How-to: Use Monero with Wallet Isolation in Qubes-Whonix

From Whonix
Jump to navigation Jump to search
Monero
Monero Logo

Isolate the network part (monerod) from the wallet part (Monero Wallet) for better security.

Introduction[edit]

This instructions document how to isolate the network part (monerod) from the wallet part (Monero Wallet) for better security. monerod is the Monero daemon, a full blockchain verifying background process which downloads and verifies the whole blockchain.

That advantage of this setup is, should there ever be a vulnerability that allows the exploitation of monerod by malware, then all user funds would remain safe, since these would remain isolated in the Monero Wallet in a different VM.

If monerod was ever compromised, then this setup would have the same issues as descried on the Monero wiki page in chapter Remote Node Security and Privacy Considerations. This is an issue unspecific to these instructions.

The connection scheme is Monero WalletmonerodTorMonero network.

Instructions on this wiki page are compatible with the Whonix isolating proxy feature, i.e. after disabling transparent proxying.

Inappropriate Use of Root Rights should be avoided. Instructions on this wiki page have been carefully crafted with when to use and when not to use sudo in mind. The user should not use sudo unless instructed in documentation. [1]

Warning: This is for testers-only!

Credits: These instructions are based on How to use Monero CLI/daemon with Qubes + Whonixarchive.org by getmonero.orgarchive.org.

Prerequisite Knowledge[edit]

Since this setup is more complex and for advanced users only, it is highly recommended to acquire essential knowledge about the usage of Monero first without reference to the instructions on this wiki page as per the "normal", simpler instructions on the Monero wiki page. Only after the essential knowledge has been acquired, the more complex setup documented on this wiki page should be layered on top.

Exercising with small amount of value is recommended but not too small (below the dust level, unable to move funds due to funds being worth less than the required transaction fees). Exercising on Monero testnet first should also be considered. This is unspecific to Whonix.

1. Optional. How to use Monero Wallet GUI.

If the end-goal is using an offline (airgap) Monero Wallet, learning how to use Monero Wallet GUI would be expendable.

2. How to use Monero Wallet CLI.

Wallet creation, receiving funds, spending funds.

Update Required[edit]

These instructions were written when monerod and monero-wallet-cli were available in /usr/bin. Nowadays these are not by default.

TODO: rewrite this guide to use Monero from flatpak or by installing these tools to /usr/bin (update Monero/Manual Instructions)

Setup[edit]

Qubes dom0 Configuration[edit]

Create App Qubes[edit]

In dom0.

It is easier to use the exact same names as in the example below in this chapter. Otherwise, adjustments in next chapter "Qubes qrexec Policy Configuration" would be required.

Qubes VM ManagerVMCreate App Qube

  • Create Qubes-Whonix-Workstation App Qube
    • Name: monero-wallet-ws.
    • Color: Choose a color label for the Whonix-Workstation App Qube. Optional suggestion: yellow
    • Use this template: Choose the Whonix-Workstation Template. For example: whonix-workstation-17.
    • Standalone: Leave the Standalone field unchecked.
    • Type: Choose the type App Qube.
    • Allow networking: Choose none.
    • Press: OK.

Qubes VM ManagerVMCreate App Qube

  • Create monerod-ws App Qube
    • Name: monerod-ws.
    • Color: Choose a color label for the Whonix-Workstation App Qube. Optional suggestion: red
    • Use this template: Choose the Whonix-Workstation Template. For example: whonix-workstation-17.
    • Standalone: Leave the Standalone field unchecked.
    • Type: Choose the type StandaloneVM.
    • Allow networking: Choose the desired Whonix-Gateway ProxyVM from the list. For example: sys-whonix.
    • Press: OK.
    • Make sure this workstation has enough private storage (StandaloneVM). You can estimate how much space you need by checking the size of the raw blockchain. Keep in mind that the blockchain will take up more space with time.

Qubes qrexec Policy Configuration[edit]

In dom0.

1. Create the file /etc/qubes-rpc/policy/user.monerod:

sudo nano /etc/qubes-rpc/policy/user.monerod

2. Add the following line:

Note: If the user is using different names for the VMs other than monero-wallet-ws and monerod-ws, the next line would have to be modified accordingly. If the user is using the exact names as suggested in previous chapter "Create App Qubes", then no modifications are required.

monero-wallet-ws monerod-ws allow

3. Save and close file.

4. Done.

Qubes dom0 setup is complete.

monerod-ws VM Configuration[edit]

Note: The following instructions should be applied in Whonix-Workstation (Qubes-Whonix: App Qube monerod-ws).

1. Create folder ~/.config/systemd/user.

mkdir -p ~/.config/systemd/user

2. Create file ~/.config/systemd/user/monerod.service.

Open file ~/.config/systemd/user/monerod.service in a text editor of your choice as a regular, non-root user.

If you are using a graphical environment, run. mousepad ~/.config/systemd/user/monerod.service

If you are using a terminal, run. nano ~/.config/systemd/user/monerod.service

3. Paste the following contents. [2]

[Unit] Description=Monero Full Node After=network.target [Service] Type=simple PIDFile=/home/user/.bitmonero/monerod.pid ## https://github.com/monero-project/monero/issues/5098 KillSignal=SIGKILL Environment=DNS_PUBLIC=tcp Environment=TORSOCKS_ALLOW_INBOUND=1 ExecStart=torsocks monerod --data-dir=/home/user/.bitmonero \ --no-igd --hide-my-port --pidfile=/home/user/.bitmonero/monerod.pid \ --log-file=/home/user/.bitmonero/bitmonero.log --p2p-bind-ip=127.0.0.1 \ --non-interactive Restart=always PrivateTmp=true [Install] WantedBy=default.target

4. Save and close file.

5. Reload systemd user instance.

systemctl --user daemon-reload

6. Optional: Enable autostart for the monerod systemd user instance.

systemctl --user enable monerod

7. Start monerod systemd user instance.

systemctl --user restart monerod

8. Create folder /rw/usrlocal/etc/qubes-rpc.

sudo mkdir -p /rw/usrlocal/etc/qubes-rpc

9. Open file /rw/usrlocal/etc/qubes-rpc/user.monerod in an editor with root rights.

Non-Qubes-Whonix

This box uses sudoedit for better security.

sudoedit /rw/usrlocal/etc/qubes-rpc/user.monerod

Qubes-Whonix

NOTES:

  • When using Qubes-Whonix, this needs to be done inside the Template.

sudoedit /rw/usrlocal/etc/qubes-rpc/user.monerod

  • After applying this change, shutdown the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and unspecific to Qubes-Whonix.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /rw/usrlocal/etc/qubes-rpc/user.monerod

10. Add this line:

socat STDIO TCP:localhost:18081

11. Make the /rw/usrlocal/etc/qubes-rpc/user.monerod script executable.

sudo chmod +x /rw/usrlocal/etc/qubes-rpc/user.monerod

12. Done

Creation and configuration of monerod systemd user unit has been completed.

monero-wallet-ws VM Setup[edit]

Note: The following instructions should be applied in Whonix-Workstation (Qubes-Whonix: App Qube monero-wallet-ws).

1. Open file /rw/config/rc.local in an editor with root rights.

Non-Qubes-Whonix

This box uses sudoedit for better security.

sudoedit /rw/config/rc.local

Qubes-Whonix

NOTES:

  • When using Qubes-Whonix, this needs to be done inside the Template.

sudoedit /rw/config/rc.local

  • After applying this change, shutdown the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and unspecific to Qubes-Whonix.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /rw/config/rc.local

2. Append at the bottom.

socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm monerod-ws user.monerod"

3. Save and close file.

4. Make the /rw/config/rc.local script executable.

sudo chmod +x /rw/config/rc.local

5. Restart the monero-wallet-ws VM.

6. Done.

Setting up automatically starting the socat process has been completed.

Usage[edit]

Introduction[edit]

Note: On the host (Qubes users: in dom0).

The involved VMs need to be started using any usual method (using Qubes VM Manger (QVMM), starting a terminal emulator or otherwise).

1. Start monerod-ws VM.

2. Expectations.

Nothing is expected to happen. monerod is a background service. To monitor it, see chapter monitoring.

3. Start monero-wallet-ws VM.

Note: The following instructions should be applied in Whonix-Workstation (Qubes-Whonix: App Qube monero-wallet-ws).

3. Start Monero Wallet. Either,

  • A) Start Monero Wallet GUI using any method (from start menu, from command-line or autostart), or
  • B) Monero Wallet CLI using any method.

Monero Wallet GUI First Time Setup[edit]

This first time setup only needs to be performed once.

Optional. The user could also avoid using Monero Wallet GUI and use Monero Wallet CLI instead.

Monero Wallet GUI lacks support for multisig and offline signing.

Note: The following instructions should be applied in Whonix-Workstation (Qubes-Whonix: App Qube monero-wallet-ws).

1. Monero Wallet GUI → Choose Advanced Mode.

2. After Monero Wallet GUI was started it will ask to create or restore a wallet as usual, which is unspecific to these instructions.

3. Configure Monero Wallet GUI to use local monerod (which is running in monerod-ws VM).

The following settings will be called remote node. This is no need for concern. See footnote. [3]

Monero Wallet GUI should now be running. Go to: [4]

Connect to a remote nodeAdd Remote NodeAddress: 127.0.0.1Port: 18081

  • Damon username: No modifications required. Leave empty.
  • Daemon password: No modifications required. Leave empty.
  • It is discouraged to select Mark as Trusted Daemon. [5]

Using a "remote node" in this case is safe, see footnote for explanation why it is safe. [3]

(If Monero Wallet GUI was already started, these settings can be found under: SettingsNode)

4. Done.

Monero Wallet GUI First Time Setup has been completed.

Monero Wallet CLI First Time Setup[edit]

Alternatively Monero Wallet GUI can be used.

Note: The following instructions should be applied in Whonix-Workstation (Qubes-Whonix: App Qube monero-wallet-ws).

Start Monero Wallet CLI.

  • Outdated command. Requires monero-wallet-cli in /usr/bin.
    • monero-wallet-cli
  • Untested command:
    • flatpak run --command=monero-wallet-cli org.getmonero.Monero

Monero Wallet CLI is more "clever" and automatically detects the already available monerod. [6] Therefore as opposed to Monero Wallet GUI, no "remote node" configuration is necessary.

This might not easily work with flatpak because the host listening port might not be visible form within the flatpak chroot. This will most likely require additional flatpak options.

Monitoring[edit]

Note: The following instructions should be applied in Whonix-Workstation (Qubes-Whonix: App Qube monerod-ws).

Check the status of the monerod systemd user service.

systemctl --user status monerod

Follow the journal log of the monerod systemd user service.

journalctl --boot --user -f -u monerod

Follow the log file of the monerod.

tail -f ~/.bitmonero/bitmonero.log

View the log file of monerod.

Open file ~/.bitmonero/bitmonero.log in a text editor of your choice as a regular, non-root user.

If you are using a graphical environment, run. mousepad ~/.bitmonero/bitmonero.log

If you are using a terminal, run. nano ~/.bitmonero/bitmonero.log

For the initial author of this wiki page it took approximately 7 minutes from monerod log file starting SYNCHRONIZATION started until further progress on synchronization having actually started has been reported.

2021-11-02 10:53:55.204	[P2P4]	INFO	global	src/cryptonote_protocol/cryptonote_protocol_handler.inl:413	SYNCHRONIZATION started
2021-11-02 11:00:20.821	[P2P9]	INFO	global	src/cryptonote_protocol/cryptonote_protocol_handler.inl:1680	Synced 201/2484385 (0%, 2484184 left)

See Also[edit]

Donations[edit]

After installing the Monero with wallet isolation server, please consider making a donation to Monero and Whonix project (Donate) to help keep it running for many years to come.

Monero accepted here Donate Monero (XMR) to Whonix.

84ZZSsqyh5niztCgxmWAejDLu9eDerWo4Wsx8woEhDGpdKP3BWPtqenNjKuv8vojrB968U3hqYTKgLGt2zEcGopX1qaEPew

Footnotes[edit]

  1. The systemctl --user must be run as normal, non-root user without sudo because these are systemd user units and not systemd system units.
  2. Do not use --detach - outdated style for daemons. Better error handling without.
  3. 3.0 3.1 This is safe, because connection will be made from monero-wallet-ws VM Monero Wallet to a self-hosted server monerod running in monerod-ws.
  4. Monero Wallet GUI fails to detect already running monerodarchive.org
  5. Benefits would need to be researched and why trust if not needed.
  6. monero-wallet-cli detects that monerod's default port 18081 is open on localhost. The detection mechanism is port based. Not process based.

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!