Air-Gapped Raspberry Pi Zero (ZeroTrust Level 5)

Running a Bitcoin Electrum Wallet on a Raspberry Pi Zero has a number of advantages (detailed explanation here on air-gapped computer advantages). First, it doesn’t connect to the internet and has no WiFi or Bluetooth access, so you can safely type your seeds into the device. It’s also good for generating seeds, or calculating checksums if you generate seeds with dice. Keep your wallet files encrypted and the operating system secured with a strong password. Another use for this device is to create sensitive documents, and then encrypt them with GPG encryption. If you are extra paranoid, you may wish to destroy the device and the micro SD card once its purpose is served. You could use it as a signing device, keeping it air-gapped by connecting a webcam, and transmitting data via QR code.

Can’t be bothered option – buy one from me with the hard work done.

There are two options for the Pi Zero Setup. One is much easier but less functional.

Option 1 (Easy) – Summary

This option gives you a Pi Zero computer running Raspbian OS on the microSD card. First, using a regular computer, you’ll need to download the Raspbian Linux operating system, flash it to a microSD card, and then insert that card into the Pi Zero.

You can then copy over any simple software you need (I like Ian Coleman’s BIP 39 open source ‘Mnemonic Code Converter‘ webtool). You can download it using a regular computer (select the ‘save webpage complete’ option), copy it to a brand new and clean USB drive, and copy the webpage across to the Pi Zero. Then you can use the tool in an air-gapped environment.

There is no Electrum Desktop Wallet – it is not possible to simply copy this software over; you have to use option 2.

No further explanation of Option 1 will be given as there is a lot of overlap with the Option 2 method which will be detailed.

Option 2 (Hard) – Summary

This involves doing option 1, and some extra work to install Electrum Desktop Wallet.

You can’t simply download Electrum and copy it over like you can with the webtool in option 1.

The Pi runs on Linux. Linux executable files are called AppImages. These only work on Linux computers that run AMD or Intel CPUs, and maybe some others, but not ARM chips. The Pi has an ARM chip, unfortunately, so the easy AppImage files can’t be used.

We have to run python scripts.

For Electrum there are some files that need to be extracted from the Linux repositories using the command line. The file that gets downloaded depends on the computer’s chip – you don’t get to choose the file version received. We want to get the ARM versions, so we have to connect using a computer with an ARM chip; you can’t use your Windows or Mac computer. You can’t even use a virtual machine of a Raspberry Pi running on Windows/Mac, because the host computer’s chip still gets detected, so the wrong files get downloaded, and they won’t work on the Pi Zero when they’re transferred across (I’ve wasted my time trying).

The best solution I have come up with is to use a Pi 4 computer which many Bitcoiners have as it’s the ideal computer to run a Bitcoin node. The node can temporarily be shut down, a new Raspbian Operating system can be inserted with the microSD card, connect a monitor and keyboard, and you’ll have a Linux operating system on the Pi 4. Using that, you can download the installation files, copy them to a clean USB, and copy them over to the Pi Zero. Then you run a command to install the files.

It’s not easy, but I will break it down into easy steps in this article.

There actually is an easier way, maybe I should have said it earlier, but you wouldn’t have appreciated the solution! You can download the dependency files from my GitHub page to the clean USB, and copy the files across to the Pi Zero (you won’t need to bother with a Pi 4). You’ll still need to read the article to understand how to set up Electrum.

Shopping List:

Option 2 – Detailed Guide

Prepare two SD cards (two operating systems)

Create two identical micro SD card images using any internet-connected computer (eg a Mac or Windows computer). One card for the Pi 4, and one card for the Pi Zero.

Go to https://www.raspberrypi.org/downloads/raspberry-pi-os/ and download Raspberry Pi OS (32-bit) with desktop. The 64-bit version won’t work on the Pi Zero, so make sure you use the 32-bit version. We want the “Raspberry Pi OS with desktop” version. We want as few programs as possible to reduce unknown risks, but just enough for functionality.

NOTE: This guide was created when Raspberry Pi OS was up to the “Buster” edition. It has since been upgraded to the “Bullseye” version which does not support the Pi Zero very well (The browser does not function). You should go to the archive and download the older version. Click on the Archive link as shown below:

Then select the 2021-05-28 version which was the last release of Buster.

Then, download the zip file (green circle, 1.2Gb) and download the hash file (red circle):

Open the hash file with a text editor. The hash of this edition is:

b6c04b34d231f522278fc822d913fed3828d0849e1e7d786db72f52c28036c62

We need to hash the downloaded file (do wait for it to complete downloading or you’ll get incorrect results).

See my article on SHA256 and gpg for background information.

Open the terminal, and navigate to the directory containing the downloaded file (usually, the command is cd Downloads). If this is foreign to you, take a moment to watch this video. Then come back.

Type shasum -a 256 xxxxxxxxx (replace xxxxxxxxx with the name of the downloaded file). There should be a hash output. Check that it is the same as the published hash.
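The comparison above can be scripted so that a mismatch or a mis-pasted hash fails loudly instead of relying on an eyeball check. This is an added example, not part of the original guide; the function names and the image file name in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example: compare a download's SHA-256 with the published value.

# Print the hex SHA-256 of a file using whichever tool is installed
# (sha256sum on most Linux systems, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE PUBLISHED_HASH
# Returns 0 only on an exact match, 1 on mismatch, 2 on unusable input.
verify_sha256() {
    vs_file=$1
    vs_expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    # A SHA-256 digest is exactly 64 hex characters; reject a bad paste.
    case $vs_expected in
        *[!0-9a-f]*|'') echo "published hash is not hex" >&2; return 2 ;;
    esac
    [ "${#vs_expected}" -eq 64 ] || { echo "published hash is not 64 characters" >&2; return 2; }
    [ -f "$vs_file" ] || { echo "no such file: $vs_file" >&2; return 2; }
    vs_actual=$(sha256_of "$vs_file")
    if [ "$vs_actual" = "$vs_expected" ]; then
        echo "OK: $vs_file"
        return 0
    fi
    echo "MISMATCH: $vs_file" >&2
    echo "  published: $vs_expected" >&2
    echo "  computed:  $vs_actual" >&2
    return 1
}

# Usage with the hash quoted above (the file name is a placeholder):
#   verify_sha256 raspios-image.zip \
#     b6c04b34d231f522278fc822d913fed3828d0849e1e7d786db72f52c28036c62
```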

Next, download and install Balena Etcher.

I was unable to find the hash or the digital signature for this.

Etcher is self-explanatory to use. Insert your micro SD card and flash the Raspberry Pi software (.img file) onto the SD card. Do the same for the second micro SD card.

The Pi 4 (Internet-connected Pi)

If you are using the Pi 4 that you normally run your node on, shut it down using the software commands (don’t just pull the plug), then disconnect the external hard drive, and remove the micro SD card from it. Then insert the new micro SD card you just made.

Connect a mouse, keyboard, and monitor.

LASTLY, insert the power cable to switch on the Pi to run Raspbian OS. It is not required to update the software. (If the latest version of Raspbian OS is old, and you are installing a quite new version of Electrum, then I’d update the OS). When the auto-update wizard pops up, cancel it, it’s buggy.

To update the OS

Skip to Electrum instructions if you aren’t updating the OS.

Open terminal

sudo apt-get update

then

sudo apt-get upgrade

then navigate to where the install files are located:

cd /var/cache/apt/archives

then create a directory called temp

sudo mkdir temp

then move the new deb files here.

sudo mv *.deb ./temp/

Electrum:

Next, open the browser, navigate to www.Electrum.org and click the “Download” page:

The Linux AppImage would have been a nice way to download and install Electrum for the Raspberry Pi (it’s just a double click away from an installation with no command line) — but the Raspberry Pi chip architecture is ARM, and AppImages don’t work on ARM machines. So we have to use Python and the command line (explained in the bottom half of the Electrum picture).

Install dependencies

Install the dependencies by copying the command provided on the Electrum website next to the heading “Install dependencies” — do not copy what is shown in this screenshot above; use the current command from the Electrum website because as the software is upgraded, the dependencies might change, and this article might be out of date.

Once you do this there will be new files in

/var/cache/apt/archives/

We will deal with them later.

Then download the package with the wget command as shown on the website, or click the Python Electrum-4.0.3.tar.gz link to download.

Check the signature. This is SUPER important.

Checking gpg signatures is a good skill to have, especially if you are a Bitcoiner. Learn more in my article on this.

Then watch this video to see how I do it. (Note I’m downloading the Mac version here, you need to do the python version)

The steps are shown in the video.

  1. Download the program, signature, and public key all to the same directory.
  2. Import the public key (gpg --import filename_of_publickey)
  3. Verify the signature (gpg --verify filename_of_signature filename_of_program)

Note: in the video, there is only one signature to choose from. Since then, this has changed, and there are now three different signatures to choose from. You only need to use Thomas’s signature.

Make sure the file name matches what you typed in the command line. I find using the <tab> key to autocomplete filenames helps to reduce typos. If you made a typo the autocomplete function doesn’t work, and you’ll realise you made an error somewhere.

You should get a long output that contains the words Good signature from “Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>”

You’ll also see WARNING: This key is not certified with a trusted signature!

Don’t worry about that…

Seriously, it’s normal. It just means you haven’t manually checked with the author that this really is his public key, and you haven’t entered into the keyring that you trust the signature.
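“Good signature” only says the file was signed by a key in your keyring, so the stronger check is to compare the signing key's fingerprint with one obtained from a separate source. The sketch below is an added example, not from the original guide or the Electrum project: it reads gpg's machine-readable status lines, accepts only a valid signature from the pinned key, and skips signatures from the other signers whose keys were not imported. PINNED_FPR is a placeholder and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: accept a release only if the pinned key made a valid signature.

# PLACEHOLDER, not a real value: the signer's full 40-hex-digit key
# fingerprint, obtained from a source other than the download page.
PINNED_FPR="0000000000000000000000000000000000000000"

# check_gpg_status FINGERPRINT   (reads `gpg --status-fd` lines on stdin)
# Returns 0 only if a signature is VALIDSIG for the given key and no
# signature in the file is bad, expired, or made by an expired/revoked key.
check_gpg_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#want}" -eq 40 ] || { echo "fingerprint must be 40 hex digits" >&2; return 2; }
    found=1
    while read -r tag kw f1 rest || [ -n "$tag" ]; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                echo "rejected: $kw $f1" >&2
                return 1 ;;
            VALIDSIG)
                # f1 is the fingerprint of the key that signed; the last
                # field is its primary key's fingerprint (differs for subkeys).
                primary=${rest##* }
                if [ "$f1" = "$want" ] || [ "$primary" = "$want" ]; then
                    found=0
                fi ;;
        esac
    done
    [ "$found" -eq 0 ] || echo "no valid signature from $want" >&2
    return "$found"
}

# verify_release SIGNATURE_FILE PROGRAM_FILE
# gpg's exit status is deliberately not used: signatures from keys that
# were never imported show up as ERRSIG/NO_PUBKEY and are skipped here.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_gpg_status "$PINNED_FPR"
}

# Usage (file names are placeholders):
#   verify_release Electrum-x.y.z.tar.gz.asc Electrum-x.y.z.tar.gz && echo accepted
```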

Move the files

In the terminal, navigate to where the Electrum .tar.gz file was downloaded. Type this to unzip it: tar -xvf ElectrumFileName.tar.gz, or use the graphical user interface to unzip.

We are not going to “install” Electrum. We simply can run it from the command line. Test it now to see if it works. First, navigate to the newly unzipped Electrum directory. You should see a collection of files including the file run_electrum. Next, you can type ./run_electrum or python3 run_electrum. As long as you are in the correct directory, it should work. Shut down the program.

Get a new, unbesmirched, USB stick and format it. (I’ve always wanted to use the word “unbesmirched”!) It’s not absolutely necessary to format, especially if you are using a brand new drive. I just prefer to do it, and you’ve got easy instructions to learn from so why not?

For assistance in formatting an external drive on Linux, go to this guide and scroll to the heading “Preparing the external hard drive”.

Next, in the directory /var/cache/apt/archives/, copy all the files with the .deb extension to a new directory on a USB drive.

To copy files use this command (replace xxxxx with the source, and yyyyy with the destination)

sudo cp xxxxx yyyyy

The USB drive will be located usually at /media/pi/SomeReallyLongStringForTheDrive

Move the files like this:

cd /var/cache/apt/archives/

sudo mv *.deb /media/pi/SomeReallyLongStringForTheDrive

Next, copy the Electrum tar.gz file to the USB drive.

Shut down the Pi OS, you’re done with it. If it was your node, you can swap the micro SD card, plug in the hard drive, and start it up.

The Pi Zero (Air-gapped)

Next, connect up the peripherals to the Pi Zero, insert the other new microSD card that has been flashed with Raspbian OS, and then lastly plug in the power cable.

It will boot up, and you can set the region and keyboard etc. You can’t update the software as it’s disconnected from the internet forever.

Password

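Do set a new password when given the option. This will lock your device from hackers. If you don’t get a prompt to change your password, do it from the terminal like this (run it without sudo, because sudo passwd changes the root password instead of the password of the user you log in with)…

passwd

You’ll be asked for the current password, then given a prompt to enter a new password and confirm it.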

Copy the contents of the USB’s deb directory to any new directory of your choice.

In the terminal, navigate to that directory and type sudo dpkg -i *.deb to install the dependencies.

You can then keep or delete the directory with the *.deb files.

Next, copy the Electrum tar.gz file on the USB to the Raspbian OS Desktop. Extract the file to a directory of your choice.

Finally, you can run Electrum. Navigate to the Electrum directory.

Type ./run_electrum and, hopefully, it should be working. Phew.

When running Electrum from the command line, the terminal window needs to remain open while the program is running; just minimise it. Also, you will see some errors in the terminal window – I have not understood why they appear, but the software works fine, so safe to ignore. Everything Electrum is doing we verify anyway, so no need for security concerns.

Last words

This air-gapped computer will come in very handy.

Learn how to spend using PSBTs here

Learn how to generate seeds safely with this device here (the easy way), or the purist way with dice.

With your internet-connected Electrum Desktop wallet, learn to connect it to your own node here

Appendix A – Physically disable WiFi

Raspberry Pi Zeros seem to have been discontinued. If you manage to get your hands on one, lucky you. If you get a W version (wireless chip), you can remove the chip physically. Here is one way to do it:

After (device above)
Before (device below)
