Monero wallet with offline signing for QubesOS

General Discussion
1

Hey! I’m working on a monero wallet (Unnamed Monero Wallet or xmruw for short), that supports offline signing and view-only mode on mobile devices, and I’ve figured that it would be a good idea to add support for QubesOS.

The idea behind offline signing is to have one device that doesn’t have access to the internet and one device that is allowed to connect to the internet. The offline device is responsible for storing private key and signing transactions, while the online device is responsible for talking to the network directly.

Using setup like this protects users from accidentally leaking their wallet private keys by ensuring that they are never stored in an online environment.

How does that differ from having a single dedicated online qube for monero wallet? By using that approach your security could potentially be broken in few ways

  • dom0 getting hacked into
  • software installed the online wallet qube contains a bug that can be used to extract private key
  • security flaw in monero code itself would allow to retrieve the private key (bug in the protocol leading to extraction of private key)
  • security flaw in the UI (monero-gui, feather, cake desktop, etc.) that would lead to the leak of the private key

While all of the things are very unlikely to happen, and didn’t happen to me for last 2 years of using such setup for my monero-gui, there are quite a few ways to break the security of such setup considering the fact that finding a critical bug in a system is more likely to be a matter of when rather than if.

So how does offline + online setup differ?

  • dom0 getting hacked into - no way to protect against this.
  • software installed the online wallet qube contains a bug that can be used to extract private key - the bug would neede to be activated locally, without the internet in offline qube to leak the private qube, and if it would happen in online qube then only view-only secret key could be leaked, which wouldn’t lead to loss of funds.
  • security flaw in monero code itself would allow to retrieve the private key (bug in the protocol leading to extraction of private key) same as above, offline wallet doesn’t connect to any external services.
  • security flaw in the UI (monero-gui, feather, cake desktop, etc.) that would lead to the leak of the private key - same as above

This setup minimizes the attack vector that is available to the attacker by moving private keys to an offine qube.

How does this affect user experience? Everything is intuitive and require minimal extra effort from the user (just copying unsigned transaction to offline qube and signed transaction to online qube (+outputs/key images but that’s too technical and the process is exactly the same)).

Demo on how transaction sending works can be seen here: https://xmruw.net/assets/videos/qubesos/stage6.mp4

Installation instructions are available here: xmruw - Unnamed Monero Wallet (both video and written)

Let me know what do you think about this kind of setup and tell me if there are any kind of issues that I should fix or things that I could improve. I’m looking forward to your feedback.

2 Likes
2

Welcome to the Qubes Forums, I appreciate your work on this. When I first saw anonero + feather airgapped transaction signing setup via QR codes, that’s what came to my mind too: this works well for QubesOS.

For feather + anonero setup, it was supposed to work with animated qr codes, right? Now, in your case, you are smply copy-paste’ing between the offline & online qubes.

That sounds cool, imo. Can you make the offline signing part work with feather wallet as well?

3

Yeah, you can also use the animated QRs here (it defaults to text if it is running on linux but you can have both options available), and they will (in near future!) be compatible with both feather and anonero.
Also - as far as I know (I did use feather to test that feature long time ago… but there are too few hours in a day to check against each wallet) feather supports file based transactions - which are supported in xmruw, so I could tweak the code a little to move files to the other qube… now that I think about it it could be a much better idea in the first place, as it wouldn’t involve manual copying of the text.

1 Like
4

Nice project.
Will it also be able to sign transactions created on the Monero GUI?
And vice versa?

2 Likes
5

How would this workflow work? You mean, the xmruw qube would be watching over the ~/QubesIncoming directory and auto-detect if there is an offline signing data?

6

Also, since the wallet project is still “unnamed” may I offer you the name “ColdNero Wallet” :slight_smile: It alludes to the fact that this wallet can be used in very cold storage monero wallet setups.

1 Like
7

@jonf3n: Will it also be able to sign transactions created on the Monero GUI?

Yeah! It uses the same transaction format (I’ve never made a transaction using monero-gui, but monero-cli wallet worked fine for that).

@tanky0u: You mean, the xmruw qube would be watching over the ~/QubesIncoming directory and auto-detect if there is an offline signing data?

Yes, that’s something I’m thinking of.

@tanky0u: “ColdNero Wallet”

NERO was part of Anonero wallet, and I wouldn’t like to resemble it in any way, but thanks for the suggestion :slight_smile:

2 Likes
8

Just when I thought cryptography couldn’t get any better. Offline signing huh. So I no longer have to expose my many trillions worth of offline crypto to the internet for every withdrawal? QOL++++

Thanks for the :exploding_head: :exploding_head: