How-to: Use Monero with Wallet Isolation in Qubes-Whonix ™
From Whonix
Introduction[edit]
This instructions document how to isolate the network part (monerod
) from the wallet part (Monero Wallet) for better security. monerod
is the Monero daemon, a full blockchain verifying background process which downloads and verifies the whole blockchain.
That advantage of this setup is, should there ever be a vulnerability that allows the exploitation of monerod
by malware, then all user funds would remain safe, since these would remain isolated in the Monero Wallet in a different VM.
If monerod
was ever compromised, then this setup would have the same issues as descried on the Monero wiki page in chapter Remote Node Security and Privacy Considerations. This is an issue unspecific to these instructions.
The connection scheme is Monero Wallet
→ monerod
→ Tor
→ Monero network
.
Instructions on this wiki page are compatible with the Whonix ™ isolating proxy feature, i.e. after disabling transparent proxying.
Inappropriate Use of Root Rights should be avoided. Instructions on this wiki page have been carefully crafted with when to use and when not to use sudo
in mind. The user should not use sudo
unless instructed in documentation. [1]
Credits: These instructions are based on How to use Monero CLI/daemon with Qubes + Whonix [archive] by getmonero.org [archive].
Prerequisite Knowledge[edit]
Since this setup is more complex and for advanced users only, it is highly recommended to acquire essential knowledge about the usage of Monero first without reference to the instructions on this wiki page as per the "normal", simpler instructions on the Monero wiki page. Only after the essential knowledge has been acquired, the more complex setup documented on this wiki page should be layered on top.
Exercising with small amount of value is recommended but not too small (below the dust level, unable to move funds due to funds being worth less than the required transaction fees). Exercising on Monero testnet first should also be considered. This is unspecific to Whonix ™.
1. Optional. How to use Monero Wallet GUI.
If the end-goal is using an offline (airgap) Monero Wallet, learning how to use Monero Wallet GUI would be expendable.
2. How to use Monero Wallet CLI.
Wallet creation, receiving funds, spending funds.
Setup[edit]
Qubes dom0
Configuration[edit]
Create App Qubes[edit]
In dom0
.
It is easier to use the exact same names as in the example below in this chapter. Otherwise, adjustments in next chapter "Qubes qrexec Policy Configuration" would be required.
Qubes VM Manager
→ VM
→ Create App Qube
- Create Qubes-Whonix-Workstation ™ App Qube
- Name:
monero-wallet-ws
. - Color: Choose a color label for the Whonix-Workstation ™ App Qube. Optional suggestion:
yellow
- Use this template: Choose the Whonix-Workstation ™ Template. For example:
whonix-ws-16
. - Standalone: Leave the Standalone field unchecked.
- Type: Choose the type
App Qube
. - Allow networking: Choose
none
. - Press:
OK
.
- Name:
Qubes VM Manager
→ VM
→ Create App Qube
- Create
monerod-ws
App Qube- Name:
monerod-ws
. - Color: Choose a color label for the Whonix-Workstation ™ App Qube. Optional suggestion:
red
- Use this template: Choose the Whonix-Workstation ™ Template. For example:
whonix-ws-16
. - Standalone: Leave the Standalone field unchecked.
- Type: Choose the type
App Qube
. - Allow networking: Choose the desired Whonix-Gateway ™ ProxyVM from the list. For example:
sys-whonix
. - Press:
OK
. - Make sure this workstation has enough private storage. You can estimate how much space you need by checking the size of the raw blockchain. Keep in mind that the blockchain will take up more space with time.
- Name:
Qubes qrexec Policy Configuration[edit]
In dom0
.
1. Create the file /etc/qubes-rpc/policy/user.monerod
:
sudo nano /etc/qubes-rpc/policy/user.monerod
2. Add the following line:
Note: If the user is using different names for the VMs other than monero-wallet-ws
and monerod-ws
, the next line would have to be modified accordingly. If the user is using the exact names as suggested in previous chapter "Create App Qubes", then no modifications are required.
monero-wallet-ws monerod-ws allow
3. Save and close file.
4. Done.
Qubes dom0
setup is complete.
monerod-ws
VM Configuration[edit]
Note: The following instructions should be applied in Whonix-Workstation ™ (Qubes-Whonix ™: App Qube monerod-ws
).
1. Create folder ~/.config/systemd/user
.
mkdir -p ~/.config/systemd/user
2. Create file ~/.config/systemd/user/monerod.service
.
Open file ~/.config/systemd/user/monerod.service
in a text editor of your choice as a regular, non-root user.
If you are using a graphical environment, run.
mousepad ~/.config/systemd/user/monerod.service
If you are using a terminal, run.
nano ~/.config/systemd/user/monerod.service
3. Paste the following contents. [2]
[Unit] Description=Monero Full Node After=network.target [Service] Type=simple PIDFile=/home/user/.bitmonero/monerod.pid ## https://github.com/monero-project/monero/issues/5098 KillSignal=SIGKILL Environment=DNS_PUBLIC=tcp Environment=TORSOCKS_ALLOW_INBOUND=1 ExecStart=torsocks monerod --data-dir=/home/user/.bitmonero \ --no-igd --hide-my-port --pidfile=/home/user/.bitmonero/monerod.pid \ --log-file=/home/user/.bitmonero/bitmonero.log --p2p-bind-ip=127.0.0.1 \ --non-interactive Restart=always PrivateTmp=true [Install] WantedBy=default.target
4. Save and close file.
5. Reload systemd user instance.
systemctl --user daemon-reload
6. Optional: Enable autostart for the monerod
systemd user instance.
systemctl --user enable monerod
7. Start monerod
systemd user instance.
systemctl --user restart monerod
8. Done.
Creation and configuration of monerod
systemd user unit has been completed.
monero-wallet-ws
VM Setup[edit]
Note: The following instructions should be applied in Whonix-Workstation ™ (Qubes-Whonix ™: App Qube monero-wallet-ws
).
1. Open file /rw/config/rc.local
in an editor with root rights.
This box uses sudoedit
for better security [archive]. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.
sudoedit /rw/config/rc.local
2. Append at the bottom.
socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm monerod-ws user.monerod"
3. Save and close file.
4. Make the /rw/config/rc.local
script executable.
sudo chmod +x /rw/config/rc.local
5. Restart the monero-wallet-ws
VM.
6. Done.
Setting up automatically starting the socat
process has been completed.
Usage[edit]
Introduction[edit]
Note: On the host (Qubes users: in dom0
).
The involved VMs need to be started using any usual method (using Qubes VM Manger (QVMM), starting a terminal emulator or otherwise).
1. Start monerod-ws
VM.
2. Expectations.
Nothing is expected to happen. monerod
is a background service. To monitor it, see chapter monitoring.
3. Start monero-wallet-ws
VM.
Note: The following instructions should be applied in Whonix-Workstation ™ (Qubes-Whonix ™: App Qube monero-wallet-ws
).
3. Start Monero Wallet. Either,
- A) Start Monero Wallet GUI using any method (from start menu, from command-line or autostart), or
- B) Monero Wallet CLI using any method.
Monero Wallet GUI First Time Setup[edit]
This first time setup only needs to be performed once.
Optional. The user could also avoid using Monero Wallet GUI and use Monero Wallet CLI instead.
Monero Wallet GUI lacks support for multisig and offline signing.
Note: The following instructions should be applied in Whonix-Workstation ™ (Qubes-Whonix ™: App Qube monero-wallet-ws
).
1. Monero Wallet GUI → Choose Advanced Mode
.
2. After Monero Wallet GUI was started it will ask to create or restore a wallet as usual, which is unspecific to these instructions.
3. Configure Monero Wallet GUI to use local monerod
(which is running in monerod-ws
VM).
The following settings will be called remote node
. This is no need for concern. See footnote. [3]
Monero Wallet GUI should now be running. Go to: [4]
Connect to a remote node
→ Add Remote Node
→ Address:
127.0.0.1
→ Port:
18081
Damon username
: No modifications required. Leave empty.Daemon password
: No modifications required. Leave empty.- It is discouraged to select
Mark as Trusted Daemon
. [5]
Using a "remote node" in this case is safe, see footnote for explanation why it is safe. [3]
(If Monero Wallet GUI was already started, these settings can be found under: Settings
→ Node
)
4. Done.
Monero Wallet GUI First Time Setup has been completed.
Monero Wallet CLI First Time Setup[edit]
Alternatively Monero Wallet GUI can be used.
Note: The following instructions should be applied in Whonix-Workstation ™ (Qubes-Whonix ™: App Qube monero-wallet-ws
).
Start Monero Wallet CLI.
monero-wallet-cli
Monero Wallet CLI is more "clever" and automatically detects the already available monerod
. [6] Therefore as opposed to Monero Wallet GUI, no "remote node" configuration is neccessary.
Monitoring[edit]
Note: The following instructions should be applied in Whonix-Workstation ™ (Qubes-Whonix ™: App Qube monerod-ws
).
Check the status of the monerod
systemd user service.
systemctl --user status monerod
Follow the journal log of the monerod
systemd user service.
journalctl --boot --user -f -u monerod
Follow the log file of the monerod
.
tail -f ~/.bitmonero/bitmonero.log
View the log file of monerod
.
Open file ~/.bitmonero/bitmonero.log
in a text editor of your choice as a regular, non-root user.
If you are using a graphical environment, run.
mousepad ~/.bitmonero/bitmonero.log
If you are using a terminal, run.
nano ~/.bitmonero/bitmonero.log
For the initial author of this wiki page it took approximately 7 minutes from monerod
log file starting SYNCHRONIZATION started
until further progress on synchronization having actually started has been reported.
2021-11-02 10:53:55.204 [P2P4] INFO global src/cryptonote_protocol/cryptonote_protocol_handler.inl:413 SYNCHRONIZATION started 2021-11-02 11:00:20.821 [P2P9] INFO global src/cryptonote_protocol/cryptonote_protocol_handler.inl:1680 Synced 201/2484385 (0%, 2484184 left)
See Also[edit]
Donations[edit]
After installing the Monero with wallet isolation server, please consider making a donation to Monero and Whonix ™ project (Donate) to help keep it running for many years to come.
Donate Monero (XMR) to Whonix ™.
49sP9cMQ5jvhzKW477TH6NJJ2z3pqD8pYRqCyCAqN1Y7QYQMxKf7SPq356BBiNcRwzagpcjqkK66LG4wwr37YjSS3kY3x5P
Footnotes[edit]
- ↑
The
systemctl --user
must be run as normal, non-root user withoutsudo
because these aresystemd
user units and notsystemd
system units. - ↑
Do not use
--detach
- outdated style for daemons. Better error handling without. - ↑ 3.0 3.1
This is safe, because connection will be made from
monero-wallet-ws
VM Monero Wallet to a self-hosted servermonerod
running inmonerod-ws
. - ↑
Monero Wallet GUI fails to detect already running
monerod
[archive] - ↑ Benefits would need to be researched and why trust if not needed.
- ↑
monero-wallet-cli
detects thatmonerod
's default port18081
is open on localhost. The detection mechanism is port based. Not process based.
Whonix ™ is Supported by Evolution Host DDoS Protected VPS. Stay private and get your VPS with Bitcoin or Monero.
100px | |
Fosshost | About Advertisements |
Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki
Want to make Whonix ™ safer and more usable? We're looking for helping hands. Check out the Open Issues and development forum.
Priority Support | Investors | Professional Support
Whonix ™ | © ENCRYPTED SUPPORT LP | Freedom Software / Open Source (Why?)
The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.