspbian.sh command fails, do not continue as the Raspbian image may have been tampered with, and should be considered unsafe.

3. Build a Malvarma image

sudo python3 build.py

Note: build.py requires root permissions through sudo because guestmount does not work for non-root users.

What build.py does

build.py configures the Raspberry Pi image as follows:

  • Disables WiFi and Bluetooth (in case it's run on a wireless-enabled Raspberry Pi)
  • Removes some unnecessary system services (to make Raspbian boot faster)
  • Configures /etc/rc.local to perform these tasks upon boot:
    • Install rng-tools and check for sufficiently high entropy using rngtest
    • If rngtest passes with a maximum of 5 out of 1000 FIPS-140-2 failures, run py2-monero-wallet-generator to generate and display the keys to a cold wallet

Note that build.py is not deterministic. The output file (raspberry/malvarma-<version>.img) is likely to differ over multiple runs, even if it uses the same original Raspbian image and Malvarma code. This is probably because libguestfs is also non-deterministic. If anyone has suggestions on how to deterministically modify raw disk images, please contact the author. In the meantime, please audit the code yourself if you want to fully trust it.

Malvarma uses the rng-tools package: raspberry/rng-tools_2-unofficial-mt.14-1_armhf.deb. To verify the authenticity of this file, refer to verify_rng-tools.md.

4. Output .img file

The built .img file will be in the build/ directory, and is ready to be burned to a microSD card.

You may choose to emulate the image using QEMU, but since QEMU will modify the image, remember to delete and rebuild it when you are done.

sudo apt -y install qemu-system-arm

python3 qemulate_malvarma.py build/malvarma-<version>.img

rm -rf build/malvarma-<version>.img

What does malvarma mean?

Malvarma is Espernanto for cold.

Notes

[1] In Espernanto, moneroj is the plural of monero, or coin.

[2] A cold boot attack, for instance, may retrieve data computer memory even if it has been rebooted, albeit within a timeframe of seconds to minutes.

[3] Some operating systems use on-disk swap files as temporary working memory storage. Sensitive data, including private keys, may find their way into swap files, and a determined adversary may be able to extract them.

[4] The Ledger, for instance, uses a secure element to store private keys, which makes it easy to spend coins without exposing any private keys.

You can’t perform that action at this time.