Tails on a USB thumb drive as a signer and wallet. Going Deep...

By Saniat0r | my_bitcoin_articles | 10 Oct 2020


  • Create a signer and broadcast using Tails on two USB thumb drives.
  • Deep Cold Storage.


What now?

This tutorial is the third of a series of three wallet tutorials.

In the first one, we used Tails in DVD in a offline machine to create a seedkey with a passphrase. But since the DVD is read only, there is no way to write the wallet of the Electrum wallet on it.

In the second, we used again a Tails in a DVD and a encrypted USB thumb drive that allowed to store the wallet. This setup also run offline.

In the third and final one, we will use Tails in two USB thumb drive using the persistence storage option of Tails to store our wallet in one USB thumb drive and our watch only wallet in another. The Tails USB thumb drive with the wallet it will run offline and it will be the signer.
And we also will talk about deep cold storage.

Ok... But why did I wrote the second one? It is very similar to the third one.
First it is not easy to run Tails with persistent storage option in Virtualbox.
And second it's in alternative to store wallets without using Tails, because your are storing your wallet in a different device/storage.


Create a signer and broadcast using Tails on two USB thumb drives.

Doing this is very easy


Tails website has amazing help guide with pictures step by step of the process.

It will teach you how to create a Tails USB thumb drive in Linux, MacOS and Windows.

Don't forget to verify the PGP signature of your Tails installation medium. You need to be sure that your Tails is authentic and wasn't modified by an attacker.

You need to create two Tails USB thumb drives.

And you need to enable the encrypted persistence storage in both of them. This is where Tails will store the electrum wallets.

Don't forget to select that option on the configuration of the encrypted persistence storage.


The first thumb drive it will be the signer and this will run always offline.

You will create your wallet in here. You will get your seedkey in here and type the passphrase in here.

And you will not ever put your seedkey and passphrase on a online machine.

This means that you never connect this thumb drive to your computer when the computer is online.


The second one it will be your broadcaster and runs online. But only has your watch only wallet.

A watch only wallet don't hold any private keys, so you can't sign any transactions.


But you will need a way to communicate the transaction data between the broadcaster and the signer.

You can use two webcams in each machine or you can use another USB thumb drive formated in vfat filesystem. Making this setup using a total of three USB thumb drives.

And remember the vfat filesystem on Linux doesn't allow to run executables. So this is good way to exchange the transaction data between the signer and the broadcaster.

Is not 100% safe. Because there isn't such a thing, but it is pretty good.


Deep Cold Storage

In the first guide we created a seedkey with passphrase that will never be online. But the setup didn't allow to store this seedkey with passphrase as a wallet.


In the second guide we could store the wallet and sign transactions, creating what is called a signer.  And in both guides we created watch only wallets.  That are wallets without the private keys and only have the public keys. From the public keys you can generate addresses.


When using this setup your watch only wallet it will be online. And it will request your balance to your node or to someone else node. Being the last option the less private since the node operator can know your balance or ban you from using the network at all. Because this node is a 3rd party.

If you don't run your own node, you require always a 3rd party to allow you to use the network. And this is a point of failure and centralize the network.

Besides this, even connected to your node  there is the problem of plausibility deniability.

If your machine get compromised, other people will know your balance.

And in the limit (put your thin foil hat on) you know your balance.


So deep cold storage consists on a wallet that it will be always offline. And you can use Tails for this, just creating the wallet and configuring a printer.

When using this wallet, you print the qr codes of the addresses for receiving bitcoin on a printer, checking that your printer is a safe printer.

The best option is to use a very old printer. Buy one second hand if needed.

To send bitcoin to your wallet you just send to the qr codes of the addresses you printed.

And after using each address, destroy that qr code.

Don't send always the same amount and use Coinjoin to increase the privacy of your coins.

In this way you will not know how much you own.

So even if you are captured and drugged you will not know your balance.

And if you hide wallets using passphrases, even in case of being kidnapped our someone you care being kidnapped and you had to give up on your seedkey. You can still have a hidden wallets in that seedkey and you will not loose all your coins.

You can use a few hidden wallets with less amount as bait and hide your main stash in another one.

But this must be avoided, physical security is as important as online security.

If you are your own bank you need to take care of the security that comes with that responsibility.

And physical threats are much dangerous for your health than online threats. Because it is much easier to break your legs that hack your computer.

Always take online and physical threats very serious and act accordingly!


Be safe and hodl!



How do you rate this article?




This is my blog about bitcoin.

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.