This short article and video tutorial describe how to generate (extremely) secure Monero addresses, for the paranoid people out there 😉
I feel I don’t really need to argue this point: let’s not generate our Monero address on a Windows machine which is basically NSA spyware. It’s better to generate it on an open-source OS and Linux is the obvious choice. Linux may scare some people, but nowadays it’s pretty user friendly. The only issue for most people is installing it.
Which hardware should I use?
We should avoid as many complicated steps as possible. Complication is a hurdle for people actually DOING the thing they want to do. You can use a normal Windows machine to install Linux, but that’s not always easy (you need to mess around with UEFI settings etc).
Secondly, if we install Linux on a laptop, we should ask ourselves what we will do with the hardware after we have generated the Monero address. It doesn’t sound smart to reuse a laptop which you used for generating your seeds, let alone plugging in a USB stick or connecting it to the internet. But it’s maybe not justifiable to buy a new laptop for every Monero address you want to create either.
A third issue with using an existing computer is the fact that the hardware isn’t “open source”. It’s entirely possible that backdoors exist in the hardware. So even if you use Linux, there is still a possibility you are being spied upon.
These issues can be solved by using a Raspberry Pi. This is a very small computer that runs on Linux. The OS is very quick and easy to install (check here for instructions). Although the hardware isn’t completely open source, it contains very few components, so the chance that it has backdoors is very small.
The Pi costs around 40 USD and you won’t need to throw away your device after you’ve generated an address: the whole memory of the Raspberry Pi is located on an SD card. After you’ve generated addresses, you take the SD card out, mark it and never bring it online again. You can reuse this specific SD card for generating more addresses in the future. By installing the OS on a new SD card, you can use your Raspberry Pi for other applications without worrying that your generated keys will leak.
Note: I purchased a PiTop which is basically a laptop with a Raspberry Pi inside. It’s very convenient because you don’t need to fiddle with cables for screen, keyboard and mouse and you can use it “on the go” (the PiTop has a battery).
Is random really random?
Randomness can’t be generated by a computer because a computer is a deterministic device. To create pseudorandom numbers, computers use user input, sensor inputs, timestamps, etc. to generate numbers that appear to be random. In reality they aren’t, though.
A normal PC has a lot of inputs, so the pseudorandomness created by the device is pretty reliable (if we ignore the possibility of backdoors). The problem is that a Raspberry Pi has very few “intrinsic sources of random”. It’s a very basic device, certainly right after a clean install of the operating system.
You can read more about pseudorandomness here.
To solve this issue, we dismiss the randomness created by the device entirely, and generate the randomness ourselves by using hexadecimal dice. These dice have 16 sides, one for each of the 16 hex characters (0, 1, …, 9, a, b, …, f).
A Monero seed is 256 bits (zeroes and ones). A hexadecimal digit is 4 bits, so a Monero seed is 64 hexadecimal digits. This means you will need to roll a hexadecimal die 64 times to generate a completely random Monero seed.
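An offline sanity check for the typed-in dice rolls, added here as an example (it is not part of the original article or of the tool used in the video). The function names, the sample rolls and the chi-square threshold are choices made for this sketch, and the last step assumes the seed becomes a private key the way Monero treats 32 little-endian bytes, reduced modulo the ed25519 group order; how the tool in the video handles the seed is not shown on the page.

```python
from collections import Counter

HEX = "0123456789abcdef"
# Order of the ed25519 prime-order subgroup (RFC 8032); Monero secret keys are scalars below it.
L = 2**252 + 27742317777372353535851937790883648493
CHI2_LIMIT = 37.70  # chi-square critical value for 15 degrees of freedom at p = 0.001
# Constructed sample rolls for illustration only; never use them as a real seed.
SAMPLE_ROLLS = """3a7f c019 e5b2 d864 09af 1c3e 72d5 b8f6
                  4e0a 9d13 c7b5 682f a1e4 5c90 d37b f268"""


def parse_rolls(text):
    """Strip whitespace, lower-case, and insist on exactly 64 hex digits (256 bits)."""
    rolls = "".join(text.split()).lower()
    bad = sorted(set(rolls) - set(HEX))
    if bad:
        raise ValueError(f"not hexadecimal die faces: {bad}")
    if len(rolls) != 64:
        raise ValueError(f"expected 64 rolls, got {len(rolls)}")
    return rolls


def chi_square(rolls):
    """Chi-square statistic of the face counts against a fair 16-sided die."""
    expected = len(rolls) / 16
    counts = Counter(rolls)
    return sum((counts[face] - expected) ** 2 / expected for face in HEX)


def reduce_to_scalar(rolls):
    """Read the 32 bytes as a little-endian integer and reduce it modulo L."""
    value = int.from_bytes(bytes.fromhex(rolls), "little") % L
    return value.to_bytes(32, "little").hex()


def check_seed(text):
    """Return (seed_hex, reduced_scalar_hex) or raise ValueError on a suspect transcript."""
    rolls = parse_rolls(text)
    stat = chi_square(rolls)
    if stat > CHI2_LIMIT:  # coarse filter: catches stuck dice or lazy typing, not subtle bias
        raise ValueError(f"face counts look non-random (chi-square {stat:.1f})")
    return rolls, reduce_to_scalar(rolls)


if __name__ == "__main__":
    seed, scalar = check_seed(SAMPLE_ROLLS)
    print("seed as rolled:", seed)
    print("reduced scalar:", scalar)
```

Roughly 15 out of 16 possible 256-bit values are larger than the group order, so the reduced scalar usually differs from the digits as rolled.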
The video below shows the whole process: how to download the needed tool, how to generate the Monero seed offline and how to export the address and viewkey without using a USB stick or mailing it to yourself. A big thanks to Luigi1111 for providing the needed tool to generate a Monero address based on a hexadecimal seed!
1) Get yourself some hexadecimal dice
2) Get yourself a Raspberry Pi (or PiTop)
3) Install Linux on an SD card
4) Connect screen, keyboard and mouse to the Pi
5) Follow the instructions in the video to generate the addresses
6) Store the addresses and viewkeys somewhere secure, or create a view-only wallet
7) Take the SD card out and mark it. Never connect the contents of this SD card to the internet or plug a USB stick into the Pi after you’ve generated the addresses. If you want, you can reuse it to generate more addresses