- Run directly from a DVD or USB stick securely without internet connection.
- Includes relevant tools for cryptocurrencies.
- Inspired by BitKey.
- Based on the amazing NixOS. CryptOS is just NixOS with a specific configuration.
- Runs XFCE by default.

The following sketched steps explain one way to use CryptOS:

- Use public keys on an online computer to create the transactions. Store them on a USB stick with encrypted private keys.
- Boot an offline computer into CryptOS from another USB stick.
- Read and sign the transactions on CryptOS.
- Copy the signed transaction to some online device by using the USB stick or by scanning the QR code.
- Check the transaction data (so you don't need to trust CryptOS) and broadcast it.

NOTE: The private keys can be stored encrypted on the online computer and in multiple places for backup, but never decrypt them on an online computer. Only decrypt on the offline computer.
Available cryptocurrency applications:
It is recommended to build the ISO image yourself. You can easily even modify `iso.nix` to suit your needs. But if you want, you can download a pre-built ISO image from Releases section.
Requirement: nix installed.
Clone this repo:
git clone https://github.com/jluttine/CryptOS.git
cd CryptOS
Build the ISO image:
nix-build
By default, a pinned version of nixpkgs is used. If you don't want to use the pinned version of NixOS and nixpkgs, modify `nixpkgs` in `default.nix`. For instance, if you want to use the nixpkgs of your own system, set:
nixpkgs ? <nixpkgs>
It is also possible to just provide the path to your locally checked-out nixpkgs:
nixpkgs ? "/path/to/nixpkgs"
To build a 32-bit ISO image, modify `system` to `i686-linux`.
The ISO image can be found in `result/iso/`. You can test the built ISO file in a virtual machine. For instance:
nix-shell -p qemu_kvm
qemu-img create -f qcow2 foo.img 20G
qemu-kvm -m 1024 -drive file=foo.img -drive file=result/iso/<ISO-FILE-NAME>,format=raw,media=cdrom
Unmount the device you want to flash the image into. Flash the image to a USB stick:
sudo dd bs=4M if=result/iso/<ISO-FILE-NAME> of=/dev/<USB-DEVICE-ID>
- Add relevant packages. If something is missing from nixpkgs, contribute to upstream.
- How to force building all packages from sources? Would it improve security in some way?

No guarantee about the security of the software is given. Use it at your own risk.

Contributions are most welcome! Just open issues or make pull requests.
NOTE: On old computers, one may need to use the 32-bit version and also enter the `forcepae` kernel option at boot time. If you need to add the `forcepae` option, press Tab when the distro options are listed after boot and then append `forcepae` to the string.
In general, keep view keys on an online computer and spend keys (encrypted) on a USB stick so that the offline live CryptOS can read the spend keys and sign transactions.
TODO
TODO
- Start Electrum.
- Create the transaction in the "Send" tab and press "Pay". Note that Electrum uses mBTC (milli-bitcoin) units.
- A fee dialog opens. Choose the transaction fee and click "Send".
- A window showing the transaction pops up. Choose "Export" -> "Export to file". Choose the ".txn" file type, not ".psbt", and save the file to the USB stick (or save elsewhere and then copy to a USB stick). Safely remove the USB stick.
- Start Electrum ("Applications" -> "Internet" -> "Electrum Bitcoin Wallet"). For the start-up wizard, choose auto-connecting to a server and browse to your spend wallet file on a USB stick (this might be a different USB stick than the one with the transaction file).
- Load the transaction by selecting "Tools" -> "Load transaction" -> "From file" from the menu and choosing the unsigned transaction file from the USB stick (or copy the file from the USB stick elsewhere and load that file).
- Check that the transaction is correct and then sign it by pressing "Sign" and entering the wallet password.
- Save the signed transaction to the USB stick by choosing "Save" and remove the USB stick.
- Load the signed transaction by choosing "Tools" -> "Load transaction" -> "From file" from Electrum menu and choosing the signed transaction file from the USB stick (or, again, first copy the file from the USB elsewhere and then load that file).
- Check that the signed transaction file is still correct.
- Broadcast the transaction by choosing "Broadcast".
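Added example, not part of CryptOS or Electrum: a small independent decoder that lists the outputs of a signed raw Bitcoin transaction, so the "check the transaction data" step on the online computer does not rely on the software that signed it. It assumes you have the signed transaction as raw hex; the names `tx_outputs` and `output_mismatches` and the sample transaction are constructed for illustration.

```python
from collections import Counter

def _varint(buf, pos):
    """Decode a Bitcoin CompactSize integer at pos; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width

def tx_outputs(raw_hex):
    """Return [(satoshis, scriptPubKey hex), ...] of a serialized transaction."""
    buf = bytes.fromhex(raw_hex.strip())
    pos = 4                                    # skip the 4-byte version
    segwit = buf[pos:pos + 2] == b"\x00\x01"   # BIP 144 marker and flag
    pos += 2 if segwit else 0
    n_in, pos = _varint(buf, pos)
    for _ in range(n_in):
        slen, pos = _varint(buf, pos + 36)     # skip previous txid and index
        pos += slen + 4                        # skip scriptSig and sequence
    n_out, pos = _varint(buf, pos)
    outputs = []
    for _ in range(n_out):
        value = int.from_bytes(buf[pos:pos + 8], "little")
        slen, pos = _varint(buf, pos + 8)
        outputs.append((value, buf[pos:pos + slen].hex()))
        pos += slen
    for _ in range(n_in if segwit else 0):     # skip one witness stack per input
        items, pos = _varint(buf, pos)
        for _ in range(items):
            ilen, pos = _varint(buf, pos)
            pos += ilen
    if pos + 4 != len(buf):                    # only the locktime may remain
        raise ValueError("malformed or truncated transaction")
    return outputs

def output_mismatches(raw_hex, intended):
    """Compare decoded outputs with the intended (satoshis, script) pairs."""
    got, want = Counter(tx_outputs(raw_hex)), Counter(intended)
    return {"unexpected": sorted((got - want).elements()),
            "missing": sorted((want - got).elements())}

# Constructed sample (not a real transaction): one input, two P2WPKH outputs.
PAY = (150000, "0014" + "22" * 20)             # 150000 satoshi = 1.5 mBTC
CHANGE = (48500, "0014" + "33" * 20)           # change back to the wallet
def _ser(out):
    return out[0].to_bytes(8, "little").hex() + "16" + out[1]
SAMPLE_TX = ("02000000" + "01" + "11" * 32 + "00000000" + "00" + "fdffffff"
             + "02" + _ser(PAY) + _ser(CHANGE) + "00000000")
```

Any entry under "unexpected" or "missing" means the signed transaction pays something other than what was intended and should not be broadcast. The fee cannot be derived this way, because input amounts are not part of the serialized transaction.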
TODO
TODO
- Start `monero-wallet-cli --daemon-address opennode.xmr-tw.org:18089 --trusted-daemon` from the command line.
- Enter file path to the view wallet, for instance, `path/to/view-wallet`.
- Export all outputs to a file: `export_outputs all monero_outputs`
- Create a transaction, for instance, `transfer ADDRESS_HERE AMOUNT_HERE PAYMENT_ID`. To move all funds, use `sweep_all ADDRESS_HERE PAYMENT_ID`. Note that the payment ID might not be required.
- Copy the outputs file `monero_outputs` and the unsigned transaction file `unsigned_monero_tx` to a USB stick. The files are located under the directory you are running the Monero wallet.
- Plug in the USB stick(s) that contain the wallet file and the files created on the online computer.
- Start `monero-wallet-cli` from the command line in the same directory where you have the files from the online computer. Monero asks for the path to the wallet file, so enter the path to the spend wallet, for instance, `path/to/spend-wallet`.
- Import the outputs file: `import_outputs monero_outputs`
- Sign the transaction file: `sign_transfer`
- Export the key images to a file: `export_key_images all monero_key_images`
- Copy the signed transaction file `signed_monero_tx` and the key images file `monero_key_images` to the USB stick.
- Exit Monero wallet with `q` and shut down CryptOS. (Or shut down CryptOS only after successful broadcasting in case you need to make some fixes on CryptOS.)
- Copy the signed transaction file from the USB stick to the same directory you are running the Monero wallet.
- Import the key images file: `import_key_images monero_key_images`
- Broadcast the transaction: `submit_transfer`
- Exit Monero wallet with `q`. Optionally, delete the signed and unsigned transaction files from your computer and the USB stick.