How To Set Up A Trusted USB Drive For Saving Private Bitcoin-Related Files Across Ubuntu 16.04 Temporary Live-Boot Sessions


There is a bit of a contradiction in what you want when performing bitcoin-related tasks. On one hand, it is a complicated thing with lots of hard-to-type hexadecimal-encoded and base58-encoded information that must be exact. On the other hand, this is private information that we would rather not leave lying around for someone to find in the future.

Here, we will show you how to properly set up an encrypted USB flash storage drive for saving files. This allows you the convenience of being able to save documents while keeping the security standard high.

This guide assumes you previously set up a temporary Ubuntu 16.04-based live boot session by following the article:

Should You Use an SD Card Instead?

SD cards have some security advantages over USB flash storage devices. First, USB devices are more complicated, and a modified (i.e. hacked) USB drive can do more malicious things than an SD card. It can present itself to your PC as more than just a connected storage device and possibly exploit your OS at a root level. Second, it is easier to hide something malicious in it. To pick an example from the realm of imagination, the plastic enclosure of the USB drive could hide a microphone and a wireless interface that get powered when you plug it in, so that the audio patter of your keystroke presses, not to mention the words you speak, could be broadcast to someone else nearby.

If you have a laptop or PC with a built-in SD card reader, the security advantage is that the reader is only capable of powering an SD card and can only present a storage device to the OS. If it is a micro-SD card, it is that much harder to hide something nasty in the plastic enclosure. If you have a PC with an SD card reader that is actually just connected via USB to the motherboard internally, the security advantage is diminished, since that reader is accessible and open to the same set of exploits as a USB drive. Most laptops with a card reader will have a more native SD card reader that does have the security advantages.

All things being equal, it is better to use an SD card. If you wish to go that path, we have a similar article tailored for that on Ubuntu:

Buying A USB Flash Storage Drive For Secure Use With Bitcoin

It is advisable that you do not re-use a spare USB drive that has been lying around for this purpose. To be sure it has not been tampered with physically or picked up malware ahead of this use, it is best to buy it brand new from a physical brick-and-mortar store. That way, you get to show up at a random time and pick one randomly from a store rack before setting it up. Since we are dealing with Bitcoin, it is advisable to purchase this USB stick using cash. This will prevent some future record linkage between the serial number of this USB stick and your fiat banking information.

The good news is that the best recommendation is to buy the absolute cheapest USB drive available at the store. The cheaper it is, the less remorse you will have when it comes time to 'securely erase' it. Also, fancy features, drive speed and capacity are generally not a concern for this use.

Set Up Encryption

Since the goal is to maximize security, there is no need for a network connection while working on the USB flash drive. If your PC has some means of disabling the WiFi via an external switch or disconnecting the Ethernet connection by unplugging the cable, it is best if you boot the temporary session up without the connection. This will ensure that this OS instance has been completely isolated from the Internet for its entire duration. You can verify this by checking the connection status in the upper right menu:


When you plug in the drive, it should pop up a File Manager window with the drive automatically mounted for your use. It will appear in the side menu of the window near the bottom. In order to reformat the drive and set up encryption, we need to right-click on it and select the Format... option:

[Image: USB right click]

In the dialog that appears, we want to select the options Don't overwrite existing data (Quick) and Encrypted, compatible with Linux systems, (LUKS + Ext4). We want to give the drive a name (Forkdrop Article here) and a relatively secure passphrase:

[Image: USB luks setup]

It will prompt you before it proceeds to format the volume. Stop and make sure that this is indeed the drive you intend and not some other drive connected to your system that was selected by mistake. Pressing the Format button will permanently overwrite the contents of this drive:

[Image: USB luks are you sure]

Ubuntu doesn't give you a progress report. It may look like nothing happened, and you might see some devices flicker in and out from the File Manager window. It should take a minute or two to fully finish. When it does, your named device will re-appear in the side menu of the window like so:

[Image: USB luks finish]

If it doesn't appear, make sure you have waited 10 minutes or longer before trying to disconnect the USB drive. This could be a case of it being a particularly slow drive.

If you haven't unplugged the device, you should be able to mount it without the password by clicking on it. However, we want to make sure the device can be mounted by providing the password. Click on the device to mount it, then press the Eject icon to unmount it, and unplug the USB device. Then close all windows so that you are back at a blank desktop. When you plug the drive back in, you should get a password prompt:

[Image: USB luks password prompt]

If it accepts your password, it should show you a blank mounted USB flash drive:

[Image: USB luks mounted]
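
Because the Format dialog gives no progress report, it can be worth confirming from a terminal that the partition really starts with a LUKS header before trusting it with private files. The script below is an added example, not part of the original article: it reads the first 8 bytes and compares them with the LUKS magic and version, and it runs on constructed sample files; /dev/sdX1 in the comments is a placeholder for your drive's partition.

```shell
#!/bin/sh
# Added example: check whether a partition (or image file) begins with a LUKS header.
# A LUKS header starts with ASCII "LUKS", the bytes 0xBA 0xBE, then a 2-byte
# big-endian version number (1 for LUKS1, 2 for LUKS2).

# Print the LUKS version found at the start of $1; return 1 if there is none.
luks_version() {
    hdr=$(od -An -tx1 -N8 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) return 1 ;;
    esac
}

# Human-readable verdict for one device or image file.
check_device() {
    if ver=$(luks_version "$1"); then
        echo "$1: LUKS$ver header present"
    else
        echo "$1: no LUKS header found, files saved here would NOT be encrypted"
        return 1
    fi
}

# Demo on constructed sample files (not a real drive), so it runs without root.
demo=$(mktemp -d)
printf 'LUKS\272\276\000\001' > "$demo/encrypted.img"  # constructed: magic + version 1
printf 'plain filesystem bytes' > "$demo/plain.img"    # constructed: no LUKS header
check_device "$demo/encrypted.img"
check_device "$demo/plain.img" || true
rm -rf "$demo"

# On the live session, the real check would be (as root, with the drive
# plugged in but locked):
#   check_device /dev/sdX1      # /dev/sdX1 is a placeholder
```

When cryptsetup is installed, `cryptsetup isLuks` followed by the device path performs an equivalent check.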

What To Do With This Drive Afterwards

If you wish to keep the USB drive and the written data afterwards, do be sure to store it in a safe, physically-protected location. If you are worried about the password being found or guessed, do consider destroying the drive beyond repair. Also, be aware that if the data is not set up to be encrypted, permanently erasing all of the data beyond recovery is quite difficult, so there is no good advice that can be offered other than complete destruction.