Re: [qubes-users] Bitcoin Qubes tutorial

2016-09-16 Thread Andrew David Wong

On 2016-09-15 17:50, Franz wrote:
> On Thu, Sep 15, 2016 at 5:26 AM, Andrew David Wong  wrote:
> 
> On 2016-09-14 19:11, Franz wrote:
 On Wed, Sep 14, 2016 at 8:54 PM, Marek Marczykowski-Górecki <
 marma...@invisiblethingslab.com> wrote:
> On Wed, Sep 14, 2016 at 08:07:35PM -0300, Franz wrote:
>> On Thu, Jun 30, 2016 at 12:42 AM, Andrew David Wong 
>> wrote:
>>> On 2016-06-29 09:37, Franz wrote:
 But how can I trust a printing dispVM for something as sensitive as
 a hot wallet? We would need two different dispVMs but we are not
 there yet.
>>>
>>> Indeed, not yet, but it will be implemented in R4.0:
>>>
>>> https://groups.google.com/d/topic/qubes-devel/xLZU0R5ijCg/discussion
>>> https://github.com/QubesOS/qubes-issues/issues/866
>>> https://github.com/QubesOS/qubes-issues/issues/2075
>>>
>>
>> Andrew,
>> After various tests I am getting a bit more confidence about bitcoins. So I
>> prepared the promised tutorial. I tried to go to Qubes documentation to see
>> if there is any way to upload it, but found no reference. So I post it
>> here. Perhaps you know what to do.
>
> 
> Thank you for taking the time to write this, Franz. However, we
> already have a page on using Split Bitcoin wallets (using
> Electrum) here:
> 
> https://www.qubes-os.org/doc/split-bitcoin/
> 
> Nonetheless, it looks like your guide has some additional
> information that is missing from the current page. Please
> consider submitting a pull request against this page with your
> additions.
> 
> 
>> Andrew
>> Additions? Well I used a somehow different way, because I sign the
>> transactions on both the hot and the cold VM. So the hot VM is not for
>> "watching" it is for doing exactly all what does the non-connected one
>> (including signing) and obviously for doing the real job of generating
>> addresses for receiving and sending bitcoins to other addresses. It is what
>> is called multi-signature.
> 
>> Is it worth to sign the transaction two times, once for each VM? I do not
>> know, but it is not so much additional work because in both cases you
>> always have to copy a file forward and back between VMs.
> 
>> But the two ways are somehow alternative. I see no point to mix them in the
>> tutorial just to increase confusion to a matter that is already a bit
>> complicated.
> 
>> The final part of editing the firewall rules of hot VM to limit connection
>> to Electrum servers may be worth to protect the keys in hot VM, but may
>> have less sense if there are no keys to protect in hot VM.
> 
>> So did nothing, but am obviously open to suggestions.
>> Best
>> Fran
> 

Ok, I understand. Thanks for explaining, Fran.

> 
> You can see the documentation guidelines (including
> a step-by-step how-to) here:
> 
> https://www.qubes-os.org/doc/doc-guidelines/
> 

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3ca4ade2-277b-688d-426f-4abddd802003%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Bitcoin Qubes tutorial

2016-09-15 Thread Franz
On Thu, Sep 15, 2016 at 5:26 AM, Andrew David Wong  wrote:

> On 2016-09-14 19:11, Franz wrote:
> > On Wed, Sep 14, 2016 at 8:54 PM, Marek Marczykowski-Górecki <
> > marma...@invisiblethingslab.com> wrote:
> >> On Wed, Sep 14, 2016 at 08:07:35PM -0300, Franz wrote:
> >>> On Thu, Jun 30, 2016 at 12:42 AM, Andrew David Wong 
> >>> wrote:
>  On 2016-06-29 09:37, Franz wrote:
> > But how can I trust a printing dispVM for something as sensitive as
> > a hot wallet? We would need two different dispVMs but we are not
> > there yet.
> 
>  Indeed, not yet, but it will be implemented in R4.0:
> 
>  https://groups.google.com/d/topic/qubes-devel/xLZU0R5ijCg/discussion
>  https://github.com/QubesOS/qubes-issues/issues/866
>  https://github.com/QubesOS/qubes-issues/issues/2075
> 
> >>>
> >>> Andrew,
> >>> After various tests I am getting a bit more confidence about bitcoins. So I
> >>> prepared the promised tutorial. I tried to go to Qubes documentation to see
> >>> if there is any way to upload it, but found no reference. So I post it
> >>> here. Perhaps you know what to do.
> >>
>
> Thank you for taking the time to write this, Franz. However, we
> already have a page on using Split Bitcoin wallets (using
> Electrum) here:
>
> https://www.qubes-os.org/doc/split-bitcoin/
>
> Nonetheless, it looks like your guide has some additional
> information that is missing from the current page. Please
> consider submitting a pull request against this page with your
> additions.


Andrew
Additions? Well I used a somehow different way, because I sign the
transactions on both the hot and the cold VM. So the hot VM is not for
"watching" it is for doing exactly all what does the non-connected one
(including signing) and obviously for doing the real job of generating
addresses for receiving and sending bitcoins to other addresses. It is what
is called multi-signature.

Is it worth to sign the transaction two times, once for each VM? I do not
know, but it is not so much additional work because in both cases you
always have to copy a file forward and back between VMs.

But the two ways are somehow alternative. I see no point to mix them in the
tutorial just to increase confusion to a matter that is already a bit
complicated.

The final part of editing the firewall rules of hot VM to limit connection
to Electrum servers may be worth to protect the keys in hot VM, but may
have less sense if there are no keys to protect in hot VM.

So did nothing, but am obviously open to suggestions.
Best
Fran


> You can see the documentation guidelines (including
> a step-by-step how-to) here:
>
> https://www.qubes-os.org/doc/doc-guidelines/
>
> - --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org



Re: [qubes-users] Bitcoin Qubes tutorial

2016-09-15 Thread Andrew David Wong

On 2016-09-14 19:11, Franz wrote:
> On Wed, Sep 14, 2016 at 8:54 PM, Marek Marczykowski-Górecki <
> marma...@invisiblethingslab.com> wrote:
>> On Wed, Sep 14, 2016 at 08:07:35PM -0300, Franz wrote:
>>> On Thu, Jun 30, 2016 at 12:42 AM, Andrew David Wong 
>>> wrote:
 On 2016-06-29 09:37, Franz wrote:
> But how can I trust a printing dispVM for something as sensitive as
> a hot wallet? We would need two different dispVMs but we are not
> there yet.

 Indeed, not yet, but it will be implemented in R4.0:

 https://groups.google.com/d/topic/qubes-devel/xLZU0R5ijCg/discussion
 https://github.com/QubesOS/qubes-issues/issues/866
 https://github.com/QubesOS/qubes-issues/issues/2075

>>>
>>> Andrew,
>>> After various tests I am getting a bit more confidence about bitcoins. So I
>>> prepared the promised tutorial. I tried to go to Qubes documentation to see
>>> if there is any way to upload it, but found no reference. So I post it
>>> here. Perhaps you know what to do.
>>

Thank you for taking the time to write this, Franz. However, we
already have a page on using Split Bitcoin wallets (using
Electrum) here:

https://www.qubes-os.org/doc/split-bitcoin/

Nonetheless, it looks like your guide has some additional
information that is missing from the current page. Please
consider submitting a pull request against this page with your
additions. You can see the documentation guidelines (including
a step-by-step how-to) here:

https://www.qubes-os.org/doc/doc-guidelines/

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Bitcoin Qubes tutorial

2016-09-14 Thread Franz
On Wed, Sep 14, 2016 at 8:54 PM, Marek Marczykowski-Górecki <
marma...@invisiblethingslab.com> wrote:

> On Wed, Sep 14, 2016 at 08:07:35PM -0300, Franz wrote:
> > On Thu, Jun 30, 2016 at 12:42 AM, Andrew David Wong 
> > wrote:
> >
> > > On 2016-06-29 09:37, Franz wrote:
> > > > But how can I trust a printing dispVM for something as sensitive as
> > > > a hot wallet? We would need two different dispVMs but we are not
> > > > there yet.
> > >
> > > Indeed, not yet, but it will be implemented in R4.0:
> > >
> > > https://groups.google.com/d/topic/qubes-devel/xLZU0R5ijCg/discussion
> > > https://github.com/QubesOS/qubes-issues/issues/866
> > > https://github.com/QubesOS/qubes-issues/issues/2075
> > >
> > > - --
> > > Andrew David Wong (Axon)
> > > Community Manager, Qubes OS
> > > https://www.qubes-os.org
> > >
> >
> > Andrew,
> > After various tests I am getting a bit more confidence about bitcoins. So I
> > prepared the promised tutorial. I tried to go to Qubes documentation to see
> > if there is any way to upload it, but found no reference. So I post it
> > here. Perhaps you know what to do.
>
> Thanks!
>
> Below some comments about installation.
>
> > Best
> > Fran
> >
> > BITCOIN WITH ELECTRUM
> >
> > Install Electrum in Fedora template
> >
> > Download the Electrum executable:
> > wget https://download.electrum.org/2.6.4/Electrum-2.6.4.tar.gz
> >
> > Download the signature:
> > wget https://download.electrum.org/2.6.4/Electrum-2.6.4.tar.gz.asc
> >
> > Import the public key of the signer, ThomasV
> > gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6
> >
> > Verify the executable
> > gpg --verify Electrum-2.6.4.tar.gz.asc Electrum-2.6.4.tar.gz
> >
> > If it tells “Good signature from “Thomas Voegtlin (https://electrum.org)
> > ...) it is ok independently from the subsequent warning.
>
> To this point it's ok.
>
> > Install
> > sudo apt-get update
>
> Interesting - I've thought it was for Fedora template (as stated at the
> beginning)...
>
> > Install dependencies:
> > sudo apt-get install python-qt4 python-pip
> >
> > On Qubes manager -> debian-template -> edit firewall rules -> flag “allow
> > full access for 5 minutes”
> > Install Electrum:
> > sudo pip install Electrum-2.6.4.tar.gz
>
> But if that's going to be on Debian, there is already electrum Debian
> package. I suggest using version from backports, as the one in stable is
> quite ancient.
>
> So, for Debian installation instruction would be:
>
> 1. Enable Debian Backports:
>
> https://backports.debian.org/Instructions/#index2h2
>
> 2. Install electrum:
>
> sudo apt-get update && sudo apt-get -t jessie-backports install electrum
>
> For Fedora on the other hand, it's better to avoid using 'pip install',
> especially in template, as it does not verify any sort of signature. I
> believe the only integrity assuring mechanism used there is HTTPS to the
> server. But nothing to verify actually downloaded file.
>

I started writing this tutorial time ago using the Debian template. But
then found that the available release on apt-get install was so old
(1.9.8-4) that it did not include the multi-signature wallet mentioned in
the tutorial. So wanted the new release and the suggested method was
pip-install, but for some reason pip-install did not work of the old
release, even after removing it. So resorted to using Fedora which worked
with pip-install, but forgot to correct the tutorial.

Anyway, using Debian backports the installed version is 2.6.4, just the
same that was available using pip. So everything ok and much easier.
Thanks Marek.

I have corrected the tutorial accordingly:

BITCOIN WITH ELECTRUM

Install Electrum in Debian template (Fedora template is not recommended
because Electrum package is not available and the pip install method does
not verify signatures)

Enable Debian Backports:

https://backports.debian.org/Instructions/#index2h2

Install electrum:

sudo apt-get update && sudo apt-get -t jessie-backports install electrum

After installation, create two new VMs depending from the same Debian
template

one allowing networking, we call it “hot”
the other one not allowing networking, we call it “cold”

Launch the Electrum application in the cold VM for example writing
“electrum” in Qubes Manager/”run command in VM”

Create a new 2-2 Multi-Signature wallet and properly save the “seed” and
the password.

Do the same with the hot VM, then follow the GUI exchanging the public keys
between hot and cold VMs.

Next option on hot VM: autoconnect is the easier way. It will take some time
to connect.

Then on receive tab of hot VM you find your address for receiving bitcoins.
It is enough to send bitcoins to this address to receive them. They will
appear only on Electrum of hot VM because it is the only one connected.

Once you have bitcoins you can send them. Transaction should 

Re: [qubes-users] Bitcoin Qubes tutorial

2016-09-14 Thread Marek Marczykowski-Górecki

On Wed, Sep 14, 2016 at 08:07:35PM -0300, Franz wrote:
> On Thu, Jun 30, 2016 at 12:42 AM, Andrew David Wong 
> wrote:
> 
> > On 2016-06-29 09:37, Franz wrote:
> > > But how can I trust a printing dispVM for something as sensitive as
> > > a hot wallet? We would need two different dispVMs but we are not
> > > there yet.
> >
> > Indeed, not yet, but it will be implemented in R4.0:
> >
> > https://groups.google.com/d/topic/qubes-devel/xLZU0R5ijCg/discussion
> > https://github.com/QubesOS/qubes-issues/issues/866
> > https://github.com/QubesOS/qubes-issues/issues/2075
> >
> > - --
> > Andrew David Wong (Axon)
> > Community Manager, Qubes OS
> > https://www.qubes-os.org
> >
> 
> Andrew,
> After various tests I am getting a bit more confidence about bitcoins. So I
> prepared the promised tutorial. I tried to go to Qubes documentation to see
> if there is any way to upload it, but found no reference. So I post it
> here. Perhaps you know what to do.

Thanks!

Below some comments about installation.

> Best
> Fran
> 
> BITCOIN WITH ELECTRUM
> 
> Install Electrum in Fedora template
> 
> Download the Electrum executable:
> wget https://download.electrum.org/2.6.4/Electrum-2.6.4.tar.gz
> 
> Download the signature:
> wget https://download.electrum.org/2.6.4/Electrum-2.6.4.tar.gz.asc
> 
> Import the public key of the signer, ThomasV
> gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6
> 
> Verify the executable
> gpg --verify Electrum-2.6.4.tar.gz.asc Electrum-2.6.4.tar.gz
> 
> If it tells “Good signature from “Thomas Voegtlin (https://electrum.org)
> ...) it is ok independently from the subsequent warning.

To this point it's ok.

> Install
> sudo apt-get update

Interesting - I've thought it was for Fedora template (as stated at the
beginning)...

> Install dependencies:
> sudo apt-get install python-qt4 python-pip
> 
> On Qubes manager -> debian-template -> edit firewall rules -> flag “allow
> full access for 5 minutes”
> Install Electrum:
> sudo pip install Electrum-2.6.4.tar.gz

But if that's going to be on Debian, there is already electrum Debian
package. I suggest using version from backports, as the one in stable is
quite ancient.

So, for Debian installation instruction would be:

1. Enable Debian Backports:

https://backports.debian.org/Instructions/#index2h2

2. Install electrum:

sudo apt-get update && sudo apt-get -t jessie-backports install electrum

For Fedora on the other hand, it's better to avoid using 'pip install',
especially in template, as it does not verify any sort of signature. I
believe the only integrity assuring mechanism used there is HTTPS to the
server. But nothing to verify actually downloaded file.

> create two new VMs depending from the same template
> 
> one allowing networking, we call it “hot”
> the other one not allowing networking, we call it “cold”
> 
> Launch the Electrum application in the cold VM for example writing
> “electrum” in Qubes Manager/”run command in VM”
> 
> Create a new 2-2 Multi-Signature wallet and properly save the “seed” and
> the password.
> 
> Do the same with the hot VM, then follow the GUI exchanging the public keys
> between hot and cold VMs.
> 
> Next option on hot VM: autoconnect is the easier way. It will take some time
> to connect.
> 
> Then on receive tab of hot VM you find your address for receiving bitcoins.
> It is enough to send bitcoins to this address to receive them. They will
> appear only on Electrum of hot VM because it is the only one connected.
> 
> Once you have bitcoins you can send them. Transaction should start on hot
> VM Electrum, because the balance on cold Electrum is zero.  So using "Send
> tab" of hot Electrum you prepare your transaction with the address of the
> beneficiary. Then you click on send button. On the next window you can save
> your transaction file and then move your file to the cold VM see:
> https://www.qubes-os.org/doc/copying-files/. Using Tools tab/load
> transaction on cold Electrum you can find the moved file, sign it and save
> it again. Finally you move the signed transaction file to the hot VM in the
> same way, load it to the hot Electrum and pay it.
> 
> LIMIT FIREWALL RULES TO ELECTRUM SERVERS
> For additional security you can limit the firewall rules of hot VM to
> connect only to Electrum servers.
> To do that:
> Run Marek script
> https://gist.github.com/marmarek/1d0a296930b7784327aaf9a801ec5585
> into a terminal of hot VM then launch Electrum that tries to connect to the
> net, but cannot because the firewall is manually set to "Deny network
> access except...". After some time the terminal will fill with firewall
> setting of Electrum servers. Then copy these settings into a file in the
> same hot VM.
> 
> then from Dom0 terminal write:
> 
> qvm-run --pass-io appl-VM-name 'cat path to just-created-file'
> 
> This makes all the firewall setting to appear 
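
Marek's point above is that `pip install` checks no signature on what it fetches, while the tutorial's manual check reads "Good signature" after importing a key by the 8-digit ID `7F9470E6`, which is only the last 32 bits of a fingerprint. As an added example (not from the thread), a shell check that accepts a download only when gpg's `--status-fd` output reports a valid signature from one pinned full fingerprint; `PINNED_FPR`, the function names and the sample status lines are constructed placeholders, not ThomasV's real key data.

```sh
#!/bin/sh
# Added example: judge a detached-signature check from gpg's machine-readable
# status lines instead of the human-readable "Good signature" text.

# Placeholder: replace with the signer's full 40-hex-digit fingerprint,
# obtained out of band. This value is constructed, not a real key.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# status_accepts_fpr STATUS_TEXT FPR
# 0 = exactly one VALIDSIG whose primary-key fingerprint equals FPR and no
#     failure/expiry/revocation status; 1 = not acceptable; 2 = FPR is not a
#     full 40-digit fingerprint (for example an 8-digit short ID).
status_accepts_fpr() {
    st=$1
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    case $want in
        *[!0-9A-F]*|'') return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2

    # Any of these status keywords means the signature must not be relied on.
    if printf '%s\n' "$st" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    # In a VALIDSIG line the last field is the primary key's fingerprint.
    printf '%s\n' "$st" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { n++; if (($NF "") == (want "")) ok = 1 }
        END { exit !(n == 1 && ok) }'
}

# verify_tarball SIGFILE DATAFILE: run gpg and apply the check above.
verify_tarball() {
    out=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    status_accepts_fpr "$out" "$PINNED_FPR"
}

# Constructed status output: signature by the pinned key.
SAMPLE_GOOD='[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-09-01 1472688000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Constructed: a different key whose last 8 hex digits equal the pinned key's.
SAMPLE_SAME_SHORT_ID='[GNUPG:] GOODSIG FFFFFFFF01234567 Other Signer <other@example.invalid>
[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF01234567 2016-09-01 1472688000 0 4 0 1 8 00 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF01234567'

# Constructed: the pinned key, but gpg reports it as expired.
SAMPLE_EXPIRED_KEY='[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-09-01 1472688000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

if status_accepts_fpr "$SAMPLE_GOOD" "$PINNED_FPR"; then
    echo "pinned key: accept"
fi
status_accepts_fpr "$SAMPLE_SAME_SHORT_ID" "$PINNED_FPR" ||
    echo "same short ID, different key: reject"
status_accepts_fpr "$SAMPLE_EXPIRED_KEY" "$PINNED_FPR" ||
    echo "expired key: reject"
```

With a real fingerprint in `PINNED_FPR`, `verify_tarball Electrum-2.6.4.tar.gz.asc Electrum-2.6.4.tar.gz` is the call that replaces reading the gpg output by eye.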

Re: [qubes-users] Bitcoin Qubes tutorial

2016-09-14 Thread Franz
On Thu, Jun 30, 2016 at 12:42 AM, Andrew David Wong 
wrote:

> On 2016-06-29 09:37, Franz wrote:
> > But how can I trust a printing dispVM for something as sensitive as
> > a hot wallet? We would need two different dispVMs but we are not
> > there yet.
>
> Indeed, not yet, but it will be implemented in R4.0:
>
> https://groups.google.com/d/topic/qubes-devel/xLZU0R5ijCg/discussion
> https://github.com/QubesOS/qubes-issues/issues/866
> https://github.com/QubesOS/qubes-issues/issues/2075
>
> - --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org
>

Andrew,
After various tests I am getting a bit more confidence about bitcoins. So I
prepared the promised tutorial. I tried to go to Qubes documentation to see
if there is any way to upload it, but found no reference. So I post it
here. Perhaps you know what to do.
Best
Fran

BITCOIN WITH ELECTRUM

Install Electrum in Fedora template

Download the Electrum executable:
wget https://download.electrum.org/2.6.4/Electrum-2.6.4.tar.gz

Download the signature:
wget https://download.electrum.org/2.6.4/Electrum-2.6.4.tar.gz.asc

Import the public key of the signer, ThomasV
gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6

Verify the executable
gpg --verify Electrum-2.6.4.tar.gz.asc Electrum-2.6.4.tar.gz

If it tells “Good signature from “Thomas Voegtlin (https://electrum.org)
...) it is ok independently from the subsequent warning.

Install
sudo apt-get update

Install dependencies:
sudo apt-get install python-qt4 python-pip

On Qubes manager -> debian-template -> edit firewall rules -> flag “allow
full access for 5 minutes”
Install Electrum:
sudo pip install Electrum-2.6.4.tar.gz

create two new VMs depending from the same template

one allowing networking, we call it “hot”
the other one not allowing networking, we call it “cold”

Launch the Electrum application in the cold VM for example writing
“electrum” in Qubes Manager/”run command in VM”

Create a new 2-2 Multi-Signature wallet and properly save the “seed” and
the password.

Do the same with the hot VM, then follow the GUI exchanging the public keys
between hot and cold VMs.

Next option on hot VM: autoconnect is the easier way. It will take some time
to connect.

Then on receive tab of hot VM you find your address for receiving bitcoins.
It is enough to send bitcoins to this address to receive them. They will
appear only on Electrum of hot VM because it is the only one connected.

Once you have bitcoins you can send them. Transaction should start on hot
VM Electrum, because the balance on cold Electrum is zero.  So using "Send
tab" of hot Electrum you prepare your transaction with the address of the
beneficiary. Then you click on send button. On the next window you can save
your transaction file and then move your file to the cold VM see:
https://www.qubes-os.org/doc/copying-files/. Using Tools tab/load
transaction on cold Electrum you can find the moved file, sign it and save
it again. Finally you move the signed transaction file to the hot VM in the
same way, load it to the hot Electrum and pay it.

LIMIT FIREWALL RULES TO ELECTRUM SERVERS
For additional security you can limit the firewall rules of hot VM to
connect only to Electrum servers.
To do that:
Run Marek script
https://gist.github.com/marmarek/1d0a296930b7784327aaf9a801ec5585
into a terminal of hot VM then launch Electrum that tries to connect to the
net, but cannot because the firewall is manually set to "Deny network
access except...". After some time the terminal will fill with firewall
setting of Electrum servers. Then copy these settings into a file in the
same hot VM.

then from Dom0 terminal write:

qvm-run --pass-io appl-VM-name 'cat path to just-created-file'

This makes all the firewall setting to appear directly on Dom0 terminal. It
is enough to copy all of them and paste them on the same terminal and it is
done. These are the firewall settings that appeared in hot VM for Electrum
servers:
qvm-firewall -a hot btc.mustyoshi.com. tcp 50002
qvm-firewall -a hot erbium1.sytes.net. tcp 50002
qvm-firewall -a hot electrum.trouth.net. tcp 50002
qvm-firewall -a hot eniac.snel.it. tcp 50002
qvm-firewall -a hot electrum.vom-stausee.de. tcp 50002
qvm-firewall -a hot bitcoins.sk. tcp 50002
qvm-firewall -a hot ecdsa.net. tcp pop3
qvm-firewall -a hot antumbra.se. tcp 50002
qvm-firewall -a hot ELECTRUM.jdubya.info. tcp 50002
qvm-firewall -a hot home.hach.re. tcp 50002
qvm-firewall -a hot JElectrum.jdubya.info. tcp 50002
qvm-firewall -a hot us4.einfachmalnettsein.de. tcp 50002
qvm-firewall -a hot electrum.online. tcp 50002
qvm-firewall -a hot elec.luggs.co. tcp https
qvm-firewall -a hot jwu42.hopto.org. tcp 50004
qvm-firewall -a hot electrum.no-ip.org. tcp 50002
qvm-firewall -a hot electrum-europe.trouth.net. tcp 50002
qvm-firewall -a hot VPS.hsmiths.com. tcp 50002
qvm-firewall -a hot petrkr.net. tcp 50002
qvm-firewall -a hot bitcoin.dragon.zone. 
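
The last step of the tutorial above pastes text that was produced inside the network-connected hot VM into a Dom0 terminal, where each pasted line runs as a Dom0 command. As an added example (not part of Franz's post or of Marek's script), a Dom0-side filter that passes the relayed lines through only when every one has exactly the `qvm-firewall -a <vm> <host>. tcp <port>` shape listed above; the function name, the file path in the comment and the second tampered line are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: vet rule lines relayed from the hot VM before anything is
# run in Dom0. Intended use (path is hypothetical):
#   qvm-run --pass-io hot 'cat /home/user/electrum-fw.txt' | filter_fw_rules hot

# filter_fw_rules VMNAME
# Reads candidate lines on stdin. Prints them unchanged only if EVERY
# non-empty line is exactly:
#     qvm-firewall -a VMNAME <hostname>. tcp <port number | service name>
# Otherwise prints nothing on stdout, reports the offending line numbers on
# stderr (never their content, which is untrusted) and returns 1.
filter_fw_rules() {
    awk -v vm="$1" '
        NF == 0 { next }    # ignore blank lines
        {
            # Port: 1..65535, or a lower-case service name such as "https".
            port_ok = ($6 ~ /^[0-9]+$/ && length($6) <= 5 &&
                       $6 + 0 >= 1 && $6 + 0 <= 65535) ||
                      ($6 ~ /^[a-z][a-z0-9-]*$/)
            # Six fields, fixed keywords, the expected VM, a dotted host name
            # ending in ".", and no character outside a small safe set.
            ok = NF == 6 && $1 == "qvm-firewall" && $2 == "-a" && $3 == vm &&
                 $4 ~ /^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?\.$/ &&
                 $5 == "tcp" && port_ok &&
                 $0 !~ /[^A-Za-z0-9 ._-]/
            if (ok) {
                accepted[++n] = $0
            } else {
                bad++
                printf "rejected: input line %d\n", NR > "/dev/stderr"
            }
        }
        END {
            if (bad) exit 1     # all-or-nothing: one bad line taints the batch
            for (i = 1; i <= n; i++) print accepted[i]
        }'
}

# Three rule lines copied from the list in the post.
SAMPLE_FROM_PAGE='qvm-firewall -a hot btc.mustyoshi.com. tcp 50002
qvm-firewall -a hot ecdsa.net. tcp pop3
qvm-firewall -a hot elec.luggs.co. tcp https'

# Tampered batch: line 2 is constructed (extra command after the rule),
# line 3 is the rule that is cut off at the end of the post.
SAMPLE_TAMPERED='qvm-firewall -a hot btc.mustyoshi.com. tcp 50002
qvm-firewall -a hot example.invalid. tcp 50002 ; echo unexpected
qvm-firewall -a hot bitcoin.dragon.zone. '

if printf '%s\n' "$SAMPLE_FROM_PAGE" | filter_fw_rules hot >/dev/null; then
    echo "rules from the post: accepted"
fi
printf '%s\n' "$SAMPLE_TAMPERED" | filter_fw_rules hot >/dev/null 2>&1 ||
    echo "tampered batch: rejected as a whole"
```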

Re: [qubes-users] Bitcoin Qubes tutorial

2016-06-29 Thread Andrew David Wong

On 2016-06-29 09:37, Franz wrote:
> But how can I trust a printing dispVM for something as sensitive as
> a hot wallet? We would need two different dispVMs but we are not
> there yet.

Indeed, not yet, but it will be implemented in R4.0:

https://groups.google.com/d/topic/qubes-devel/xLZU0R5ijCg/discussion
https://github.com/QubesOS/qubes-issues/issues/866
https://github.com/QubesOS/qubes-issues/issues/2075

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Bitcoin Qubes tutorial

2016-06-28 Thread Todd Lasman

On 2016-06-28 12:01, Franz wrote:

Hello,

is there some form of tutorial for using Bitcoins with Qubes,
considering that I have no experience of bitcoins?

It seems I should have a VM for a hot wallet for making transactions
and another for a cold wallet to keep the bitcoins. But have no idea
if it is possible to move bitcoins between the two

Also imagine a good practice would be to make a backup of the VMs
containing the wallets using Qubes backup.

It would be also interesting to know which clients you consider safer
for buying and selling bitcoins.

Thanks

Best
Fran


Hi, Fran. I've done exactly this using the Electrum bitcoin wallet. I 
have a dedicated hot ("watching") wallet in its own VM, and a cold 
(offline) wallet in a separate VM that's never network-connected. 
Although I'm hardly a bitcoin expert, I don't think it's a matter of 
"transferring bitcoin from one wallet to another." Rather, I think the 
cold wallet just holds the private keys used when authorizing bitcoin 
transactions. For example, if I'm buying something with 1 bc, I generate 
a pending transaction in the hot wallet, sign that transaction in the 
cold wallet, transfer the signed transaction back to the hot wallet, and 
then broadcast it from there. That way, only that 1 bc is ever 
vulnerable in a network-connected VM.


If I'm misunderstanding this, or doing it wrong, I'd love to be educated 
by a bitcoin guru!


Todd



[qubes-users] Bitcoin Qubes tutorial

2016-06-28 Thread Franz
Hello,

is there some form of tutorial for using Bitcoins with Qubes, considering
that I have no experience of bitcoins?

It seems I should have a VM for a hot wallet for making transactions and
another for a cold wallet to keep the bitcoins. But have no idea if it is
possible to move bitcoins between the two

Also imagine a good practice would be to make a backup of the VMs
containing the wallets using Qubes backup.

It would be also interesting to know which clients you consider safer for
buying and selling bitcoins.

Thanks

Best
Fran
