In Electrum it is possible to generate private keys on a network-disconnected machine (main), copy the master public key to the machine with network access and have a watching wallet there. That wallet sees all the transactions and can even create transactions spending the coins stored in the wallet, but it cannot sign them. To sign, the transaction is copied to the network-disconnected machine, signed there and then copied back to broadcast.
The benefit of this approach is that if you get malware from the network, it cannot steal your bitcoin. It can destroy your anonymity but it is less severe.
I would like Wasabi to support this mode. Coin Join function is also needed. This can be achieved with the following compromise: the user can generate the private key only from the coin that is being mixed and give only this key to the watching wallet. This private key is useless for spending any other coin in the wallet and it is also useless after the coin is sent, so the exposure to a possible malware will be limited in time and in space. The same method can be used for regular sending as well. It will work in the same way as now, but you will copy per-coin private key, not the main password.
So we have two alternatives: either signing transactions on the network-disconnected machine or copying a per-address private key from the network-disconnected machine to the watching machine. The second option is the only user-friendly option for coin join. It also has the advantage that you don't need to copy data in two directions (both watching->main and main->watching), but only in one (main->watching). This reduces the risk that you infect your network-disconnected machine with malware. Also the private key can be encoded into a word mnemonic (like a seed) and re-typed by the user to avoid any electronic means of information transfer. The downside is that if the malware is already on your watching machine, it can steal the coin you are about to send. But it is better to lose one coin than all coins.
air-gapped mode does sound interesting, though not sure how the wallet will know if the keys have coins or not.
Though to copy only one private key to the hot machine won't do, because there are many failed rounds which require using a new output address. So I think it does not make sense to support the coin join feature for air-gapped wallets. This is similar to how hardware wallets do not allow coin join in the current implementation.
I think air gapped mode is well-suited for Wasabi's current design. In Wasabi (unlike other wallets) we let users do stuff and only fail when something is not available. (For example we won't prevent sendtransaction if the wallet is not yet fully synced.)
On the other hand, Wasabi is privacy focused, so moving towards airgapped mode is a distraction.
> not sure how the wallet will know if the keys have coins or not.
The offline wallet does not know it. In one approach it gets unsigned transaction from the online watch only wallet and signs it. If there are no such coins or they are already spent, then... well, the signed transaction is invalid and won't be accepted by the blockchain anyway. It works this way in Electrum. In another approach that I proposed the user copies the private key of a coin from the offline wallet to online wallet. So it is the user's task to select the right address in the offline wallet and to copy its key.
> Though to copy only one private key to the hot machine won't do, because there are many failed rounds which require using a new output address.
In this approach the user copies the private key of the input address, not of the output. If a round fails, the online wallet just selects a new output address (which it can do without knowing a private key). The input UTXO is the same in all attempts and the wallet remembers its private key until some attempt succeeds.
> So I think it does not make sense to support the coin join feature for air-gapped wallets. This is similar to how hardware wallets do not allow coin join in the current implementation.

It is unfortunate that coin join does not work with hardware wallets. I don't think it is a good reason not to support it in air gap mode. Coin-join is the biggest advantage of Wasabi, so I think it should work with as many modes as possible. Now I have to choose between privacy (Wasabi) and security (Electrum in air gap mode). The main point of having privacy is to increase security (but from different kind of threats), so I would prefer to have both :-)
> I think air gapped mode is well-suited for Wasabi's current design. In Wasabi (unlike other wallets) we let users do stuff and only fail when something is not available. (For example we won't prevent sendtransaction if the wallet is not yet fully synced.)
:+1:
> On the other hand, Wasabi is privacy focused, so moving towards airgapped mode is a distraction.
I want to have both :-)
Privacy and security are needed for the same reason: to provide economic freedom. If funds are stolen, I don't care much if they were private or not.
Also guys I would be happy to join the development and implement this feature, but I need some guiding to start.
> Also guys I would be happy to join the development and implement this feature, but I need some guiding to start.

Simply clone the repo, read this https://docs.wasabiwallet.io/building-wasabi/HowToDebug.html and start asking questions.
Actually copying a private key to the hot machine is a bad idea.
From https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki :
> One weakness that may not be immediately obvious, is that knowledge of a parent extended public key plus any non-hardened private key descending from it is equivalent to knowing the parent extended private key (and thus every private and public key descending from it).
So knowing of account zpub + private key of any child => knowing of account zprv.
So the proposed approach would give the hot machine knowledge of zprv (which we want to avoid).
this is a good point @ratpoison4 - but, I'm not sure if Wasabi hardens the keys... I see no reason why not though... @lontivero ?
According to https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki the path is
`m / purpose' / coin_type' / account' / change / address_index`
So the account is hardened.
But change and address_index are not hardened, and there is a reason for this -- public keys do not work on hardened parts of the path, so you need to have parts under zpub non-hardened to be able to generate them from zpub. So disclosing a single private key of an address together with zpub knowledge gives an attacker all private keys.
So for the proposed approach of copying private keys from an offline machine to a hot machine you need a separate path (possibly on the same seed) in which all parts are hardened. The user transfers many addresses (e.g. 100) to the hot machine in advance and transfers the private key on demand when it is needed to sign a tx.
For those interested you can maybe try the following workaround:
Votollo's idea: https://www.reddit.com/r/WasabiWallet/comments/j1ynnx/cold_wasabi_for_an_airgapped_computer/g84bzk1?utm_source=share&utm_medium=web2x&context=3
Do you need wasabi wallet on a cold machine to sign an offline transaction?
What about creating an electrum wallet on a cold machine, exporting master extended public key, and importing it into wasabi wallet on a hot machine?
In my theory, any wallet that supports BIP-39 mnemonic code and can sign transactions with BIP-32 master extended private key on a cold machine will suffice. Does the offline wallet need to support BIP-84?
> Do you need wasabi wallet on a cold machine to sign an offline transaction?
No, Wasabi doesn't have an option to sign transactions.
> What about creating an electrum wallet on a cold machine, exporting master extended public key, and importing it into wasabi wallet on a hot machine?
Wallets created using Electrum can't be restored in Wasabi.
> Wallets created using Electrum can't be restored in Wasabi.
Electrum and wasabi support BIP-39 mnemonic code and BIP-32 extended keys and bech32 addresses.
Export mnemonic code from electrum. Import it in wasabi.
Create an unsigned transaction on wasabi. Sign it in electrum on a cold machine.
You can save account names in a text file or a separate database.
For these reasons, Electrum does not generate BIP39 seeds.
https://electrum.readthedocs.io/en/latest/seedphrase.html
Electrum's seed mnemonic is not compatible with other wallet software so you can't restore from seed in any other wallet.
https://www.reddit.com/r/Electrum/comments/d7rfcw/restore_electrum_wallet_in_other_wallets_eg/
Okay, I did not see that.