Mind the Crypto Air Gap
Best Practices for Air Gapping Your Machine When Managing Digital Assets
If you’re in the cryptocurrency space, you have had to set up an air gapped machine. Air gapping a machine means keeping it permanently off the internet.
Why Air Gap?
Machines that are used day to day are easy targets for malware. You will want to air gap a machine if it stores or processes sensitive information. For example, in the world of cryptocurrency a wallet is defined as a private key and an associated public key; the public key can be distributed publicly for receiving funds, while the private key is used to “sign”, and therefore authorize, outgoing transactions. If a wallet holds anything over $1 million, it is recommended that the private key be held offline on an air gapped machine.
The steps to create a transaction using an air gapped machine are as follows, assuming there is one online machine and one air gapped machine:
- Online Machine: Create the transaction and configure your payload appropriately.
- Via the USB stick: Transfer the created transaction to the offline machine, securely.
- Offline machine: Sign the transaction accordingly.
- Online machine: Emit (broadcast) the signed transaction to the relevant blockchain network (e.g. Ethereum, Bitcoin).
How to Set Up an Air Gapped Machine
Using an air gapped machine for cryptocurrency wallet creation and transaction signing is considered the highest level of security (and, if you are an investor managing these assets, a fiduciary obligation).
In order to initialize your air gapped machine, you may perform the following:
- Purchase a brand new machine for dedicated, online use. I prefer using MacBook Airs due to the availability of common drivers and ease of use (also easy to find 2nd hand to reduce costs).
- Purchase a brand new machine for dedicated, offline use. You may optionally remove the WiFi or networking card prior to use.
- Purchase a brand new USB stick for transferring data or programs from the online machine to the offline machine. We will assume this USB stick is 5 GB for our example.
- Plug the USB stick into your offline machine. We assume the initial programs we want to place on the offline machine total 1 GB or less.
- Open the terminal and create four 1 GB filler files using the following command (mkfile is macOS-specific; the loop gives each file a distinct name):
for i in 1 2 3 4; do mkfile -n 1g fake$i.txt; done
- Move those four files onto the USB stick. We now have a USB stick with 4 GB full and about 1 GB free. With so little free space, a malicious payload written to the stick will show up as a failed or unexpectedly short transfer when we move our own files onto the machine.
- Transfer any files or data that are necessary for day to day use onto the offline machine to initialize the machine.
- If the files that need to be transferred from the online machine to the offline machine will be smaller going forward, add another fake file to reduce the free space on the USB stick further.
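The filler-file trick above tells you when something extra has landed on the stick; an integrity manifest tells you what. As an added example (not from the original post), the online machine hashes every file it places on the USB stick (filler files included) and writes a manifest, and the offline machine recomputes the hashes and reports unexpected, missing or modified files. The manifest name, the file names and the tampering scenario are assumptions, and the demo uses a temporary directory with small filler files in place of a real 5 GB stick.

```python
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed name; written by the online machine, checked offline


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(stick: Path) -> dict:
    """Online machine: hash every file on the stick (filler files included) except the manifest itself."""
    return {str(p.relative_to(stick)): sha256_file(p)
            for p in sorted(stick.rglob("*"))
            if p.is_file() and p.name != MANIFEST_NAME}


def manifest_fingerprint(manifest: dict) -> str:
    """Short digest of the manifest, to compare by eye on both screens (the copy on the stick is untrusted)."""
    canon = json.dumps(manifest, sort_keys=True).encode()
    return hashlib.sha256(canon).hexdigest()[:16]


def verify_stick(stick: Path, manifest: dict) -> dict:
    """Offline machine: report everything that differs from what the online machine wrote."""
    current = build_manifest(stick)
    return {"unexpected": sorted(set(current) - set(manifest)),
            "missing": sorted(set(manifest) - set(current)),
            "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k])}


def demo() -> dict:
    """Constructed walk-through: a temp directory stands in for the stick, 4 KB files for the 1 GB fillers."""
    stick = Path(tempfile.mkdtemp())
    for i in range(1, 5):
        (stick / f"fake{i}.txt").write_bytes(b"\0" * 4096)
    (stick / "unsigned_tx.json").write_text('{"to": "0xPLACEHOLDER", "value": "1"}')
    manifest = build_manifest(stick)
    (stick / MANIFEST_NAME).write_text(json.dumps(manifest, sort_keys=True))
    # Simulated tampering between the two machines: a file is planted and the payload is altered.
    (stick / "dropper.bin").write_bytes(b"\xff" * 16)
    (stick / "unsigned_tx.json").write_text('{"to": "0xPLACEHOLDER", "value": "999"}')
    loaded = json.loads((stick / MANIFEST_NAME).read_text())
    return verify_stick(stick, loaded)
```

Read manifest_fingerprint() off the online screen and compare it with the value computed offline before trusting the manifest, since the copy on the stick travels with the very data it vouches for.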
Asset Management Going Forward
Online Machine — The online machine is to be used only for retrieving information for use on the offline machine. This machine should be dedicated and not be used for any activity other than accessing the information necessary to conduct the offline processing or transactions. It is recommended that this machine does not touch common attack surfaces such as email (the fewer contamination vectors, the more peace of mind and added security).
Offline Machine — The offline machine is to be used only for processing the information transferred from the online machine. Any private keys or root certificates should be stored there and accessed only there for any related processing.
USB Stick — This now sacred USB stick is not to be used in any other context or with any other machine (you are Frodo, the USB is the one ring, so to speak). Its sole purpose is to move information or data from the online machine to the offline machine. Take great caution in the storage of this USB stick as it is theoretically the only attack surface at play.
These practices were rarely used in the past; however, due to the prevalence of cryptocurrency, air gapping machines has become the status quo (rightfully so). Some cryptocurrency practitioners who handle high value transactions have even gone to the lengths of keeping their air gapped machines in Faraday cages; while suitable for some in certain respects, a process as described above should be sufficient for most instances.
If you have not already, evaluate your private or personal asset management practice, see if you can apply any of the techniques above to harden your Infosec/Opsec, and ensure you’re applying common industry best practices.
Our industry is still learning, and it’s important to remain abreast of the most secure methodologies to ensure no one has to deal with catastrophic loss.
Edited by: Steven McKie