The value of crypto-currency has gone up steeply, making wallets increasingly prime targets for cyber criminals. Now is the time to enhance the security of your crypto assets. This article shows one way to do that.
Unfortunately, all hardware and software has flaws, meaning that any system can be broken and compromised. A time-proven way to stay secure is defense in depth and compartmentalization, i.e. securing your assets with multiple, independent controls that all need to be overcome by a potential attacker.
This technique is implemented by setting up a single Electrum wallet in such a way that two different hardware devices (Ledger Nano S and digital bitbox) are needed to sign outgoing bitcoin transactions.
The setup presented here
0 or 1 hardware devices:
For additional safety, consider keeping one or both hardware devices in a location that’s physically secured (e.g. a bank safe deposit box).
sudo privileges
user (otherwise substitute accordingly in the instructions below)

The steps are as follows:
We will need a few packages that are not installed by default:
zbar-pygtk
python3-btchip
python3-protobuf
python3-qt5
compat-readline6
bzip2-devel

Please install these as follows:
sudo dnf install -y zbar-pygtk python3-btchip python3-protobuf python3-qt5 compat-readline6 bzip2-devel
Then create a symbolic link that will be needed by the digital bitbox software later.
sudo ln -s `find /usr/lib64/ -type f -name "libbz2.so.1*"` /usr/lib64/libbz2.so.1.0
Please install the Chrome web browser from here and choose the "64 bit .rpm (For Fedora/openSUSE)" option. We will use the Chrome browser to run the Ledger Nano apps and test that the device is correctly recognized by our system.
Please set up the device first as described here.
The id command will tell you what your user name and group are, e.g. foo and bar in the example below.
$ id
uid=1000(foo) gid=1000(bar) groups=1000(bar),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Download this file with udev rules (SHA256: f0d007ff0caaecd707f538b11266b8b2ef3436792902c53d394b71f7ed0940f6) and make sure that the GROUP variable is set to your Linux user group (edit the file and replace all occurrences of user with your Linux group name if/as needed).
Once the file is ready, copy it to the appropriate directory and ask the system to load the new rules.
sudo cp <download path> /etc/udev/rules.d/20-ledger-nano.rules
sudo udevadm trigger
sudo udevadm control --reload-rules
Start the chrome browser and install these apps
Now insert the Ledger Nano, provide the PIN and make sure you can see it in the Ledger Manager app (the latter can be started from chrome://apps/). Also, make sure it has the latest firmware.
Last but not least install the Bitcoin wallet application (by clicking the green circle with the little download arrow to the right of the Bitcoin symbol).
This is what you should see if it all works.
Download the file with the udev rules (SHA256: 78db8717d95b078015cfd67acd94a148539e6ba65140dbcc644d6443e398c143) and make sure the GROUP is set to your Linux user group.
Once the file is ready, copy it to the appropriate directory and ask the system to load it.
sudo cp <download path> /etc/udev/rules.d/20-ledger-nano.rules
sudo udevadm trigger
sudo udevadm control --reload-rules
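
The verify, edit and install steps used for both udev rules files can be scripted. The following is an added example, not part of the original article: the function names and the staging file are assumptions, and the demo runs on a constructed one-line rules file with placeholder USB IDs rather than either real download.

```bash
#!/usr/bin/env bash
# Added example: check a downloaded udev rules file against its published
# SHA256, then stage a copy whose GROUP is your own Linux group.

# verify_sha256 FILE EXPECTED_HEX: succeeds only if the digests match.
verify_sha256() {
    local actual
    actual=$(sha256sum -- "$1" | awk '{print $1}') || return 2
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# prepare_rules SRC EXPECTED_HEX GROUP OUT
# Verifies SRC *before* editing it (the edit changes the digest), then
# writes OUT with every GROUP="..." assignment pointing at GROUP.
prepare_rules() {
    local src="$1" expected="$2" group="$3" out="$4"
    case $group in
        ''|*[!A-Za-z0-9_.-]*)
            echo "refusing unexpected group name: '$group'" >&2; return 3 ;;
    esac
    if ! verify_sha256 "$src" "$expected"; then
        echo "SHA256 mismatch for $src, nothing written" >&2
        return 1
    fi
    sed -E "s/GROUP=\"[^\"]*\"/GROUP=\"$group\"/g" "$src" > "$out"
}

# Demo on a constructed stand-in for the download (placeholder USB IDs).
demo() {
    local dir digest
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'SUBSYSTEMS=="usb", ATTRS{idVendor}=="0000", MODE="0660", GROUP="user"' \
        > "$dir/download.rules"
    # In real use this is the SHA256 published next to the download link.
    digest=$(sha256sum -- "$dir/download.rules" | awk '{print $1}')
    prepare_rules "$dir/download.rules" "$digest" "$(id -gn)" "$dir/staged.rules" \
        && cat "$dir/staged.rules"
    # The staged file is what you would then `sudo cp` into /etc/udev/rules.d/.
    rm -rf -- "$dir"
}
demo
```

Check the hash on the untouched download: once GROUP has been edited, the file no longer matches the published SHA256.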
Download the digital bitbox software and run it to set up the device.
This is what you should see if it all works.
4dff75bc5f496f03ad7acbe33f7cec301955ef592b0276f2c518e94e47284f53

Insert and unlock the Ledger Nano and enter the Bitcoin wallet app (the little screen should read: "Use wallet to view accounts"). Also, insert the digital bitbox.
Unpack and run the Electrum wallet
mkdir -p ~/src/ && cd ~/src/ && tar xf ~/Downloads/Electrum-3.0.2.tar.gz && cd Electrum-3.0.2 && ./electrum
You should see the Electrum install wizard now. Click next.
Supply a wallet name of your choosing or accept the default and click next.
Select the "Multi-signature wallet" type and click next.
Leave the "number of signatures needed" as is and click next.
Select the "Use a hardware device" option and click next.
On the "Hardware keystore" screen you should now see both devices. Click next.
When prompted, enter your digital bitbox password and click OK.
Use the digital bitbox seed by leaving everything as is and click next.
The public master key (of the digital bitbox) is displayed now. Just click next.
For the cosigner choose the "Cosign with hardware device" option and click next.
Now select the Ledger Nano and click next.
What you should see now is the following message: "Electrum is generating your addresses, please wait."
And, finally, the electrum wallet!
The wallet screenshot above shows 2 test transactions I made to verify that all works. Yours will be empty.
Make sure that the Ledger Nano is unlocked and running the Bitcoin wallet app. The device may enter stand-by mode after a delay (10 minutes by default).
Do not start using the wallet for any serious amounts until and unless you have tested that it can receive and send bitcoin.