How safe is it to use a Linux live CD to access my savings wallet?

11

It's clearly safe to create a savings wallet offline with a live CD, as no data can be sent to an attacker even if the live CD image is compromised (which seems unlikely).

However, when it comes to sending a transaction from a savings wallet, the client must be connected to the internet, so the risk increases. If you create a live Linux CD, with an OS such as Ubuntu, it is out of date within a fairly short time of it being created as the live CD does not receive the latest patches that a permanent installation normally receives.

Presumably this means there's a chance (however small) that when you use the live CD and connect to the internet a security hole will exist that can be exploited to steal your wallet and wallet passphrase next time you enter it. How big is this risk? (Am I just being totally paranoid?!)

The severity of the risk is obviously a difficult thing to determine in the context of all possible live CDs, so perhaps a better question is this, if the first one is too difficult: have there previously been any security holes in live CD releases that allow an attacker to remotely control the computer?

Highly Irregular

Posted 2011-12-20T23:28:58.533

Reputation: 10 514

2

I think this question belongs to other SEs, like StackOverflow, SuperUser, Ask Ubuntu, or IT Security, as it is not a Bitcoin-specific problem.

ThePiachu 2011-12-21T08:19:47.820

1

In my opinion, there is sufficient concern about private key safety within the Bitcoin community that it justifies a Bitcoin-specific answer here.

Gary Rowe 2011-12-21T09:42:47.590

Answers

4

Security is always an issue and complex systems like operating systems are prone to attacks. However, it is possible to use an offline machine to create the signed transactions and then export them to another machine.

For example a soft copy of those signed transactions could be copied on to a fresh USB stick, or printed out on paper as plain text or QR codes and so on. These transactions could then be imported into an online Bitcoin client that does not have the private keys, but can just transmit the transactions to the network.

Your private keys are always held offline and thus only exposed to physical attack vectors which should be sufficient to relieve your concerns.

Gary Rowe

Posted 2011-12-20T23:28:58.533

Reputation: 7 175

1

Are there any guides or tools on how to create the signed transaction then import it into another client?

Sean Chapman 2011-12-21T09:48:31.163

2

Take a look at the forums here: https://bitcointalk.org/index.php?topic=28278.0

Gary Rowe 2011-12-21T09:55:45.387
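
The offline-signing workflow described in the answer above leaves one check for the online machine: confirming that the blob carried over on USB or paper is a signed transaction that pays only the intended outputs. The following is an added example, not part of the original answers, that parses a legacy (non-SegWit) raw transaction and performs that check; the function names and the sample bytes produced by `build_sample` are assumptions constructed for illustration.

```python
def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer; return (value, new_pos)."""
    first = buf[pos]
    if first < 0xfd:
        return first, pos + 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def parse_legacy_tx(raw):
    """Parse a legacy serialized transaction into inputs and outputs."""
    n_in, pos = read_varint(raw, 4)  # skip the 4-byte version field
    if n_in == 0:
        raise ValueError("no inputs (SegWit marker or empty tx): not handled here")
    inputs = []
    for _ in range(n_in):
        txid = raw[pos:pos + 32][::-1].hex()  # txids are displayed byte-reversed
        vout = int.from_bytes(raw[pos + 32:pos + 36], "little")
        slen, pos = read_varint(raw, pos + 36)
        inputs.append({"txid": txid, "vout": vout, "script_sig": raw[pos:pos + slen]})
        pos += slen + 4  # scriptSig plus 4-byte sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = int.from_bytes(raw[pos:pos + 8], "little")
        slen, pos = read_varint(raw, pos + 8)
        outputs.append({"satoshis": value, "script_pubkey": raw[pos:pos + slen]})
        pos += slen
    if pos + 4 != len(raw):  # only the 4-byte locktime may remain
        raise ValueError("trailing or missing bytes: not a well-formed legacy tx")
    return {"inputs": inputs, "outputs": outputs}

def check_before_broadcast(raw_hex, expected_outputs):
    """Return a list of problems; an empty list means the blob is as intended.
    expected_outputs is a list of (script_pubkey_hex, satoshis) tuples."""
    tx = parse_legacy_tx(bytes.fromhex(raw_hex))
    problems = [f"input {i} is unsigned"
                for i, t in enumerate(tx["inputs"]) if not t["script_sig"]]
    got = [(o["script_pubkey"].hex(), o["satoshis"]) for o in tx["outputs"]]
    if sorted(got) != sorted(expected_outputs):
        problems.append("outputs differ from the intended payees/amounts")
    return problems

def build_sample(script_sig, outputs):
    """Constructed test data: zero txid and dummy signature bytes, not a real tx."""
    raw = ((1).to_bytes(4, "little") + b"\x01" + bytes(36) + bytes([len(script_sig)])
           + script_sig + b"\xff" * 4 + bytes([len(outputs)]))
    for spk, sats in outputs:
        raw += sats.to_bytes(8, "little") + bytes([len(spk)]) + spk
    return (raw + bytes(4)).hex()
```

The check confirms structure and destinations only; signature validity is still decided by the network nodes that receive the transaction.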