Air gapped on usb stick

Hey folks,

I wonder if you will like this idea to put your air gapped machine on a bootable USB stick with persistent memory.

How to do it:
To use it successfully you need 2 USB sticks. The first one will be used to run the air-gapped machine on a USB stick. The second one will be used to share the files between your cold and hot environment.

  • Install the bootable UBUNTU with persistent memory following this guide:
    https://www.howtogeek.com/howto/14912/create-a-persistent-bootable-ubuntu-usb-flash-drive/
    It is a copy and paste guide. Just be careful to choose your USB stick device and not your system partition. The good thing is, this guide is for Windows and Linux users! I did try it on Mac, but I have UBUNTU installed on my MAC.
  • After you have followed this guide, shut down your system and plug in the bootable USB stick with persistent memory. Then turn on your computer. This time, if you are on MAC, press the ALT/[Option Key]. This will bring you to the menu where you can boot from your USB stick. On Windows you need to enter your BIOS and boot from the USB stick. On Windows it helps to press F2 or F10 or F12 multiple times during boot. If you are not familiar with how to boot UBUNTU from a USB stick, there are many guides out there. But we can open an extra topic for this.
  • Now you should be able to use UBUNTU as usual, but this time shut down all connections, like Bluetooth and WIFI. The persistent memory of your UBUNTU will save these changes. Also make sure you are disconnected from your wired internet connection.
  • You can use your second USB stick to copy your cardano-cli binary and all your keys to the air-gapped machine. For example, make sure that you create your cold keys on the air-gapped machine:
    • cardano-cli node key-gen --cold-verification-key-file node.vkey --cold-signing-key-file node.skey --operational-certificate-issue-counter node.counter
    • Create your payment key pair: payment.skey and payment.vkey air-gapped
  • Now you are able to sign your tx/transaction files on the air-gapped machine and push them signed with the second USB stick to your hot environment. For this, shut down your air-gapped machine and remove the bootable USB stick. Start your computer as you would usually do and plug in the second USB stick containing the signed files.
  • Make sure to make a copy of all your cold files to some other device which will never be connected to the internet.

This is not a complete guide about an air-gapped machine itself, but you can find it useful to study this source:
https://www.coincashew.com/coins/overview-ada/guide-how-to-build-a-haskell-stakepool-node#6-configure-the-air-gapped-offline-machine

I am happy to hear some criticism from you, and if you agree that this idea is as good as using a second computer which never connects to the internet.

I wish you happy delegates!

Best,
Johann ADAholycs

2 Likes
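
Added example, not part of the original post: a pre-flight check for the step above that says to shut down Bluetooth, WIFI and the wired connection before creating or using cold keys. It reads the standard Linux sysfs entries `/sys/class/net` and `/sys/class/rfkill`; the function names are hypothetical, and the directory arguments exist only so the check can be exercised on a constructed tree.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): confirm the stick is offline before key work.
# Function names are hypothetical; on the real machine the sysfs defaults apply.

# Print each non-loopback interface that reports a link (operstate "up" or carrier 1).
live_links() {
    local root="${1:-/sys/class/net}" dev state carrier
    for dev in "$root"/*; do
        [ -e "$dev/operstate" ] || continue
        [ "${dev##*/}" = "lo" ] && continue
        state=$(cat "$dev/operstate" 2>/dev/null || true)
        # carrier is unreadable while an interface is administratively down
        carrier=$(cat "$dev/carrier" 2>/dev/null || true)
        if [ "$state" = "up" ] || [ "$carrier" = "1" ]; then
            echo "${dev##*/}"
        fi
    done
}

# Print "type:name" for each radio (wlan, bluetooth) that is neither
# soft-blocked nor hard-blocked, i.e. still able to transmit.
active_radios() {
    local root="${1:-/sys/class/rfkill}" rf soft hard
    for rf in "$root"/rfkill*; do
        [ -e "$rf/soft" ] || continue
        soft=$(cat "$rf/soft" 2>/dev/null || echo 0)
        hard=$(cat "$rf/hard" 2>/dev/null || echo 0)
        if [ "$soft" = "0" ] && [ "$hard" = "0" ]; then
            echo "$(cat "$rf/type" 2>/dev/null || echo unknown):$(cat "$rf/name" 2>/dev/null || echo "${rf##*/}")"
        fi
    done
}

# Succeed only when no link and no unblocked radio is found;
# otherwise list what is still live on stderr and fail.
airgap_ok() {
    local links radios
    links=$(live_links "${1:-/sys/class/net}")
    radios=$(active_radios "${2:-/sys/class/rfkill}")
    [ -z "$links$radios" ] && return 0
    echo "NOT air-gapped. links: ${links:-none} radios: ${radios:-none}" >&2
    return 1
}

# Typical use on the stick, gating the key generation command from the post:
#   airgap_ok && cardano-cli node key-gen --cold-verification-key-file node.vkey \
#       --cold-signing-key-file node.skey --operational-certificate-issue-counter node.counter
```

An unblocked radio is reported even when it is not associated with any network, which matches the post's instruction to switch the radios off rather than merely disconnect.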

Hi Johann,

Thank you for the guide. I copied the cardano-cli binary from the Core node (./local/bin), but the air-gapped Ubuntu does not recognize (cardano-cli); the error message reads (cardano-cli: command not found). What files do I need to copy from the Core Node to make this work?

Thanks,

Hi cybervisiter,

Please excuse me if I offend you by going through some basic stuff.
But first things first.
When you run the cardano-cli with the command
./cardano-cli
is this binary in the same directory?
Second, is this binary an executable?
chmod +x cardano-cli
should resolve this.

Best,
Johann

Hi,
have you been successful?

What files do I need to copy from the Core Node to make this work?

You do not need any additional files to be able to run the binary.

Best,
Johann

This seems to be a viable option. The issue I am running into is the memory is not persisting on my 2nd USB when I transfer something over to it.

Hi kthedges,

There are a bunch of possible errors:

  • Are you using the guide to install the Ubuntu on the USB stick with the persistent memory?

  • I use a second USB stick to copy files from the hot environment to the Ubuntu with persistent memory on the USB stick. Is it the same for you?

  • Note, the shutdown process on your Ubuntu with persistent memory on the USB stick takes longer than usual. The reason is, it keeps everything in the main memory of your computer until you invoke the shutdown process, then it starts to write everything to the USB stick. Are you interrupting the shutdown process?

  • In my case when I start Ubuntu with persistent memory from the USB stick the default option is to launch Ubuntu with persistent memory (there are many options to choose from at the start up). Maybe for some reason your default option is the live option.

Best,
Johann

Is it possible to have a VM on say, Virtual Box or VMWare Fusion that will boot up off of this bootable USB drive? I imagine all I have to do to make the VM air-gapped is to disable the network interface to the VM, right? But at that point, couldn’t I just have an Ubuntu VM with no network interface and skip booting off the USB drive altogether? I could still use the 2nd USB drive to copy files from my non-networked VM to its host OS and then SCP to my producer node in the cloud.

Or are there concerns with a possible virus running on the host OS that is running Virtual Box/VMWare somehow gaining access to the data in the non-network enabled VM?

I do have an Intel NUC ready to install Ubuntu on, but then I have to keep a monitor, keyboard & mouse out and connected and I’d rather not.

Thanks,
-=Randy

Hi -=Randy,

You describe the way I run my block producing node. I bet many people run this solution. I do not trust it.

How safe your funds are depends on the amount of the pledge. If the pledge is very high, your solution is still not air-gapped enough and it is possible to hack. I mean I can still access it from a machine which is hot, right? Like with the help of an ssh tunnel or by grepping the data on your disk?

If you keep your pledge low, your set-up will stay unprofitable for a hack attempt.

A true air-gapped machine is disconnected physically from any hot environment.

Best,
Johann

Thank you for your reply, Johann. I ended up installing Ubuntu directly onto my Intel NUC HD instead of a bootable USB drive and did not install any network devices/drivers. It is physically air-gapped from everything and this installation has never been connected to a network. The architecture & OS version match what’s installed on my main servers, so I should be able to run the binaries just fine once I copy them over.

-=Randy