
How-to: Use Monero with Wallet Isolation in Qubes-Whonix ™

From Whonix




Introduction

These instructions document how to isolate the network part (monerod) from the wallet part (Monero Wallet) for better security. monerod is the Monero daemon, a background process that downloads and verifies the whole blockchain.

The advantage of this setup is that, should there ever be a vulnerability allowing malware to exploit monerod, all user funds would remain safe, since they stay isolated in the Monero Wallet in a different VM.

If monerod was ever compromised, then this setup would have the same issues as described on the Monero wiki page in chapter Remote Node Security and Privacy Considerations. This issue is not specific to these instructions.

The connection scheme is Monero Wallet → monerod → Tor → Monero network.

Instructions on this wiki page are compatible with the Whonix ™ isolating proxy feature, i.e. after disabling transparent proxying.

Inappropriate Use of Root Rights should be avoided. Instructions on this wiki page have been carefully crafted with the question of when to use sudo and when not to in mind. The user should not use sudo unless instructed to in the documentation. [1]

Warning: This is for testers-only!

Credits: These instructions are based on How to use Monero CLI/daemon with Qubes + Whonix by getmonero.org.

Prerequisite Knowledge

Since this setup is more complex and for advanced users only, it is highly recommended to first acquire essential knowledge about Monero usage by following the "normal", simpler instructions on the Monero wiki page, without reference to this wiki page. Only after that essential knowledge has been acquired should the more complex setup documented here be layered on top.

Exercising with a small amount of value is recommended, but not too small (below the dust level, where funds cannot be moved because they are worth less than the required transaction fees). Exercising on Monero testnet first should also be considered. This is not specific to Whonix ™.

1. Optional. How to use Monero Wallet GUI.

If the end goal is an offline (air-gapped) Monero Wallet, learning how to use Monero Wallet GUI can be skipped.

2. How to use Monero Wallet CLI.

Wallet creation, receiving funds, spending funds.

Setup

Qubes dom0 Configuration

Create App Qubes

In dom0.

It is easier to use the exact same names as in the example below in this chapter. Otherwise, adjustments in the next chapter "Qubes qrexec Policy Configuration" would be required.

Qubes VM Manager → VM → Create App Qube

  • Create Qubes-Whonix-Workstation ™ App Qube
    • Name: monero-wallet-ws.
    • Color: Choose a color label for the Whonix-Workstation ™ App Qube. Optional suggestion: yellow
    • Use this template: Choose the Whonix-Workstation ™ Template. For example: whonix-ws-16.
    • Standalone: Leave the Standalone field unchecked.
    • Type: Choose the type App Qube.
    • Allow networking: Choose none.
    • Press: OK.

Qubes VM Manager → VM → Create App Qube

  • Create monerod-ws App Qube
    • Name: monerod-ws.
    • Color: Choose a color label for the Whonix-Workstation ™ App Qube. Optional suggestion: red
    • Use this template: Choose the Whonix-Workstation ™ Template. For example: whonix-ws-16.
    • Standalone: Leave the Standalone field unchecked.
    • Type: Choose the type App Qube.
    • Allow networking: Choose the desired Whonix-Gateway ™ ProxyVM from the list. For example: sys-whonix.
    • Press: OK.
    • Make sure this workstation has enough private storage. You can estimate how much space you need by checking the size of the raw blockchain. Keep in mind that the blockchain will take up more space with time.

Qubes qrexec Policy Configuration

In dom0.

1. Create the file /etc/qubes-rpc/policy/user.monerod:

sudo nano /etc/qubes-rpc/policy/user.monerod

2. Add the following line:

Note: If the user is using VM names other than monero-wallet-ws and monerod-ws, the next line has to be modified accordingly. If the user is using the exact names suggested in the previous chapter "Create App Qubes", no modifications are required.

monero-wallet-ws monerod-ws allow

3. Save and close file.

4. Done.

Qubes dom0 setup is complete.

monerod-ws VM Configuration

Note: The following instructions should be applied in Whonix-Workstation ™ (Qubes-Whonix ™: App Qube monerod-ws).

1. Create folder ~/.config/systemd/user.

mkdir -p ~/.config/systemd/user

2. Create file ~/.config/systemd/user/monerod.service.

Open file ~/.config/systemd/user/monerod.service in a text editor of your choice as a regular, non-root user.

If you are using a graphical environment, run.

mousepad ~/.config/systemd/user/monerod.service

If you are using a terminal, run.

nano ~/.config/systemd/user/monerod.service

3. Paste the following contents. [2]

[Unit]
Description=Monero Full Node
After=network.target

[Service]
Type=simple
PIDFile=/home/user/.bitmonero/monerod.pid

## https://github.com/monero-project/monero/issues/5098
KillSignal=SIGKILL

Environment=DNS_PUBLIC=tcp
Environment=TORSOCKS_ALLOW_INBOUND=1

ExecStart=torsocks monerod --data-dir=/home/user/.bitmonero \
    --no-igd --hide-my-port --pidfile=/home/user/.bitmonero/monerod.pid \
    --log-file=/home/user/.bitmonero/bitmonero.log --p2p-bind-ip=127.0.0.1 \
    --non-interactive

Restart=always
PrivateTmp=true

[Install]
WantedBy=default.target

4. Save and close file.

5. Reload systemd user instance.

systemctl --user daemon-reload

6. Optional: Enable autostart for the monerod systemd user instance.

systemctl --user enable monerod

7. Start monerod systemd user instance.

systemctl --user restart monerod

8. Done.

Creation and configuration of the monerod systemd user unit has been completed.

monero-wallet-ws VM Setup

Note: The following instructions should be applied in Whonix-Workstation ™ (Qubes-Whonix ™: App Qube monero-wallet-ws).

1. Open file /rw/config/rc.local in an editor with root rights.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /rw/config/rc.local

2. Append at the bottom.

socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm monerod-ws user.monerod"

3. Save and close file.

4. Make the /rw/config/rc.local script executable.

sudo chmod +x /rw/config/rc.local

5. Restart the monero-wallet-ws VM.

6. Done.

Setup of the automatically started socat process has been completed.

Usage

Introduction

Note: On the host (Qubes users: in dom0).

The involved VMs need to be started using any usual method (using Qubes VM Manager (QVMM), starting a terminal emulator or otherwise).

1. Start monerod-ws VM.

2. Expectations.

Nothing is expected to happen. monerod is a background service. To monitor it, see chapter Monitoring.

3. Start monero-wallet-ws VM.

Note: The following instructions should be applied in Whonix-Workstation ™ (Qubes-Whonix ™: App Qube monero-wallet-ws).

4. Start Monero Wallet. Either,

  • A) Start Monero Wallet GUI using any method (from start menu, from command-line or autostart), or
  • B) Monero Wallet CLI using any method.

Monero Wallet GUI First Time Setup

This first time setup only needs to be performed once.

Optional. The user could also avoid using Monero Wallet GUI and use Monero Wallet CLI instead.

Monero Wallet GUI lacks support for multisig and offline signing.

Note: The following instructions should be applied in Whonix-Workstation ™ (Qubes-Whonix ™: App Qube monero-wallet-ws).

1. Monero Wallet GUI → Choose Advanced Mode.

2. After Monero Wallet GUI was started it will ask to create or restore a wallet as usual, which is unspecific to these instructions.

3. Configure Monero Wallet GUI to use local monerod (which is running in monerod-ws VM).

The following settings are called remote node. This is no cause for concern. See footnote. [3]

Monero Wallet GUI should now be running. Go to: [4]

Connect to a remote node → Add Remote Node → Address: 127.0.0.1 → Port: 18081

  • Daemon username: No modifications required. Leave empty.
  • Daemon password: No modifications required. Leave empty.
  • It is discouraged to select Mark as Trusted Daemon. [5]

Using a "remote node" in this case is safe, see footnote for explanation why it is safe. [3]

(If Monero Wallet GUI was already started, these settings can be found under: Settings → Node)

4. Done.

Monero Wallet GUI First Time Setup has been completed.

Monero Wallet CLI First Time Setup

Alternatively Monero Wallet GUI can be used.

Note: The following instructions should be applied in Whonix-Workstation ™ (Qubes-Whonix ™: App Qube monero-wallet-ws).

Start Monero Wallet CLI.

monero-wallet-cli

Monero Wallet CLI is more "clever" and automatically detects the already available monerod. [6] Therefore, as opposed to Monero Wallet GUI, no "remote node" configuration is necessary.

Monitoring

Note: The following instructions should be applied in Whonix-Workstation ™ (Qubes-Whonix ™: App Qube monerod-ws).

Check the status of the monerod systemd user service.

systemctl --user status monerod

Follow the journal log of the monerod systemd user service.

journalctl --boot --user -f -u monerod

Follow the log file of monerod.

tail -f ~/.bitmonero/bitmonero.log

View the log file of monerod.

Open file ~/.bitmonero/bitmonero.log in a text editor of your choice as a regular, non-root user.

If you are using a graphical environment, run.

mousepad ~/.bitmonero/bitmonero.log

If you are using a terminal, run.

nano ~/.bitmonero/bitmonero.log

For the initial author of this wiki page, approximately 7 minutes passed between the monerod log file reporting SYNCHRONIZATION started and the first report of actual synchronization progress.

2021-11-02 10:53:55.204	[P2P4]	INFO	global	src/cryptonote_protocol/cryptonote_protocol_handler.inl:413	SYNCHRONIZATION started
2021-11-02 11:00:20.821	[P2P9]	INFO	global	src/cryptonote_protocol/cryptonote_protocol_handler.inl:1680	Synced 201/2484385 (0%, 2484184 left)
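The page monitors monerod only from inside monerod-ws. The following script, an added example that is not part of the Whonix wiki page or the Monero project, checks the other end of the chain from inside monero-wallet-ws: that the socat listener from /rw/config/rc.local is up on 127.0.0.1:18081 and that a JSON-RPC get_info request actually reaches monerod through qrexec, reporting the same height/target progress the log lines above show. It assumes curl and ss (iproute2) are installed in the App Qube; the SAMPLE reply is constructed.

```bash
#!/bin/bash
# Added example, not part of the Whonix wiki page or the Monero project.
# Run inside the monero-wallet-ws App Qube with --live to check that the
# socat forwarder on 127.0.0.1:18081 reaches monerod in monerod-ws via qrexec.
# Assumes curl and ss (iproute2) are installed; SAMPLE below is constructed.

RPC_URL="http://127.0.0.1:18081/json_rpc"

# Pull one scalar field out of a flat JSON reply without needing jq.
json_field() {
    printf '%s' "$1" | grep -o "\"$2\": *[^,}]*" | head -n 1 | sed 's/^.*: *//'
}

# Print a one-line sync summary. Exit status: 0 synced, 1 still syncing, 2 bad reply.
sync_status() {
    local json="$1" height target synced
    height=$(json_field "$json" height)
    target=$(json_field "$json" target_height)
    synced=$(json_field "$json" synchronized)
    if [ -z "$height" ]; then
        echo "unparseable daemon reply"
        return 2
    elif [ "$synced" = "true" ]; then
        echo "synced at height $height"
    else
        echo "syncing $height/$target"
        return 1
    fi
}

# Is the socat forwarder listening on loopback only, as rc.local binds it?
forwarder_listening() {
    ss -ltn 2>/dev/null | grep -q '127\.0\.0\.1:18081'
}

# get_info travels socat -> qrexec-client-vm -> user.monerod -> monerod.
get_info() {
    curl -s --max-time 30 -H 'Content-Type: application/json' \
        -d '{"jsonrpc":"2.0","id":"0","method":"get_info"}' "$RPC_URL"
}

live_check() {
    forwarder_listening || { echo "no listener on 127.0.0.1:18081; is rc.local executable?" >&2; return 2; }
    reply=$(get_info) || { echo "RPC failed; is monerod-ws running and the qrexec policy in place?" >&2; return 2; }
    sync_status "$reply"
}

# Constructed sample shaped like a monerod get_info reply during initial sync.
SAMPLE='{"id":"0","jsonrpc":"2.0","result":{"height":201,"target_height":2484385,"synchronized":false,"status":"OK"}}'
if [ "${1:-}" = "--live" ]; then live_check; else echo "self-test: $(sync_status "$SAMPLE")"; fi
```

Without --live the script only exercises the parser on the constructed sample; with --live it performs the real check and exits non-zero while the daemon is still syncing or unreachable.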

See Also

Donations

After setting up Monero with wallet isolation, please consider making a donation to the Monero and Whonix ™ projects (Donate) to help keep them running for many years to come.

Donate Monero (XMR) to Whonix ™.

49sP9cMQ5jvhzKW477TH6NJJ2z3pqD8pYRqCyCAqN1Y7QYQMxKf7SPq356BBiNcRwzagpcjqkK66LG4wwr37YjSS3kY3x5P


Footnotes

  1. systemctl --user must be run as a normal, non-root user without sudo, because these are systemd user units, not systemd system units.
  2. Do not use --detach; it is an outdated style for daemons, and error handling is better without it.
  3. This is safe because the connection is made from Monero Wallet in the monero-wallet-ws VM to the self-hosted monerod server running in monerod-ws.
  4. Monero Wallet GUI fails to detect already running monerod.
  5. The benefits would need to be researched, and there is no reason to grant trust if it is not needed.
  6. monero-wallet-cli detects that monerod's default port 18081 is open on localhost. The detection mechanism is port based, not process based.
