Set up Monero Wallet Securely with Anonymity

Eventually, I found myself with enough leisure and motivation to set up a crypto wallet. For my situation, investing time and money into my skills, knowledge, and projects yields more return and safer than in finance.

But in this time, I found some good VPN deals which I would like to pay with XMR. Plus it’s convenient to have some spare crypto in wallet for making donations to my favorite creators and projects, so it’s time to set things up.

Much like other people who’s into technology itself, I do my wallet quite differently comparing to common speculators and conspiracy theorists, some where in between and even go beyond.

Going as free and open-source as possible is my goal, and I’ve read Mastering Monero before which makes me more into this particular currency. So, I would not like to deal with BTC alike unless I’ve to pay for a bitcoin ransom. But which is not so likely to happen.

Cold Wallet (Tails, Feather and KeepAssXC)

Although using the official monero gui/cli is the best way for creating cold wallets, I decide to go with Feather to try something new since I’ve been used the official tools years before for mining (perhaps winter heating).

Get Tails first, then verify hash to check if it returns 46ff2ce0f3b9d3e64df95c4371601a70c78c1bc4e2977741419593ce14a810a7

sha256sum tails-amd64-6.10.img

Verify signature

TZ=UTC gpg --no-options --keyid-format long --verify tails-amd64-6.10.img.sig tails-amd64-6.10.img

Get Feather and verify hash to check if it returns 6bd5d04e9dbfe80525880bdb72217712bd67dda170c0f18570b876d28bdecd6a

sha256sum feather-2.7.0-a.AppImage

Verify signature to check if it returns “Good signature”:

gpg --keyserver hkps://keys.openpgp.org --search [email protected]
gpg --verify feather-2.7.0-a.AppImage.asc feather-2.7.0-a.AppImage

Create Tails USB drive with cli or Etcher and boot into it. Using a water/shock resistant flash drive is preferred.

sudo fdisk -l
dd if=tails-amd64-6.10.img of=/dev/sdb bs=16M oflag=direct status=progress

Create Persistent Storage at the welcome screen, set up Administration Password in the Additional Settings. Enable Offline Mode to force an “air-gapped” environment if it is not yet physically.

Copy feather-2.7.0-a.AppImage into the persistent folder, then run it.

Create new wallet, generate a new seed and copy it.

Open KeepAssXC from the application menu, create a new database with a master password which could be memorable but at least typable.

To make it more secure with MFA is optimal—generate a key file and add a Yubico OPT challenge-response with YubiKey.

Make a new entry for the wallet seed and paste it there. Now the biggest risk is losing credentials rather than being stolen, so I need to make sure backing things up in the end.

In the KeepAss entry, use the password generator to create a crazy password which is impossible to memorize nor type for feather wallet since it is the weakest link in my defense model.

After finish the wallet creation, export view only wallet key and qrcode as needed.

This is the cold wallet without going too paranoid. I feel sorry for people who blindly decide to use pen and paper. Of course there are use cases for old school techniques, but non-tech people are probably having bigger trouble with their online hygiene practice and Surveillance Self-Defense skills.

What even worse is those who print their paper wallet with a modern printer! For those people, please read through The Hitchhiker’s Guide. This is way more beneficial than maintaining paper or investing in a hardware wallet.

Back to our topic, we have our cold wallet settled for now. Next step is to set up a hot wallet with haveno.

Hot Wallet (Kicksecure + Haveno + VeraCrypt)

For the system I want to run on a day-to-day basis, portable distros such as Tails and Kodachi are not good options. I really like ParrotOS’s built-in anonsurf, but that OS is a bit heavy and more leaning towards offense.

So, there is not lot of option for purely defensive pre-hardened OS which is stationary—Qubes and Kicksecure are left in the sight.

Qubes is a heavy OS (6.4 GB iso) which built upon Fedora with Xen hypervisor baked-in and sometimes not even considered as a Linux distro (meaning some learning curve). On the other hand, Kicksecure is a hardened lightweight Debian (1.3 GB iso) that Whonix is based-on (meaning work out-of-the-box).

Since I have enough low-end hardware to gain better compartmentalization, and system-wide torification is not ideal for a fiat/crypto mixed environment, so Kicksecure fits me the best.

Download Kicksecure and install it with Etcher.

After the OS is ready, install Tor browser:

sudo apt update && sudo apt full-upgrade
sudo apt install --no-install-recommends tb-updater tb-starter
update-torbrowser
torbrowser

Haveno is a Monero based fork of Bisq—open-source, non-KYC/custodial (even no registration) and private with Tor.

Download and run RetoSwap (Haveno-reto), it is a 3rd party Haveno instance recommended by this guide and in this video.

At the moment of writing this post, there are some issues with their unfinished new website so that I can’t get the public key from them. This is skeptical but also understandable, just take with a grain of salt.

To verify the files, I have to find the key file from here:

Save it as reto_public.asc or just download it from web cache, then check if it returns “Good signature”:

gpg --import reto_public.asc
gpg --verify v1.0.14-hashes.txt.sig v1.0.14-hashes.txt
gpg --verify haveno-linux-appimage.zip.sig haveno-linux-appimage.zip

sha512sum haveno-linux-appimage.zip

The sha512 checksum of the zip file should be adbbed81f5e898f29fa9a1966c86c5c42bd23edbb57ebdb4d9e8895cd4d0d50c0468c126ecc4e0089df126b0d96d20b3dd5688f3f39b4418d4e18da367e8f089 and the packed desktop-1.0.14-SNAPSHOT-all.jar.SHA-256 seems irrelevant.

Now run haveno-v1.0.14-linux-x86_64.AppImage and it will be automatically connecting to the Tor network first, Haveno network by next, then sync with Monero Mainnet at last. So this would take some time.

Next step is to set up the accounts. In the Account page, add a new account for traditional currency, then set a password for Haveno hot wallet and do a backup. This Haveno_backup folder should be easy to locate for later backup.

Additionally, download Feather Wallet and restore the secret view key of the cold wallet for convenience.

This post is mainly focusing on operations security than transaction, so let’s wrap it up here with two more backups (3-2-1 principle).

Download Veracrypt generic installer with key and signature, check if the key’s fingerprint is 5069A233D55A0EEB174A5FC3821ACD02680D16DE

wget https://launchpad.net/veracrypt/trunk/1.26.14/+download/veracrypt-1.26.14-setup.tar.bz2
wget https://launchpad.net/veracrypt/trunk/1.26.14/+download/veracrypt-1.26.14-setup.tar.bz2.sig
wget https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc
gpg --import --import-options show-only VeraCrypt_PGP_public_key.asc

Then import the key, verify the signature to check if it returns Good signature

gpg --import VeraCrypt_PGP_public_key.asc
gpg --verify veracrypt-1.26.14-setup.tar.bz2.sig veracrypt-1.26.14-setup.tar.bz2

Extract, install and run

tar -xf veracrypt-1.26.14-setup.tar.bz2
sudo ./veracrypt-1.26.14-setup-gtk2-gui-x64
veracrypt

Here I use a small microSD card since this media type gives more environmental resilience compare to regular flash drive.

Plug in the SD card adapter, follow instructions of VeraCrypt Volumes - Create new Volume - Encrypt a non-system partition/drive - Hidden VeraCrypt volume to create a Hidden Volume around 100MB.

This anti-forensic feature goes beyond my threat model but it is fun to have.

The microSD card is ready for later use. Now, grab another USB drive which is better to be rugged, use same procedure to create Tails live system again.

Boot and set it up in the “air-gapped” machine, and plug the main cold wallet drive.

Mount the Encrypted persistent storage with password, and copy everything needed from TailsData/Persistent into Home/Persistent.

The backup cold wallet drive is done. Now eject the main cold wallet drive. Decrypt and mount the Kicksecure HDD where the hot wallet is at.

Plug in the SD card adapter and decrypt it with the outer volume passphrase. Copy the hot wallet Haveno_backup folder into the outer volume then eject.

Re-insert and decrypt it again but this time with hidden volume passphrase. Copy the feather_data folder and KeepAss database file of the cold wallet in there, then eject.

By now, three copies of the cold wallet are created. This is more than enough since my threat model is more against theft and natural disasters rather than getting hacked by cybercriminals or infiltrated by state actors.

Being a low value hard target is my way of security.

Also, protecting crypto wallet at home is all about OPSEC. No shenanigans such as farady bags or handwriting papers whatsoever!

So properly labeling them and putting one into a watertight container inside a fire resistant safe is good enough. I’ll send another one to a remote location as well.

Feel free to email me if you have any question or would like to social engineer me in a good way : )

Stay safe and sharp!

References:

The Hitchhiker’s Guide to Online Anonymity: https://anonymousplanet.org/guide.html

Haveno DEX Direct Fiat to Monero transactions: https://blog.nowhere.moe/opsec/haveno-client-f2f/index.html

Haveno Documentation: https://docs.haveno.exchange/the-project/

Feather Wallet Documentation: https://docs.featherwallet.org/

Malvarma cold wallet guide for Monero: https://malvarma.org/intro.html

Mastering Monero: https://masteringmonero.com/free-download.html

Attack of the Poisoned Outputs: https://youtube.com/playlist?list=PLk4xsazIq6TZUKDScrxFjhajOKTlHknRx

Monero Talk EPI 166: https://youtu.be/16c03c4kG8k

kycnot: https://kycnot.me/

Cold Wallet (Tails, Feather and KeepAssXC)#

Hot Wallet (Kicksecure + Haveno + VeraCrypt)#

Cold Wallet (Tails, Feather and KeepAssXC)

Hot Wallet (Kicksecure + Haveno + VeraCrypt)