An encrypted, air-gapped Linux bootable USB drive for Cardano & other cryptocurrency secure operations
Who needs it?
➤ Anyone working with cryptocurrency private keys or seed phrases (e.g. for Cardano, Bitcoin or Ethereum or other cryptocurrency addresses) or other high value resources targeted by hackers (e.g., Ada stake pool keys).
➤ Anyone wishing to work in high security with these resources without either of these usual requirements:
- a second computer, often called a cold or air gapped machine, for the sole purpose of storing keys, signing transactions, and other secure operations.
- a hardware wallet with a fixed environment supporting these operations (these devices often have well supported feature sets, although with high price tags and proprietary design).
➤ Anyone wanting or needing direct access to all their own files on their main computer, in an air-gapped and securely prepared environment, while working with high security data.
➤ Anyone who cannot afford — either financially or logistically (e.g. frequent travellers) — a second machine or hardware wallet.
➤ Anyone who finds the small form factor of a hardware wallet appealing, and has wondered how you might get the same (or better) features on a cheap, ordinary memory stick.
➤ Anyone who has wished they could have a full featured operating system — with general purpose software, including the ability to edit & save encrypted key files, archives and other records — on their premium hardware wallet.
➤ Anyone using memory sticks to store or back up private keys — for bare addresses or assets like stake pool pledges & smart contract accounts — who has worried about an unencrypted memory stick being lost or stolen.
➤ Anyone wishing for an option for an off-site backup of their keys, wallet seed phrases, and other cryptocurrency asset records… given that AES based encryption is considered unbreakable when properly used.
How to use this guide?
Most readers interested in this subject will already know how to:
- install Linux (our reference is Ubuntu 20.04, chosen based on popularity and especially to match the majority of Cardano stake pool & other servers)
- compile and install the Cardano node and CLI software, or the CLI for their preferred blockchain
- use the Linux command line
Therefore, please be familiar with the external references above, so we can focus on:
- particular installation procedures & parameters to ensure an encrypted OS partition (and, where possible, an encrypted boot partition);
- a model for secure workflow: to allow common tasks to be done repeatedly in the Frankenwallet, while allowing the data & procedures for these tasks to be recorded, stored, and backed up on the host machine;
- OS and application security tuning: in case some applications or software upgrades require periodic or specialised Internet access (not a general requirement).
Nobody can anticipate the wide range of adversaries, attack methods, and operator errors which might lead to the loss of your privacy and/or funds even if you follow this security model. This material is a "best guess" tradeoff between security and convenience: one in which I am trusting my own enterprise and livelihood. That fact that I take responsibility for maintaining and improving this material does not imply any responsibility for losses that may happen to you, as you use this material (as you would use anything else) entirely at your own risk.
Found an error, or want to make a suggestion?
COSD pool and its architects would be happy to hear your feedback, even if critical. The goal is to keep refining not only the instructions but the guides themselves, including of course the security standards. If you have a well defined suggestion or reproducible problem, please post it here: