Bitport — Electrum wallet software on a bootable USB flash device

Setting up a Bitcoin cold storage device requires a dedicated computer system that is completely separated from the network to avoid possible data theft.
This could be tricky to do in a cost effective way because the system including the Bitcoin wallet software and its private key storage need to be offline all the time.

Bitport provides a solution to this by having Electrum Bitcoin wallet software within a bootable Debian live system that can be installed on an inexpensive USB flash memory device.

Bitport consists of Debian Linux live system, the official Electrum software, the wrapper code for Electrum and an encrypted LUKS volume. The wrapper code makes it easy for Electrum to access the wallet data secured within the LUKS encrypted filesystem. It can be installed on a USB flash drive so that you can run Electrum on any PC that can boot from a USB device. Bitport is meant to be used as Bitcoin offline cold storage that stores Bitcoin wallet software and the private keys in a secure air-gapped system.

Bitport source code is available at the GitHub repository https://github.com/eov/bitport.

Features

Bitport has the following features :

  • Bitport is a cost effective implementation for Bitcoin cold storage.
  • It is a bootable live system based on Debian Linux.
  • The live system is installed in a device partition so that we can use the unused space of the device for other partitions to store any data including Electrum wallets.
  • It uses LUKS encrypted filesystem to store wallet data, so the wallet data is doubly protected by encryption if the user chooses to enable the wallet encryption option of Electrum.
  • It is built from vanilla Debian packages, the official Electrum source code package and the wrapper shell scripts so it is easy to inspect the code security.
  • Networking is disabled with the Debian live system.
  • It is trivial to upgrade Electrum to a newer version in the build process because we use the packaged version of Electrum (run_electrum) instead of creating Debian packages for Electrum and its dependency libraries.
  • It uses standard XFCE desktop environment and it is easy to change it to other desktop at build time.
  • It provides a facility to store wallet metadata (including the Electrum seed phrase) in GPG encrypted files within the same LUKS filesystem.
  • When the Debian live system is running all of its filesystem contents are on a RAM drive so no files will persist after shutdown except for the wallet data stored in the LUKS filesystem and other data manually stored in the data partition.
  • It is very easy to back up the wallet data to other similar devices.

At the same time we have the following restrictions :

  • Bitport limits the usage of Electrum to offline mode only. (This is because using the same device for offline and online modes could introduce a security weakness.)
  • Bitport supports Electrum but not other wallet software. (It should be easy to add support for Electrum-LTC.)
  • Bitport doesn’t use an ISO-9660 image but directly installs a bootable Debian live system on a drive partition.
  • Users need to create the Debian live system using the provided build scripts and the official Debian package repository.

How it works

Generally the partition 1 of the Bitport drive includes the Debian live system, while the partition 2 hosts the container file for the LUKS encrypted filesystem. The Electrum code is placed under /opt/electrum/ directory of the live system so it will not interfere with Debian package files.

Electrum wallets in LUKS

The user can manually mount the second partition of the drive so that the LUKS setup script can configure the container file for the LUKS encrypted filesystem. The mount point of the second partition filesystem is /media/user/EDATA/ and the container file will be /media/user/EDATA/electrum/electrum_data.fs. This manual mounting/un-mounting gives us flexibility of switching between different partitions/devices that have the same filesystem label EDATA. The LUKS setup script will ask the user for the passphrase to use for the LUKS encryption.

When the Electrum wrapper script is launched it will prompt the user for the LUKS passphrase that has already been configured via the setup script, and mount the LUKS encrypted filesystem at the mount point /data_dir/.
After mounting the LUKS volume the Electrum wrapper will run Electrum by the command line :

run_electrum --offline --dir=/data_dir/electrum/.electrum

This means all wallets will be stored in the directory /data_dir/electrum/.electrum/wallets/.

When the user chooses to store wallet metadata (together with seed phrase) the script will encrypt it via GPG command and then placed the result under
/data_dir/electrum/metadata/. If the wallet file name is /data_dir/electrum/.electrum/wallets/XYZ then the suggestion for its associated metadata file will be /data_dir/electrum/metadata/XYZ_metadata.gpg.

Requirements

Creating Bitport devices requires the followings :

  1. Debian Linux host PC to build the live system image.
  2. Network connection to the Debian package repository.
  3. Bitport source code cloned from the GitHub repository.
  4. The Electrum source code package downloaded from the official Electrum site.
  5. USB flash memory card with capacity larger than 1 GB.
  6. PC (BIOS or UEFI) to boot the Bitport system from USB.

The user needs to keep the three types of passphrases to ensure access to the Electrum wallets :

  1. LUKS volume passphrase.
  2. Password(s) for Electrum wallet(s).
  3. GPG passphrase(s) for wallet metadata file(s) that correspond to wallet(s).

Installation

The actual installation process and the usage are described in details at the GitHub page and should be easy to follow if you are familiar with running commands in a Linux shell.

Happy hodling!


Bitcoin tip jar: 3FovzStD2f61HRKdD4rA5Ew2hdugSyFZMD