Transferring Bitcoins to a secure offline wallet using Armory
Update: For a quicker (but less flexible) way to store bitcoins, see my other post.
You have some Bitcoins. They’re being stored with an online exchange or wallet service. But you’re no longer comfortable storing all your funds with a third party—since hacks happen, and allowing another entity to control your private keys means that it’s possible for that entity to spend your coins without your consent.
You’d prefer to self-manage the bulk of your Bitcoin funds in a safe way. This post will describe how to achieve this using Armory.
Standard disclaimer: I accept no liability for funds lost or equipment damaged by following (or attempting to follow) these instructions. Readers do so entirely at their own risk.
You can set up an offline wallet before you acquire any bitcoins, but I’ll be assuming that you already have some Bitcoins stored with a third party website somewhere.
This process will likely take you a few hours. It’s up to you to decide whether the time, effort (and expense if you have to buy any of the ingredients) is worth the extra security and peace of mind that self-managing an offline wallet will bring. This will likely depend on the amount of Bitcoins you have and their market price.
Online Computer: An internet-connected computer running Windows or Linux
This can be your main computer for daily use. It is connected to the internet. I will call this the online computer. Throughout the walk-through I’ll assume this computer is running Windows.
Purpose: As far as managing your offline wallet goes, the online computer will run Armory in online mode to:
- View the balance of your offline wallet.
- Create receiving addresses for the offline wallet.
- Create unsigned transactions (when sending money from your offline wallet).
- Broadcast signed transactions (when sending money from your offline wallet).
- Optionally you can use your online computer to maintain a second ‘current’ Bitcoin wallet for keeping and transferring small amounts of funds for goods and services. This walkthrough won’t cover this use.
We are deliberately setting things up in such a way that it will not be possible to use the online computer to actually sign transactions to send funds from your offline wallet. The signing of transactions happens on the offline machine.
Offline computer: a cheap (second hand) laptop or netbook.
The smaller the better. It doesn’t have to be powerful. I’m based in the Netherlands and I bought a second hand DELL Latitude from http://www.2dehandslaptops.nl/. I also understand that the EEEPC range of netbooks work well for this purpose.
I will call this the offline computer. It doesn’t require a CD drive; we’ll be installing Ubuntu onto this computer with the help of a USB stick.
Purpose: A fresh install of a trusted Ubuntu version will be carried out on this computer. Bluetooth and WiFi will be turned off and it will never connect to the internet so that we can be confident that the computer is free of malware. This computer will be used to securely generate a deterministic wallet using Armory. It will then display the data we need to create a physical record that can be used to recover that wallet after we delete it from the computer. Later, when funds need to be sent from the savings wallet, the wallet will be reconstructed on this offline computer, and Armory will be used to sign transactions, which are then transferred by USB key to the online computer to be broadcast to the Bitcoin network.
Once the savings wallet is set up, the offline machine will rarely be used. We will not be using this machine to store the savings wallet between power-downs. Instead we will re-generate the wallet as needed using the physical record, and delete it from the machine after each use. This means that even if the offline machine is lost or stolen, we needn’t worry about loss or unauthorized access to our funds, and a new offline machine can be prepared to take its place.
A stick with a capacity of 1GB or more should be more than enough. We’ll be formatting this stick, so make sure there’s nothing on it that you’d prefer to keep.
Purpose: The stick will be used to transport files to and from the offline computer, both for initial set-up, and when sending funds from the savings wallet. We do this because it’s much more difficult for a potential attacker to access sensitive information from a system set up this way than if the machine it’s stored on has a direct connection to the internet itself.
Ubuntu 10.04.4 LTS (Lucid Lynx) install .iso file
This .iso is the collection of files that allows us to install an appropriate version of Ubuntu on the offline computer. We’re using this Ubuntu install because by default it’s more secure (and less of an attractive target) than a Windows install.
Using your online computer, go to http://releases.ubuntu.com/lucid/ and click the link labelled “PC (Intel x86) desktop CD” to download the .iso file. The download can take quite a while to complete.
Using your online computer, go to the "Get Armory" page, find the section entitled “Linux – Offline Bundle for Ubuntu 10.04-32bit” and click the link entitled “Armory 0.86.3-beta: All-Dependencies-Bundle for Ubuntu 10.04 32-bit (*.zip)” to download the package. This package is for the offline computer.
This package provides an easy way for us to install everything that Armory needs, as well as Armory itself, onto the offline machine once it’s running Ubuntu.
Also download the appropriate Windows version of Armory while you’re there, for the online computer.
Unetbootin is a utility that can create installable Linux distributions on a USB stick. We’ll need this to install Ubuntu on the offline machine if that machine doesn’t have a CD drive (for this walk-through I’m assuming yours doesn’t). Download Unetbootin for your system here, and install it.
Online Computer: Install Bitcoin-Qt and download the blockchain
With your online Windows machine, download and install Bitcoin-Qt. This is the official Bitcoin client; Armory needs Bitcoin-Qt installed if we want to run it in online mode.
Run Bitcoin-Qt when it’s finished installing. Bitcoin-Qt needs to download the blockchain (the public ledger of all Bitcoin transactions) when it runs for the first time. While doing this the program will report ‘Synchronizing with the network’. This can take a long time to complete. Be prepared to let your computer work on this task overnight or longer.
While this is happening you can install the Windows version of Armory that you downloaded earlier (or download it here: Get Armory).
Online computer: Preparing the USB key with installable Ubuntu
On the online computer, remove all other USB sticks and insert the one reserved for installing Ubuntu. Format the stick using the FAT32 option. Next open Unetbootin. In Unetbootin, click the ‘Diskimage’ radio button. Ensure that the dropdown next to it reads ‘ISO’.
Click the ‘…’ button over to the right and navigate to where you placed the ubuntu-10.04.4-desktop-i386.iso file, select that file so that its path appears in the text input field. Ensure that the ‘Type’ dropdown reads USB Drive. The ‘Drive’ dropdown should automatically show the correct device identifier for your USB stick if it’s the only one plugged in (NB. your stick should be plugged in before running Unetbootin).
Click ‘Ok’ and accept any prompts that appear. Unetbootin will now work for a while creating the necessary files on the USB stick. Safely eject and remove the stick when complete.
Offline computer: Disabling connectivity and installing Ubuntu
Start up your offline computer and hold down F12 to enter BIOS Setup.
When in the setup screen, use the arrow keys to highlight the ‘Wireless’ group in the left-hand list. Press enter to reveal the sub items. Using the arrow keys and enter, set each of these sub items (if available) as follows:
- Internal Bluetooth: Off
- Internal Wi-Fi: Off
- Internal Cellular: Off
- Wi-Fi Switch: None
- Wi-Fi Catcher: Off
Next insert the Ubuntu install USB key into the offline machine. While still in the BIOS setup pages, press Escape, and then select ‘Save/Exit’ to save your changes and restart the machine. Hold down F2 while it’s restarting.
In the boot menu that appears, choose the option to boot from a USB device. Ubuntu should start up. Accept any prompts that might appear.
Once start up has completed, you should see an icon on the desktop labelled Install Ubuntu 10.04.4 LTS. Double click this and follow the instructions in the screens that appear to install and configure Ubuntu on the hard drive of the offline machine. I chose to use the entire hard drive as the Ubuntu partition (deleting Windows XP) to keep things simple. You will be prompted to restart the machine once configuration is complete, do so.
Offline computer: Installing Armory
Safely eject the USB stick from the offline computer and insert it into the online computer. Copy the file Armory_0.86.3_Offline_Ubuntu10.04-32bit.zip onto the stick. Safely remove it and reinsert into the offline machine. Copy the package to the desktop and unzip it.
There’s a .sh script in this package that we need to run. In the version of the package that I downloaded the script was called Install_All_Deps.sh. Yours may have a different name. Try double clicking it to run the script in a terminal window. If that doesn’t work do the following:
Press Ctrl + Alt + t to open a terminal window. Enter the following lines one by one:
cd Desktop/Armory_0.86.3_Offline_Ubuntu10.04-32bit
sudo bash Install_All_Deps.sh
You may need to change the exact paths and filenames entered here to match the package and script name in case your version uses different names to the one I downloaded.
When the script runs, you will be prompted for the password you entered when setting up Ubuntu (if applicable), enter it. Armory and its dependencies will install and you should see a success message in the terminal.
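One way to confirm the air gap on the offline computer before any wallet is generated, as an added example (not part of the original walkthrough and not Armory's own code): the script reads Linux sysfs and reports any non-loopback interface with a live link, any wireless interface that still exists, and any radio that rfkill lists as unblocked. The function name airgap_findings and the --check argument are made up for this example.

```shell
#!/bin/sh
# Added example: air-gap check for the offline computer (reads sysfs only).
# Usage on the offline machine:  sh airgap_check.sh --check

# airgap_findings [SYSFS_ROOT]
# Prints one line per finding. Returns 0 when nothing was found, 1 otherwise.
# SYSFS_ROOT defaults to /sys; it is a parameter only so the logic can be
# exercised against a constructed directory tree.
airgap_findings() {
    sys="${1:-/sys}"
    found=0

    # 1. Network interfaces other than loopback.
    for dev in "$sys"/class/net/*; do
        [ -d "$dev" ] || continue
        name=$(basename "$dev")
        [ "$name" = "lo" ] && continue
        state=$(cat "$dev/operstate" 2>/dev/null || echo unknown)
        # Reading "carrier" fails on an interface that is down; treat as 0.
        carrier=$(cat "$dev/carrier" 2>/dev/null || echo 0)
        if [ "$state" = "up" ] || [ "$carrier" = "1" ]; then
            # A cable is plugged in or a link is otherwise established.
            echo "LINK-UP interface=$name operstate=$state"
            found=1
        elif [ -e "$dev/wireless" ] || [ -e "$dev/phy80211" ]; then
            # A Wi-Fi device is still visible, so the BIOS setting
            # did not remove it from the system.
            echo "WIRELESS-PRESENT interface=$name operstate=$state"
            found=1
        fi
    done

    # 2. Radios known to rfkill (Wi-Fi, Bluetooth, cellular).
    #    state: 0 = soft blocked, 1 = unblocked, 2 = hard blocked.
    for rf in "$sys"/class/rfkill/*; do
        [ -d "$rf" ] || continue
        rtype=$(cat "$rf/type" 2>/dev/null || echo unknown)
        rstate=$(cat "$rf/state" 2>/dev/null || echo unknown)
        if [ "$rstate" = "1" ]; then
            echo "RADIO-UNBLOCKED type=$rtype name=$(cat "$rf/name" 2>/dev/null)"
            found=1
        fi
    done

    return $found
}

# Run the check only when asked, so the function can also be sourced.
if [ "${1:-}" = "--check" ]; then
    if airgap_findings; then
        echo "OK: no live link, wireless interface or unblocked radio found"
    else
        echo "STOP: resolve the findings above before creating a wallet"
    fi
fi
```

An unplugged Ethernet port is not reported; it becomes a LINK-UP finding as soon as a cable with a live link is attached.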
Offline computer: Running Armory and setting up a savings wallet
Now start Armory from the menu bar: Applications - Internet - Armory (Offline). If opening Armory for the first time, click the ‘Create Your First Wallet’ button. Otherwise click the ‘Create Wallet’ button.
Accept the default name of Primary Wallet. Uncheck Use wallet encryption. It would be important to use encryption if we were storing the wallet on the offline machine while we weren’t sitting behind it, but we won’t be doing that so encryption isn’t necessary.
Check the Print a paper-backup of this wallet box and click the Accept button. After a short while a window entitled Print Wallet Backup will open.
Creating a physical wallet record
We need to make a physical record of at least three pieces of information from the sheet that Armory has generated for us: Wallet Unique Id, Root Key and Chain Code. The quickest way to do this is to print the sheet that Armory generated. A more time consuming way is to manually write down the information.
How you create and store the physical record of this information (or records, if you choose to make more than one) is up to you. Here are some things to bear in mind:
- You probably want the record(s) to be recoverable in case of fire or flood at the location in which they are stored.
- Assume that anyone else who views the information on your physical record is able to recreate your wallet in Armory without you knowing about it, which means they can spend the coins contained in it at any time (possibly years in the future). Bearing this in mind, it would be a mistake to employ a third party to engrave, etch or print this information, for instance.
- It might be wise to create more than one record of this information, in case there’s a chance of one of the records being destroyed or lost.
- You may want your next of kin to be able to recover the record in case of your death.
- Do not print a paper copy of this information over WiFi, as this can be intercepted. If you’re going to print it, connect a printer directly to your offline computer with a USB cable.
- Some printers may have internal memory and store a cache of the pages they print. Bear in mind that such a cache is a possible attack vector.
- Consider drawing your curtains before working with your physical record, or Armory’s on-screen representation of this data.
- You may want to store the physical record in such a way that you could tell if someone else had seen it since you last used it (since this would mean it’s no longer safe to store funds here).
Before creating your final physical record, I recommend simply writing down the information and testing that it works before you send any coins to your wallet. Write carefully so that there’s no ambiguity about any of the characters. Of course you still need to be careful to keep this written information strictly to yourself.
Delete your wallet, for practice
Once you’ve safely written down the information (or carefully made a physical record of it somehow) press cancel to get back to Armory’s main screen. With the Primary Wallet selected, click the Wallet Properties button, and then click the Delete/Remove Wallet link. Choose Permanently Delete This Wallet. Press the Delete button.
Import your wallet
Now click Import Wallet and Restore from paper backup. Enter the Root Key and Chain Code from your physical record. Uncheck Encrypt Wallet and click OK. You’ll see that your wallet has been successfully recreated (it lost its name in the process, but that’s okay).
That’s how you’ll recreate your savings wallet on your offline machine in the future. This is a necessary step when you want to send any funds contained in it.
Exporting a ‘Watch Only’ wallet
Because your offline computer has no access to the Blockchain, it can’t know how many Bitcoins are attached to any of the addresses in your savings wallet. But of course you do want to know this information in the future. To arrange this we need to export a ‘Watching-Only Copy’ of the savings wallet, so that we can watch its balance on our online computer.
On your offline machine, with the freshly recreated savings wallet selected in Armory’s main screen, click Wallet Properties and Create Watching-Only Copy. Save the resulting file to your USB key.
Delete the savings wallet from Armory again. Even though we will be using it again during this walk-through, deleting it each time and recreating from a physical record as needed is a good habit to cultivate.
Importing the ‘Watch-Only’ wallet
Once Bitcoin-Qt has finished synchronising on the online computer, open Armory. You’ll see several programs inside the Armory folder under the All Programs menu. The appropriate version to run on the online machine is labelled Armory Bitcoin Client. Armory will first scan the blockchain, which will take a while. Wait for the scan to complete.
Insert the USB key into the online computer. Then in Armory: Import Wallet and Import Wallet from file. Navigate to the USB key in the file chooser, select the .wallet file that you copied to the USB stick, and click Open.
After a short delay Armory will tell you that the wallet was imported successfully, and that another scan has to take place to accurately display the balance of this new wallet. Click Yes to start the scan. This scan took a few minutes to complete for me.
After the scan is complete, you should see your wallet listed in the Available Wallets list, displaying a balance of 0.00.
With the wallet selected, click Wallet Properties and use Change Wallet Labels to give it a descriptive name like ‘Savings Wallet (watch)’.
Click the blue link next to the Belongs to label. Check the This wallet is mine checkbox and click OK. Click Go Back to get to the main screen again.
Get a Receive address for your savings wallet
With the wallet still selected click Receive Bitcoins. Armory will warn you that you’re requesting a payment address for a wallet whose funds you cannot spend from this computer. That’s as we want it, so click OK.
In the New Receiving Address window that opens, add a label to the address: ‘Test receiving address’. And click the Copy to Clipboard link beneath the text representation of the new address.
At any time you can view all the receiving addresses you’ve requested in this way in the wallet properties screen.
Next we want to be able to send a small amount of funds to the savings wallet to test that that works as expected (we don’t want to send all the money at once, just in case something goes wrong).
Send a test payment to the savings wallet
Transfer a small amount of Bitcoins from your third party service to the receive address of your wallet, which should still be in your clipboard (try to avoid manually typing in the address if possible, to avoid errors). I transferred 0.01 BTC, which at the time of writing is about one dollar’s worth.
If you include a transaction fee (0.0005BTC is usual at the time of writing this), your transaction will quickly be ‘seen’ by your online computer, which will update the balance of your savings wallet to display the amount you sent. Notice that at this point, the new funds are part of an unconfirmed transaction, which means you’d need to wait a while before you’d be able to spend those funds.
Next we’ll transfer that amount back to where it came from, to satisfy ourselves that we understand how to spend the funds in the savings wallet when we need to, and that we’re able to do so. We don’t need to wait for the transaction to reach confirmed status before we start preparing this next step.
Execute an offline transaction
On your online computer, navigate to the website where you’re storing your Bitcoins currently. Somewhere on that site you should be able to find a Bitcoin receiving address associated with your account there. Copy that address to your clipboard.
Using the online computer still, back in Armory, with the savings wallet selected, click the Offline Transactions button and then Create New Offline Transaction. Next you’re required to select a wallet. Since we only have one, that will be selected by default. Click OK.
In the Send Bitcoins window that opens, paste the receiving address of the webcoin service into the Address 1 field. In the amount field, fill in a small amount. You should choose an amount that, when deducted from your current savings wallet balance, leaves enough left over to cover the suggested transaction fee (in my case this fee is 0.0005). Including a transaction fee means that the transaction will be processed more quickly by the network.
In the comment field I added ‘Testing sending money from savings account’.
Next click Create Unsigned Transaction in Armory. A dialogue will appear summarising the transaction details. Check that they look okay then click continue. A window entitled Offline transaction will appear, giving instructions for how to complete the transaction. Read it through to make sure you understand what’s going on. When you’re satisfied, click the Save as file button. Accept the suggested file name and save the file to the USB stick.
Safely eject the stick. Plug it into the offline computer and turn it on. Open Armory (Offline) as before. Making sure no one can watch what you’re doing, retrieve the physical record you made. Click Import Wallet and enter the Root Key and Chain Code for your savings wallet as before. Once the wallet has been imported click Offline Transactions, Sign Offline Transaction and Load file. Navigate to your USB stick and open the file ending in .unsigned.tx.
Review the details of the transaction when Armory has loaded it. When satisfied that all is correct, click Sign. Armory will again show you a summary of the transaction. Once you’ve confirmed this, Armory will ask if you want to overwrite the unsigned transaction file with the newly signed version; choose Yes.
As before, delete the savings wallet from Armory on your offline computer now that we’ve finished using it.
Take the USB stick back to the online computer and insert it. The Offline Transaction window should still be open, click Next Step. Alternatively from the main screen click Offline Transaction and Sign and/or Broadcast Transaction.
From the Review Offline Transaction screen that opens, click Load file…, and choose the file from your USB stick ending in .signed.tx. Verify that the details of the new transaction are still correct, and then click the Broadcast button to tell the rest of the Bitcoin network about the transaction.
After the broadcast has been sent Armory will ask whether you want to have the signed transaction file deleted. Since we don’t need it anymore, to avoid future confusion click Yes.
You’re now familiar with how to safely get funds in and out of your savings wallet. Feel free to repeat the above steps with small amounts of bitcoins until you’re comfortable that you understand what’s going on.
When you’re ready, use the methods described above to transfer all, or a larger portion, of your Bitcoins to the savings wallet. Although you can successfully use previously generated receiving addresses to accept transfers to your savings account, for privacy it’s a good idea to generate a new receiving address for each transfer, wherever practical. So get Armory to supply you with a new receiving address for each new transfer that you make from your third party Bitcoin website to your savings address.
If you haven’t done so already, create a durable and secure version (or versions) of your physical record, and store it very safely.
With all the set-up work done it’s also not much more work to create multiple savings wallets and spread your funds across them if you like.
Donate to Armory Developers
If you appreciate Armory, don’t forget that there’s a donate to Armory Developer button built into Armory, on the Send Bitcoins window.
Donate to me
If this guide was useful for you, you can also donate to me using: 13WEq9EQJ4Tck8LRxSWU7DgvfH4r8rLMDQ