Bitcoin Safe Usage v03

Version 0.
3 (July 2011)
by Michael_S (forum.bitcoin.org)
OpenPGP KeyID=0xCC7E7C99
A Practical (and Paranoid) Guide:
Setting up a Secure System for the Bitcoin Client

- keep your private keys (wallet.dat) secure and do not loose them Keeping them secure means: (1) Secure against theft (by Trojans, key loggers, or physical theft) (2) Secure against loss (by loss of the wallet.dat or by forgetting the password protecting it) Concerning (1): After the download of the Bitcoin client software binary file from http://bitcoin.org/ or http://sourceforge.net/projects/bitcoin/files/Bitcoin/, check the integrity of the file by the SHA1 checksum. Note that on the Bitcoin download site, SHA1 checksums are not provided for Bitcoin versions before 0.3.23. Therefore Annex 2 has a list of checksums for older versions. When using your Bitcoin Client or when opening an encrypted container file containing your private keys (wallet.dat), only do so in an environment of 100% trusted open source software. Good Examples: A 100% GNU Linux trusted distribution, e.g. GNU Linux Ubuntu GNU Linux Knoppix GNU Linux Slax Bad Examples: Microsoft Windows Apple MacOS Linux with one of the following software installed: Adobe Flash plugins Web brower with Java Script (and using the Web browser) Skype Opera Browser VMware Virtual Machine/VMware Player ...or any other proprietary or non-trusted piece of software When typing the password for opening an encrypted container file that contains your private keys (wallet.dat): Never do this from within another operating system (OS) than the 100% trusted one mentioned above. After closing your Bitcoin Client session: Make sure your private keys (wallet.dat) will be saved only in encrypted form. Make sure your 100% open source trusted Operating System cannot be corrupted: Do NOT install your 100% trusted GNU Linux OS on an unencrypted hard drive partition that could be accessed (and possibly corrupted) when you boot your PC with a less trusted operating system! DO use a bootable Live CD/DVD for your 100% trusted GNU Linux System, if possible (using a Non-Re-Writable CD/DVD disc). Otherwise:
Bitcoin donations welcome:
14ajM1BHY7E8GJ4DGGvtFFGmE15hSSSRJR
[1 of 24]
Version 0.3 (July 2011)
DO use a bootable USB stick or flash memory card that is not used for any other purpose. Preferably encrypt this USB stick completely (at least the persistent data part for your user settings and installed programs, but if possible also the system section) Despite encryption, make sure nobody else can have physical access to this bootable flash memory and modify it (note that at least the boot section can never be protected by encryption and therefore is never 100% secure against modification, in contrast to a Live CD/DVD). Do not use your Bitcoin-Operating-System for any other purposes than simply running the Bitcoin client. Because other applications might containing errors that make them vulnerable e.g. to buffer overflows, that might corrupt your system. Examples: Do NOT surf the internet with any web browser (some web pages may contain malicious code that could affect your system even without Java/JavaScript or Flash. For example, certain malicious *.jpg files can cause buffer overflows and thereby attack your system. Do not use an email client (same reason malicious emails could provoke buffer overflows) Do not run your 100% secure GNU Linux System inside a Virtual Machine using VMware. Since VMware itself is proprietary closed source software, it may contain backdoors and could possibly access any data inside your guest system! Finally, for all kinds of encryptions (container files, system partitions, etc.): Use SAFE passwords respecting the Password Guidelines that can be found at the end of this document in the chapter Summary and Recommendations. This is particularly important for the encrypted private keys (wallet.dat) that you are going to upload to external internet servers (to the cloud) to protect yourself against loss of these keys in case of hardware failures or physical theft or damage. Use only 100% open source software, no proprietary software. This is also true for the encryption software itself! Use encryption software that employs keys with no less than 256 bits, which is today's state of the art (e.g. 256 bit AES). Concerning (2): Make multiple copies of your private keys (wallet.dat) after(!) you have encrypted them(!), and upload them to various external internet servers (the cloud). Do this after every session with the Bitcoin client when you do any outgoing payments, because this may cause the Bitcoin client to generate new private keys that are not yet part of your last backup of the wallet.dat. And again: Make sure you do not forget the password(s)!
The following pages give three best practice examples on how to setup such a secure system (certain basic experience with Linux is recommended, but deep expert knowledge is not required):
Example 1: Knoppix 5.3.1/5.1.1 with Live DVD/Live CD and Truecrypt: Most secure solution, but Bitcoin clients 0.3.22 and 0.3.23 do not run (0.3.21 does run). Example 2: Ubuntu 10.04.2 with bootable USB stick and Truecrypt: Full Bitcoin client compatibility and nicest user interface. However, all Linux system data [but not Bitcoin data] is saved to the USB stick in unencrypted form. Example 3: Knoppic 6.4.4 with bootable USB stick and Truecrypt: Full Bitcoin client compatibility and good user interface. Moreover, persistent user data is stored to the USB stick with 256 bit AES encryption. However, the Linux system data itself (=original files from the CD) is saved to the USB stick in unencrypted form.
Bitcoin donations welcome: 14ajM1BHY7E8GJ4DGGvtFFGmE15hSSSRJR [2 of 24]
Best Practice Example 1: Linux Knoppix 5.3.1 Live DVD (or Knoppix 5.1.1 Live CD)
[Download: http://www.kernel.org/pub/dist/knoppix] [Restrictions: Bitcoin version 0.3.21 for Linux works, but versions 0.3.22 and 0.3.23 do not work on Knoppix 5.3.1] [Note: I checked all this with Knoppix 5.3.1 DVD but should be the same with Knoppix 5.1.1 CD] Note ahead: Unfortunately, the solution of this Example 1 (i.e. using a Live DVD/CD in combination with an encrypted image file that saves persistently all user data and system modifications) does not work with the latest Knoppix releases 6.x (up to 6.4.4). Therefore, this Example 1 is explained for the older Knoppix release 5.3.1/5.1.1. Your secure system will consist of: Knoppix Live DVD (or Live CD) - burn the downloaded ISO image to DVD/CD (but do not use a Re-Writable medium!) Truecrypt software (version 7.0a) will be installed on top of Knoppix (the Truecrypt software License is similar to the GNU license and also 100% open source) Ca. 4 GByte of memory space on a hard disk OR external flash memory medium (e.g. USB stick). This memory will later contain: The file knoppix.img of 200 MB: It contains all the persistent user settings and system modifications (e.g. installed software) done on top of the Knoppix Live DVD/Live CD. A Truecrypt container file of ca. 4 GB (this size includes some margin, currently only ca. 600 MB are needed to save the Bitcoin block chain for one's own wallet). This container will include the Bitcoin executable file bitcoin as well as the Bitcoin client's data directory which contains the wallet.dat and the blockchain. A Truecrypt container file of 1 MB. It simply contains a copy of the file wallet.dat which includes all your private keys. Copies of this very strongly encrypted container file should be uploaded to the internet cloud (i.e. to various internet servers like web spaces, dropbox, internet email inboxes, etc.) For your convenience: An UNencrypted plain text file myBitcoinAddresses.txt where you copy your own Bitcoin addresses (looking like the one in the footnote of this paper). You can later access this text file from your normal daily-use operating system where you might run a second, less secured, instance of the Bicoin client (with a different wallet.dat of course!). This second client shall contain only a relatively small amount of Bitcoins (BTCs). If the BTCs on this account grow too big, you can simply transfer some BTCs to your safe address by using one of the addresses in myBitcoinAddresses.txt! System Setup: Setup is quite straight forward. After having burned the downloaded *.iso image to DVD/CD (for security reasons, do NOT use a re-writable medium) and having booted from Knoppix Live DVD/CD the first time, you will create a so-called persistent image file (knoppix.img) [the word image has nothing to do here with picture!] that will contain all your user settings. In that way you will have the feeling of a normal system, even when using a Live DVD/CD. The screenshot below shows how to create such a permanent KNOPPIX-image file via the Knoppix penguin menu.
[3 of 24]
The rest of the procedure is interactive, just select the desired hard drive and choose to create an encrypted image file when you are asked about this (encryption method will be the very secure 256 bit AES). Concerning the size of this image file, the minimum of 200 MB should be sufficient (note you shall not do anything with this system other than using the Bitcoin client, so no big memory space for user settings and new software is required!). Use a SAFE password, of course, even though this will later just protect your personal settings and Linux system modifications, not directly your Bitcoin keys. Next time you boot from the Live DVD/CD, you may want to enter the cheatcode knoppix home=scan a the boot prompt to have Knoppix use the image file. If you don't do this, Knoppix will still search for knoppix.img and then ask you whether to use it. However, if you do not react to this query within 20 seconds, it will start without using it, and you would have to re-boot again for another try. The following steps are the same for Examples 1, 2 and 3 in this guide: Next you download the truecrypt-7.0a-setup-x86.tar.gz file (in case of 32 bit Linux), from here http://www.truecrypt.org/downloads, unpack it and start the executable. This will install Truecrypt on your system. Afterwards, perhaps you want to customize your Linux desktop by creating an appropriate icon that links to /usr/bin/truecrypt etc. Now you can start creating the appropriate container files with Truecrypt: One 4 GB file (e.g. myBitcoinOperationalSpace.tc) and one 1 MB file (e.g. myBitcoinWalletSafeStorage.tc). For Example 1 (Knoppix 5.3.1/5.1.1) the proposal is to locate these files at the same point as knoppix.img. Use a VERY safe password (i.e. passphrase) here, but be sure not to forget it!!! Now you mount the large (4 GB) container file in the Truecrypt GUI window, the proposal is to mount it always in Truecrypt's 1st slot, so the mounting point will be /media/truecrypt1/. Of course you also have to get the Bitcoin client itself from http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.21/bitcoin-0.3.21-linux.tar.gz/ download. From this file Bitcoin-0.3.21-linux.tar.gz you need to extract only the executable file bitcoin, nothing else (either the bin/32/ or /bin/64/ variant depending on your system). [Note that the newer Bitcoin versions 0.3.22 or 0.3.23 do NOT work on Knoppix 5.3.1/5.1.1] Next you put the following two files to these locations and create a directory as follows: The Bitcoin client executable file. /media/truecrypt1/bitcoin /media/truecrypt1/btc_start Create this file as explained below. /media/truecrypt1/myDataDir/ Create this new directory, using exactly this name myDataDir. Make sure that both bitcoin and btc_start have the executable flag set in the Linux file system. The shell command would be chmod a+x b* to make all files in the current directory executable whose filenames start with b. Or you can set the executable flag in the file manager via right-click on the file Properties ... Finally you can double-click btc_start (or make a link at the desktop to it and double-click that desktop icon) to start the Bitcoin client.
[4 of 24]
NOTE: The file btc_start is a very simple Linux shell script that starts the Bitcoin client with an appropriate command line parameter, such that it will use the data directory myDataDir inside the location of your Truecrypt container, and not the default location ~/.bitcoin. This is essential, because it makes sure that at no point in time your privat keys (wallet.dat) will ever be written to any unencrypted storage space of your system. You can create the file btc_start with a simple text editor, just copy-paste the following text exactly like this:
#!/bin/bash # Get the absolute path of THIS script file: ThisPathAbs="$(dirname "$(readlink -f ${BASH_SOURCE[0]})")" # Get the relative path of THIS script file: ThisPathRel=`dirname $0` # Call the Bitcoin client and put the data in the subdirectory "myDataDir": `$ThisPathRel/Bitcoin -datadir="$ThisPathAbs/myDataDir"` &
Once you have started the Bitcoin client, it will immediately create various files in the directory /media/truecrypt1/myDataDir/. One of these files is wallet.dat. Now you should manually create addresses in the Bitcoin client - I propose about 10 addresses or so for now. Then you may want to copy-paste them to a new text file (e.g. myBitcoinAddresses.txt) that I propose to locate at the same location where the two *.tc Truecrypt container files and the knoppix.img file are located. At some point in time you close the Bitcoin client. Then you mount the other, smaller 1 MB Truecrypt container file to slot 2, such that you get a directory /media/truecrypt2/. You copy the file wallet.dat from /media/truecrypt1/myDataDir/wallet.dat to /media/truecrypt2/wallet.dat. Now you can dismount both container files in the Truecrypt GUI window, and you can (and should) make multiple copies of your 1 MB container file myBitcoinWalletSafeStorage.tc and upload it to many different locations in the internet cloud. The following illustration summarizes the final system setup with Knoppix 5.3.1/5.1.1 at a glance:
[5 of 24]
Final System Setup: Knoppix 5.3.1/5.1.1 with Live DVD/CD:
PC with Knoppix 5.3.1 Live DVD (or 5.1.1 Live CD) (using a "Write-Once" DVD/CD, but NOT a Re-Writable DVD/CD)
has access to
Hard Drive or USB Stick or other NON-Encrypted Storage Medium * knoppix.img [200 MB] (256 bit AES encrypted by Knoppix) * myBitcoinOperationalSpace.tc [4 GB] (strongly encrypted by Truecrypt)
Contains all "persistent" user settings/modifications of the Knoppix 5.3.1/5.1.1 Live system
/media/truecrypt1/... .../bitcoin (ver. 0.3.22 & 23 do NOT work) .../btc_start .../myDataDir/wallet.dat .../myDataDir/<other files> copy manually /media/truecrypt2/wallet.dat
* myBitcoinWalletSafeStorage.tc [1 MB] (strongly encrypted by Truecrypt) * myBitcoinAddresses.txt (UNencrypted, intentionally)
... 14ajM1BHY7E8GJ4DGGvtFFGmE15hSSSRJR ... etc.
Read access (for making backups of container file)
Read access (for sending BTCs to these addresses)
Insecure Operating System e.g. MS Windows/MacOS/insecure Linux * Virus X ad libitum * Trojan Y ad libitum * Malware Z ad libitum
[6 of 24]
Best Practice Example 2: Ubuntu 10.04.2 LTS Bootable USB Stick

(1 GB possible, 4 GB recommended)
[Download: http://releases.ubuntu.com/lucid/ubuntu-10.04.2-desktop-i386.iso, or more generally http://releases.ubuntu.com/lucid/] [Restrictions: None. Both Bitcoin versions 0.3.21 and 0.3.23 for Linux have been verified to work. The system setup is similar to Example 1: Your secure system will consist of: Bootable USB stick containing the Ubuntu 10.04 LTS system Software Truecrypt 7.0a (like in Example 1) is installed on top (also on this USB stick) Additionally ca. 3 to 4 GB of hard disk/flash memory space, or some extra space on the same USB stick, for a Truecrypt container file of ca. 3-4 GB size. Some small (ca. 1 MB) hard disk or flash memory space outside this USB stick, to store another 1 MB Truecrypt container file and an UNencrypted plain text file myBitcoinAddresses.txt. PROs and CONs relative to Example 1: PROs: Compatible with both older and newer versions of the Linux Bitcoin client. Also works on systems without CD/DVD drive, e.g. netbooks. CONs: Contents of the USB stick are not encrypted, including... ...system files (boot section, kernel, all original DVD/CD files) ...persistent user data (e.g. installed software like Truecrypt) This means that theoretically somebody (or another infected system) having access to the USB stick could compromise its contents, e.g. by installing a Trojan by modifying some files without your knowledge. Then, next time you boot from the USB stick and open a Truecrypt container file, your private keys (wallet.dat) can be read by this Trojan. Note that in Example 1 this cannot happen, because the contents of the Live DVD/CD cannot be modified physically (unless the optical disc is re-writable), and also the knoppix.img image file is strongly encrypted and therefore cannot be changed without the owner noticing this (that image file would not function any more if it was manipulated). System Setup: Setup is quite straight forward. Download ISO image suitable to your computer hardware (e.g. see link above). Burn ISO image to a CD Boot from this CD Create a bootable USB stick with the USB-creator tool that comes along with the Ubuntu Live CD. In the menu select System Administration Startup Disk Creator, see screenshot below. In this process, just make sure that you select the right device and do not delete your hard disk.
[7 of 24]
Inside this USB creator tool, first delete the complete USB stick, to have a clean basis. For the amount of persistent space to allocate, select 200 MB, this should be enough, for the same reason as for Knoppix 5.3.1 in Example 1: Only few changes are supposed to be done on this system, because it shall only be used for running the Bitcoin client. Shut down PC, remove CD, boot from USB stick (make sure that booting from USB is activated in the BIOS of your computer). The rest of the system setup is the same as what is described for Example 1, i.e. installing Truecrypt, creating the two *.tc container files and populating them with the appropriate files like bitcoin executable, btc_start shell script and myDataDir subdirectory. Note: The USB stick is now formated in FAT32 and it contains one partition only. There are various files and directories on the stick, amongst others a ca. 200 MB file called casper-rw which serves the same purpose as knoppix.img in Example 1, namely to store persistently all user settings and system modifications relative to the original Live CD. Note however that this file is not encrypted. All these files take up ca. 900 MB of space on the USB stick. The rest is still free and could optionally be used to store these files, that in Example 1 have been stored to an extra medium: myBitcoinOperationalSpace.tc ca. 3-4 GB Truecrypt container file myBitcoinWalletSafeStorage.tc 1 MB Truecrypt container file myBitcoinAddresses.txt UNencrypted plain text file However, for security reasons it is advised to store the last two of these files not (or at least not exclusively) on this USB stick but on a separate storage medium (hard disk or a second flash memory device)! The reason for this is that you will probably later access these files from another, more insecure system (like your daily working PC) in order to read the Bitcoin addresses or to backup/upload the 1 MB container file to the internet cloud. But you should not expose your unencrypted USB stick's system and persistent user data files to that insecure system to avoid any potential corruption. Hence, these two files shall be stored outside this USB stick. If your bootable USB stick has only 2 GB (or 1 GB), you may prefer to (or you have to) store also the 4 GB file to an external place, just like in Example 1. The following illustration summarizes the final system setup with Ubuntu 10.04.2 LTS at a glance:
[8 of 24]
Final System Setup: Ubuntu 10.04.2 LTS on USB Stick:
PC with bootable USB Stick with Ubuntu 10.04.2 LTS * System Files from CD [700 MB] (not encrypted, unfortunately) * casper-rw [200 MB] (not encrypted, unfortunately)
STOP! No access to the USB stick! Contains all "persistent" user settings/modifications of the Ubuntu 10.04.2 LTS Live system has access to
Same USB Stick [or below's other Non-Encrypted Storage Medium] * myBitcoinOperationalSpace.tc [3-4 GB] (strongly encrypted by Truecrypt)
/media/truecrypt1/... .../bitcoin .../btc_start .../myDataDir/wallet.dat .../myDataDir/<other files>
Other Non-Encrypted Storage Medium (Hard Disk or Flash Medium) * myBitcoinWalletSafeStorage.tc [1 MB] (strongly encrypted by Truecrypt) * myBitcoinAddresses.txt (UNencrypted, intentionally)
copy manually /media/truecrypt2/wallet.dat
[9 of 24]
Best Practice Example 3: Knoppix 6.4.4 Bootable USB Stick

(1 GB possible, 4 GB recommended)
[Download: http://www.kernel.org/pub/dist/knoppix] [Restrictions: None. Both Bitcoin versions 0.3.21 and 0.3.23 for Linux have been verified to work. Note ahead: An even further improvement that renders this system almost as secure as Example 1 (i.e. secure against manipulation of the USB stick's system files from another operating system or from somebody who has physical access to the stick) is given in Annex 3 as Example 3+. The system setup is similar to Example 1, the system architecture is the same as in Example 2: Your secure system will consist of: Bootable USB stick containing the Knoppix 6.4.4 system Software Truecrypt 7.0a (like in Example 1 or 2) is installed on top (also on this USB stick) Additionally ca. 3 to 4 GB of hard disk/flash memory space, or some extra space on the same USB stick, for a Truecrypt container file of ca. 3-4 GB size. Some small (ca. 1 MB) hard disk or flash memory space outside this USB stick, to store another 1 MB Truecrypt container file and an UNencrypted plain text file myBitcoinAddresses.txt. PROs and CONs relative to Examples 1 or 2: PROs: Compatible with both older and newer versions of the Linux Bitcoin client (like Example 2). Also works on systems without CD/DVD drive, e.g. netbooks (like Example 2). The persistent image file is encrypted like in Example 1, and not unencrypted like in Example 2. CONs: System files (boot section, kernel, i.e. all original CD files) are unencrypted like in Example 2, and as opposed to Example 1, where they are inherently safe against manipulation because they are physically burned on a DVD/CD. System Setup: Setup is quite straight forward. Download ISO image suitable to your computer hardware (e.g. see link above) and language preference (English or German). Burn ISO image to a CD Boot from this CD Execute the program flash-knoppix either from the console or by starting it via the menu: Settings KNOPPIX install to Flash Disk (see screenshot below). This will initiate a short interactive dialog to create a bootable USB stick. In this process, just make sure you select the right device and do not delete your hard disk!
[10 of 24]
At one point of the dialog you have the choice between either completely deleting the whole USB stick (=yes), or just copying the Knoppix Live CD files to your USB stick (=no). Select yes. Shut down PC, remove CD and boot from USB stick (make sure that booting from USB is activated in the BIOS of your computer). If booting fails: See Annex 1 for failure handling/workaround to fix this. Then go on: During this first boot process from USB stick you will be asked about the amount of persistent space to allocate on the USB stick. The minimum of 200 MB shall be enough, for the same reason as in Examples 1 and 2: Only few changes are supposed to be done on this system, because it shall only be used for running the Bitcoin client. Afterwards you will be asked if you want to encrypt this file that contains the persistent settings. Select yes for encryption and choose a safe password. A strong 256 bit AES key will be used for encryption. The rest of the system setup is the same as what is described for Example 1, i.e. installing Truecrypt, creating the two *.tc container files and populating them with the appropriate files like bitcoin executable, btc_start shell script and myDataDir subdirectory. Note: The USB stick is now formated in FAT32 and it contains one partition only (like in Example 2). There is one file ./ldlinux.sys and two directories (./boot/ and ./KNOPPIX/) containing various further files, amongst others the 200 MB strongly encrypted file ./KNOPPIX/knoppix-data.aes which serves the same purpose as casper-rw or knoppix.img in Examples 1 and 2 respectively, namely to store persistently all user settings and system modifications relative to the original Live CD for a seemless user experience. All these files take up ca. 900 MB of space on the USB stick. The rest is still free and could optionally be used to store these files, that in Example 1 have been stored to an extra medium: myBitcoinOperationalSpace.tc ca. 3-4 GB Truecrypt container file myBitcoinWalletSafeStorage.tc 1 MB Truecrypt container file myBitcoinAddresses.txt UNencrypted plain text file However, just like explained in Example 2, for security reasons it is advised to store the last two of these files not (or at least not exclusively) on this USB stick but on a separate storage medium (hard disk or a second flash memory device)! The reason for this is that you will probably later access these files from another, more insecure system (like your daily working PC) in order to read the Bitcoin addresses or to backup/upload the 1 MB container file to the internet cloud. But you should not expose your unencrypted USB stick's system and persistent user data files to that insecure system to avoid any potential corruption. Hence, these two files shall be stored outside this USB stick. If your bootable USB stick has only 2 GB (or 1 GB), you may prefer to (or you have to) store also the 4 GB file to an external place, just like in Example 1. The following illustration summarizes the final system setup with Knoppix 6.4.4 at a glance:
Final System Setup: Knoppix 6.4.4 on USB Stick:
PC with bootable USB Stick with Knoppix 6.4.4 * System Files from CD [700 MB] (not encrypted, unfortunately) * ./KNOPPIX/knoppix-data.aes [200 MB] (256 bit AES encrypted by Knoppix)
STOP! No access to the USB stick! Contains all "persistent" user settings/modifications of the Knoppix 6.4.4 Live system has access to
Same USB Stick [or below's other Non-Encrypted Storage Medium] * myBitcoinOperationalSpace.tc [3-4 GB] (strongly encrypted by Truecrypt)
[12 of 24]
Summary and Recommendations

Some best practice examples have been given. Now the question is: Which is the best way to go in my case? The answer: If you want ultimate security such that you are safe even if another person has physical access to your system medium (Live DVD/CD or bootable USB stick), go after Example 1 (Knoppix 5.3.1/5.1.1 Live DVD/CD). Disadvantage: The most recent Bitcoin client version (0.3.22 and 0.3.23) will not work, but you should also be able to work with Bitcoin client version 0.3.21 for all future, because the Bitcoin protcol can never change by design. If you are really sure that your system medium (bootable USB stick) is safe against physical access by another skilled person, you can go for a bootable USB stick according to Example 2 (Ubuntu 10.04.2 LTS) or Example 3 (Knoppix 6.4.4). Advantages: Compatibility, Versatility, Comfort: All currently known Bitcoin client versions up to 0.3.23 work well (for future Bitcoin versions' compatibility Knoppix 6.4.4 might be of advantage over Ubuntu 10.04.2 LTS as being the later release with the newer kernel 2.6.36 as opposed to 2.6.32). It also works for computers without DVD/CD drive, e.g. netbooks. The boot process is faster than with a Live DVD/CD (but even with Example 1's Live DVD the boot and system speed is well acceptable). Disadvantages: Security: Both Ubuntu 10.04.2 LTS and Knoppix 6.4.4 solutions have the system data (i.e. the original data from the Live CD) stored on the USB stick in UNencrypted form. This means that, theoretically, somebody who has physical access to this USB stick could modify this system data by implanting a Trojan without your knowledge and put the USB stick back to where it was. Then next time you take this stick, boot from it and start your Bitcoin client session, the Trojan could read your private keys (wallet.dat) and send them to the attacker without you realizing this. In this respect, Knoppix 6.4.4 is slightly more secure than Ubuntu 10.04.2, because Knoppix stores at least the persistent user data in encrypted form, such that this part cannot be altered systematically without knowledge of the password. In contrast, Ubuntu also stores the persistent user data in UNencrypted form on the stick, such that the attacker could also modify this data for implanting a Trojan (e.g. by modifying the truecrypt binary file). So at least the chances that somebody with physical access to the bootable USB stick implants a Trojan into the system behind your back are a bit lower with the Knoppix 6.4.4 system than with the Ubuntu 10.04.2 LTS system. And: The Knoppix 6.4.4 USB system can be made even more secure, meeting almost the security level of the Live DVD/CD solution (Example 1), by employing the enhancements of Annex 3, where a solution referred to as Example 3+ is proposed! Finally remember the PASSWORD GUIDELINES: All the above is in vain if you do not use secure and safe passwords!!! This means, the password (actually a better name is passphrase) should be... Not Crackable, i.e. sufficiently long and complex (including special characters and numbers), minimum 25 characters recommended, but also safe against dictionary attacks (for example Antidisestablishmentarian123 or Disestablishment_Orthographically are weak passwords despite their length) Not Guessable by any other person who knows you well. A bad example is this password containing commonly known private data: Maximilian 3.11.2006 Laura 5.7.2009. Not FORGETTABLE by yourself this is at least equally important!
Annex 1: Workaround if Knoppix 6.4.4 USB Stick does not boot

In my case, the PC did not boot from the USB stick after I had created the (allegedly) bootable USB stick with flash-knoppix from Knoppix 6.4.4 as described in Example 3. Apparently, the master boot record (MBR) was written to the USB stick by flash-knoppix in a way unsuitable for my PC. However, all the Knoppix files (./ldlinux.sys, ./KNOPPIX/<various_files> and ./boot/<various_files>) have been copied to the USB stick correctly. However, the corresponding procedure with Ubuntu 10.04.2 LTS (acc. to Example 2) was successful and the same USB stick became bootable very well. This proves that in general my system (PC and USB stick hardware) was able to boot from a USB stick. If this combination also applies to you, you will probably succeed in creating a bootable Knoppix 6.4.4 USB stick by following the steps below. I found out that the following workaround yields a Knoppix 6.4.4 bootable USB stick, after having tried to create a bootable Knoppix 6.4.4 USB stick unsuccessfully acc. to Example 3: Boot the PC with the Ubuntu 10.04.2 LTS Live CD from Example 2. Plug in the USB stick. Save all Knoppix 6.4.4 files from the USB stick (i.e. (./ldlinux.sys, ./KNOPPIX/<various_files> and ./boot/<various_files>) to another place, e.g. to the hard disk, while keeping the directory structure intact. Most easily, you may want to use Ubuntu's default file manger (nautilus) for this. Create a Ubuntu bootable USB stick in the way as described in Example 2, but do not create persistent user memory this time (can be deselected by a radio button at the bottom of the GUI window). Shut down the PC. Unplug the USB stick. Now boot the PC from the Knoppix 6.4.4 Live CD. This is important! This step appears overly complicated, but the following copy-operation did not yield the desired result [=bootable Knoppix USB stick] when doing it within the Ubuntu 10.04.2 LTS system! Plug in the USB stick. Open a window of Knoppix' default file manger (pcmanfm) and locate the USB stick. Delete all data from the USB stick via the file manager. Also select Menu View Show hidden files and delete also the hidden files on the USB stick. (Note: Of course the MBR that has been written by Ubuntu just before cannot be deleted by this operation, and this is exactly what we want, to have a really bootable USB stick at the end.) Open a second window of the file manger and find the location where you had copied all the Knoppix data in bullet #3 above. Copy all this content from this directory back to the USB stick by drag&drop or by copy&paste. Do this in the following order: First the file ldlinux.sys, Second the directory boot/ with all its contents, Third the directory KNOPPIX/ with all its contents (the third step may take a few minutes to complete because of the amount of data). Close all file manager windows. Unmount the USB stick (e.g. via right-click context menu of the USB stick's desktop icon). Shut down the PC. Done. Now it should be possible to boot Knoppix 6.4.4 with this USB stick, and you can continue with the rest of the descriptions of Example 3.
Annex 2: SHA1 Checksums for Linux Bitcoin Client Files

Originally downloaded files:
6b3e3edb3cc0a167166ace9f18e20f191415d560 5c73031ee872884e741a3cd77d50732b7168f127 54254cba039b02a2f49fdc98b8fe820d0fd4e410 19a53c245f2a96de4f12264b8c2980adf85a814e d7a34e1151dedfba5af1bf7496ed041f5b4955e5 *bitcoin-0.3.19-linux.tar.gz *bitcoin-0.3.20.2-linux.tar.gz *bitcoin-0.3.21-linux.tar.gz *bitcoin-0.3.22-linux.tar.gz *bitcoin-0.3.23-linux.tar.gz
Binary executable files bitcoin (here manually renamed to include version number and target hardware):
c408a6fd08acde909c762bf63ac50f07bbd79a99 1692bc6ac635ad4a27e690ee5d9320b9273e9ceb 314456baba43ca0ab5aee1e5131d9087378650c3 9eb4834cbc12072c565e6b9a125321607b1141e9 6bfc4fedd369df2b6185c7e35a5ba24cff98c234 6d91de0410f1c6574db6f0e404e6effa62201874 7ffc121f4a190ee34676e30562bdd9224e6d5306 f30e6dd8771effef27355e2588dcfbce5d03cdd0 0a33f90785f6d7b1aaf79bee82fb321adbec5c31 9cae07b9e2117ec18c82f4bef14d7e0356301701 *bitcoin_0-3-19_32bit *bitcoin_0-3-19_64bit *bitcoin_0-3-20-2_32bit *bitcoin_0-3-20-2_64bit *bitcoin_0-3-21_32bit *bitcoin_0-3-21_64bit *bitcoin_0-3-22_32bit *bitcoin_0-3-22_64bit *bitcoin_0-3-23_32bit *bitcoin_0-3-23_64bit
Binary executable files bitcoind:

(-- not provided here due to lack of time --)
[15 of 24]
Annex 3: Enhanced Best Practice Example 3+: Knoppix 6.4.4 Bootable USB Stick
almost as secure as with a Live DVD/CD
The improvement to the solution of Example 3 consist of the following enhancement: You create another small 500 kB Truecrypt container file on the same storage medium as the file myBitcoinOperationalSpace.tc, and you name it ChecksumVerification.tc. After mounting this container to /media/truecrypt3/, you populate it with the following files:
/media/truecrypt3/sha1sum_owncopy /media/truecrypt3/sha1sums_knoppix644usb_critical.txt /media/truecrypt3/sha1sums_knoppix644usb_uncritical.txt /media/truecrypt3/sha1sums_dummy.txt /media/truecrypt3/sha1sum_check_knoppix644usb.sh /media/truecrypt3/file_existence_check.sh
These files are characterized as follows (and are fully specified on the following pages): sha1sum_owncopy: This is simply a copy of the file /usr/bin/sha1sum on your system. So you just copy it to the indicated location inside the Truecrypt container and rename it. sha1sums_knoppix644usb_critical.txt: This text file contains a list of SHA1 checksums for all critical Knoppix 6.4.4 system files that reside on the USB stick. These are files that have been copied from the Knoppix Live CD when the USB stick was created and are crucial for the functioning of the operating system (or the boot process). sha1sums_knoppix644usb_uncritical.txt: Similarly, this list corresponds to files that have also been copied from the Live CD, but these are not critical, i.e. it is impossible to implant a Trojan (stealing your Bitcoin private keys) into the system by only modifying these files. sha1sums_dummy.txt: This very short text file is also defined below. sha1sum_check_knoppix644usb.sh: This is an executable shell script file also to be created with a text editor. Its contents are given below. Make sure it has the executable flag set in the Linux file system (e.g. with the file manager via right-click on the file Properties ...). file_existence_check.sh: Another shell script specified below. Moreover, you create a Desktop icon by creating the text file knoppix_sha1_check.desktop (with contents as specified below) like this: In the File Manager On the left window side select Desktop On the right window side rightclick the empty space context menu New Blank File ...
/home/knoppix/Desktop/knoppix_sha1_check.desktop
After having created all these files, a simple double click on the Desktop icon reading Knoppix SHA1 Check will open a terminal window and inform you if the system is corrupted or clean. This check should always be performed directly after booting, BEFORE one of the Bitcoin-related Truecrypt container files is mounted. Remember to always mount ChecksumVerification.tc on truecrypt slot #3. Concerning the password for ChecksumVerification.tc, it shall be different from the passwords of the two Bitcoin related Truecrypt container files!!! In this way, any corruption of system data would now become visible by the SHA1 checksums, such that you can (and should) decide not to type the password for opening your Bitcoin related Truecrypt container files in a now potentially insecure environment (e.g. keylogger, Trojan, ...).
Annex 3.1: Desktop Files

File://home/knoppix/Desktop/knoppix_sha1_check.desktop
[Desktop Entry] Name=Knoppix SHA1 Check Exec=/media/truecrypt3/sha1sum_check_knoppix644usb.sh Icon=lxterminal Type=Application
Annex 3.2: Lists of SHA1 Checksums

File://media/truecrypt3/sha1sums_dummy.txt
1234567890abcdef1234567890abcdef12345678 *file_existence_check.sh
File://media/truecrypt3/sha1sums_knoppix644usb_critical.txt
08a66971bc07d94083d4adef6f2bb5ad486a8625 a27858f5178462afd11d5c8ae9bff1106658d07c b21c7034c3e80dbecd14bf210fe0af872a547138 b5ff7af6b4bc9104c349acf99940a0353c4b94c4 8090e0e2ca937d062782bdce1234c6ecbf862979 f08e1a0b0f907cb2556e4391f64ba6dca9f6250b 6782abfa3ecf899028bd01e14e53f0760a08d40b 53017a3189cd6fd566eee1e78612a64ec6c6b85b b3235556ffe7da2735e4c6a1e0245557925d2f09 */mnt-system/ldlinux.sys */mnt-system/boot/syslinux/balder.img */mnt-system/boot/syslinux/linux */mnt-system/boot/syslinux/linux64 */mnt-system/boot/syslinux/logo.16 */mnt-system/boot/syslinux/memdisk */mnt-system/boot/syslinux/memtest */mnt-system/boot/syslinux/minirt.gz */mnt-system/KNOPPIX/KNOPPIX
File://media/truecrypt3/sha1sums_knoppix644usb_uncritical.txt (German version of the Knoppix 6.4.4 CD)

59b6526a7b1fd5d2e8fb4a047dd5ad3785f1b58d 16c983dd8ff10a57c4cd734eabeb073f702ed7d5 f188a356f1f242dc1ecfa2478145499c22f7aa07 3a6979d9af4ea8c21af2e406baad7854b316b5df 3d4c255518be7d6ddc5bb340b41c1eed5b5ab071 6b5960039d0407a3b3c77fddc2efc85c31befb52 1dd5c3ea70a32db0a3593a9ce05a23a81c441864 0794431f9dbfb5908ebb39ffab9fc6c64db167ec 1277b725e0ebca59af4f2a1532fdff18850b90d9 8ef8c849eca5a570395b0dc587a94d998acf1125 031b7bb6488bf86123a0ace8dd37ab7c9249317d 952916a373c399d16b9f536f6e8c7a067aeba917 45a173f224be7fad9afd213c0143c032bcea274f e79418fa56c0199da83db4b5b902323b6d40d9c1 9f8659b5321990f9f592754156e13bfdeb16ed50 4917ef8981a9062f1a64d81bf2f29aad6c0a6804 7edea2650a3dc9b8218107cf4c55dcd74b76e15a 466a91c5fd5d345bb19d1c9419d9bd0734583151 */mnt-system/boot/syslinux/boot.msg */mnt-system/boot/syslinux/f2 */mnt-system/boot/syslinux/f3 */mnt-system/boot/syslinux/german.kbd */mnt-system/boot/syslinux/syslinux.cfg */mnt-system/KNOPPIX/background.png */mnt-system/KNOPPIX/background.README.txt */mnt-system/KNOPPIX/index_de.html */mnt-system/KNOPPIX/index_en.html */mnt-system/KNOPPIX/index_es.html */mnt-system/KNOPPIX/index_fr.html */mnt-system/KNOPPIX/index_it.html */mnt-system/KNOPPIX/knoppix-cheatcodes.txt */mnt-system/KNOPPIX/knoppix-logo-medium.png */mnt-system/KNOPPIX/knoppix-logo-small.png */mnt-system/KNOPPIX/LICENSE.txt */mnt-system/KNOPPIX/README_Security.txt */mnt-system/KNOPPIX/SOURCES.txt
[17 of 24]
File://media/truecrypt3/sha1sums_knoppix644usb_uncritical.txt (English version of the Knoppix 6.4.4 CD)

59b6526a7b1fd5d2e8fb4a047dd5ad3785f1b58d eff1e6009cde3cdc445b25cc0b69e8c3f249a8cd 4c07e66ed05fbb4011a76a2ef0ca7c50eb8c1f3f 3a6979d9af4ea8c21af2e406baad7854b316b5df 573431af090e175231509b80bb4953a49a5a8d24 6b5960039d0407a3b3c77fddc2efc85c31befb52 1dd5c3ea70a32db0a3593a9ce05a23a81c441864 0794431f9dbfb5908ebb39ffab9fc6c64db167ec 1277b725e0ebca59af4f2a1532fdff18850b90d9 8ef8c849eca5a570395b0dc587a94d998acf1125 031b7bb6488bf86123a0ace8dd37ab7c9249317d 952916a373c399d16b9f536f6e8c7a067aeba917 45a173f224be7fad9afd213c0143c032bcea274f e79418fa56c0199da83db4b5b902323b6d40d9c1 9f8659b5321990f9f592754156e13bfdeb16ed50 4917ef8981a9062f1a64d81bf2f29aad6c0a6804 7edea2650a3dc9b8218107cf4c55dcd74b76e15a 466a91c5fd5d345bb19d1c9419d9bd0734583151 */mnt-system/boot/syslinux/boot.msg */mnt-system/boot/syslinux/f2 */mnt-system/boot/syslinux/f3 */mnt-system/boot/syslinux/german.kbd */mnt-system/boot/syslinux/syslinux.cfg */mnt-system/KNOPPIX/background.png */mnt-system/KNOPPIX/background.README.txt */mnt-system/KNOPPIX/index_de.html */mnt-system/KNOPPIX/index_en.html */mnt-system/KNOPPIX/index_es.html */mnt-system/KNOPPIX/index_fr.html */mnt-system/KNOPPIX/index_it.html */mnt-system/KNOPPIX/knoppix-cheatcodes.txt */mnt-system/KNOPPIX/knoppix-logo-medium.png */mnt-system/KNOPPIX/knoppix-logo-small.png */mnt-system/KNOPPIX/LICENSE.txt */mnt-system/KNOPPIX/README_Security.txt */mnt-system/KNOPPIX/SOURCES.txt
Annex 3.3: Shell Scripts

File://media/truecrypt3/file_existence_check.sh
#!/bin/bash if ! [ -f $1 ]; then echo "--> ERROR: File \"$1\" does NOT exists!" exit 1 fi exit 0
[18 of 24]
File://media/truecrypt3/sha1sum_check_knoppix644usb.sh
#!/bin/bash tty -s if (($? != 0)); then # Default size of the terminal window: #lxterminal -e "$0" # larger terminal window - recommended: lxterminal --geometry=80x35 -e "$0" # Even larger terminal window: #lxterminal --geometry=120x49 -e "$0" exit fi # The code above checks if the script is already running in a terminal window. # If not, it opens a terminal window and executes the script there. cd /media/truecrypt3 # ------------------------------------------------------------------------# First of all, we make some file existence checks. # If the files do not exist, an sha1sum check is not possible anyway. echo "Part 1: Checking existence of important files" echo "---------------------------------------------" root_path_of_usb_stick=/mnt-system cnt=0 ./file_existence_check.sh $root_path_of_usb_stick/ldlinux.sys a=$? ; cnt=$[ $cnt + $(( $a != 0 )) ] ./file_existence_check.sh $root_path_of_usb_stick/boot/syslinux/balder.img a=$? ; cnt=$[ $cnt + $(( $a != 0 )) ] ./file_existence_check.sh $root_path_of_usb_stick/boot/syslinux/linux a=$? ; cnt=$[ $cnt + $(( $a != 0 )) ] ./file_existence_check.sh $root_path_of_usb_stick/boot/syslinux/linux64 a=$? ; cnt=$[ $cnt + $(( $a != 0 )) ] ./file_existence_check.sh $root_path_of_usb_stick/boot/syslinux/logo.16 a=$? ; cnt=$[ $cnt + $(( $a != 0 )) ] ./file_existence_check.sh $root_path_of_usb_stick/boot/syslinux/memdisk a=$? ; cnt=$[ $cnt + $(( $a != 0 )) ] ./file_existence_check.sh $root_path_of_usb_stick/boot/syslinux/memtest a=$? ; cnt=$[ $cnt + $(( $a != 0 )) ] ./file_existence_check.sh $root_path_of_usb_stick/boot/syslinux/minirt.gz a=$? ; cnt=$[ $cnt + $(( $a != 0 )) ] ./file_existence_check.sh $root_path_of_usb_stick/KNOPPIX/KNOPPIX a=$? ; cnt=$[ $cnt + $(( $a != 0 )) ]
if (( $cnt > 0 )); then echo "*****************************************************************" echo "ERROR: $cnt essential file(s) could not be found." echo . . . .Therefore, the SHA1 checksum test is not possible. echo . . . .The script is aborted at this point. echo echo . . . .Consider modifying the variable \"root_path_of_usb_stick\"
[19 of 24]

echo echo echo echo echo echo echo echo echo echo echo echo echo read exit
. . . .inside the file \"sha1sum_check_knoppix644usb.sh\". . . . .Then also adapt the paths correspondingly in the files . . . .\"sha1sums_knoppix644usb_critical.txt\" and . . . .\"sha1sums_knoppix644usb_uncritical.txt\". "*****************************************************************" ' _____ _ _ ' ' | ___|_ _(_) |_ _ _ __ ___ ' ' | |_ / _` | | | | | |' "'"'__/ _ \ ' ' | _| (_| | | | |_| | | | __/ ' ' |_| \__,_|_|_|\__,_|_| \___| ' "------- Press <ENTER> key to quit -------"
$cnt fi # ------------------------------------------------------------------------echo Done. echo # Specify the ASCII files containing the lists of SHA1 checksums: #sha1sum_List_all=`sha1sums_knoppix644usb_all.txt` sha1sum_List_uncritical=sha1sums_knoppix644usb_uncritical.txt sha1sum_List_critical=sha1sums_knoppix644usb_critical.txt # Check system files on the USB stick for integrity # (those files created at creation of the bootable USB stick): # Checking all files: #`./sha1sum_owncopy -c --status $sha1sum_List_all` #ErrorCode_0=$? # Checking the non-critical files: echo "Part 2: Checking the uncritical KNOPPIX system files..." echo "-------------------------------------------------------" `./sha1sum_owncopy -c --status $sha1sum_List_uncritical` ErrorCode_1=$? echo Done. echo # Checking the critical files: echo "Part 3: Checking the critical KNOPPIX system files (takes a bit longer...)" echo "--------------------------------------------------------------------------" `./sha1sum_owncopy -c --status $sha1sum_List_critical` ErrorCode_2=$? echo Done. echo
if (($ErrorCode_2 == 0)); then # No critical errors: if(($ErrorCode_1 == 0)); then echo "-------------------------------------------------------------" echo "Check passed! All system files are the original system files."
[20 of 24]
echo "Everything is OK." echo "-------------------------------------------------------------" else echo "++++++++++++++++++++++++++++++++++++++++++" echo Warning: Some files have been changed, but echo . . . . .these are uncritical files. echo . . . . .No serious reason to worry about. echo "++++++++++++++++++++++++++++++++++++++++++" echo Here are the details: ./sha1sum_owncopy -w -c $sha1sum_List_uncritical echo "++++++++++++++++++++++++++++++++++++++++++" echo ' __ __ _ ' echo ' / / /\ \ \__ _ _ __ _ __ (_)_ __ __ _ ' echo ' \ \/ \/ / _` | '"'"'__| '"'"'_ \| | '"'"'_ \ / _` | ' echo ' \ /\ / (_| | | | | | | | | | | (_| | ' echo ' \/ \/ \__,_|_| |_| |_|_|_| |_|\__, | ' echo ' |___/ ' fi else # Critical errors have occurred: echo "******************************************" echo "***** ALERT! VERY SERIOUS WARNING!!! *****" echo "******************************************" echo Important system files have been modified! echo Your system might be corrupted! echo Use it at your own risk! echo "******************************************" echo Here are the details: ./sha1sum_owncopy -w -c $sha1sum_List_critical echo "******************************************" echo ' _____ _ _ ' echo ' | ___|_ _(_) |_ _ _ __ ___ ' echo ' | |_ / _` | | | | | |' "'"'__/ _ \ ' echo ' | _| (_| | | | |_| | | | __/ ' echo ' |_| \__,_|_|_|\__,_|_| \___| ' if(($ErrorCode_1 != 0)); then echo "++++++++++++++++++++++++++++++++++++++++++" echo Moreover, also some of the echo \"uncritical files\" differ from their echo original versions. echo "++++++++++++++++++++++++++++++++++++++++++" echo Here are the details: echo "++++++++++++++++++++++++++++++++++++++++++" ./sha1sum_owncopy -w -c $sha1sum_List_uncritical echo "++++++++++++++++++++++++++++++++++++++++++" fi fi if (($ErrorCode_1 == 0)); then if (($ErrorCode_2 == 0)); then # Check if the file is able to generate bad checksums in the first place: `./sha1sum_owncopy -w -c --status sha1sums_dummy.txt` ErrorCode_Dummy=$?
[21 of 24]
if (($ErrorCode_Dummy == 0)); then echo echo "*************************************************" echo "***** ALERT! SHA1 Checksum Malfunctioning! ******" echo "*************************************************" echo The checksum function produces good results echo even when the checksum is actually bad. echo This might mean that the system is corrupted! echo Use it at your own risk! echo "*************************************************" echo Here are the details echo "(the following SHOULD give a BAD checksum):" ./sha1sum_owncopy -w -c sha1sums_dummy.txt echo "*************************************************" echo ' _____ _ _ ' echo ' | ___|_ _(_) |_ _ _ __ ___ ' echo ' | |_ / _` | | | | | |' "'"'__/ _ \ ' echo ' | _| (_| | | | |_| | | | __/ ' echo ' |_| \__,_|_|_|\__,_|_| \___| ' else echo ' ____ ' echo ' / ___| _ _ ___ ___ ___ ___ ___ ' echo ' \___ \| | | |/ __/ __/ _ \/ __/ __|' echo ' ___) | |_| | (_| (_| __/\__ \__ \' echo ' |____/ \__,_|\___\___\___||___/___/' fi fi fi
echo echo "------- Press <ENTER> key to quit -------" read
The following illustration summarizes the final system setup with Knoppix 6.4.4 on a bootable USB stick, when including the mechanisms introduced in this annex to allow discovering a corruption of the USB stick's system files:
[22 of 24]
PC with bootable USB Stick with Knoppix 6.4.4 * System Files from CD [700 MB] (not encrypted, unfortunately) * ./KNOPPIX/knoppix-data.aes [200 MB] (256 bit AES encrypted by Knoppix)
verify integrity by SHA1 checksums
Contains all "persistent" user settings/modifications of the Knoppix 6.4.4 Live system has access to
Same USB Stick [or below's other Non-Encrypted Storage Medium] * ChecksumVerification.tc [500 kB] (strongly encrypted by Truecrypt)
password = same as for knoppix-data.aes, but different from the 1MB and 4GB file
/media/truecrypt3/... .../sha1sum_owncopy .../file_existence_check.sh .../sha1sum_check_knoppix644usb.sh .../sha1sums_dummy.txt .../sha1sums_knoppix644usb_critical.txt .../sha1sums_knoppix644usb_uncritical.txt
* myBitcoinOperationalSpace.tc [3-4 GB] (strongly encrypted by Truecrypt)
All these files could actually be loacated on the USB stick in this variant. Because, if the insecure Operating System (bottom of figure) corrupted the system files, this would be discovered before it can do any harm to your Bitcoin private keys.
[23 of 24]
Version History of this Document

0.1 0.2 0.3 First version Clarified for Example 3+ (Annex 3) that there is no strict need any more to keep the bootable USB stick away from a potentially insecure & infected operating system. After cross-reading the complete document: Removal of some remaining inconsistencies, minor re-phrasings to improve readability, addition of this version history.
[24 of 24]

Bitcoin Safe Usage v03

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Bitcoin Safe Usage v03

Transféré par

Droits d'auteur :

Formats disponibles

Version 0.

A Practical (and Paranoid) Guide:

Setting up a Secure System for the Bitcoin Client

Bitcoin donations welcome:

Version 0.3 (July 2011)

Version 0.3 (July 2011)

Bitcoin donations welcome:

Version 0.3 (July 2011)

Bitcoin donations welcome:

Version 0.3 (July 2011)

Bitcoin donations welcome:

Version 0.3 (July 2011)

Final System Setup: Knoppix 5.3.1/5.1.1 with Live DVD/CD:

* myBitcoinWalletSafeStorage.tc [1 MB] (strongly encrypted by Truecrypt) * myBitcoinAddresses.txt (UNencrypted, intentionally)

... 14ajM1BHY7E8GJ4DGGvtFFGmE15hSSSRJR ... etc.

Read access (for making backups of container file)

Read access (for sending BTCs to these addresses)

Bitcoin donations welcome:

Version 0.3 (July 2011)

Best Practice Example 2: Ubuntu 10.04.2 LTS Bootable USB Stick

Bitcoin donations welcome:

Version 0.3 (July 2011)

Bitcoin donations welcome:

Version 0.3 (July 2011)

Final System Setup: Ubuntu 10.04.2 LTS on USB Stick:

... 14ajM1BHY7E8GJ4DGGvtFFGmE15hSSSRJR ... etc.

Read access (for making backups of container file)

Read access (for sending BTCs to these addresses)

Bitcoin donations welcome:

Version 0.3 (July 2011)

Best Practice Example 3: Knoppix 6.4.4 Bootable USB Stick

Bitcoin donations welcome:

Version 0.3 (July 2011)

Version 0.3 (July 2011)

Final System Setup: Knoppix 6.4.4 on USB Stick:

... 14ajM1BHY7E8GJ4DGGvtFFGmE15hSSSRJR ... etc.

Read access (for making backups of container file)

Read access (for sending BTCs to these addresses)

Bitcoin donations welcome:

Version 0.3 (July 2011)

Summary and Recommendations

Version 0.3 (July 2011)

Annex 1: Workaround if Knoppix 6.4.4 USB Stick does not boot

Version 0.3 (July 2011)

Annex 2: SHA1 Checksums for Linux Bitcoin Client Files

Binary executable files bitcoind:

Bitcoin donations welcome:

Version 0.3 (July 2011)

Version 0.3 (July 2011)

Annex 3.1: Desktop Files

Annex 3.2: Lists of SHA1 Checksums

File://media/truecrypt3/sha1sums_knoppix644usb_uncritical.txt (German version of the Knoppix 6.4.4 CD)

Bitcoin donations welcome:

Version 0.3 (July 2011)

File://media/truecrypt3/sha1sums_knoppix644usb_uncritical.txt (English version of the Knoppix 6.4.4 CD)

Annex 3.3: Shell Scripts

Bitcoin donations welcome:

Version 0.3 (July 2011)

Bitcoin donations welcome:

Version 0.3 (July 2011)

Bitcoin donations welcome:

Version 0.3 (July 2011)

Bitcoin donations welcome:

Version 0.3 (July 2011)