Build Bitcoin-Core from Sources

In this article, we'll walk you through the steps to build bitcoin-core from sources on an Ubuntu machine.

Install dependencies

First, you'll need to install dependencies required to build bitcoind:

sudo apt update
sudo apt upgrade
sudo apt install -y nano git 
sudo apt install -y build-essential libtool autotools-dev automake pkg-config
sudo apt install -y libevent-dev libboost-dev libsqlite3-dev
sudo apt install -y libminiupnpc-dev libnatpmp-dev libzmq3-dev systemtap-sdt-dev

This will update the Ubuntu package list and install the necessary packages for building Bitcoin Core.

Clone Bitcoin repo

Next, clone the Bitcoin Core repository from GitHub by entering the following commands:

cd 
git clone https://github.com/bitcoin/bitcoin.git
cd bitcoin
git checkout tags/v27.0

This will download the Bitcoin Core source code and switch to the v27.0 tag.

Build Bitcoin

Now we can build Bitcoin Core from sources. Run the following commands in the terminal:

cd ~/bitcoin
./autogen.sh
./configure 
make -s -j8

The -j option with a number following it (in this case, -j8) is used to specify the number of cores to use during the compilation process. In this case, make (the program used to compile Bitcoin Core) is being instructed to use 8 cores (-j8) to speed up the compilation process.

This may take some time to complete, depending on your system's processing power.

Firewall setting

The Bitcoin network operates on a peer-to-peer basis, which means that nodes in the network need to communicate with each other in order to propagate transactions and blocks.

Port 8332 is used for the JSON-RPC interface, which allows programs to communicate with the Bitcoin daemon using the Remote Procedure Call (RPC) protocol. The JSON-RPC interface is used by wallets and other applications to query the Bitcoin node for information about the blockchain, to send and receive transactions, and to perform other operations, it is not recomended to open this port to the public, but some people can decide to acces it from their local network.

In addition to private Bitcoin nodes, there are also public Bitcoin nodes that are designed to be accessible by anyone on the internet. These nodes are typically run by individuals or organizations that want to contribute to the decentralization and security of the Bitcoin network by providing a publicly accessible node for other users to connect to.

Public Bitcoin nodes typically have port 8333 open in order to allow other nodes on the network to connect to them. By providing a publicly accessible node, these users help to ensure that the Bitcoin network remains robust and resistant to attacks, as the more nodes there are on the network, the more difficult it becomes for an attacker to compromise a significant portion of the network.

Port 8333 is used for the Bitcoin peer-to-peer network protocol. This protocol is used by Bitcoin nodes to discover and connect to other nodes in the network, to propagate transactions and blocks, and to synchronize their copies of the blockchain with other nodes.

If you want to allow incoming connections to the Bitcoin Core daemon through the firewall, run the following commands in the terminal:

sudo apt install -y ufw
sudo ufw allow OpenSSH
sudo ufw allow 8332
sudo ufw allow 8333

Overall, running a public Bitcoin node is a valuable contribution to the health and security of the Bitcoin network, and can be a rewarding experience for those with the technical expertise to do so. However, it's important to take appropriate security measures to protect the node from attack, and to be aware of the potential risks and challenges involved in running a public node.

Install bitcoind service

Now that we have built Bitcoin Core, we can install it as a systemd service. Run the following commands in the terminal:

Copy binaries to /usr/bin/:

cd src
sudo cp bitcoin{d,-cli} /usr/bin/

The command cd src is used to navigate to the src directory within the cloned Bitcoin repository . The src directory contains the source code for the Bitcoin Core client.

The command sudo cp bitcoin{d,-cli} /usr/bin/ is used to copy the compiled binaries for the Bitcoin daemon (bitcoind) and command line interface (bitcoin-cli) to the /usr/bin/ directory, which is a system-wide directory for executable programs. The {d,-cli} syntax is a shorthand way of copying both the bitcoind and bitcoin-cli binaries in a single command.

Generate RPCAuth credentials:

cd ~/bitcoin/share/rpcauth
python3 rpcauth.py <username>

where is the username you want to connect to the rpc with

you should get something like this returned:

String to be appended to bitcoin.conf:
rpcauth=pyth:cd777c0850a95831afe1a1ff6df7caf8$0af73fe7ca1f689c225c01bb6bacc0fac57fca32be1f13173718501b2575637c
Your password:
EATDQY_25tUoyJEXvdEkuyCFaEiOzbjX02-6_FLzo7k

save this, you'll have to use soon

now lets prepare the configuration file:

cd
mkdir .bitcoin && cd .bitcoin
nano bitcoin.conf

The command cd is used to navigate back to the user's home directory, and the command mkdir .bitcoin && cd .bitcoin is used to create a new directory called .bitcoin in the home directory, and then navigate into that directory.

Finally, the command nano bitcoin.conf is used to create and open a new file called bitcoin.conf in the .bitcoin directory using the Nano text editor. This file is used to configure the settings for the Bitcoin Core client, such as network and wallet settings, and is necessary for the client to run properly. The user can add and edit settings in this file as needed:

listen=1

rpcauth=pyth:cd777c0850a95831afe1a1ff6df7caf8$0af73fe7ca1f689c225c01bb6bacc0fac57fca32be1f13173718501b2575637c
rpcallowip=0.0.0.0/0
rpcbind=0.0.0.0

Save the file and exit the editor.

Here's an explanation of each of the settings in the bitcoin.conf file, you can :

listen=1: This setting allows the Bitcoin Core client to listen for incoming connections from other nodes on the network. By default, Bitcoin Core clients only connect to a small number of other nodes for security reasons, but enabling listening allows other nodes to connect to your client as well, making it a more active participant in the network.

rpcauth= ... define the username and password for remote procedure calls (RPC) to the client, it's the credential you generate using rpcauth.py previously. RPC is a protocol used for communication between different applications, and it's used by many Bitcoin applications to communicate with the client. The username and password are used to authenticate the connection and ensure that only authorized applications can access the client's data. By default bitcoin core will use cookie authentication instead.

rpcallowip=0.0.0.0/0: This setting allows RPC connections to come from any IP address. This is a potentially risky setting because it opens up the client to connections from any machine on the internet, so it should only be used if you trust all of the machines that might connect to the client.

rpcbind=0.0.0.0: This setting specifies the IP address on which the client should listen for incoming RPC connections. 0.0.0.0 means that the client should listen on all available network interfaces. This is necessary if you want to allow remote connections to the client from other machines.

These are only few example of the possible settings of bitcoin core, you can find more details about all the possible settings for Bitcoin Core in the official documentation available on the Bitcoin Core website.

The documentation provides a comprehensive list of all configuration options, including their purpose and syntax. It also includes recommendations and best practices for setting up a Bitcoin node.

You can get user documentation into your cli using the bitcoind --help command or on the official documentation

Next, create a systemd service file by running the following command:

sudo nano /etc/systemd/system/bitcoind.service

Copy and paste the following text into the file:

[Unit]
Description=Bitcoin daemon
After=network.target

[Service]
ExecStart=/usr/bin/bitcoind -daemon -datadir=/home/pythcoiner/.bitcoin 
RuntimeDirectory=bitcoind
User=pythcoiner
Type=forking
PIDFile=/home/pythcoiner/.bitcoin/bitcoind.pid
Restart=on-failure
RestartSec=3

PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true

[Install]
WantedBy=multi-user.target

(here you should replace pythcoiner with the linux username that will run bitcoind) After creating the service file, the next step is to reload the systemd daemon and enable and start the Bitcoin Core service:

sudo systemctl daemon-reload
sudo systemctl enable --now bitcoind.service

The daemon-reload command reloads the systemd daemon to read the new configuration file for the bitcoind service.

The enable command enables the bitcoind service to start automatically at boot time, and the --now option starts the service immediately.

With these steps complete, your Bitcoin Core node is up and running on your Ubuntu machine. You can now check your node is running well with this command:

bitcoin-cli -getinfo

You can also have a look at this video.

Bitcoin core rpc reference

The bitcoin-core rpc reference can be found here.

It have been automatically generated using this tool

Build Liana from sources on MacOS

Rust toolchain

If you visit rust website you will find the commands for install rust on your system:

terminal

You should open a terminal:

terminal

Copy the command into the terminal and hit enter:

terminal

Select 1) Proceed with standard installation or press enter

terminal

Rust is now installed you can enter this command and check cargo is well installed:

. "$HOME/.cargo/env"

then

cargo --version

terminal

Liana source code

Download the liana repository (source code):

git clone https://github.com/wizardsardine/liana.git

Note: if git is not yet installed on your system, you'll be prompted to accept to install it, then you should re-run the command for clone the Liana repository.

terminal

Then cd into the liana repository:

cd liana/gui

and build Liana:

terminal

cargo build --release

if the prompt ends up with this you are good:

terminal

you can now run liana w/ this command:

./target/release/liana-gui

terminal

Build Liana from sources on Windows 10

Rust toolchain

If you visit rust website you will find the method for install rust on your system:

rust

Download rust installer for your platform, its likely 64-bits one.

rust

Execute it and choose the first option.

rust

You'll be asked to install visual studio installer, do it and follow its install process.

rust

At this step, close visual studio.

rust

Choose the first option.

rust

At this step in enter to close terminal.

Install Git

rust

Go to git website in order to download its installer.

rust

Then start installer.

rust

and follow the installer step w/ defaults options.

rust

right click + open git gui

rust

select "Clone Existing Repository"

rust

ENter liana repository address (https://github.com/wizardsardine/liana.git) and your target directory ther click Clone.

rust

After download has finnish close Git Gui

open liana/gui folder

rust

right click + open Git Bash

rust

Type cargo build --release and hit enter.

rust

If you get this at the end of the build you are good, and can close the terminal!

rust

Then go to target/release directory and execute liana-gui

rust

PGP with your Ledger Nano S

Using PGP with your Ledger Nano S, a physical device that stores a user’s private keys, which are used to access their digital assets. Usually they are used for store private keys related to cryptocurrencies like Bitcoin, in this article, we will discuss the benefits of using a hardware wallet to store PGP private keys, and why it is a better option than software-based storage solutions. We will provide a step-by-step guide on how to set up and use a Ledger Nano S for storing PGP private keys, and will explain why this method of storage is essential for anyone looking to secure their key with an easy to use hardware solution.

Install OpenPGP App on your Ledger Nano S

This article have been made under Ubuntu 22.04 LTS but might be reproducible with Ledger Nano S Plus and Ledger Nano X and with other Linux distro.

First you need to install OpenPGP App on your ledger:

  • Connect your Ledger Nano and input your PIN
  • Start Ledger Live
  • Go to settings

ledger_live

  • Go to experimental features and enable Developer Mode

ledger_live

  • Go to My Ledger
  • Install OPenPGP app

ledger_live

You can now start OpenPGP on your Ledger Hardware and follow the next steps.

Install PGP smartcards tools

pythcoiner@pythcoiner:~$ sudo apt install scdaemon pcscd pcsc-tools
pythcoiner@pythcoiner:~$ sudo systemctl enable pcscd
pythcoiner@pythcoiner:~$ sudo systemctl restart pcscd
  • You can now launch OpenPGP app on your ledger Device
  • Check the connection with the Ledger Nano S:
pythcoiner@pythcoiner:~$ pcsc_scan -r
0: Ledger Nano S [Nano S] (0001) 00 00
  • Check the status
pythcoiner@pythcoiner:~$ gpg --card-status
Reader ...........: Ledger Nano S [Nano S] (0001) 00 00
Application ID ...: D2760001240103032C97EE1XXXX0000
Application type .: OpenPGP
Version ..........: 3.3
Manufacturer .....: unknown
Serial number ....: EE1XXXX6
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 12 12 12
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

NOTE: If you got this issue:

pythcoiner@pythcoiner:~$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such dev

or this one:

pythcoiner@pythcoiner:~$ pcsc_scan -r
SCardEstablishContext: Service not available.

you can try to restart pcscd

pythcoiner@pythcoiner:~$ sudo systemctl restart pcscd

NOTE2:

Since gpg v2.4 you should add disable-ccid option in scdaemon.conf (https://dev.gnupg.org/T6871)

NOTE3:

I experienced an issue (Ubuntu Server 22.04) where Nano S were detected but not NANO SP (Nano S+)

Looking at this issue and Ledger documentation i solve it by updating Ledger entries in /etc/libccid_Info.plist:

/etc/libccid_Info.plist details:

...

        <key>ifdVendorID</key>
        <array>

...

                <string>0x2C97</string>
                <string>0x2C97</string>
                <string>0x2C97</string>
                <string>0x2C97</string>
                <string>0x2C97</string>
                <string>0x2C97</string>

...

        </array>

        <key>ifdProductID</key>
        <array>

...

                <string>0x0001</string>
                <string>0x0004</string>
                <string>0x0005</string>
                <string>0x1009</string>
                <string>0x4009</string>
                <string>0x5009</string>

...

       </array>

        <key>ifdFriendlyName</key>
        <array>

...

                <string>Ledger Nano S</string>
                <string>Ledger Nano X</string>
                <string>Ledger Nano SP</string>
                <string>Ledger Nano S</string>
                <string>Ledger Nano X</string>
                <string>Ledger Nano S Plus</string>

...

    </array>

        <key>Copyright</key>

...

Configure your ledger

  • You can edit the card data by this way:
pythcoiner@pythcoiner:~$ gpg --edit-card

Reader ...........: Ledger Nano S [Nano S] (0001) 00 00
Application ID ...: D2760001240103032C97EEXXXX0000
Application type .: OpenPGP
Version ..........: 3.3
Manufacturer .....: unknown
Serial number ....: EE1XXXX6
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 12 12 12
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> admin
Admin commands are allowed
  • You can get the commands for edit:
gpg/card> help
quit           quit this menu
admin          show admin commands
help           show this help
list           list all available data
name           change card holder's name
url            change URL to retrieve key
fetch          fetch the key specified in the card URL
login          change the login name
lang           change the language preferences
salutation     change card holder's salutation
cafpr          change a CA fingerprint
forcesig       toggle the signature force PIN flag
generate       generate new keys
passwd         menu to change or unblock the PIN
verify         verify the PIN and list all data
unblock        unblock the PIN using a Reset Code
factory-reset  destroy all keys and data
kdf-setup      setup KDF for PIN authentication
key-attr       change the key attribute
  • There is 2 pin access level, user(123456) and admin(12345678) lets first change its for obvious safety reasons:
gpg/card> passwd
gpg: OpenPGP card no. D27600XXXXXXXX032C97EE1XXXXX0000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 1
  • Then fill in the old user password(123456) and choose a new one

ledger_live

ledger_live

ledger_live

  • You can do the same for admin pin:
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3
  • Then you can change the name:
gpg/card> name
Cardholder's surname: maximalist
Cardholder's given name: Pythcoiner

gpg/card> list

Reader ...........: Ledger Nano S [Nano S] (0001) 00 00
Application ID ...: D2760001240103032C97EE1XXXXX0000
Application type .: OpenPGP
Version ..........: 3.3
Manufacturer .....: unknown
Serial number ....: EE1XXXX6
Name of cardholder: Pythcoiner maximalist
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 12 12 12
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> quit
pythcoiner@pythcoiner:~$

Generate your PGP primary key and subkeys

For security reasons it is better to generate and keep you secret keys backup from a server not connected to the internet, and then only import the pubkeys on laptop you using on daily basis.

  • It’s now time to generate your primary key from your secret server:
pythcoiner@pythcoiner:~$ gpg --quick-gen-key 'Pyhtcoiner <pythcoiner@proton.me>' rsa2048 cert 0y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
  • Then you might to enter a passphrase:

ledger_live

gpg: revocation certificate stored as '/home/pythcoiner/.gnupg/openpgp-revocs.d/EB2FCD69E87A45A382E24E1A8FC419102C31FDC8.rev'
public and secret key created and signed.

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.
pub   rsa2048 2023-01-30 [C]
      EB2FCD69E87A45A382E24E1A8FC419102C31FDC8
uid                      Pyhtcoiner <pythcoiner@pyth.dev>
  • You can list your keys:
pythcoiner@pythcoiner:~$ gpg -k
/home/pythcoiner/.gnupg/pubring.kbx
----------------------------
pub   rsa2048 2023-01-30 [C]
     EB2FCD69E87A45A382E24E1A8FC419102C31FDC8
uid           [ultimate] Pyhtcoiner <pythcoiner@proton.me>

This primary key have the certification function only, we need to generate subkeys with sign and encrypt functions:

  • First generate the sign key, you might replace the pubkey (EB2FCD69E87A45A382E24E1A8FC419102C31FDC8) by yours:
pythcoiner@pythcoiner:~$ gpg --quick-addkey EB2FCD69E87A45A382E24E1A8FC419102C31FDC8 rsa2048 sign 0y

Enter your passphrase:

ledger_live

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
  • Then generate encryption key, you might replace the pubkey (EB2FCD69E87A45A382E24E1A8FC419102C31FDC8) by yours:
pythcoiner@pythcoiner:~$ gpg --quick-addkey EB2FCD69E87A45A382E24E1A8FC419102C31FDC8 rsa2048 encr 0y

Enter your passphrase:

ledger_live

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Backup your keys

This is a the most important part, you might to backup the keys to a safe place (a server not connected to the internet , ideally you generate the keys from this server and load it to your Ledger Nano, then only export the public key to the laptop you will use on daily basis) to recover them in case of loss or failure of your hardware device.

  • First backup the master key:
pythcoiner@pythcoiner:~/.gpg_backup$ gpg -a --export-secret-keys pythcoiner@proton.me > secret_keys.gpg

Enter your passphrase

ledger_live

  • Then backup subkeys:
pythcoiner@pythcoiner:~/.gpg_backup$ gpg -a --export-secret-subkeys pythcoiner@proton.me > secret_subkeys.gpg

Enter your passphrase again

ledger_live

Finally export your pubkey:

pythcoiner@pythcoiner:~/.gpg_backup$ gpg -a --export pythcoiner@proton.me > pubkey.gpg

Load your keys to your Ledger

  • First go to the edit menu:
pythcoiner@pythcoiner:~$ gpg --edit-key pythcoiner@proton.me
gpg (GnuPG) 2.2.35; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa2048/8FC419102C31FDC8
    created: 2023-01-30  expires: never       usage: C   
    trust: unknown       validity: unknown
ssb  rsa2048/6D8FEF95C7869709
    created: 2023-01-30  expires: never       usage: S   
ssb  rsa2048/8D7887D25E242C88
    created: 2023-01-30  expires: never       usage: E   
[ unknown] (1). Pyhtcoiner <pythcoiner@proton.me>
  • Select the first subkey:
gpg> key 1

sec  rsa2048/8FC419102C31FDC8
    created: 2023-01-30  expires: never       usage: C   
    trust: unknown       validity: unknown
ssb* rsa2048/6D8FEF95C7869709
    created: 2023-01-30  expires: never       usage: S   
ssb  rsa2048/8D7887D25E242C88
    created: 2023-01-30  expires: never       usage: E   
[ unknown] (1). Pyhtcoiner <pythcoiner@proton.me>
  • Load into SmartCard:
gpg> keytocard
Please select where to store the key:
  (1) Signature key
  (3) Authentication key
Your selection? 1

Enter you passphrase

ledger_live

sec  rsa2048/8FC419102C31FDC8
     created: 2023-01-30  expires: never       usage: C   
     trust: unknown       validity: unknown
ssb* rsa2048/6D8FEF95C7869709
     created: 2023-01-30  expires: never       usage: S   
ssb  rsa2048/8D7887D25E242C88
     created: 2023-01-30  expires: never       usage: E   
[ unknown] (1). Pyhtcoiner <pythcoiner@proton.me>
  • Unselect first subkey
gpg> key 1

sec  rsa2048/8FC419102C31FDC8
    created: 2023-01-30  expires: never       usage: C   
    trust: unknown       validity: unknown
ssb  rsa2048/6D8FEF95C7869709
    created: 2023-01-30  expires: never       usage: S   
ssb  rsa2048/8D7887D25E242C88
    created: 2023-01-30  expires: never       usage: E   
[ unknown] (1). Pyhtcoiner <pythcoiner@proton.me>
  • Select second subkey
gpg> key 2

sec  rsa2048/8FC419102C31FDC8
    created: 2023-01-30  expires: never       usage: C   
    trust: unknown       validity: unknown
ssb  rsa2048/6D8FEF95C7869709
    created: 2023-01-30  expires: never       usage: S   
ssb* rsa2048/8D7887D25E242C88
    created: 2023-01-30  expires: never       usage: E   
[ unknown] (1). Pyhtcoiner <pythcoiner@proton.me>
  • Load into SmartCard:
gpg> keytocard
Please select where to store the key:
   (2) Encryption key
Your selection? 2
  • Enter passphrase

ledger_live

  • then save
gpg> save

If you have generate your keys from your laptop or an unsecured pc, you might to transfer the backup to the secure location then delete the secret keys from your unsecured device:

pythcoiner@pythcoiner:~$ gpg --delete-secret-key pythcoiner@pyth.dev
gpg (GnuPG) 2.2.35; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


sec  rsa2048/8FC419102C31FDC8 2023-01-30 Pyhtcoiner <pythcoiner@pyth.dev>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

Then valid on the pop-up window

ledger_live

Import PGP Pubkey on your laptop

  • First move the backup of your public key and import it:
pythcoiner@pythcoiner:~$ gpg --import pubkey.gpg 
gpg: key 8FC419102C31FDC8: public key "Pyhtcoiner <pythcoiner@proton.me>" imported
gpg: Total number processed: 1
gpg:               imported: 1
  • Fetch your card data:
pythcoiner@pythcoiner:~$ gpg --card-edit
gpg/card> fetch
gpg/card> quit
  • Then trust your key:
pythcoiner@pythcoiner:~$ gpg --edit-key pythcoiner@pyth.dev
gpg (GnuPG) 2.2.35; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret subkeys are available.

pub  rsa2048/8FC419102C31FDC8
    created: 2023-01-30  expires: never       usage: C   
    trust: unknown       validity: unknown
ssb  rsa2048/6D8FEF95C7869709
    created: 2023-01-30  expires: never       usage: S   
    card-no: 2C97 EE1XXXX6
ssb  rsa2048/8D7887D25E242C88
    created: 2023-01-30  expires: never       usage: E   
    card-no: 2C97 EE1XXXX6
[ unknown] (1). Pyhtcoiner <pythcoiner@pyth.dev>

gpg> trust
pub  rsa2048/8FC419102C31FDC8
    created: 2023-01-30  expires: never       usage: C   
    trust: unknown       validity: unknown
ssb  rsa2048/6D8FEF95C7869709
    created: 2023-01-30  expires: never       usage: S   
    card-no: 2C97 EE1XXXX6
ssb  rsa2048/8D7887D25E242C88
    created: 2023-01-30  expires: never       usage: E   
    card-no: 2C97 EE1XXXX6
[ unknown] (1). Pyhtcoiner <pythcoiner@pyth.dev>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

 1 = I don't know or won't say
 2 = I do NOT trust
 3 = I trust marginally
 4 = I trust fully
 5 = I trust ultimately
 m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  rsa2048/8FC419102C31FDC8
    created: 2023-01-30  expires: never       usage: C   
    trust: ultimate      validity: unknown
ssb  rsa2048/6D8FEF95C7869709
    created: 2023-01-30  expires: never       usage: S   
    card-no: 2C97 EE1XXXX6
ssb  rsa2048/8D7887D25E242C88
    created: 2023-01-30  expires: never       usage: E   
    card-no: 2C97 EE1XXXX6
[ unknown] (1). Pyhtcoiner <pythcoiner@pyth.dev>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> quit
  • You can now try to sign a file with GPG and your key stored on your Ledger Nano S:
pythcoiner@pythcoiner:~$ gpg --detach-sign file.txt
  • This window might pop-up and ask you unlock the card

ledger_live

  • Now deconnect your Ledger Nano S from your laptop, then retry sign:
pythcoiner@pythcoiner:~$ gpg --detach-sign file.txt

This window might pop up and signature fail

ledger_live

You now know how touse pgp with your ledger, then you can learn how to use a password Manager with PGP!

This article have been made with help of this sources:

  • Using your Ledger Nano to authenticate you SSH connections | Ledger Blog link
  • GPG : comment créer une paire de clefs presque parfaite link
  • Clefs GPG : comment les stocker et les utiliser via une clef USB OpenPGP Card ? link

Using your password manager with PGP

Why use a password manager with PGP?

Managing multiple today can be a daunting task, especially with the increasing number of online accounts. It is challenging to remember all these passwords, and this is where password managers come in handy. Your password managerwith PGP securely stores all your passwords in one location. It allow you to access them easily . This makes it much easier and more convenient to manage your online accounts, while also enhancing your security.

However, if you simply store your passwords directly in a browser is not a safe method of password management. Browsers are vulnerable to various security threats, such as malware, phishing attacks, and hacking. If a hacker gains access to your computer, they can easily retrieve your stored passwords, putting your online accounts at risk of being compromised. This can lead to identity theft and financial loss. In addition, if your computer is lost or stolen, your passwords are easily accessible to whoever got it.

How to improve?

This is where PGP (Pretty Good Privacy) encryption comes in. PGP is a widely used encryption standard for secure communication and data storage. By combining the use of a password manager with PGP encryption, you can ensure that your passwords are protected against unauthorized access. In the last article, we dig into how to use PGP encryption and store the keys on an Ledger Nano Hardware Wallet. Now we will take it a step further by using an password manager with the previous setup. We will add an additional layer of security as it ensures that even if your computer is compromised, the password are still safe, your passwords cannot be decrypted without physical access to the hardware device.

Whether you are new to password managers or simply looking to upgrade your security, we will provide you with all the information you need to get started with PGP-secured password management using hardware storage. By following these steps, you can rest assured that your passwords are safe and secure.

We made this article under Ubuntu 22.04 LTS but might be reproducible with other Linux distro.

Using PASS

PASS is a standard Unix password manager that is used to securely store passwords, secrets, and other sensitive information. It ‘s open-source software, which means that anyone can check the source code. PASS is a password manager with PGP encryption to ensure that all stored information is secure and can only be accessed with a passphrase. Pass used Git for remote backups. The software is easy to use and offers a simple command-line interface that makes it easy to manage passwords . You can learn more about PASS here.

Why Choosing PASS

  • Open Source: Pass is an Open Source project, followed by a huge community.
  • Stable project: First Pass release from 2012, actively maintained.
  • Migration tools: A bunch of migration tools are available for migrate from many other password managers.
  • Cross-Platform: Pass is available on all the main platforms, Linux, MAC, Windows.
  • Unix Philosophy: Pass follow the Keep It Simple paradigm.
  • GUI Client: Many GUI client available for all desktop and mobile platforms.

Install PASS

Prior to install pass, you might have git installed:

pythcoiner@pythcoiner:~$ sudo apt install -y git

Then you can install pass:

pythcoiner@pythcoiner:~$ sudo apt install -y p

Configure PASS

Prior to configure pass, you need to get your PGP pubkey:

pythcoiner@pythcoiner:~$ gpg -K
/home/pythcoiner/.gnupg/pubring.kbx
-----------------------------------
sec   rsa2048 2023-02-05 [C]
      37833B5FC36137944ACCF1FD89197BAEF074F4F2
uid           [ultimate] Pythcoiner <pythcoiner@proton.me>
ssb   rsa2048 2023-02-05 [S]
ssb   rsa2048 2023-02-05 [E]

Now you can initialize pass:

pythcoiner@pythcoiner:~$ pass init "37833B5FC36137944ACCF1FD89197BAEF074F4F2"
mkdir: created directory '/home/pythcoiner/.password-store/'
Password store initialized for 37833B5FC36137944ACCF1FD89197BAEF074F4F

pass as made a new directory for store our encrypted password at /home/pythcoiner/.password-store/

Lets have a look there

pythcoiner@pythcoiner:~$ cd  /home/pythcoiner/.password-store/
pythcoiner@pythcoiner:~/.password-store$ ls -a
.  ..  .gpg-id
pythcoiner@pythcoiner:~/.password-store$ cat .gpg-id 
37833B5FC36137944ACCF1FD89197BAEF074F4F2
pythcoiner@pythcoiner:~/.password-store$

We can now init the git repo if you plan to use the remote backup function:

First of all if you not yet configure git , define name and email that will be supplied on git commits:

pythcoiner@pythcoiner:~$ git config --global user.email "pythcoiner@pyth.dev"
pythcoiner@pythcoiner:~$ git config --global user.name "pythcoiner"

Then init the git repo with pass

pythcoiner@pythcoiner:~/.password-store$ pass git init
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint: 
hint: 	git config --global init.defaultBranch <name>
hint: 
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint: 
hint: 	git branch -m <name>
Initialized empty Git repository in /home/pythcoiner/.password-store/.git/
[master (root-commit) 9145223] Add current contents of password store.
 2 files changed, 2 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gpg-id
pythcoiner@pythcoiner:~/.password-store$

Now edit git repo config file at ~/.password-store/.git/config:

pluma

and add remote server data:

pluma

Using QtPass as Graphical User Interface for PASS:

We will now show you how to use pass with QtPass GUI Client, QtPass is a cross-platform client, have a simple GUI interface and can handle several profiles using different pubkeys, with that, you can easily manage both your private and professional passwords with the same tool! You can learn more about QtPass here.

pluma

First of all lets install QtPass:

pythcoiner@pythcoiner:~/.password-store/.git$ sudo apt install -y qtpass

Then you can run QtPass by using this command:

pythcoiner@pythcoiner:~/.password-store/.git$ qtpass

pluma

You can now use the right click or the GUI buttons for add folders or passwords (each password is stored in a separate encrypted file)

pluma

You can also set several profiles (each profile can use a different pubkey. Then just need to copy the empty initial .password-store/ folder then edit ./git/config and .pgp-id files for fill your new git server backup location and new pubkey!o

pluma

It is then quite easy to switch between profiles:

pluma

MacOS Vm on Proxmox server

I agree it sucks that (too much) people use closed source secure-advertised-only (trust me bro) OSs, but in the end, we build software for users, so we have to make it work on the platform they use, and it means also testing properly on the platform they use.

Proxmox

Proxmox is a Virtual Machine manager implementation, a minimal Debian OS with an admin interface to spawn VMs. This post will show you a step-by-step flow to build a MacOS VM for Proxmox.

What you need

  • A KVM-OpenCore *.iso image, you can get the latest here
  • A MacOS *.iso image
  • An already running proxmox server, I'll assume here that you are familliar managing a Proxmox server.

You should first upload OpenCore and you MacOS image to your Proxmox Server.

Install KVM-OpenCore

KVM OpenCore is a virtualized implementation of the OpenCore bootloader, typically used to run macOS on Linux-based systems via KVM (Kernel-based Virtual Machine). This setup enables users to create a macOS virtual machine with near-native performance, leveraging OpenCore to manage the macOS boot process in a virtual environment.

General Tab

general

  • Choose a name for the VM.

  • The VM ID is not very important here, it should just be unique.

OS Tab

OS

  • Select the Opencore image you have previously installed
  • Set Guest OS type to Other

System Tab

system

  • Graphic card: VMware compatible
  • Machine: q35
  • BIOS: OVMF (UEFI)
  • Check Add EFI disk
  • Select a storage
  • Uncheck Pre-Enroll keys
  • SCSI: VirtIO SCSI

Disks Tab

disks

  • Bus/Device: VirtIO Block
  • Disk Size: at least 60 GiB
  • Cache: Write back (unsafe)

CPU Tab

cpu

  • Cores: at least 4
  • Type: host

Memory Tab

memory

Memory: at least 8192 GiB

Network tab

network

Model: VMware vmxnet3

Then create the VM

Setup MacOS *.iso in drive

add_drive

Select the created Vm => Hardware => Add => CD/DVD Drive

add_drive

  • Storage: ISOs
  • ISO image: your macos *.iso image uploaded previously

Configure VM via host terminal

add_drive

Click on your server name => Shell

then open the config file:

nano /etc/pve/qemu-server/1400.conf

here you should replace 1400 by your VM Id.

then add this line on top of *.conf file:

args: -device isa-applesmc,osk="ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc" -smbios type=2 -device qemu-xhci -device usb-kbd -device usb-tablet -global nec-usb-xhci.msi=off -global ICH9-LPC.acpi-pci-hotplug-with-bridge-support=off -cpu host,vendor=GenuineIntel,+invtsc,+hypervisor,kvm=on,vmware-cpuid-freq=on

config_vm

on lines starting with ide_ replace media=cdrom by cache=unsafe

Install MacOS on the VM

Now start the VM.

start

Select UEFI Shell using arrows and enter.

boot

Enter this cmmands to launch boot.efi

fs0:

System\Library\CoreServices\boot.efi

disk_utility

click Disk utility and continue

disk_utility

select the VirtIO media block then Erase

disk_utility

Choose a new name for the media and click Erase

disk_utility

Click Done and close utility.

install

Now click Installl MacOS ... & Continue Then follow the install process.

install

Select the disk you have previously erased (MacOS here) and continue the insatll process.

install

Several time during install process you'll have to select macOS Installer w/ arrow & enter

Follow the notmal macOS install process

Let macOS boot w/o OpenCore

Open a terminal and:

git clone https://github.com/corpnewt/MountEFI
cd MountEFI
chmod +x MountEFI.command
./MountEFI.command

if you are prompted to install git, do so and retry clone the repo.

install

you should now land there, enter B to mount the EFI, you'll be asked to enter your password.

then you should land here:

install

Download OpenCoreEFIFolder-vxx.zip from the github repo

Unzip it and copy EFI folder to the root of the EFI partition

You can now stop the VM

install

Back to Proxmox admin panel, you should detach both *.iso images from the VM

Yout VM install is now finalized!

Some screenshots and the general flow comes from this video