BTC full node privacy with Ledger Nano S and Electrum personal server

Martin the Closet Maximalist
Nov 13, 2018

Premise:

  • Bitcoind node is running in your home network on a server (Ubuntu or similar)
  • Ledger Nano S

Objective: to be able to transact with BTC from any machine in your house, as long as you have your Ledger Nano S, without ever using any full node other than your own and without being forced to run a second or third full node on each machine you want to use your Ledger from. One full node in the house is enough.

This might sound like a pretty simple thing, but it is not as obvious as it sounds. If you have a Ledger Nano S you probably have Ledger Live installed, which is just a light client that connects to Ledger’s full nodes. Ledger Live does not let you connect to your personal full node. From a privacy point of view, Ledger will know what your view addresses are and could monitor them, connect them with your IP and possibly trace that back to your ISP, and then to your actual physical address. That is no way to maintain your privacy in the digital age when you can be your own bank. The first easy step would be to use a VPN (which should be standard practice); this would make linking the addresses to you via your IP significantly harder. If you want to ramp it up a bit more, run Tor on top of your VPN.

But what we want to do here and now is to use your own node as the backend for your ledger.

What I will show you in this article is how to set up an Electrum Personal Server which connects to your private Bitcoin node, which in turn lets you use your Ledger Nano S to transact.

Let’s start

The first question to answer: do you currently have funds on your Ledger wallet? If you do, we first need to extract some info and get it correctly imported into Electrum.

Yes, I have BTC on bitcoin addresses on my ledger, what do I do?

You will have to open Ledger Live one more time to get the location of your account on the Ledger Nano. You may have multiple accounts in Ledger Live; no worries, we can import them all.

  • Connect your Ledger, start Ledger Live and log in
  • Select one of your accounts
  • Click the “Spanner” icon on the right side of the Receive button
  • Click “Advanced logs”
  • Copy the line that starts with “freshAddressPath”. Its value depends on the account type, which you can tell from the first 2 digits:
    “44'/0'/0'/0/4” for a classic/legacy bitcoin account (44; your public addresses start with “1”, also known as p2pkh)
    “49'/0'/0'/0/1” for a newer segwit account (49, which is a hybrid; your public addresses start with “3”, known as p2sh-segwit or p2wpkh-p2sh)
    The final option is native segwit, which Ledger Live does not offer; it would start with 84, is known as p2wpkh or bech32, and all public addresses start with “bc1”
  • Change it a little bit, so it says something like:
    My Main Account — 49'/0'/3' (we only need the first 3 sets of numbers; the ' marks are important)
  • Do the same for your other accounts, and maybe you end up with a list that looks like this:
    My Main Account — 49'/0'/3'
    My Payment Account — 49'/0'/2'
    My backup Account — 49'/0'/1'
  • We will use these numbers when we import into the Electrum wallet.
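
The path trimming from the steps above, as an added Python sketch (not from the original article, Ledger or Electrum): it reduces a freshAddressPath to the account-level path Electrum asks for and reports the matching wallet type. The function name and sample paths are made up for illustration; the xpub and zpub key prefixes are the ones Electrum shows for legacy and native segwit wallets, while only ypub appears in this article.

```python
import re

# BIP purpose number -> (Electrum wallet type, address prefix, master public key prefix)
PURPOSES = {
    44: ("legacy (p2pkh)", "1", "xpub"),
    49: ("p2sh-segwit (p2wpkh-p2sh)", "3", "ypub"),
    84: ("native segwit (p2wpkh)", "bc1", "zpub"),
}

def account_path(fresh_address_path):
    """Reduce Ledger Live's freshAddressPath to the account-level path for Electrum."""
    # Copy/paste through editors often turns ' into a typographic quote; undo that.
    text = re.sub("[\u2018\u2019`]", "'", fresh_address_path.strip().strip('"\u201c\u201d'))
    if text.startswith("m/"):
        text = text[2:]
    parts = text.split("/")
    if len(parts) < 3:
        raise ValueError("expected at least purpose'/coin'/account'")
    levels = []
    for part in parts[:3]:
        match = re.fullmatch(r"(\d+)'", part)
        if match is None:
            # Without the ' the index is not hardened and derives different keys.
            raise ValueError(f"{part!r} must be a hardened index such as 49'")
        levels.append(int(match.group(1)))
    purpose, coin, account = levels
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose {purpose}, expected 44, 49 or 84")
    if coin != 0:
        raise ValueError(f"coin type {coin} is not Bitcoin mainnet (0)")
    wallet_type, address_prefix, key_prefix = PURPOSES[purpose]
    return {
        "path": f"m/{purpose}'/0'/{account}'",
        "wallet_type": wallet_type,
        "address_prefix": address_prefix,
        "key_prefix": key_prefix,
    }

if __name__ == "__main__":
    # Constructed sample values in the format shown in the article.
    for sample in ("49'/0'/3'/0/1", "44’/0’/0’/0/4", "84'/0'/1'/0/0"):
        info = account_path(sample)
        print(f"{sample:18} -> {info['path']:12} {info['wallet_type']} ({info['key_prefix']}...)")
```
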

Installing Electrum Wallet

If you don't already have it, download and install the Electrum bitcoin wallet.

To avoid compromising your privacy, the Electrum wallet should be started with this command-line argument the first time it is started:
--server localhost:50002:s

This makes sure Electrum does not connect to external servers, which it does by default.

Connect your Ledger Nano S, and open the bitcoin app on it.

Start the Electrum wallet with the above argument.

  1. First you will be asked to open a wallet. Choose a name for your wallet, e.g. “main” to be in line with the above account names, Next
  2. “Standard Wallet”, Next
  3. “Use a hardware device”, Next
  4. “An unnamed Ledger…”, Next
  5. You will now get 3 options to choose from:
    legacy
    p2sh-segwit
    native segwit
    As you click through the options you will see that the field below shows e.g. m/44'/0'/0', m/49'/0'/0' or m/84'/0'/0'
  6. Select the base type that matches the first digits you wrote down above for your main account, then fill in the remaining 2 numbers according to what you copied. E.g. in my example case above I would select “p2sh-segwit”, which would give me m/49'/0'/0'; I would then tweak that to say m/49'/0'/3', then click Next
  7. You will get the option to encrypt your wallet with your Ledger. This means that you can only open the wallet, even for view purposes, if you have the Ledger connected. For maximum privacy, encrypt it.
  8. Once it opens, do not be alarmed: it will not have any transactions or balances, since it is not connected to any node to find the balances. What we need to do now is extract your master public key. Go to menu > Wallet > Wallet Information and use the copy function for the “Master Public Key”. Paste it into your file above with your account names so you know which master public key goes with which account.
  9. Close electrum, and repeat the process for each of your accounts, in essence

Installing Electrum Personal Server

For simplicity you would install this on the same machine that runs your bitcoind. The instructions below assume some type of Linux, but should be similar for Windows assuming you have Python, pip3 etc.

I would recommend building Electrum Personal Server from source. It's not too tricky: just clone the current master branch and follow the “How-to” in the pip-README.

Install Electrum Personal Server in your home directory with:
pip3 install --user .
On Linux the scripts (electrum-personal-server and electrum-personal-server-rescan) will be installed in ~/.local/bin.

Things that are very important:

  • Your bitcoin node must be running with server=1. This means that RPC is open, so make sure this is a private node on the inside of your network; you do not want random people from the outside accessing your node via RPC. If you are running a public node, check the bitcoind configuration options on how to lock it down to prevent external usage.
  • You have renamed the sample config to config.cfg
  • Open config.cfg and tweak the basic parameters:
  • [bitcoin-rpc]
    IP (or localhost) and port of your local BTC node
  • [electrum-server]
    From where to allow connections. You probably want to have that as 0.0.0.0 to allow other computers on your network to access it; use the default port for simplicity.
    ip_whitelist to limit which IPs can connect to your Electrum server
  • [master-public-keys]
    This is where you put all those keys we copied before. The format is as follows:
    <a name> = <master public key>
    e.g.
    main = ypub6Y3KWnm7nh993xt5ZV6g5pGy3NEYDLUu342lsFer0343LK43ghH2321Csdqqd434214proE498822EeeEdddDD2224421ssSAwm9cCtPP13
    payment = ypub6234234sdfsdf234234lsdkf30453045sdsdfsdfsdf3LK43ghH2321Csdqqd434214proE498822EeeEdddDD2224421ssSAwm9cCtPP13
  • Just keep adding a new line with a wallet name (no spaces in names) followed by a = and then your master public key.
  • Save the file.
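
A pre-flight check for config.cfg, as an added example that is not part of Electrum Personal Server: it flags a server that listens beyond localhost while ip_whitelist still admits every address, plus wallet names with spaces and keys without one of the single-signature prefixes this setup produces. The host key name, the * wildcard and the space-separated whitelist syntax are assumptions about the sample config, and the inline config is constructed.

```python
import configparser
import ipaddress

# Constructed config for illustration. `ip_whitelist` and the section names come
# from the article; the `host`/`port` key names are assumed.
SAMPLE = """
[electrum-server]
host = 0.0.0.0
port = 50002
ip_whitelist = *
[master-public-keys]
main = ypubCONSTRUCTEDPLACEHOLDER1
my payment = tpubCONSTRUCTEDPLACEHOLDER2
"""

LOOPBACK = ("127.0.0.1", "localhost", "::1")

def audit(text):
    """Return a list of findings for an Electrum Personal Server config."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    server = cfg["electrum-server"]
    if server.get("host", "127.0.0.1") not in LOOPBACK:
        # Listening beyond loopback: the whitelist is the only access control.
        for entry in server.get("ip_whitelist", "*").split():  # assumed space-separated
            if entry == "*":  # assumed to mean "any IP"
                findings.append("ip_whitelist allows every IP")
                continue
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(f"ip_whitelist entry {entry!r} is not an IP or CIDR")
                continue
            if not net.is_private:
                findings.append(f"ip_whitelist entry {entry} is not a private range")
    for name, key in cfg["master-public-keys"].items():
        if " " in name:
            findings.append(f"wallet name {name!r} contains a space")
        if key[:4] not in ("xpub", "ypub", "zpub"):
            findings.append(f"{name!r}: key does not start with xpub/ypub/zpub")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN", finding)
```
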

Scanning the blockchain for all your addresses:
~/.local/bin/electrum-personal-server-rescan -c config.cfg
This will first ask you how far back you want to import transactions from. The further back you go, the longer it will take. Try to remember when you did the first transaction to any of the wallets, and put a date a month or week before that time.

Let it run. This could take anything from 5 minutes to several hours, depending on how many wallets and active addresses you have and how far back in time you go. It will tell you if it found any active addresses.

Starting Electrum Personal Server
~/.local/bin/electrum-personal-server -c config.cfg

It will write out e.g.:

INFO:2018-10-27 19:15:35,308: Starting Electrum Personal Server
INFO:2018-10-27 19:15:35,308: Logging to /tmp/electrumpersonalserver.log
INFO:2018-10-27 19:15:35,314: Obtaining bitcoin addresses to monitor . . .
INFO:2018-10-27 19:15:41,210: Obtained list of addresses to monitor in 5.8963623046875sec
INFO:2018-10-27 19:15:41,211: Building history with 600 addresses . . .
INFO:2018-10-27 19:15:41,385: Found 13 txes. History built in 0.12339901924133301sec

Starting Electrum wallet

The final part of this puzzle is to:

  • Make sure you have your Ledger connected and logged into, running the Bitcoin app.
  • Last time we started Electrum with
    --server localhost:50002:s
    Change that to:
    --oneserver --server <ip for your server>:50002:s
  • Once you have added this, with your server's IP, to your Electrum startup script, launch Electrum using it.
  • Click “choose…” and select one of the wallets that we created before, e.g. the main wallet, Next
  • “An unnamed Ledger”, Next
  • Verify that in the bottom right corner you have a green light (and not a red one); that means it successfully connected to your Electrum server
  • Furthermore, you can go back and check the console where your Electrum Personal Server is running, and you will see that a connection was made from your Electrum wallet.

Congratulations

You now have a personal Electrum wallet that only connects to your own bitcoin node, without the need to run a full node on your daily-use computer when you already have a node running on one of your servers!

Martin the Closet Maximalist

Software developer in the legacy finance system, “discovered” bitcoin back in 2012 but dismissed it only to come back with renewed interest in 2015.