|Atlas Informatik How-To
Create a secure crypto wallet for free
How can we create a cryptocurrency wallet that costs nothing and will store our money safely?
Paper wallets are old fashioned, tedious and unsecure. Here is one method that I worked out for myself which is free of costs. Note: This is only for advanced computer users. It works on computers which have at least 8GB of RAM (better 12+) and maybe 10 GB free drive space. The steps are only tested on a Windows PC but should work also on other operating systems. This is how you do it:
- Install a third party antivirus software on the main computer. Such a software will most likely detect any listening spy programs. Note: Recognition statistics show that Windows Defender is not good enough!
- Install a proper firewall software like ZoneAlarm, Comodo or others. It will give you the possibility to also stop any connections that a software wants to make to the internet. Note: Windows Firewall is not good enough. It will not stop any programs sending data up to the internet.
- Download Oracle VirtualBox
- Download a fresh Windows Image from Microsoft, for example from here. Important: Do NOT download from other sources than from Microsoft servers, and use 'https' always.
- Download fresh copies of the following software packages directly from the producers, NOT from archives. If the softwares display a fingerprint on the website (sequence of byte codes), copy them to a text file "Fingerprints.txt".
- The cryptocurrency wallet software of your choice
- Keepass above version 2
- Copy the downloaded files from step 5 and "Fingerprints.txt" into a separate folder named "Shared Folder".
- Start VirtualBox. If your firewall software is asking for a connection, say no. Add the Windows Image. This will add a new virtual machine entry.
- Go to "Machine Setting->General->Avanced->Shared Clipboard" and select "Disabled". This will cut the transfer of clipboard data between the main computer and the virtual box.
- Go to "Machine Setting->General->Avanced->Drag'n'Drop" and select "Disabled"
- Go to "Machine Settings->Shared Folders" and add our "Shared Folder" from step 6. This will allow us to transfer data between the main computer and the virtual box.
- Go to "Machine Settings->Network->Attached to " and set it on "Not attached". This will disconnect the internet access of the virtual machine.
- Start the Virtual machine. You should now be able to see the content of the Shared Folder as a network drive
- Compare the fingerprints of each software by right clicking it and displaying the 'Properties->Digital Signature->Certificate->Details->Show Certificate->Details->Fingerprint'
- Install all of your software. If you have to enter a password, there is the possibility that a keyboard spy program on the main computer could catch those keystrokes. To counteract this you can use these methods:
- Never enter passwords in one consecutive sequence. You can trick out most spy programs by entering the password in parts. For example type first the end or the middle part, click on another program inside or outside the box, enter some dummy keys there, click on another part of the password (for example the start), enter some keys, and repeat that several times.
- Avoid copying data to the clipboard of the main computer. The clipboard is like a broadcaster and very easy to listen to. Better put your passwords in a keepass database file, put that on the 'Shared Folder' and open it from inside the virtual box. Inside the virtual box it's safe to copy data to the clipboard because in step 8 we were assuring that such data is not copied to the main computer's clipboard. Generally, make use of Keepass's feature "Perform Autotype" in the right click menu, which is much more secure than the clipboard. If you can't avoid using the clipboard, copy passwords in parts as described above and transfer at least three/four characters by your memory. This way the full password never gets on the clipboard.
- One more note:
There would be a product that would protect even more from eavesdropping:
Keyscrambler. But none of the product variants does protect Oracle Virtualbox for now [2018/04].
- Backup the virtual machine by copying the directory of the image (don't use the export function). This will freeze its state as it is, and you can continue to use the image after its expiration date.
- Save a copy of your KeePass database file to another location, eg. to a USB drive, an external drive, or even a cloud drive. Use an additional keyfile in conjunction with your password to make it even more unbreakable. You can write its content on paper (very safe) or simply put it on a local drive or USB stick. In any case, you have to copy the file out of the virtual image because the image will cease to run after a few months. You can then just restore the backup from step 15 and copy the KeePass database file into it.
How safe is this method? It depends on the safety of each part that is used. The combination of them determines the entire safety.
- Windows ISO Image: It's very unlikely that Microsoft has put some listening software in a Windows image. But it could be. There are rumours that there is a backdoor for the government [Edward Snowden]. But because we didn't allow the virtual machine to communicate over the internet it is nearly guaranteed to be secure. Furthermore because of the size of the image it's nearly impossible to copy it quickly out of your computer. And since the images are test images we have an automatic disable feature after a few months for free. You could say they have an automatic decay date, just in case your drive would fall into the wrong hands.
- Oracle VirtualBox Software: The same as for the Windows Image. The box could actually do a communication with the internet, but it's also very unlikely too. If you have installed a proper firewall you can also block this connection. But: In 2017 an attack was presented that allowed a malicious process to listen to data that was processed inside a VM. But it's very complicated and I never heard of a real attack that was using this scenario.
- Transfer of data using the 'Shared Folder': Yes, every malicious software can attack this. We counteract this by comparing the fingerprints and we don't store unencoded passwords there.
- Keepass above version 2: Keepass encrypts using AES-256 which is considered to be secure under the condition that it's protected by a strong master password.
You should not think out your passwords by yourself, but use the built-in password generator. Ideally, it should be at least 30 characters long. But sometimes there are older software that doesn't work well with long passwords and/or special characters. Often you can only find this out by testing.
It's recommended to do a few improvements in
'Tools->Options' in the tab 'Security':
- Lock workspace when locking the computer: On
- Lock workspace when Computer suspended: On
- Lock workspace when remote control changes: On
- Clear clipboard when closing: On
- Enter master key on secure desktop: On
- Clear master key command line: On
The security can even be greatly extended by using an additional keyfile stored on the local computer. The content of the keyfile can also be written on paper, it's very short, so there is no possibility that it will be seen online. Since the source code of Keepass is open it's very unlikely that some malicious code is in it.
- Wallet software: This is the weakest point. It's very unlikely that a wallet software is malicious if you downloaded it directly from the originator, because it would ruin his/her business. Even if the wallet would decide to send out your private key, there would be no internet connection to do that.
- In general: There is always the risk that spyware on the main computer will constantly take screenshots and send them home. It seems that such measures are part of the German Government Trojan, and probably also in the tools produced by the three-letter US government companies. You stand generally no chance against them. However, this is nothing new, this risk exists with or without a cryptocurrency wallet. However, according to the above report, such spying tools are recognized by any good antivirus software. In addition, the data to be transmitted is considerably large, which in turn can attract attention from an attentive observer. What's more, I guess the data still needs to be interpreted by humans. Something like that is most rarely used. If you want to go for the hunt too, in addition to your antivirus program, I can recommend the tools Process Monitor and Process Explorer from Microsoft.
You can never stress it enough: Something like this should be downloaded directly from the manufacturer, never from a third party website.
Additional useful info
- This is much more convenient with a crypto stick, but only at a cost of about 70 €/CHF/$. There are mainly the Trezor and the Ledger products. We ourselves use the Ledger Nano S, and it works very well once the initial problems have been overcome. If you know our problem solving web page here, everything is fine.
- We have embedded some useful functions regarding crypto wallets in our Freemium Software Mighty Desktop:
- With Seed Enigma™ you can encode your wallet passphrase with a personal password. This guarantees that your precious wallet can only be opened by you, and only you.
- With the Generate Random String function you can create your totally random password containing any characters and of any length
- With the function Select Random Words of 'Text Expert' you can choose words for a seed phrase from any table of words from anywhere in the world.
- With the tab File Protector you can keep your wallets locked at any time until you need them. As soon as you start the wallet program they will get unlocked, until you close the program again.
© 2018 Andres Rohr. This topic stems from the author himself. It is not simply copied from the internet.