The Frankenwallet

An Encrypted Linux USB Drive for Cryptocurrency Security

Learn to build a Linux USB boot drive as a crypto security sandbox: with cardano-cli for offline key signing, or to isolate Daedalus and other wallets from your main system.

Introduction

This "work in progress" set of web site pages describes how to build an Ubuntu environment on a USB connected drive, for use as a crypto security sandbox in one of two possible configurations: "cold" with cardano-cli for offline key signing and safe key file storage, or "cool" with enough Internet dependency & habitual connectivity to install & upgrade Daedalus and other wallet software while keeping it separate from one's usual computer.

I began documenting this standard in the first 4 epochs of Shelley, while creating the stake pool amidst very real fears about placing my entire life savings into a bare payment key without being able to know if the system I was working on was compromised.  I'd been "locked down" in a country without the ability to obtain a spare computer, so came up with the idea of generating the stake pool keys on a persistent instance of Ubuntu Linux on a USB connected drive.  I realised a modified Linux installation procedure would allow any SPO to create a "cold environment" without needing the hardware of a second machine.

In that same period there was a sadly famous case of a stake pool owner losing a million ada to crypto-key-harvesting malware injected through a Docker script, so I also chose to avoid shared images and scripts which users would be expected to run without being able to tell them apart from look-alike tools planted by attackers.  Therefore the evolving Frankenwallet instructions are, by contrast, procedural or educational - outlining a flexible method for everyone to build their own image, rather than downloading a USB-compatible Ubuntu image which would eventually be subverted somehow.

For non-SPOs, the Frankenwallet will also provide a means of installing Daedalus if they have security reservations about keystroke logging, screen capture, virus infection, or any other means of compromising commercial operating systems such as Microsoft Windows.  Even if a primary computer is known to be infected with such software, and even if the hardware has to be shared with others (like an inner-city library with public computers, or a shared computer in an African village schoolhouse), a safe booting environment for Cardano & other cryptocurrencies can be created with only the cost of a (hopefully fast) USB memory stick and a time commitment to follow the web-site based instructions.

The Frankenwallet: Step-by-Step Guide

TO DO for the author, ASAP (this section last updated 2021-01-03)

  1. break this page into smaller pages, editing into smoother narrative.
  2. update & upload screenshots (need to get proper screen grabs, replacing pics from mobile phone)
  3. create Github page so readers can post feedback, issues with ease of use & security, and other suggestions.

What is it?

Two types of inexpensive & reproducible encrypted boot environment, depending on whether Internet access is ever permitted once it's configured:

  • "cold" environment: Key management, transaction signing & address creation only.
  • "cool" or "Daedalus" environment: An extra partition on which to install crypto wallets & keep sensitive data.

False statement: a USB is only for moving keys between 2 separate machines.

  • CoinCashew > How to build a Cardano Stake Pool > Configure the air-gapped offline machine -
    • "In order to remain a true air-gapped environment, you must move files physically between your cold and hot environments with USB keys or other removable media."
  • It's also a "true" air-gapped environment when your operating system is installed on the "USB key or other removable media" which might also be using the host computer's disk as an extra drive.

Motivation

"This is for people who..."

  • (for the "cold key" tutorial)
    • travel a lot and can't travel with an "extra machine" to use for cold key operations
    • people who can't afford or have space for such a machine
    • people concerned about the security risk on the software they'd normally use for a wallet and/or signing transactions, and who (vitally!) are worried about ever leaving those keys on such a machine
    • people who only have one PC at their disposal and don't mind rebooting the machine to switch between "secure" (transaction signing) and "insecure" (information gathering & transaction submission) environments.
    • people who have a second PC in the house, like a backup or guest machine, but don't want to wipe it out to create a specialised, high security environment that they'll use only once in a while.
    • people who live in disadvantaged countries and communities, such as villages in Africa and Asia, where it's more common to have more than one person per computer... rather than the other way around.
  • (for the "daedalus tutorial")
    • people who don't want to install Daedalus on a computer that has all kinds of untrustworthy software on it (browsers plugins, Zoom & other notorious software)
    • people who don't trust Windows for any of these things but don't want to set up a "dual boot" configuration which requires specialised Linux & system knowledge to fix problems with
  • (for both groups)
    • people who may have a second machine lying around, perhaps someone else's... and want to use it for crypto operations without wiping it out & using it exclusively for that purpose going forward.
  • (for the future, into Goguen)
    • smart contracts will need payment addresses & keys... depending on how your contract works you may need several private keys for Cardano & other blockchains, and will need a place to generate them that's not dependent upon Internet access
    • (Robb Signal 2020-09-20 10PM) e.g. our African brethren may never have the resources to fund their own stake pool, but after Goguen they'll want & need to create smart contract addresses, so will need a "secure environment" to set up those resources... so it won't just be the SPOs that need things like the Frankenwallet & other low budget tools, but those African folks needing to securely set up that infrastructure on practically zero capital ?
  • IT MAY BE TEMPTING to use the same frankenwallet for both Daedalus AND key signing
    • BUT you must remember that Daedalus requires regular Internet access to stay synced, and that connectivity would create an uncomfortable "warm" spot in the "cold" environment we need to maintain for secure key generation & signing.

benefits

  • to have a safe place (an offline cardano-cli, with no running node) to create the wallet keys & build transactions.
    • cardano-cli does not need a synced node, or any node at all, to generate keys, build a raw transaction or sign it; only the protocol parameters and UTxO details, looked up on the online machine, have to be carried across.
    • Transactions can be signed with your key in the wallet partition and then carried to an online, synced node for submission.
  • but “There is no more secure machine than my block producer!”
    • People from your VPS company might be spying on you. Not likely, but would you bet your life savings on it?
  • some people are OK with the only key for their fortune (in the wallet, or in a pledge address) being on a memory stick somewhere.
    • I have seen too many destructions, losses & thefts of personal property in my life to not believe in multi-geographical redundancy for a backup of anything that important.
    • This means the crypto wallet keys and passphrases, and every part of the PKI infrastructure (e.g. Cardano stake & payment signing & verification keys) needed to access them needs to be restorable if I lose everything I have and am reduced to nothing but the clothes on my back plus whatever cloud resources & offsite hard backups I have made.
  • If you are deciding whether to use the frankenwallet or something like it, ask yourself these questions:
    • am I able to reacquire my stake pool pledge payment & rewards account, and recover my Daedalus passphrase or any other vital information, if I lose whatever memory stick it may be stored on?
    • do I have a dedicated machine that can be configured entirely to the purpose of generating and signing these transactions, and used for no other purpose?
  • Nobody needs to know you have one!

nomenclature - so we don't have to keep redefining our terms

  • "frankenwallet"
    • A protocol and set of security recommendations for installing Linux on a removable drive to support either generation and use of Cardano and other cryptocurrency signing keys (the higher security configuration, without Internet access) OR installation of Daedalus (or another heavyweight wallet), which needs Internet access but with no other software installed (a lower security rating, because of the need to connect to the Internet regularly).
  • "host computer" - your native computer that you do stuff on: the one that's not secure enough to install your wallet software or use to generate your cardano keys
  • "host folder" - a folder / directory on the main computer where you can read and write files in both your normally booted computer and the frankenwallet.  This includes:
    • unencrypted files, notes, and web pages saved for offline use (like this one)
    • "hot files" - encrypted with any password you normally enter on the host computer - which may also be decrypted on your host computer (e.g., payment addresses)
    • "cold files" or "cold keys" - ONLY encrypted with the frankenwallet password, which should NEVER be entered on the host computer... and should only be put on the computer with the intention of backing them up.
      • It is a near universal recommendation that you find removable media on which to back up these cold keys, even if encrypted, so you can delete them from your host computer as well.
  • "key files" - these are the private keys that would cause a catastrophe if lost or stolen, including but not limited to:
    • the pool's "cold key" (cold.skey), which signs the certificates that register, change or retire your stake pool
    • the owner's "stake key" (stake.skey), which co-signs the pool registration certificate and controls delegation and reward withdrawals for the pledge address
    • the "payment key" (payment.skey) which can be used to steal all the funds you have pledged to your pool
    • any key generated in the Cardano documentation that ends in the extension *.skey (i.e., a Signing or private key, as opposed to a Verification or public key); the KES and VRF signing keys are the exception, since they have to live on the block producer and are "hot" by design
  • "key operations" - anything you must do that CANNOT be observed, like signing transactions with these key files, encrypting them, or decrypting them.

Comparison with alternatives

what can go wrong with a VirtualBox?  Don't make me laugh... it's more of a reason to cry

  • reference to Jun
  • (TG 2020-10-21) you REALLY should build at least a virtualbox VM in your local machine and use that for transactions (3 months into Shelley...???!!!)

NOTE it probably will occur to you that someone could prepare an ISO with all the settings below pre-set and avoid all the work that thousands of people will have to do in the course of this tutorial.

  • IF THAT IDEA ever appeals to you, please keep in mind the consequences of using such pre-fabricated images, like the infected Docker image that cost one of our Cardano users a great deal.
  • In fact it is thanks to his (Jun ...) bravery in coming forward in a humble, timely, and useful manner that many people were spared the same fate, and in fact he has been the inspiration for this method, which is therefore dedicated to him.
    • Jun (...) whose courage, honesty, and quick response to the Cardano community about his experience of intrusion made me realise I had to develop & document a low cost solution that I hope will work universally for safe key generation and storage.
    • In fact because of his reported experience I didn't want to submit my pledge for the COSD stake pool without first creating this environment.  Not having a "cold" computer I was forced to create this system on what little equipment I had lying around while living in a technologically unsophisticated place: initially, a spare SATA HD drive and a USB-SATA cable I had in my travelling toolkit.

NOTE these instructions will probably serve you just as well on a “junker” machine that you intend only to use for Daedalus and/or other wallets and/or key signing.

  • In that case if it’s a laptop you might want to open it up & actually remove the WiFi card (it’s not enough to disconnect the antenna leads in some cases). We don’t recommend that here since you might want to use the USB based wallet on any number of machines.

SEE Linux > cryptocurrency wallets (security review)

  • "textbook" example = Daedalus, since it's the most "picky" about software environments (no offence intended to the Cardano community)
  • intended for people who can't, won't, or don't want to provision a second "cold" machine for key storage or to keep their Daedalus away from insecure activities on their "daily driver" machine.
  • by creating an OS compartment for the wallet, this is a trivial case of the ideal Qubes approach.
  • personally I don't have a new enough computer to run Qubes with any kind of performance

though it's beyond the scope of this article, this method is usable on any system that's been:

  • set up to "dual-boot" between Windows & Linux
  • used by people who are already in the habit of rebooting to switch between Windows & Linux (or different distros), where it is easily added

how this is better than sandboxing all the “bad” applications that might compromise wallet security:

  • the same method & setup procedure can be used by all members of the same wallet.
    • over time, each community can build up its own procedures for setup & security audit.
  • without virtualisation it's a lot more conservative with the host system resources :)

don't want to rely upon:

  • using memory sticks to save your keys or backups of your keys... these backups (of your wallet passphrases, spending passwords, pledge payment keys & server cold keys) should be free for you to back up over the Net as you do all your other priceless records and data.
    • OK to use memory sticks to boot secure environments (like frankenwallet) or stateless environments (like Tails) to test the password for your encrypted key backups.
    • FUTURE SECTION how to verify your cold key backups on another machine
    • If you can access your network backups, that means you can boot in Tails, download the file, and check your decryption of the cold key files & payment keys there.
      • Why is Tails safe?  It might not be, if tails itself isn't secure... see here and make sure you follow the instructions about correctly installing Tails.
      • Keep in mind this is an additional verification step to verify the integrity of your password-encrypted backups on a potentially different system with a different keyboard, a different copy of the file, etc... basically doing a "dry run" and making sure you can restore that vital password & payment key at some indefinite time in the future.
  • If you don't want to trust Tails, or think there is any chance your installation of Tails could have been contaminated... especially if you have not followed the "Web of Trust" protocol as described here...
    • Your frankenwallet was designed to be portable... so if you have your "hot" key installed on a conventionally
  • a laptop with clipped antennas (since you don't trust what the contaminated OS & downloaded software will divulge)...

remaining risks (for the paranoid), which are no less than the risks of any other system:

  • Your Evil Maid (link) steals your frankenwallet drive and installs something in the unencrypted /boot partition (GRUB, kernel or initramfs) that intercepts your LUKS passphrase as you type it.
  • Your Evil Maid sneaks onto the computer where you use frankenwallet and patches in malicious BIOS/UEFI firmware that can log the key presses even before the kernel is running.
  • This means for the truly paranoid you should make sure that no super-hacking Evil Maids are ever able to physically get to the frankenwallet OR the computer(s) that you use it on.

2 "tracks" of the instructions (like a flowchart)

  • 1: a place to set up your Daedalus
  • 2: a place to run cardano-cli and sign transactions.
    • for now, anyone that needs to sign & submit transactions manually.
    • primarily for stake pool owners & operators now
      • but someday when Cardano provides other Level 2 services, the need to provide a secure environment for transaction signing will be increasingly important.

System requirements

specifications - TODO move the “security” generalities to Linux folder

  • just an Internet connection and a GUI for Daedalus, with nothing else installed that could cause application leaks, key / screen logging, etc.
  • if you delegate through Daedalus, the funds must be in a Daedalus wallet (with cardano-cli you can instead sign a delegation certificate offline with your "cold" stake key)
  • create a LUKS encrypted partition to make sure other OSs can’t read the wallet data
    • not a great security risk in itself, since the wallet data alone wouldn’t allow funds to be spent without the spending password.
  • Q: is Fedora or Ubuntu more fundamentally secure? (2020-06-20: only 2 supported distros)
  • (assuming Ubuntu best choice) install security hardened Ubuntu
    • this is the greater risk... habitual wallet access on a “desktop” computer has too many opportunities for even temporary security leaks to:
      • log the Daedalus spending password (especially if it’s used anywhere else)
      • read the wallet passphrase either from the screen or the keyboard when verifying it
      • key-log the password used to encrypt the file that stores the wallet passphrase(s)
  • so separate backups must be made of this data on the encrypted partition itself -
    • then the encrypted file can be copied back to the unencrypted drive to include in regular backups
    • that means NEVER read that file on the “dirty” desktop or type its decryption password.
      • the fact that the backup file can’t be verified in multiple places also means I’d probably want to have a paper backup somewhere (unrecognisable).

Will this procedure (ever) work on a Mac?  Maybe someday...

Why Ubuntu, and why not Xubuntu?

  • Ubuntu is the most widely used Linux so there are the greatest amount of people already knowing it AND the greatest number of help articles available for people that need help doing ordinary things with it.
    • e.g. not every question about how you might install/uninstall packages, get around the window interface, and use other software & devices can be answered in the course of these tutorials... so you'll have plenty of help if you need it from other sources.
  • Xubuntu is more efficient & will work better when bandwidth to your USB drive is lower, but because it uses the Xfce desktop it won't look & work the same, which is an issue for new Linux users.
    • If you want to substitute Xubuntu for the installation & security steps, it should work just as well, and the cardano-node build and Daedalus installation are both supported on Ubuntu regardless of the desktop difference.

does AUTORUN ever happen in Ubuntu?

  • Yes, if you don't untick the box "automatically run programs from removable media" (Settings > Removable Media)... which removable media can easily trigger here, e.g.:
  • repeated again, on StackOverflow (probably the original... TO CHECK DATE)
    • confirming YES that autorun happens, and I have seen that YES IT IS THE DEFAULT to leave this box ticked in Ubuntu 20.04 !!!
    • it's been the default since at least Ubuntu 16 (old bug report).
  • This Ubuntu doc confirms that "you will always be prompted" before it automatically runs anything, so the exposure is a user clicking through the prompt, plus the attack surface of automounting and thumbnailing an untrusted filesystem at all.
  • TO TEST to see if I can get a memory stick to do this in Ubuntu 18 OR 20, and what the dialog box looks like.
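
The check and the fix for that setting, as an added example (not code from the original page): the three gsettings keys are GNOME's real org.gnome.desktop.media-handling keys, and the pass/fail decision is kept in a plain function so it can be exercised without a desktop session.

```shell
#!/bin/sh
# Added example, not from the original page: audit and harden the GNOME
# removable-media behaviour behind the "automatically run programs from
# removable media" checkbox.  The three gsettings keys are the real
# org.gnome.desktop.media-handling keys; the pass/fail decision is a plain
# function so it can be checked without a desktop session.

SCHEMA=org.gnome.desktop.media-handling

# media_hardened AUTOMOUNT AUTOMOUNT_OPEN AUTORUN_NEVER
# Arguments are the three key values as gsettings prints them ("true"/"false").
# Returns 0 only when nothing happens on insertion: no automount, no file
# manager window, and no autorun prompt (so there is nothing to click through).
media_hardened() {
    [ "$1" = "false" ] && [ "$2" = "false" ] && [ "$3" = "true" ]
}

# media_current: print the live values, one per line (needs a GNOME session).
media_current() {
    gsettings get "$SCHEMA" automount
    gsettings get "$SCHEMA" automount-open
    gsettings get "$SCHEMA" autorun-never
}

# media_harden: apply the conservative settings to the current user.
media_harden() {
    gsettings set "$SCHEMA" automount false
    gsettings set "$SCHEMA" automount-open false
    gsettings set "$SCHEMA" autorun-never true
}

# audit_media: HARDENED (0), NOT-HARDENED (1), or NO-GSETTINGS (2) when run
# somewhere without GNOME, e.g. a server or a container.
audit_media() {
    command -v gsettings >/dev/null 2>&1 || { echo NO-GSETTINGS; return 2; }
    set -- $(media_current 2>/dev/null)
    if media_hardened "$1" "$2" "$3"; then echo HARDENED; return 0; fi
    echo "NOT-HARDENED (automount=$1 automount-open=$2 autorun-never=$3); run media_harden"
    return 1
}

audit_media || true   # report only; call media_harden yourself after reading it
```

Run it as the user who will log in to the frankenwallet desktop (gsettings is per user), and re-run it after any Ubuntu upgrade, since a desktop reset can put the defaults back.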

Preparation - workflow, passwords, and background info

Come up with a distinctive password

  • that you have never used on the Internet or typed on an Internet connected machine
  • has enough entropy to make you feel comfortable entrusting your life savings to it
    • LUKS stretches the passphrase with a key derivation function (PBKDF2, or argon2id on LUKS2) to produce the AES-256 key, so the passphrase is the weak point, not the key length: roughly 25 characters chosen at random from the full printable keyboard set (about 160 bits), or many more words than that if you’re using a phrase composed of dictionary words & names (a word picked at random from a 7,776-word list adds only about 13 bits, and a word you chose yourself adds less)
  • that we will be using, to help you remember it easily without referring to written notes or other storage:
    • when you start your encrypted “wallet partition”
    • for your Daedalus spending password
    • to encrypt your “cold keys” (stake keys, payment keys, etc...), either as you prepare them or when you’re backing them up from your stake pool host.

security considerations - left to the advanced reader

  • think of a password you’ve never used or typed over the Internet before. This can be all of the above:
    • decryption password for the whole drive itself
      • If that password can be keylogged from BIOS then the whole issue is moot since it could be keylogged when the OS is running as well.
      • Therefore there’s no advantage in having this be different than either notes or wallet passwords.
    • “notes” password used to encrypt
      • LibreOffice file(s) with wallet-related & confidential data, especially
        • wallet seed phrase(s)
        • any documents to keep backups of.
      • If there’s a bug in LibreOffice that allows that password to be intercepted / logged, then it would be also moot to keep it different than the “wallet” password since the wallet phrase would also be readable and it could be used to construct a new wallet somewhere else.
    • finally, the wallet spending password.
  • install Ubuntu (LUKS password entered at OS installation time).
  • the most practical method: let the installer encrypt the “whole disk” on a removable drive.

The Ubuntu installer’s Encrypt Disk option also doesn’t encrypt /boot (the kernel, initramfs and GRUB’s second stage), as admitted here in the Ubuntu documentation, but that is not a problem as long as you adhere to this rule:

  • NEVER BOOT ANY OTHER OS WITH THIS DRIVE ATTACHED as you normally would an “external” drive... since a security breach on that system would be able to invade by injecting files into the unencrypted /boot, so they’d start up the next time you booted from your wallet drive.
  • It is technically possible for /boot to be encrypted as well: GRUB can unlock a LUKS volume itself (LUKS1, and LUKS2 with PBKDF2 from GRUB 2.06) on both BIOS and UEFI machines, but the Ubuntu installer does not offer it, and the GRUB core image or EFI binary that does the unlocking stays unencrypted regardless. At the time of this writing the installer therefore has no way of encrypting the entire disk (only the root and user files) including the boot partition.
  • BUT THAT’S OK because ... as long as this disk is only used when it’s the boot drive, no other system has access to your system files & keys (which are encrypted) or to /boot (which is not).
  • IT MAY OR MAY NOT provide UEFI secure boot, depending on what kind of computer you have & its BIOS settings. For more information see here. (we will check later to see if this limitation applies to the environment that you build).
    • since you’ll be able to use the partition in more than one system, think where you’ll use it the most...
    • if you’ll be using it on a newer kind of system with UEFI installed to boot,
      • drawback: you’ll only be able to boot your wallet drive on computers with UEFI enabled.
    • if you’ll be using it mostly on older systems, set the BIOS to “Legacy mode” (if it isn’t already) so it doesn’t boot the Ubuntu installer with UEFI and then make UEFI a dependency of the installed drive.
      • drawback: the drive will only boot on computers that still offer legacy (CSM) boot, which newer machines are dropping.
        • being limited to booting from it is no real loss, since mounting the drive from another computer’s OS is exactly what the rule above forbids.
    • in either case it’s best to plan for the worst case scenario of only being able to use this “wallet drive” on the computer on which you install it.
      • that’ll go better anyway since you’ll be able to set it up to work with that host computer’s unencrypted partitions, to back up your (always encrypted!) files there for safe backup over the Internet and using other media.
  • One way to avoid leaving your frankenwallet in the computer when NOT booting with it:
    • go into your computer’s BIOS settings and give the USB connected drives a higher boot priority than the one that stores your regular operating system.
    • This way if it’s plugged in when the computer starts, it’ll boot from there... and if you didn’t intend to do that you’ll be able to shut your computer down again & remove the frankenwallet.
    • the flip side: a computer that prefers USB boot will just as happily boot any stick someone else plugs in, so on a shared machine keep that in mind and consider a BIOS password.

keep in mind: if this drive is ever attached to an infected system, that infection can modify GRUB, the kernel or the initramfs in the unencrypted /boot and inject code at your next boot, whether or not the wallet root partition is itself encrypted (Full_Disk_Encryption_Howto_2019)

  • ManualFullSystemEncryption (another Ubuntu up to date article... installer not mentioned)
  • Migrating an unencrypted PureOS Debian install to fully encrypted -
  • If you want to encrypt the partition created here, that’s left as an exercise for the reader, since as this article says there are too many variations of the procedure that depend on the hardware that you have.
  • The installer used to offer encrypting just the home directory (ecryptfs) on an otherwise plain install, but that option was dropped in 18.04 and you now have to encrypt the whole installation.
    • Unfortunately that doesn’t help us isolate the first partition from the second, since we’d be decrypting the whole drive at boot time, which would then give malware the opportunity to install itself on the wallet partition.
  • another treatment (Encrypting disks on Ubuntu 19.04)
    • pictorial... involves gparted setting up partitions by hand
    • this method is based on “Dropbox script” in the ManualFullSystemEncryption article, with command text & screenshots.
    • BUT the method requires leaving the /boot directory unencrypted... so is there any real security here?
      • NO by our standards, since the “daily driver” machine wouldn’t withstand the cryptocurrency-searching malware that caused (the Korean guy’s) theft from a compromised VM on his computer.
      • We’d be in a no-different situation because the extra partition would be just like a VM.
        • without a “chain of trust” all the way from boot time, you’d never know whether the disk had been tampered with at boot time.
        • without an encrypted /boot you’d never know whether GRUB had been modified to compromise the booting of the encrypted root.
  • I can’t guarantee that even part of a disk would be usable as non-encrypted if the “whole disk” Ubuntu install option were selected.
    • Therefore that’s what we’ll have to do: install on extra HD with a USB3 cable.
  • THE STARTING POINT I’D RECOMMEND TO OTHERS:
    • probably would get really good results on a USB3 memory stick but I can’t spare mine right now :(
    • Get a FAST memory stick and it'll save you the trouble of slow "garbage collection" like I have seen using a USB cable & rotational drive.  Periodically it will need to flush the cache from memory out to that slow rotational disk and you don't want the anxiety of waiting for an important file to save, or to wait while Linux hangs unresponsive.
    • HUGE advantage... it’ll work with ANY computer... just boot off of it, keep that memory stick like a USB wallet... and it’s a lot cheaper!
  • unless you can BE SURE (as illustrated below) that your /boot partition is encrypted, don’t ever attach this drive to any computer or mobile device unless 1) that device is turned off and 2) you plan to boot from it!
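
Since /boot stays unencrypted on this drive, the compensating check a practitioner would add is a hash manifest of /boot kept inside the encrypted root, taken right after installation and compared at every login. The script below is an added example, not code from the original page: BOOT_DIR and MANIFEST are assumed defaults, and the demo at the end runs over a constructed /boot-like directory rather than a real one.

```shell
#!/bin/sh
# Added example, not part of the original page: hash manifest for the
# unencrypted /boot partition, stored inside the LUKS root, to notice a
# modified GRUB, kernel or initramfs at the next login.  It detects tampering
# after the fact only: it cannot stop a patched bootloader from capturing the
# passphrase already typed into it, and it sees nothing a malicious
# BIOS/UEFI does.  BOOT_DIR and MANIFEST are assumed defaults; adjust them.

BOOT_DIR="${BOOT_DIR:-/boot}"
MANIFEST="${MANIFEST:-/root/boot-manifest.sha256}"   # on the encrypted root

# boot_baseline DIR OUT: one "sha256  ./relative/path" line per regular file,
# sorted by path so two runs over the same tree compare line for line.
boot_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# boot_verify DIR MANIFEST: 0 if DIR matches the manifest exactly; 1 with a
# report of changed, removed and added files otherwise; 2 if no manifest.
boot_verify() {
    dir=$1 man=$2
    [ -s "$man" ] || { echo "no manifest at $man: run boot_baseline first"; return 2; }
    now=$(mktemp)
    boot_baseline "$dir" "$now"
    if diff "$man" "$now" >/dev/null; then
        rm -f "$now"; echo "$dir unchanged since baseline"; return 0
    fi
    echo "$dir CHANGED since baseline:"
    diff "$man" "$now" | grep '^[<>]' | sed 's/^< /  recorded: /; s/^> /  now:      /'
    rm -f "$now"
    return 1
}

# demo_boot_check: constructed /boot-like tree (not a real one): take a baseline,
# then make an evil-maid edit to grub.cfg and drop in a new module file.
demo_boot_check() {
    d=$(mktemp -d)
    mkdir -p "$d/boot/grub"
    printf 'pretend kernel\n' > "$d/boot/vmlinuz"
    printf 'set root=(hd0,1)\n' > "$d/boot/grub/grub.cfg"
    boot_baseline "$d/boot" "$d/manifest"
    boot_verify "$d/boot" "$d/manifest" >/dev/null && before=clean || before=dirty
    printf 'insmod keylogger\n' >> "$d/boot/grub/grub.cfg"
    printf 'x' > "$d/boot/grub/keylogger.mod"
    boot_verify "$d/boot" "$d/manifest" >/dev/null && after=clean || after=dirty
    rm -rf "$d"
    echo "$before $after"   # expected: clean dirty
}

demo_boot_check
# Real use, as root, once the install is done and after every kernel/GRUB update:
#   boot_baseline "$BOOT_DIR" "$MANIFEST"
# and from a login script:
#   boot_verify "$BOOT_DIR" "$MANIFEST"
```

The check is only as good as the baseline, so take it before the drive ever leaves your control, and re-take it deliberately after each apt upgrade that touches the kernel or GRUB (which legitimately rewrites /boot); an unexpected difference at any other time means the drive was attached to something else and should not be trusted with key operations until rebuilt.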

references & things you should know (external “nofollow” links)

  • How to download & install Ubuntu
  • How to get around on the Linux command line
  • How to edit a file (probably nano)
  • How to get into your computer’s BIOS settings

Preparation - equipment

zero-write the drive first.  Why?

  • How would you feel about some executable code with government mandated spyware on your disk... ready at a certain location in that partition to be linked to?  Zeroing removes whatever the drive shipped with; note that on flash media (memory sticks, SSDs) wear levelling means one pass of zeros is not a guaranteed erase of data that was written earlier.
  • You will also have the opportunity to do this in the creation of your encrypted root, but it may take longer.
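
The step most likely to go wrong here is zeroing the wrong disk, so the added example below (not code from the original page) puts the safety checks in front of dd: the target must be a whole disk, attached over USB, with nothing mounted from it, and you must type its name back before anything is written. Device names such as sdb are assumptions; read them off lsblk on your own machine and compare model and size with what you noted for the internal drives.

```shell
#!/bin/sh
# Added example, not from the original page: check the target before zero
# filling it, and refuse anything that is not a whole disk attached over USB
# with nothing mounted from it.  Device names are assumptions: look at
# `lsblk -d -o NAME,TRAN,TYPE,SIZE,MODEL` on your own machine and compare the
# model and size with what you wrote down for the internal drives.

# wipe_allowed NAME TRAN TYPE MOUNTS
# Pure decision on lsblk's columns, so it can be tested without a real drive.
wipe_allowed() {
    name=$1 tran=$2 type=$3 mounts=$4
    [ "$type" = "disk" ] || { echo "$name: refusing, not a whole disk ($type)"; return 1; }
    [ "$tran" = "usb" ]  || { echo "$name: refusing, not attached over USB ($tran)"; return 1; }
    [ -z "$mounts" ]     || { echo "$name: refusing, something is mounted from it: $mounts"; return 1; }
    return 0
}

# mounted_on NAME: space separated mountpoints of the disk and its partitions
# ("" when nothing is mounted).
mounted_on() {
    lsblk -n -o MOUNTPOINT "/dev/$1" | sed '/^ *$/d' | tr '\n' ' ' | sed 's/ $//'
}

# zero_fill NAME: full-device zero write after the checks and a typed
# confirmation (run as root).  dd stops with "No space left on device" when
# it reaches the end of the drive; that is the expected finish.
zero_fill() {
    dev=$1
    tran=$(lsblk -d -n -o TRAN "/dev/$dev")
    type=$(lsblk -d -n -o TYPE "/dev/$dev")
    wipe_allowed "$dev" "$tran" "$type" "$(mounted_on "$dev")" || return 1
    lsblk -d -n -o NAME,TRAN,TYPE,SIZE,MODEL "/dev/$dev"
    printf 'Type the device name again to zero-fill it: '
    read -r confirm
    [ "$confirm" = "$dev" ] || { echo aborted; return 1; }
    dd if=/dev/zero of="/dev/$dev" bs=4M status=progress conv=fsync
}

# usage: sudo sh zero-usb.sh sdb
if [ -n "${1:-}" ]; then zero_fill "$1"; fi
```

A USB-to-SATA cable shows up as TRAN=usb like a memory stick does, which is exactly what you want here: an internal SATA or NVMe drive is refused even if you typo its name.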

get a drive having at least 32Gig on it. Space considerations:

  • 8G for OS, may grow to 10 (we won’t be installing apps there, no desktop usage, no fun & games) (allow 12)
  • 4G for the software build
  • 5G (circa 2020-08) and growing for the blockchain (allow 8GB), if you’re installing cardano-node
  • 5G (circa 2020-08) for Daedalus’s copy of the blockchain (allow 8GB), if you’re installing Daedalus
  • add that once for Daedalus, once for cardano-node, or twice if you’re installing both (10GB)
  • add some swap space if you will be running the cardano-node or Daedalus, each of which may use as much as 10GB virtual memory
    • as of original writing time, there are reports of 4G system memory + 4G swap still crashing the node during peak memory usage, so 10G total memory use is a reasonable requirement.
    • i.e. to use in a computer with 4GB RAM, you should plan to create 6GB swap space
    • if you’ve got 8GB RAM, you should have 2GB swap, for those rare times it goes over the current limit.
  • so generally a 32GB drive will do, while a 64GB drive will be more future-proof.
  • I have tried this with the lowest bandwidth drive / interface combination I could think of, to document what could be possible along with what to do in case of any practical failures:
    • a 500GB extra HD (like people have hanging around in piles of junk, if not in your own house then computer & mobile phone shops)
    • a USB-to-SATA cable.
    • If you are living in a modern Western location (I currently am not) it’s best to run out right now and get a USB3.0 drive with high certified write speeds, so the result of this process will be something you want to keep for a while.
      • one consequence of using old/slow drives & memory sticks, or a SATA cable with a crappy old rotational drive, is that you may have to do more cleanup by hand (forward reference to manual fsck on encrypted root partition)

download Ubuntu & checksum (e.g. 20.04.1 LTS with checksums)

  • verify the SHA-256 checksum, and ideally the GPG signature on the checksum file, according to your own requirements
  • write it onto your favourite media & boot from it on the computer you’ll be creating the extra partition on.
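
What "verify checksum and/or GPG signature" looks like as a script, added here as an example and not code from the original page: the digest check matches the whole file name in SHA256SUMS (Ubuntu writes "<sha256> *<name>"), so a sum for a different image in the same file is never mistaken for this one, and the signature check is the gpg command from Ubuntu's own tutorial. File names are assumptions; the demo uses constructed stand-in files, not a real image.

```shell
#!/bin/sh
# Added example, not from the original page: verify a downloaded Ubuntu ISO
# against the release's SHA256SUMS file, and the SHA256SUMS file against its
# detached signature.  File names here are assumptions; fetch SHA256SUMS and
# SHA256SUMS.gpg from the same release directory as the ISO, and compare the
# signing key's fingerprint with the one Ubuntu publishes before trusting it.

# iso_hash_ok ISO SUMS: 0 only if SUMS has a line for ISO's basename (Ubuntu
# writes "<sha256> *<name>") whose digest matches.  Matching the whole name
# stops a sum for a different image in the same file from being mistaken
# for this one.
iso_hash_ok() {
    iso=$1 sums=$2
    name=$(basename "$iso")
    expected=$(awk -v f="$name" '$2 == ("*" f) || $2 == f { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums"; return 1; }
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then echo "$name: sha256 ok"; return 0; fi
    echo "$name: sha256 MISMATCH (expected $expected, got $actual)"; return 1
}

# sums_signature_ok SUMS SIG: verify the detached signature; the signing key
# must already be in your keyring for gpg to report a good signature.
sums_signature_ok() {
    gpg --keyid-format long --verify "$2" "$1"
}

# demo_iso_check: constructed stand-in files, not a real image: a good
# download, then the same file with one byte appended.
demo_iso_check() {
    d=$(mktemp -d)
    printf 'stand-in for an ISO image\n' > "$d/ubuntu-test.iso"
    h=$(sha256sum "$d/ubuntu-test.iso" | cut -d' ' -f1)
    decoy=$(printf '%064d' 0)
    printf '%s *other-image.iso\n%s *ubuntu-test.iso\n' "$decoy" "$h" > "$d/SHA256SUMS"
    iso_hash_ok "$d/ubuntu-test.iso" "$d/SHA256SUMS" >/dev/null && a=ok || a=bad
    printf 'x' >> "$d/ubuntu-test.iso"
    iso_hash_ok "$d/ubuntu-test.iso" "$d/SHA256SUMS" >/dev/null && b=ok || b=bad
    rm -rf "$d"
    echo "$a $b"   # expected: ok bad
}

demo_iso_check
# Real use, in the download directory:
#   sums_signature_ok SHA256SUMS SHA256SUMS.gpg && iso_hash_ok ubuntu-20.04.1-desktop-amd64.iso SHA256SUMS
```

Do the signature step first: a matching checksum only proves the ISO is the one the SHA256SUMS file describes, and it is the signature that ties that file to Ubuntu rather than to whoever served the download.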

on your computer:

  • Make sure you do a full backup of every partition on your target computer, including the partitions you don’t think you’ll be affecting (you, or the computer, might make a mistake in the partition that it affects, wipes out, or installs the new OS on).
  • Be sure you note the manufacturer and disk size of your computer’s internal drives... it will help to avoid overwriting them by accident or error during the installation procedure.
  • Save a copy of these instructions where you can find them on your computer after it reboots from the wallet partition (since you can add that partition later to transfer unimportant or encrypted files between the secure & insecure partitions)
  • To make things easier later, you can also install:
    • (if building the cardano software) a copy of the official Cardano node installation instructions;
    • (if installing Daedalus) a copy of the installer (checking signature and/or checksum)

procedure

shut the computer down & disconnect it from the Internet

  • attach your boot media
  • attach your new drive
  • boot off of your Ubuntu installation media.
  • TAKE SCREENSHOTS FROM THE INSTALLER NEXT TIME I’m doing this
    • ... just remember to zip up & transfer them out of the Pictures directory before they get lost with the Ramdisk when the system boots.
    • keep them in PNG since they’ll be in unusually good clarity.

installation screens

  • “Install” Ubuntu rather than just trying it
  • select keyboard layout
  • Wireless - DO NOT connect
    • NOTE it might only ask you this if it determines that you don’t have a cabled Internet connection... so if you get that screen it’s a good chance to double check that the cable is unplugged!
    • so move on saying “I don’t want to connect to a WiFi network right now”
  • Updates and other software
    • select Minimal software installation
      • LibreOffice may be an exception to what we’re excluding, and has AES encryption on *.odt files which can be acceptable places to store keys and passwords, if handled properly.
      • but don’t worry, if you need LibreOffice for this you can install the package during the “one connection to the Internet” stage. The rest of the utilities
    • do NOT tick (as you normally would) the option to “third party hardware for graphics and WiFi”
      • unfortunately closed source can be subverted with no accountability
      • the last thing you will need is for WiFi to be active when you’re booted from this partition... it would be a blessing if Linux doesn’t have a driver for your WiFi chip.
  • Installation type: here you have to be very careful not to wipe out what’s on your host computer!
    • tick “Erase disk and install Ubuntu” ... DON’T WORRY it will ask you later which disk to do that on... whether your external drive or any of the internal ones.
    • hit the button below that option, “Advanced Features” (which will currently say “None selected”)
    • tick “Use LVM with the new Ubuntu installation”
    • tick the option below: “Encrypt the new Ubuntu installation for security”
    • Don’t hit the Continue button unless you can verify it now says “LVM and encryption selected” under Advanced options.
  • Enter the high-security volume decryption key you have prepared in advance.
    • Last bit of advice: you’re welcome to use this same key for other encryption & keys within the wallet partition only, e.g. a Daedalus spending password, but don’t use a password that you’ve set up in another Daedalus wallet.
    • Again being pedantic: we are assuming all other computers, wallets and servers where you may have entered other passwords have been compromised in one way or another without being detected.
    • No need to tick the box for “Overwrite empty disk space” since that only makes a difference to the visibility of OLD data.
      • The warning “For more security” refers to the security of data that was previously stored on this drive, NOT the security of the data or environment that we’re creating anew.
  • Finally, choose the external drive from the list of available disks.
    • WARNING it will allow you to choose your internal OS disk and/or the drive with all your files on it with very little warning.
    • Make sure you have a match for both the size and the manufacturer of the external drive (sometimes shows as the manufacturer of the USB cable or hub it’s connected through).
    • Also compare your choice to the list you made of your computer’s internal or habitually connected drives... and be sure whatever you select is not one of them unless you intend to do so (i.e. if your computer has a second, unused disk and you want to install the wallet partition on it).
  • hit “Install now”
    • Continue to confirm the partition creation.
    • NOTE you can get strange errors if you hit Back at the very last stage (this happened to me because I wanted to get 1 or 2 more screenshots). If you get a message something like “cannot create LVM group” or “volume group”, restart the system and go through the installation procedure again with the same settings as above.
  • select time zone
    • It will greatly improve the speed of installation & updates if you select the location where the computer is actually installed (it chooses package servers based on your answer here).
  • and enter basic user information - none of this really matters, except:
    • you should enter the high-security password also for your user password.
      • This means anyone using your setup when it’s unattended will have to enter your password to escalate to root privileges.
    • however since nobody can get into that environment without booting up with the same password, you can safely tick the option “Log in automatically” (rather than the generally better default “Require my password to sign in”), saving you having to enter your (hopefully) very long & complex password twice whenever you use the wallet partition.
  • errors seen during installation (inconsequential) in 20.04.1 release
    • “wspanish” package has a dependency problem. If it stops the installation to complain about this, just ignore the problem and click Continue.

Boot the computer from the new drive (OK to leave Internet connected here, we’re doing legitimate software updates & installations)

  • If you have another Ubuntu installed, the new one will be first on the boot menu list.
    • At the time of this writing, the default GRUB installs the partition name as “Ubuntu”.
    • It’s probably better to leave it called this than something attractive to hackers and thieves like “My encrypted wallet partition”, but the documentation for GRUB explains how you can change it.
  • The first start-up says it has to “do filesystem checks - Ctrl-C to interrupt”... it’s important that this passes before proceeding, so don’t interrupt it.
  • There is a program called Welcome to Ubuntu which shows as a tab all the way on the left on the top bar. You should be able to “Quit” the dialogue that follows, but currently this has no effect. So you must answer these questions manually, hitting “Next” each time:
    • DO NOT link with any online accounts (obviously)
    • DO NOT set up Canonical Livepatch which would be almost as bad (you will be patching soon, and possibly at other well defined intervals)... just hit Next
    • NO don’t send system info.
    • LOCATION services disabled by default: of course leave them that way.
    • finally click Done.
  • if it complains about any missing packages during the installation:
    • if reporting a System Error, tell it to ignore the error as well as reports of it in the future.
    • With the 20.04.1 release we’ve seen this happen with:
      • “wspanish” package as you may have seen during installation time.

system settings

  • look for any WiFi button in the right corner, right-click and DISABLE IT (menu selection = Turn Off).
    • Likewise with Bluetooth.
  • GNOME will show an Airplane symbol when both WiFi & Bluetooth are turned off, automatically engaging "Airplane Mode".
    • You can think of this as "cleared for takeoff"
    • BUT ONLY say that for the "key operations" configuration
  • When you get a message from the Software Updater, make sure that service is disabled (since it’s useless when this OS will be mainly disconnected from the network). Either:
    • wait for it to pop a notification about software updates, which it will some time after you do that “apt update”, and click it
    • that notification will go directly to the Software Updater settings dialogue box (see photo),
      • or you can go to it anytime by clicking the Settings button in the upper right corner (see photo) and selecting Software & Update and then the Updates tab.
  • Make sure the box is un-ticked for Proprietary Drivers (closed source... it could be subversive or contain spyware).
    • on Ubuntu Software tab:
      • I’ve seen this box ticked recently in 20.04 even though NOT selecting the “Proprietary drivers” box at installation time!
      • You may also feel comfortable unticking the selections for “Community-maintained” software but you may have to add a lot more packages manually if so.
      • also (on the same tab) Untick the box for the media you just installed from since we’ll never be connecting it again.
    • on Other software:
      • make sure both boxes are un-ticked for Canonical Partners software (i.e. companies like Google, Microsoft, Adobe, Dropbox, you get the idea)
    • on Updates tab:
      • Automatically check for updates: Never
    • Close, and when it pops up a message about “information about available software is out-of-date” then just close it
      • i.e. rather than clicking Reload as it suggests, we’ll be running it by hand to observe the results.
  • Considering how long it will take you to install Daedalus and/or the cardano-node, you might want to disable or lengthen the time it takes for the lock screen to engage.
    • right corner > Settings > Privacy > Screen Lock
    • FYI any time you want to engage the lock manually, press Meta(“Windows” icon on many keyboards)-L.
    • There are other relevant options on Settings > Power but they only apply to laptops on battery power (i.e., automatic suspend).
      • If you have mistakenly left WiFi or Bluetooth enabled, it will confirm that here.
  • other security relevant settings in Ubuntu under “Settings”
    • WiFi OFF (yes I know we already said this) by the switch
    • Bluetooth OFF by the switch
      • if you turn off both, it might indicate Airplane Mode which is ideal.
    • Search OFF (note this list includes “Passwords and Keys”)
    • Privacy >
      • Connectivity > Connectivity checking OFF
      • Location services: verify it is OFF
      • File History & Trash >
        • File History OFF (hit button Clear History...)
      • Diagnostics > Problem reporting >
        • Automatic Problem reporting OFF
        • Send error reports to Canonical: NEVER
      • Removable media > NEVER prompt or start programs on media insertion
      • Date & Time > Automatic Date & Time OFF
        • therefore you might want to check the time & set manually every once in a while...
        • Exception: if you’re on a Windows machine whose hardware clock is set in local time. In that case leave the Automatic Date & Time setting on until you can fix the relevant setting as described here.

browser settings

  • it’s likely you’ll need to reconnect the Internet every once in a while and with great prejudice may need a browser to get software.
    • Therefore we must remove institutionalised security breaches from Firefox, whose source code is pretty secure but whose default settings are far too open.
    • Remember Firefox changes and moves these options constantly so there’s no way of assuring this list is complete from one month to the next.
      • You’ll have to go over every setting in Preferences to make sure you’re not divulging your Internet presence in some new way.
  • NOTE following the advice in this section is PRECAUTIONARY ONLY and DOES NOT make it “safe” to browse the Internet, which you should NEVER do from this environment!
  • thinking about how you may use the browser: it should only be
    • known secure software repositories like Github or Gitlab (NOT spammy ones like Sourceforge!), or a Cardano explorer perhaps
  • If you are incapacitated on the Internet without Google Chrome, FYI you can install the Chromium package (i.e., the open source part of the browser, without the spyware) but then you will have to make your own audit of the relevant security settings (suggestions welcome, and might be included here):
    • apt install chromium-browser
  • Firefox > Preferences >
    • Home >
      • New Windows and Tabs > New Windows and Tabs: set both to “Blank page”
      • Firefox Home Content: untick EVERYTHING
    • Search >
      • Search Bar: select “Add search bar in toolbar”
        • to avoid inadvertently searching for something if you type a badly formatted URL
      • Default search engine: DuckDuckGo (doesn’t really matter, since we stop it from searching, so upon general principles)
      • Search Suggestions: untick everything
      • One-click Search Engines: remove everything except DuckDuckGo (Firefox requires you to leave one behind :zany:)
        • We don’t want some commercially provided plugin to ever run in response to something being searched from the browser.
        • FYI Firefox updates may bring these back. If you ever find out how to suppress that please let us know.
    • Privacy and Security >
      • Enhanced Tracking Protection >
        • select Strict
        • DO NOT send DO NOT TRACK requests (and you will not be going anywhere that tracks you)
      • Cookies: make a point to check which ones are stored every once in a while.
        • if you have more cookies than you would need for a Github or Gitlab login, you are getting yourself into trouble :angry:
      • Logins and Passwords > UNTICK EVERYTHING otherwise it will use the “Firefox Lockwise” service to determine if you’re trying to save a password on a “breached website” (see link)
      • Permissions > nothing to change here, but DO NOT ALLOW Firefox to grant any web site access to ANY of these.
        • Keep in mind that passwords and wallet key phrases can be gleaned from the camera and/or the noise you make when you type on the keyboard.
        • Prevent accessibility services (see link) from accessing your browser: TICK THIS BOX

cleaning & upgrading the system - at the command line

  • click the Activities menu, find Terminal, and right-click on it to add it to your Favourites on the left bar, and run it.
  • remove snaps and “snap”
    • in this order (if not, it’ll complain about one being dependent on the other):
      • snap remove <GNOME version 3.34 for Ubuntu 18 snap>
      • snap remove snap-store
      • snap remove core18
      • snap remove snapd
      • apt remove snapd
    • SEE SERVER PROVISIONING INSTRUCTIONS
      • keep in mind we’ve also got GUI based snaps: “gtk-common-themes”
    • If anyone thinks “snap” images are a good thing please remember the consequences of using the Docker images wholesale.
      • Since there can be any software, open source or closed, in these “snaps” it is better never to use them unless you fully understand the security risks & can accept them.
    • If you get error message “error: cannot communicate with server: timeout exceeded while waiting for response”
      • reboot and try again.
        • It’s trying to communicate with something which synchronises with the outside world (the “snap store”), which is exactly what we’re trying to remove.
        • If you have trouble removing “snap” and all its “snaps” then you can move on. Some people don’t believe the Ubuntu default snaps to be a security risk. I’m considering them a security risk until proven otherwise, which is impossible because of the proprietary nature of the “snap” so I have done a few reboots at times in order to be sure I’m rid of them. How rigorous you want to be in this case is up to you.
  • other package removals
    • apt remove cups
      • it includes a remote printer management service & opens up a web port
    • apt remove unattended-upgrades
      • You won't be connected to the Internet, so if there's a failed or inappropriate package... if you didn't know about the original security problem, then you won't know if the patch to fix it has a problem either.  And this machine won't be on the Internet to fix it even if you did.
      • And if you did know about the security problem in advance... you wouldn't need unattended-upgrades since you'd simply put the machine on the Internet, get all security updates with "apt update", and then immediately take it off.
  • sudo apt update
    • to prepare for all the OS & essential application packages that have come out since the last Ubuntu official release.
    • if you get a message about having to run “sudo dpkg --configure -a” - usually seen after it reports a package glitch during the installation - do so now.
      • This may also happen if system is interrupted in the middle of adding or removing a package.
  • sudo apt upgrade
    • to do all those installations (answer Y and get used to taking a look at what it’s upgrading)
  • sudo apt install secure-delete
    • makes sure you can delete original key files in a way that zero-writes their file data, and randomises the directory entries before deleting them
  • sudo apt install p7zip-full p7zip-rar
  • if you want to use LibreOffice to store keys and passphrases, or other confidential material about your transactions, private addresses, etc... given that you now have an environment on which to cold-encrypt these documents:
    • sudo apt install libreoffice
  • since generally there will have been a kernel patch since your Ubuntu version was made:
    • menu > Shut down
    • don't "sudo reboot" (see FAQ)
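A helper for the snap removal steps above, as an added example that is not part of the original page: it reads `snap list` output and prints the removal commands with base snaps and snapd last, which is the dependency complaint the ordering above avoids. The embedded `snap list` sample is constructed (version and revision numbers are made up), and the script only prints the plan rather than removing anything.

```shell
#!/bin/sh
# Added example, not from the original page: print a safe removal order for
# the snaps on a fresh desktop install. Nothing is removed by this script;
# it only prints the commands for you to review and run.
set -eu

# Constructed sample of `snap list` output from a 20.04 desktop. Versions and
# revisions are made up; the Notes column is what the plan keys on.
SAMPLE_SNAP_LIST='Name               Version   Rev   Tracking       Publisher   Notes
core18             20200724  1885  latest/stable  canonical   base
gnome-3-34-1804    0+git.1   36    latest/stable  canonical   -
gtk-common-themes  0.1-36    1506  latest/stable  canonical   -
snap-store         3.36.0    481   latest/stable  canonical   -
snapd              2.45.3    8790  latest/stable  canonical   snapd'

# Read `snap list` output on stdin and print one snap name per line in
# removal order: ordinary app/content snaps first (in listed order), then any
# snap whose Notes column marks it as a base, then the snapd snap itself.
# Removing a base or snapd while something still depends on it is what makes
# snap complain, so those always go last.
snap_removal_plan() {
    awk 'NR > 1 && NF >= 2 {
        name = $1; notes = $NF
        if (notes == "snapd")    last = last name "\n"
        else if (notes ~ /base/) bases = bases name "\n"
        else                     apps = apps name "\n"
    }
    END { printf "%s%s%s", apps, bases, last }'
}

# Turn the plan into the commands to run, finishing with the apt removal of
# the snapd package as the list above does.
snap_removal_commands() {
    snap_removal_plan | sed 's/^/snap remove /'
    echo 'apt remove snapd'
}

# Dry run on the constructed sample; on a real system pipe `snap list` in instead.
printf '%s\n' "$SAMPLE_SNAP_LIST" | snap_removal_commands
```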

CHECK Ubuntu install - still without connecting to Internet

  • add swap space (as determined above), if you need it
  • the 20.04.1 installer might encrypt /boot as well, depending on what version of GRUB it uses...
    • SO run the Disks application to see if /boot shows up as a LUKS partition, after it’s all done.
    • NOTE whether it has encrypted the /boot partition, so you know whether or not your disk should be kept from attaching to other booted systems.
  • if you’re running cardano-node, probably set system time zone to UTC to be consistent with log messages

OPTIONAL - AND DON’T INCLUDE unless we don’t see our /home folder after removing /dirty from /etc/fstab & rebooting

  • SINCE YOU CAN USE BOOKMARKS for your commonly used folders on the "host machine" so they appear in the left sidebar of the Files app.
  • you are very likely to see your host “usual” computer filesystems if you:
    • run “Files” (the thing that looks like a folder)
    • select + Other Locations
    • select your familiar “Home” folder by its label and/or size.
    • Only continue with these instructions if you don’t see it there...
  • mount the filesystem on the host machine, so you have a place to put files (encrypted OR insecure) and read from.
  • if you have gotten this far on a Mac refer to the appropriate documentation to mount a filesystem from another disk (TO FIND)
  • open Terminal again
  • sudo lsblk
    • from the size you can probably tell which “sd??” combination is your computer partition where you normally keep your files.
    • note that term sd?? (as per screenshot here; my home directory / folder name is sda2)
  • sudo mkdir /dirty
  • add this line to the end of your /etc/fstab
    • if host system is Linux:
      • /dev/sda2 /dirty ext4 defaults 0 1
      • If you’re the first user on your Linux system, you’ll be able to write here without “sudo” since your user ID will be the same.
        • Otherwise you’ll have to “sudo” to write into this filesystem.
    • if host system is Windows:
      • /dev/sd?? /dirty ntfs defaults 0 1
        • By default NTFS permissions are wide open so you’ll be able to read & write here: and that includes your Windows OS files, so BE CAREFUL!
    • I CAN PROBABLY LOOK UP THE DEFAULT FSTYPE FOR MOST MACs

POSTPONED installing Daedalus - NOT DOING YET

  • AFTER STAKE POOL can refine this idea
    • PLAN to redo the cardano-node setup on a high speed memory stick.
    • THEN a final check redoing the old slow HD drive as a Daedalus wallet.
  • MOST IMPORTANT PART - saving your wallet phrase securely
    • THIS is what the “common denominator” user needs the walk-through for!
  • when the time comes to “verify your passphrase” and “make a secure copy” - you can copy & paste to LibreOffice in perfect fidelity.
    • MUST tell them to make a paper copy (hopefully temporary) because, if that computer gets struck by lightning AND if you have transferred funds into that wallet immediately, WHAT’S ON THIS COMPUTER IS THE ONLY COPY OF THAT PASSPHRASE.
    • Likewise for storing your “spending password” that you set for this particular wallet.
      • You don’t have to set the same spending password for this wallet as you do the Unique password.
      • In fact you can use a more familiar password for this particular wallet... since nobody is getting into it without your unique password entered when the system boots up.
      • You just need to have something there in case somebody comes to the computer while it’s unattended... so they can’t transfer all your ada away from you and then run off. :embarrassed:
  • two options for how you encrypt that file:
    • (recommended) Use your unique password for the Frankenwallet.
      • PRO you can be sure that nobody is ever getting into this file.
      • CON that means you unfortunately can’t open it on any other machine, since if you enter that unique password on any other machine it should be considered “blown”
      • YET the file is still good for making a backup, even safe to email to yourself... you’ll just have to create another “cold” machine or frankenwallet in order to decrypt the file, check its contents, or use them to set up your wallet again.
    • (NOT recommended) Use the password you normally use to encrypt files on the main computer.
      • PRO once the file is copied back to your computer, you can check it easily to make sure your wallet data is still there.
      • CON you must accept the bitter truth that all your super-secure encryption passwords that have been entered on your "daily driver" machine may be compromised.  So if you have your wallet passwords and/or key files encrypted with that password, that "bot" or controlling user would have access to clean out all of your funds. :crying:

install Cardano software - cardano-node & cardano-cli

  • open the saved instructions from the Cardano Github and begin following them.
    • We’re using the installation prerequisites for Ubuntu & Debian.
  • [DON’T duplicate it again here]
  • If you saved them as recommended in the beginning with your own computer’s files, run Files (the file manager), go to “Other locations” and then find your home files in the list of disks on the native computer.
  • some issues you may find, or find incomprehensible, about trying to do this build on the Ubuntu GUI:
    • when putting cabal into ~/.local/bin or ~/bin it still doesn’t run from the command line.
      • That part of your environment is only read by `bash` at login, so you have to log out & login for ~/bin to be incorporated into your $PATH as you are telling it to do in ~/.profile
    • Q: if we have our local file storage for our host machine available on the frankenwallet, why are we slowing things down by putting & building all these files over a slow USB disk connection?
      • A: because we want to be able to REbuild them when there are new software releases...
      • If we have the source files on the insecure / dirty host, we can never really be sure if some malicious code was not injected into them... which is much easier to do into source code than it is into compiled binaries... not to mention commands or scripts put into the Makefiles or configure scripts which would then run as the user inside the secure environment.

DEMONSTRATION: a transaction cycle

TEST before you fund your pledge or create your pool

  • green light: you can do this in your usual environment, with Internet & Daedalus access
  • yellow light: you must do this on your node
  • red light: you must do this in your frankenwallet.

cycle 1: return funds from your Daedalus wallet & back again.

cycle 2: send funds from Daedalus into your payment address

tips for working with stake pool files

DISCONNECT from Internet for the complete generation of your stake pool keys! This means you'll need to have this information already on your host computer where you can find it:

  • a protocol.json file generated on an Internet connected Cardano node (like for the core or relay server you are setting up)
  • the payment.addr you are using for both:
    • the payment for your stake pool registration
    • your pledge deposit
  • if you need to copy the generated addresses back to an Internet connected machine (e.g. your payment address "payment.addr" to send a payment through it to your Daedalus wallet), you can:
    • encrypt the file with Archive Manager (7z with a password uses AES, the strongest encryption available for this purpose)
    • save the *.7z file to your host directory

VERIFICATION - if and when you are feeling paranoid

  • checking that your cold key encrypted archive has the contents you think it does, WITHOUT decrypting it anywhere but the frankenwallet...
    • example: payment.skey - where your life savings is stored.
    • first: open the copy you already trust - the one in the Frankenwallet, or wherever you have already used it for signing successful transfers out of payment.addr - as a text file.
    • then: open it from the cold.7z archive, or wherever you encrypted it, so it opens up in another tab.
    • It'll confirm in the tab headers for the text editor that one is the file in the encrypted archive and the other is your "known" good version of the file.
    • Switching back & forth between the tabs will verify that the files are the same.
      • You could do that by comparing checksums, but seeing the identical files is reassuring and you’re likely to remember it and feel a sense of safety later.
  • THEN confirm that encrypted archive is the same as the one you have on your backup.
    • make sure you close cold.7z file first, to be sure you don't inadvertently make any changes to it.
    • get its checksum by whatever means you're likely to have where you're keeping your backup file (MD5 is the most common, and is available in cloud backups like AWS S3):
      • md5sum cold.7z
    • visually compare that with the MD5 checksum of the file on your backup.
      • YES you can copy the checksum from the frankenwallet to a file saved on the host machine, if that makes you feel better.
    • This confirms the files must have the same contents, without having to give away your cold key password.
    • Even a single bit difference in the files... produced by operator error, encrypting the wrong file, or any kind of transmission error between machines, or anything... will produce a completely different checksum.
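The two checks above as shell functions, an added example rather than code from the original page: the first compares a member of the encrypted archive with a known-good copy by streaming the decrypted bytes straight into a hash (nothing decrypted is written to disk), the second compares the archive with its backup by checksum and writes a digest file the host side can verify. It assumes p7zip-full's `7z` (installed earlier in these instructions) and coreutils; the archive, password and key file in the demonstration are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not from the original page. Verification helpers for the
# encrypted cold-key archive; assumes p7zip-full (`7z`) and coreutils.
set -eu

# Hex digest of a file. sha256sum by default; pass md5sum as $2 if that is
# the only checksum your backup service reports (as noted above for S3).
digest_of() {
    "${2:-sha256sum}" "$1" | awk '{ print $1 }'
}

# Return 0 when two files have the same digest, 1 otherwise. Used to confirm
# the archive on the Frankenwallet and the copy from the backup are identical.
same_file() {
    [ "$(digest_of "$1")" = "$(digest_of "$2")" ]
}

# Write "<digest>  <name>" for the archive into $2, in the format that
# `sha256sum -c` accepts. Only the digest leaves the Frankenwallet, never the
# archive password or its contents.
write_digest_file() {
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" ) > "$2"
}

# Compare member $3 of archive $1 (password $2) with known-good file $4,
# without extracting to disk: `7z x -so` streams the decrypted member to
# stdout and it is hashed in the pipe. `7z t` first rejects a wrong password
# or a corrupt archive, which would otherwise hash as an empty stream.
archive_member_matches() {
    7z t -p"$2" "$1" "$3" >/dev/null 2>&1 || return 1
    member_digest=$(7z x -so -p"$2" "$1" "$3" 2>/dev/null | sha256sum | awk '{ print $1 }')
    [ "$member_digest" = "$(digest_of "$4")" ]
}

# Demonstration on constructed data: a stand-in key file, an archive made the
# way the page describes (7z with a password, encrypted headers), a faithful
# backup copy, and a second file that differs by one byte.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed stand-in for payment.skey\n' > "$tmp/payment.skey"
    ( cd "$tmp" && 7z a -p'demo-only-password' -mhe=on cold.7z payment.skey >/dev/null )
    cp "$tmp/cold.7z" "$tmp/cold-backup.7z"
    printf 'constructed stand-in for payment.skey!\n' > "$tmp/wrong.skey"

    archive_member_matches "$tmp/cold.7z" demo-only-password payment.skey "$tmp/payment.skey" \
        && echo "archive member matches the known-good payment.skey"
    archive_member_matches "$tmp/cold.7z" demo-only-password payment.skey "$tmp/wrong.skey" \
        || echo "archive member does NOT match wrong.skey (one byte differs)"

    same_file "$tmp/cold.7z" "$tmp/cold-backup.7z" && echo "backup archive is identical"
    write_digest_file "$tmp/cold.7z" "$tmp/cold.7z.sha256"
    ( cd "$tmp" && sha256sum -c cold.7z.sha256 )   # what the host side would run
    rm -rf "$tmp"
}

# Only run the demonstration where 7z is actually installed.
if command -v 7z >/dev/null 2>&1; then demo; fi
```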

Tips & troubleshooting

workflow tips

  • create a notes file (LibreOffice) & set password.
  • create backup file & means of saving it to my non-LUKS partition
    • NOT through LibreOffice since I don’t trust the kind of backup files it might make.

ASKED TO FSCK EVERY TIME it boots?  The most common problem, and probably not necessary.

  • Depends on reliability of drive write-throughs, most commonly related to USB bandwidth and/or drive speed.
  • Suggest just being ready to Ctrl-C to skip the disk check, if you know you've powered it off cleanly.
  • If you are tormented by that message, you can try following instructions here (Disable Ubuntu 20.04 disk checkup every boot?).
    • N.B. The mandatory disk check when booting from a USB Ubuntu image is a "safety feature" which is helpful to have in most circumstances.

Other problems

  • “wspanish” package can’t be added during installation time
  • “snap” won’t go quietly
    • I WISH WE COULD REMOVE IT but LVM is installed as a snap, and I think we have a dependency problem.
      • I managed to scuttle my system by removing one of the snaps, even though it wasn’t LVM.
  • problem with “have to run fsck manually on root” - I DON’T THINK ANYONE WOULD TOLERATE THIS
    • (instructions to fix) (also here expressed as a more common problem)
    • it says name of root that it’s decrypting (and this is the only filesystem) when prompting for the password
  • what I’m doing to fix it, after the crash to initramfs)
    • initramfs) exit
      • shows an “fsck” (file system cleaner) error it can’t fix.
    • initramfs) fsck /dev/mapper/vgubuntu-root -y
      • just copy the same root device name from the one it told you it couldn’t scan...
      • initramfs) exit
  • DON’T WORRY if you see this and DON’T REINSTALL. It’s normal having to fsck by hand every once in a while and is a symptom of low bandwidth to your USB device. If you see it more than once it means your USB device, your connection to it, or the combination isn’t giving enough throughput to keep the integrity of the encrypted filesystem and you should begin again with a faster device (assuming you still don’t have that “throwaway computer”).
  • getting a message that you’re on a “read only file system” while you were in the middle of doing something
    • same as above, probably a bandwidth problem... start over with something faster. Your basic filesystem resources shouldn’t be dropping like this.
    • IF YOU'RE ON ONE OF THESE SLOW DRIVES (and ALWAYS when on USB booted environments), SAVE any work you are doing frequently... the read-write access to the folder you're working in, or the file you're working on, could go at any time.
  • if you can't Restart or Shut Down after you get in that "read only" state, it's no problem powering off, no point doing a "sync" since any further writes to the disk are impossible, and you're not losing anything by powering off the machine (without being able to shut down, in fact it's the only thing you can do).
  • DON’T type “sudo reboot”, or “reboot” or “shutdown -h now” at a root prompt (like I love to do), since over slow USB connections Ubuntu appears not to have time to sync the LUKS encrypted partition.
    • Without adequate shutdown time you may find yourself having to do “fsck -y” on the root partition from BusyBox regularly, as described above.
    • click Power Off from the menu just to give it time to shut down & unmount the root partition gracefully.
  • OR since I'm getting this error anyway:
    • just close all apps except the shell, do "sync" (3 times) or (9 times for my own superstition), then click "log out" (DON'T exit with browser running... it leaves far too many files open!!!!)

Appendix: alternatives considered & ruled out; things we don't do & why we don't do them

Other approaches to persistence?

  • just keep using the Ubuntu installer but add some "persistence" to it as explained here (for Kali):
  • more official Ubuntu docs: none really current
    • mkusb - tool to create boot drives
      • > Persistent live systems -
      • PRO: probably a lot easier to set up, and will boot faster from an ISO.
      • CON: not a big performance difference if you keep cancelling those automatic filesystem checks.
      • CON !!! !!!: without enforced encryption it's too easy to:
        • make a mistake by booting an insecure system with the wallet drive attached
        • place key files on the unencrypted partition
        • fail to remember the complex sequence of commands to mount your LUKS encrypted file storage area by hand.
          • if not setting it up that way... it's actually easier to go through the tedium of an OS installation than it is the trial & error of getting your encrypted filesystems to mount persistently at boot... while the LUKS based installation takes care of all this automatically when Ubuntu is originally installed.
      • CON: unlike the installed wallet drive, which has a writable root so we can install packages.
        • This is vital for encrypting your key files... and without that, they can't be copied to the outside world.
      • CON: if your home directory wasn't encrypted (as it wouldn't be in the installation image), saved files like encrypted keys, screenshots, password archives, everything will be wiped out without question when you restart the system.
        • This would cause grave difficulties if one of those files was the payment.addr where you just stored your ₳100K pledge, or the payment.skey that you will need to return that pledge someday :(
        • Persistence everywhere gives you one more line of rescue until you can be sure that these files are encrypted with a password used only in frankenwallet and saved on another kind of backup.
        • In fact if you want to leave these files on the frankenwallet, even without being encrypted, you are still satisfying the Cardano security recommendations of never storing these passwords except on an encrypted drive.