All my ADA stolen from Daedalus!

I applaud you for taking the extra work in making your wallet more secure, but a VM is not going to help you much, if at all.

Why? Online keys are exposed to hackers. See Qubes OS for how difficult it is to operate a secure VM environment.

The best way right now is to create a paper wallet certificate, with the following caveats:

  1. When saving the PDF file for printing and verifying, do NOT save or view it on the Daedalus computer; instead, save it to a removable flash drive, which is promptly ejected from the computer. Take that flash drive to an air-gapped (not connected to any network ever) computer, enabling viewing and verifying of the paper certificate offline. I use Raspberry Pi computers for air-gapped work; they never go online and are low cost.
  2. Write the additional 9 words down on a piece of paper.
  3. If on Windows, when typing in the 27 words to verify your certificate, use a virtual keyboard like Oxynger KeyShield.

The trick when only using a virtual keyboard is doubling the last letters, then deleting one; Daedalus will then expose the appropriate word choice, which is clicked, advancing to the next recovery word.

Like so, click on the revealed word:

After every word, change the virtual keyboard layout (overkill but I do this):

Some of the security features it offers:

I’m targeting the most likely attack vectors: grabbing the PDF certificate and logging keystrokes.

By not viewing or saving the paper certificate on an internet machine, the PDF is safe. By the way, scrub that flash drive so no one can recover your certificate. As Daedalus requires us to input the 27-word paper wallet recovery phrase, using a virtual keyboard thwarts key, mouse and screen capture loggers.