Make an Air-Gapped Raspberry Pi Zero Bespoke Hardware Wallet

Can’t be bothered option – buy one from me with the hard work done.

Running a Bitcoin Electrum Wallet on a Raspberry Pi Zero has a number of advantages. First, it doesn’t connect to the internet, has no WiFi access, or Bluetooth access, so you can safely type your seeds into the device. It’s also good for generating seeds, or calculating checksums if you generate seeds with a dice. Keep your wallet files encrypted and the operating system secured with a strong password. Another use for this device is to create sensitive documents, and then encrypt them with GPG encryption.

Never store enough keys on this device to allow anyone to spend from it. For example, if you run a 3 of 5 multi-signature wallet, and only keep two keys on the device, even if you mess up and have 2 keys compromised, your funds will still be safe

This simulates having a hardware wallet, without the associated problems with them. Hardware wallets are extremely fiddly to use (especially multisig), sometimes don’t connect properly by USB (especially Ledger), and the firmware changes are a real pain. With a hardware wallet, you are generally trusting it to generate a seed for you – Don’t. Make the seeds yourself. You’ll need this device to do it safely – never use an internet connected device.

Compared to a HWW, using a Raspberry Pi Zero is cheaper, more flexible, but it is fiddly to set up. This article should make it easier (benefit from the pain I suffered). Once it is set up though, it is a joy to use.

This article will guide you with some command line. I promise, it will be easy if you follow the instructions, but I do expect you to know how to navigate around the file system in Linux. If you don’t, then watch this 11 minute video to learn some SSS (super simple stuff) Link. If it’s mildly interesting, watch this one as well, it’s a bit longer Link

IF YOU CAN’T BE BOTHERED, YOU CAN BUY A FULLY FUNCTIONAL PI ZERO WITH ATTACHMENTS AND ELECTRUM INSTALLED. I HAVE LIMITED QUANTITIES.

Get the equipment:

  • The Raspberry Pi Zero (not the Pi Zero W — we don’t want wireless access) Link
  • A Raspberry Pi 4 (The one that you use to run your node is fine, we only need it temporarily. Or any Raspberry Pi with internet access really, even a second Pi Zero with a usb/ethernet adaptor so you can go online.)
  • Power supply with microUSB connection. A phone charger with the right cable will do.
  • A case (optional but better to get it) Link
  • HDMI adaptor Link
  • A Micro USB OTG Hub Adapter (the Pi Zero has only one micro-USB slot) Link
  • Get a few micro SD cards (they come with SD slot adaptors) — You need 2, but spare ones are good to have. Especially if you will run your own node. Link
  • Non-Bluetooth USB keyboard and mouse (you probably have these lying around).
  • USB Pen drive Link
  • A USB webcam such as this one Link (optional for QR PSBTs)

Setup: Internet connected Raspberry Pi OS

Overview of the steps:

  • On a separate computer connected to the internet (Raspberry Pi 3 or 4 with Raspbian OS), install Electrum first. (You cannot use a Windows or Mac, even with virtualisation software.)
  • Transfer the necessary installation files from that computer to a USB drive, and then to the air-gapped Pi Zero.
  • Manually install the files via the command line on that device (explained later).

Prepare two SD cards (two operating systems)

Create two SD card images using any internet connected computer (eg a Mac or Windows computer). One card for the internet connected Raspberry Pi and one card for the Air-gapped Raspberry Pi.

Go to https://www.raspberrypi.org/downloads/raspberry-pi-os/ and download Raspberry Pi OS (32-bit) with desktop. The 64 bit version won’t work on the Pi Zero, make sure you use the 32 bit version.

Next, verify the digital signature. (This makes sure the software you have downloaded has not been tampered with). See my article on SHA256 and gpg for background information.

The digital signature I copied from the website looks like this:

SHA-256:9d658abe6d97f86320e5a0288df17e6fcdd8776311cc320899719aa805106c52

It will be different when there is a new version.

This is different (and slightly less secure than gpg signatures).

Open the terminal, and navigate to the directory containing the downloaded file.

Type shasum -a 256 NameOfTheFile (there should be a digital signature output. Compare it is the same as the published signature)

Next, download and install Balena Etcher. Link

I was unable to find the digital signature for this. If you know how, please let me know and I’ll update this article.

Etcher is self explanatory to use. Insert your micro SD card and flash the Raspberry Pi software (.img file) onto the SD card. Do the same for the second micro SD card.

Image for post

The internet connected Raspberry Pi

If you are using you Pi 4 that you normally run your node on, shut it down, disconnect the external hard drive, and remove the micro SD card from it. Then insert the new micro SD card you just made. Connect a mouse, keyboard, and monitor. Switch on the Pi to run Raspbian OS. It is important to update the software. There is an auto-update wizard, but this regularly fails. If this happens use the command line:

sudo apt-get update

then

sudo apt-get upgrade

then navigate to the where the install files are located:

cd /var/cache/apt/archives

then create a directory

sudo mkdir AnyName

then move the new deb files here.

sudo mv *.deb ./AnyName/

Next, open the browser, and navigate to www.Electrum.org and click the “Download” page:

Image for post

The Linux Appimage would have been a nice way to download and install Electrum for the Raspberry Pi (it’s just a double click away from installation with no command line) — but the Raspberry Pi chip architecture is ARM, and Appimages don’t work on ARM machines. So we have to use Python and command line (explained in bottom half of the Electrum picture).

Install dependencies

Install the dependencies by copying the command provided on the Electrum website next to the heading “Install dependencies” — do not copy what is shown in this screenshot above; use the current command from the Electrum website because as the software is upgraded, the dependencies might change, and this article might be out of date.

Once you do this there will be new files in

/var/cache/apt/archives/

We will deal with them later.

Then Download the package with the wget command as shown on the website, or click the Python Electrum-4.0.3.tar.gz link to download.

Check the signature. This is SUPER important.

Checking gpg signatures is a good skill to have, especially if you are a Bitcoiner. If you have an extra half and hour, watch this video, I find it is a good explanation. Perhaps watch it at 1.5x speed. You can skip this if you like, I’ll be explaining the steps anyway, but not as comprehensively as this video.

On the Electrum Download page, there is a quick blurb about verifying gpg signatures:

Click on the link, ThomasV’s public key, and save the file.

In the command line, navigate to where you downloaded the file. Type

gpg --import ThomasV.asc

To check the fingerprint, type:

gpg --fingerprint

I got this result for Thomas V's key:
 
6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6 

In the command line, options longer than one letter are specified with a two “-”s, and options specified with a single letter are with a single “-”.

Make sure the file name matches to what you typed in the command line. If it is still not working, try making sure the file is saved as a .asc file and not .txt file. That requirement may be operating system dependent, I haven’t checked.

Next, download the signature. It is a link located to the right of the software file download link. The software filename ends in tar.gz The signature is exactly the same filename with a .asc on the end. Make sure the signature file does not end in .txt. Macs like to do that when you download .asc files, so remove the .txt.

Download both the signature file and the software file to same directory, then in the terminal, navigate to that directory.

Type

gpg --verify FileNameOfSignature

Enter the signature file name, not the software file name. This command works if the file name and signature file differ only by a .asc If they don’t, you ned to chance the file name, OR, modify the command like this:

gpg --verify FileNameOfSignature FileNameOfSoftware

You should get a long output which contains the words Good signature from “Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>

You’ll also see WARNING: This key is not certified with a trusted signature!

Don’t worry about that…

Image for post

Seriously, it’s normal.

Move the files

In terminal, navigate to where Electrum .tar.gz file is downloaded. Type this to unzip it: tar -xvf ElectrumFileName.tar.gz

We are not going to “install” Electrum. We simply can run it from the command line. Test it now to see it works. First navigate to the newly unzipped Electrum directory. You should see a collection of files including the file run_electrum. Next, you can type ./run_electrum or python3 run_electrum. As long as you are in the correct directory, it should work. Shut down the program.

Get a new, unbesmirched, USB stick and format it. (I’ve always wanted to use the word “unbesmirched”!). For assistance in formatting an external drive on Linux, go to this guide and scroll to the heading “Preparing the external hard drive”.

Next, in the directory /var/cache/apt/archives/, copy all the files with the .deb extension to new directory on a USB drive.

The USB drive will be located usually at /media/pi/SomeReallyLongStringForTheDrive

Move the files like this:

cd /var/cache/apt/archives/

sudo mv *.deb /media/pi/SomeReallyLongStringForTheDrive

Next, copy the Electrum tar.gz file to the USB drive.

Shut down the Pi OS, you’re done with it.

Setup: Air-gapped Pi

Next, boot up the Raspberry Pi Zero with the other flashed SD card.

Copy the contents of the USB’s deb directory to any new directory of your choice.

In the terminal, navigate to that directory and type sudo dpkg -i *.deb to install the dependencies.

You can then keep or delete the directory with the *.deb files.

Next, copy the Electrum tar.gz on the USB to the Raspbian OS Desktop. Extract the file to a directory of your choice.

Finally, you can run Electrum. Navigate to the Electrum directory.

Type ./run_electrum and, hopefully, it should be working. Phew.

Last word

This air-gapped computer will come in very handy.

Learn how to spend using PSBTs here

Learn how to generate seeds safely with this device here (easy way), or the purist way with dice.

With your internet connected Electrum Desktop wallet, learn to connect it to your own node here

In case you are feeling generous:

Donate Page

%d bloggers like this: