Jan 26, 2023 29 min read GUIDES

The Ultimate Bitcoin Quest

This quest for sovereignty covers going from nothing to having a secure Bitcoin environment that's safe for spending privately.

Let us start off by stating that this quest is daunting, and is certainly not for everyone, especially those who are not tech savvy. It will be a long quest, and it will include several optional side-quests that could lead you down many different rabbit holes, but they are not required to complete the main quest. Ultimately what this quest hopes to accomplish is allowing you, either with existing knowledge and ownership of Bitcoin, or someone entirely new to Bitcoin, the ability to go from absolutely nothing to having a secure Bitcoin environment in a way that doesn't flag your intentions or interest in Bitcoin.

The ability to hide in a crowd is extremely powerful for anonymity and beneficial to Bitcoin users. Signing up with a KYC exchange immediately shines a light on you, revealing your interest in Bitcoin and "separating money and state". If you've already signed up for KYC exchanges, simply stop using them. Get your funds off them if you haven't already, and close your account. This can, at a minimum, signal that you're no longer interested in Bitcoin, and the longer you go without verifiably renewing that interest, the stronger that argument becomes. Buying a hardware wallet, or even Bitcoin merchandise, with your credit card could also signal your interest in Bitcoin.

Hardware

The hardware required for this setup includes 2 laptops, and if you want to include a computer that you use for browsing the internet, shitposting, and the like, then 3, but that last one isn't the focus of this guide. It's also preferred to use laptops for the minimum 2 uses since they can be easily stored away in a more secure location and if necessary, can travel with you more easily (and less suspiciously) than even a small-format desktop PC.

It's likely you already have some old laptop laying around that can be used for the purpose of this quest. You'll be surprised as to how little computing power you actually need, so don't assume that old laptop that's been sitting in your closet for years can't do the job. You'll need at least one laptop to be completely airgapped. You'll install the operating system (OS) on it and it will never connect to the internet. Another laptop is specific to using Bitcoin ONLY. It will be connected to the internet, but you should never use it for general web browsing, installing games or other (non-Bitcoin) applications.

Acquiring Laptop 1: Airgapped

This laptop will be used mainly for storing secrets and using some basic tools. It can be the least powerful laptop of the pair and still work perfectly fine with what we're intending to use it for. If you don't already have an old laptop laying around, head to Ebay and search for ThinkPads (T-series and X-series, non-Yoga) under $100. More advanced users will be able to buy a laptop without a hard drive, but for the main quest, we'll be setting up an operating system on the airgapped laptop, so find one that includes an OS drive, preferably a solid-state drive (SSD). The OS that the laptop comes with doesn't matter at all, since we'll be wiping the drive and installing a different OS in a later section.

Acquiring Laptop 2: Bitcoin Only

This laptop will be connected to the internet, but should only be used for Bitcoin purposes. You shouldn't use this machine for any other personal reasons. Again if you don't already have a suitable machine laying around, go to Ebay and search for ThinkPads (T-series and X-series, non-Yoga) under around $100, maybe you can go a hair over if you want, but it's not necessary.

One thing to look out for here is if you don't have a separate dedicated machine for running Bitcoin Core and some associated applications, which is what a Dojo does, then this will be the machine to do so. If that's the case, you can opt to get one without a hard drive and purchase a separate 1TB SSD to install for ~$50-$80.

Side Quest: DIY Signing Device

Another component on the hardware side that you'll need down the road is a signing device. In this quest, you should build a SeedSigner from scratch (not a pre-assembled one), by purchasing the hardware essentials separately. Take note that you don't need a Pi Zero 1.3 if you absolutely cannot find one, and that other Pi models (2/3/4/Zero2) are supported but you may need to do modifications to take out WiFi and Bluetooth. You also don't need to know how to solder, since you can buy a "GPIO hammer" which basically turns assembling a SeedSigner into such a simple task that even a child can do it.

Side Quest: Dedicated Node

It's very beneficial to have a dedicated node that will remain on 24/7 so that you can use it from your phone, like with Samourai Wallet. The two best options for a dedicated node are RoninDojo and Nodl. Both are free software (explained below) and both allow you to purchase pre-configured boxes. However, the RoninDojo can be custom built with compatible hardware components, which may interest followers of the main quest.

Side Quest: 3d Printer

When building some of the components, you'll likely find the need to obtain some 3d printed pieces. There are online stores that you can buy them with bitcoin and ship them to a PO box (or equivalent) to protect your privacy, however, you could also print them yourself. The Prusa MINI+ is a very good beginner-friendly printer that you can get semi-assembled from the factory.

Owning a 3d printer gives you the freedom to try out different enclosures for the SeedSigner or a custom-built Dojo node at very little cost. You'll also find sites like Printables that have cool and useful things that you can print at home. Additionally, you could set up another Raspberry Pi to run OctoPi, which can help you manage your printer.

Some other sites where you can find prints:

Side Quest: Personal Mail Box

A personal mail box (PMB) can help protect your privacy when receiving items purchased online. This is especially useful when ordering things from Ebay or Bitcoin merchandise shops, where you don't want them to know your physical address. The most common method of getting a PMB is through The UPS Store. You may also be able to find a local mom-and-pop style store that offers it as well.

When setting up a PMB, you will need to provide your ID, and they'll likely make a photocopy of it. Ask the store owner what they do with it before signing up. Chances are, they're only required to keep them on-file in case law enforcement requires it. This is still a significant improvement to your privacy compared to sharing your residential address with every store you buy from because your ID isn't shared out with any external organization without the legal process being followed.

You should also ask the store owner if it's okay to use an alias, or your initials when receiving packages. Asking about using an alias may raise some eyebrows though, use your judgement accordingly. Usually initials are fine to use even without asking.

Setting Up The Environment

With the hardware received and assembled, it's time to install operating systems and necessary applications. The software that you need to use Bitcoin needs to respect the absolute freedom of the user that they own the software and can do whatever they want with it, including reselling for commercial purposes. Therefore, wallet and node software recommendations are limited to free software.

On your normal web-browsing machine, you'll want to download the latest Ubuntu desktop LTS release and verify it. It will download as an ISO file, which should be under 4GB. You'll want to get a USB thumb drive and download balena Etcher to easily write the Ubuntu ISO file to the USB drive. You'll use this same USB drive for installing on both the airgapped and Bitcoin only laptops.

Side Quest: Free Software and Bitcoin

“Free software” means software that respects users' freedom and community. Roughly, it means that the users have the freedom to run, copy, distribute, study, change and improve the software. Thus, “free software” is a matter of liberty, not price. To understand the concept, you should think of “free” as in “free speech,” not as in “free beer.” We sometimes call it “libre software,” borrowing the French or Spanish word for “free” as in freedom, to show we do not mean the software is gratis.

You may have paid money to get copies of a free program, or you may have obtained copies at no charge. But regardless of how you got your copies, you always have the freedom to copy and change the software, even to sell copies.

https://www.gnu.org/philosophy/free-sw.html

To learn more about free software and how it relates to Bitcoin, check out this article:

Side Quest: coreboot/libreboot

Also on the topic of free software, coreboot and libreboot replace the proprietary non-free BIOS software on your computer with one that is free software. It also provides better security, faster boot speeds, and the ability to change out your WiFi card with an updated, faster one, which your stock BIOS will usually not allow.

Side Quest: Home Network

It makes sense when thinking about the ultimate quest for Bitcoin sovereignty to also mention how these computers are connecting to the internet. Chances are, you're running a proprietary router supplied by your ISP, and likely a proprietary access point for your WiFi, or they could be the same device. Check out this guide setting up a simple home network using free software:

Install Laptop 1: Airgapped (Part 1)

You'll first take your USB drive with Ubuntu LTS written to it and boot your airgapped laptop from it. It will prompt you what you want to do and you'll select you want to Install/Try Ubuntu. This will boot into a live environment and a window will display where you can Install Ubuntu to the system drive. The install here is very straightforward, the only things to take note of is to not connect to the internet during setup and ensure that you set up full disk encryption with LUKS, which may be behind an advanced page when selecting the install drive. You'll want to choose a strong password that you ideally won't forget.

When you boot into the installed OS, be sure to disable WiFi and Bluetooth. You can also go the extra step and disable the Network Manager entirely. That's all for now on the airgapped laptop, but we'll revisit it in a later section after installing the Bitcoin Only laptop.

Side Quest: Tails

It's possible to avoid having to do anything to your airgapped laptop at all, even leaving it without a hard drive. As noted in the guide Sparrow Wallet and Tails below, you can install Sparrow Wallet in the persistent storage and encrypt everything stored there so that you can still access that data after rebooting. If you go this route, take note of the additional applications used by the airgapped laptop to retain the same functionality.

Install Laptop 2: Bitcoin Only

You'll use the same USB drive that you used to install Ubuntu on the airgapped laptop. Follow the same setup procedures by setting up full disk encryption, ideally with a different password, but this time you can connect to the internet during setup to download updates. Still when you first log into the machine, disable Bluetooth, but you can keep WiFi enabled on this machine.

The first thing you're going to want to do is get connect to a new VPN. You shouldn't use the same VPN subscription as you would for your normal browsing, so make a new account at Mullvad, fund it (which you can do by paying with Bitcoin), download (and verify) the VPN client, and use the new account. Within Mullvad's settings, ensure that it runs at startup (minimized so that it's not annoying), auto-connects (to a different region than you would normally use), enable local network sharing, block ads, trackers, malware, and enable the kill-switch. You shouldn't need to touch anything else, just keep it updated and your account topped up.

If you don't have a separate dedicated machine for running Bitcoin 24/7, you'll then want to install (and verify) Bitcoin Core (or see the side quest Vanilla Dojo). Setting up Core is very easy, you'll select where the data should reside, and the default is perfectly fine, and if you have enough space, you should not enable pruning. That's basically it, it will take a day or two to sync and then it'll be ready to use.

Next, you should download (and verify) Sparrow Wallet. Sparrow wallet is a simple-but-powerful desktop wallet that also implements the same privacy tools enabled by Samourai Wallet. For now, all you need to do is connect it to your local Bitcoin Core instance, or external machine, if you have one. If you have any existing hardware wallets, feel free to connect them and add them to Sparrow at this point.

Then, you're going to want to download (but not install) KeePassXC's AppImage to your Downloads folder. An AppImage is a portable program that can easily be transferred to the airgapped laptop. However, we'll also need one library so that Ubuntu can run the application. So open up your terminal and type the following:

cd ~/Downloads
apt download libfuse2

Now you can take that USB drive that you used to install Ubuntu on both laptops, insert it into your Bitcoin-only laptop and it should show up in the file manager's side-bar. Right click it and select Format. For the volume name, you can provide anything (like "Backup"), there's no need to overwrite existing data, but select the type to be "Internal disk for use with Linux systems only (Ext4)" and check "Password protect volume (LUKS)". On the next page, choose a good password for the drive and continue on. This USB drive will be used to transfer applications and data over to your airgapped laptop as well as store the wallet backup files from Sparrow.

When the USB drive is formatted (it shouldn't take long), you can drag and drop the KeePassXC AppImage and the downloaded libfuse2 package (it should end with .deb) over to it.

Next you're going to want to get the latest Seed Tool. Click the Download button and select the Backup USB volume as the location to save it.

Side Quest: Vanilla Dojo

Without a dedicated machine to run 24/7, this Bitcoin-only laptop can still fulfill the role of a Dojo node, allowing your phone to use it for connecting Samourai and Sentinel (described below), by installing vanilla Dojo.

Side Quest: Import Samourai Accounts Into Sparrow

If you've already been using Samourai Wallet on your phone, you'll want to import that wallet to Sparrow running on your Bitcoin-only machine. This is because we're going to set up a master seed later on, which will allow us to derive new seeds which can be imported into Samourai Wallet to be used when spending, instead of either mixing to a different cold storage seed. Follow the guide below to import your Samourai Wallet accounts into Sparrow wallet.

Install Laptop 1: Airgapped (Part 2)

With the backups and tools on the USB thumb drive, you can insert it into your airgapped laptop. You should be prompted to enter your decryption password, after which you'll be able to open it in the File Manager (if you get prompted multiple times, even though you know you typed the right password, hit cancel, this is a bug and the decrypted directory will be accessible). Drag-and-drop the KeePassXC AppImage and the libfuse2 deb file to your Desktop or another directory, then open a terminal in that directory (you can do this easily by right-clicking and selecting Open in Terminal). There are two commands that you'll need to run:

sudo dpkg -i libfuse2<tab>
chmod +x KeePassXC<tab>

Hit the Tab button when <tab> shows up in the command, since it will auto-complete the file name

The first command installs the required library for AppImages to work on Ubuntu, and the second command marks the KeePassXC AppImage as executable. Now you can close the Terminal and double-click on the KeePassXC AppImage to run it. On its first run, it will ask if you want it to check for updates, select No.

You'll select Create new Database, give it a name, and continue through the prompts (the defaults are fine). Give it a strong encryption password that you'll remember, ideally different than the password you used for the full-disk encryption, and select Done. Some things you'll want to store in the local password manager:

Your Bitcoin-only laptop's Mullvad account number
Seed passphrases
Derived seed paths (explained later)
Wallet encryption passwords

The last thing to do from the USB drive for now is to copy the index.html file of the Seed Tool into the Home directory. This can be done by simply dragging and dropping it from the "Backup" drive, to the "Home" directory on the side bar of the File Manager. When complete, hit the Eject button next to the Backup drive and remove it from the USB port. Keep it stored in a relatively safe place, but understand that the drive is encrypted so you data is protected.

Side Quest: Install Phone Applications

At a minimum, there are only two applications that you would need for spending and receiving on your phone: Samourai Wallet and Sentinel. Both of these applications require an Android phone. If you don't already have one, you can buy a used one at Swappa. It's recommended to buy a Pixel due to the security features that come with those devices, regardless of how you feel about Google as a company (see the side quest below for installing GrapheneOS).

Installing these two applications is very simple, and doesn't require much of a guide. When setting up for the first time, you'll be asked if you want to enable Tor (which you always should, unless your phone VPNs into your home network), and if you want to connect to your own Dojo node, which you should do.

Side Quest: GrapheneOS

GrapheneOS is an open source operating system with a focus on security and privacy. It does not include Google Play Services, requiring the user to install them themselves if they choose to use them. It also has great compatibility with almost all existing Android applications. Compared to its competitor, CalyxOS, it provides several security-related and usability improvements that make it the best choice to put on your Pixel phone.

One of the main reasons why Ubuntu was chosen as the OS to install on the Bitcoin-only laptop is for its support with installing GrapheneOS. After trying (and failing) to use Fedora with both the web and command-line installers, I was able to successfully install GrapheneOS on my pixel the first try with the web installer on a fresh Ubuntu machine. Using the Bitcoin-only laptop for installing GrapheneOS may be the only acceptable reason to break the "Bitcoin-only" rule for that machine.

Using The Airgapped Laptop

The main uses for the airgapped laptop will be for its local password manager and Seed Tool. Open the Seed Tool by double-clicking on the index.html file you copied over from the USB drive. Firefox should automatically open and it may prompt you about collecting data (turn all that off in the settings, it can't do anything anyway).

BIP85

BIP85 is a way to deterministically generate seed words based on a master seed, so that you only need to back up a single seed phrase which can be used to recover wallets created with any derived seed. More info about how it works can be found here and here.

We're going to use the Seed Tool on the airgapped laptop to generate child seeds for any wallet that we create. If you've already been using Bitcoin, you can even use your existing seed phrase as the master seed, since we can assume you already have a backup of this seed phrase.

If you want to start fresh, you can always generate a new seed phrase using the Seed Tool, and this is perfectly acceptable. You can also type in (remember, only do this on your airgapped laptop) your seed phrase and load the seed.

You'll also want to type in your (or a new) passphrase for you master seed. This is another layer of security, but is also very important to understand with regards to BIP85, because a different passphrase will derive completely different child seeds.

Now navigate a little further down to "BIP85: Deterministic Entropy" and expand the section. A child key at the first index (0) will be generated for you. Using the same mnemonic and passphrase from the example master seed above, you can test this yourself to see that you get the same BIP85 child key.

This is how you will create seed phrases for any wallet that supports importing or restoring from seed words. Any time you do this, create an entry in your KeyPassXC database to note the application and BIP85 index.

SeedXOR

SeedXOR is a way of deterministicly splitting your master seed that allows the master seed to be recreated when the splits are XORed together. Using the same "toddler stick" phrase from above, we can split the seed into 3 parts.

Take note of the "Seed 2 of 3", "Seed 3 of 3", and the "XOR Result" above. These are the seed phrases that you'll want physical backups of (detailed below in the next section) to be able to recover your master seed phrase.

Recovery can be tested by entering the "XOR Result" into the "BIP39 Mnemonic" field and the "Seed 2 of 3" and "Seed 3 of 3" phrases into their respective fields. Hit the Recalculate button the the XOR Result will be your master seed.

Notice we didn't use the passphrase when splitting the seed. The SeedXOR process doesn't use the passphrase, but if you do make use of a passphrase (which you should), you'll still need to know it in order to access your main and derived seeds and wallets.

Steel Backups

Steel backups are the most durable way to store your master seed phrase. There are plenty of sites which offer templated steel plates that you can use a straight punch and a hammer to stamp in your phrase. If you do use one of these sites, be sure to pay with a post-mix output and making use of a privacy-preserving post-mix spending tool available in Samourai and Sparrow wallet.

This quest recommends an option which is more hands-on and makes use of general hardware tools: stamping the seed phrase into stainless steel washers. Here is a detailed guide with specific sizes and makes use of a 3d-printed jig. However, you can still do this without a jig and just buy larger (wider) washers to account for the slight inaccuracy of not having a guide to hold the stamps in place.

Keep in mind that you'll be backing up several seed phrases, and NOT your master seed since it can be recreated with SeedXOR in the Seed Tool. You'll also want to back up your passphrase in the same manner. Here is the strategy that we're going for with a multi-location backup. With a master seed split to 3 parts, keep two parts with you, and a combination of 2 parts at 2 separate locations. You should (depending on the complexity and likelyhood of you forgetting) also also keep a copy of your passphrase at each location.

Copying directly from the guide, this looks like:

Packages for a 2-of-3 setup:
  Location 1:
    - Seed1
    - Seed2
  Location 2:
    - Seed2
    - Seed3
  Location 3:
    - Seed1
    - Seed3

https://github.com/openoms/bitcoin-tutorials/blob/master/backups/seedxor.md

In order to restore your master seed, you need all parts of the SeedXOR and to get access to your funds, you also need to know your passphrase to your master seed. Further security is added to child seeds by applying a separate passphrase on them as well. However, those probably don't need a steel backup created for them, since storing them in the KeePassXC database on the airgapped laptop is fine. This setup allows one location to be inaccesible and you can still restore your master seed, but any individual location cannot restore your master seed alone. It should also be noted that two locations could work together to restore your seed without you, so choose these locations wisely!

Digital Backup

Only perform a digital backup from your airgapped laptop!

Having to use the physical steel backup should only happen as a last resort. It is intentionally difficult to restore from a multi-location backup to make it harder for an adversary to get access to your funds without your knowledge. However, having a digital backup can add some convenience to be able to load the seed quickly which may be necessary whenever you need to derive a new child seed from your master seed.

Just like how we formatted and encrypted the USB thumb drive, we'll do the same to a fresh SD (or microSD) card. Ideally we should use an industrial grade SD card, so that it doesn't unexpectedly fail too soon, but understand that it will fail eventually. Use a strong, new password to encrypt this card, and once formatted, you can access its (empty) contents.

In the bottom-left corner of Ubuntu's interface, click on Show Applications, then type "Text Editor" and select what should be the only option there. You'll want to put your seed words into this editor. If you had already typed, or are using seed words from the Seed Tool, feel free to copy and paste from there. Click the Save button near the top-right of the window and choose the encrypted card as the location, name it seed.txt, and select Save. Once the text file is created, you can easily double-click on it to edit. You should check that copying from the text file to the Seed Tool, along with your passphrase, generates the same BIP85 child key. You can also take note of the BIP32 Root Fingerprint and store that in KeePassXC (this doesn't give access to any funds, but only works as a way to ensure you're working with the same wallet).

You should also back up your KeePassXC database to the encrypted SD card in case the airgapped laptop fails (it's probably old, after all). Make a habit of updating this backup whenever you create an entry for a new BIP85 index.

Buying Bitcoin Without KYC

We'll focus on two main KYC-free services for buying bitcoin: Bisq and RoboSats. There are plenty of other options to use as well. Unless specifically called out, we'll assume everything is performed on the Bitcoin-only laptop.

Bisq

Download and verify Bisq by getting the .deb file and PGP Signature on the Debian/Ubuntu line. Follow the instructions on the Verification line by clicking PGP Signatures to be brought to the latest release. Once verified, run the following command to install:

sudo dpkg -i Bisq<tab>

Hit the Tab button when <tab> shows up in the command, since it will auto-complete the file name

This will install Bisq and add it to the global menu so you can find it in the Applications. The first time running Bisq, it may take a while to connect and sync. Once that completes, you can go to the settings and connect to your Bitcoin node.

Then go to the Account tab and some seed words will be generated for you. However, we want to use a seed derived from our BIP85 master seed, so ignore the existing wallet seed words that are presented to you. In the Seed Tool on your airgapped laptop, go down to the BIP85: Deterministic Entropy section and use the first (index 0) BIP85 Child Key from there. All the defaults (BIP39 application, 12 words, index 0) should be set. Type the 12 words in the "Restore wallets from seed words" section and use today's date (you haven't used this seed phrase before), and select Restore Wallets.

Bisq will prompt you about backing up your seed words and it will close when you confirm. If it doesn't automatically reopen, run it manually after a few minutes. Once it opens, go back to the Account tab and verify the same seed words from your child seed are present. Make a new entry in KeyPassXC on the airgapped laptop to note the index used "BIP85 Index: Bisq" and write "BIP39, 12 words, index 0" in the Notes section. Now you don't need to make a new backup for Bisq's seed words.

RoboSats

RoboSats requires the Tor Browser to use anonymously. Download the Tor Browser for Linux, which will have you save an archive file (.tar.xz). Navigate to your Downloads directory, right click the archive, select "Extract Here". It will take a few seconds to extract, then navigate into the newly-created directory, and the tor-browser directory within that. Right click in a blank space within the directory and select Open in Terminal. Run the following command:

./start-tor-browser.desktop --register-app

This will add the Tor Browser to your global applications so you can find it easily and pin it to your Favorites. With the Tor Browser installed, you can now follow the Quick Start Guide to start trading on RoboSats using the Tor site.

Using Sparrow

On your Bitcoin-only laptop, we still haven't created a wallet. We're going to go through a very similar process that we did for Bisq by using the BIP85 Deterministic Entropy section to create a new child seed. We're going to make a hot Whirlpool account by following the instructions here. However for the seed, we're going to use another BIP85 12-word child seed derived from the master seed.

Back in Seed Tool on the airgapped laptop, increase the index to 1, and leave the other settings to BIP39 for the application, and 12 for the length. Then type the words into the prompt for entering a mnemonic in Sparrow and you must create a passphrase that doesn't use any spaces to be compatible with Samourai Wallet. Leave the Derivation path the default (m/84'/0'/0') and select Import Keystore. Following the guide from Sparrow wallet, you'll add the Whirlpool accounts in the wallet's settings. It's a good idea to back up that passphrase in KeePassXC on the airgapped laptop. You'll also need to add an entry to take note of the BIP85 index used ("BIP85 Index: Whirlpool" and write "BIP39, 12 words, index 1" in the Notes section).

The Whirlpool wallet in Sparrow on your Bitcoin-only laptop should be your main entry-point for receiving funds. You can create a PayNym from this wallet and share that with others. Any funds that you receive in the Deposit account should be mixed before spending in order to give you the necessary forward-facing privacy. As long as Sparrow is open on the Bitcoin-only laptop, it will continue remixing.

Cold Samourai

We're going to take advantage of Sparrow's mixing to cold storage and BIP85 to actually mix to new wallets that will be imported into Samourai Wallet at a later date, but will be cold storage until then. These funds will still retain all the benefits of the postmix account.

In the Seed Tool on the airgapped computer, set the BIP85 index to your Whirlpool account, select Load Child. This will load the child seed as if it were your master seed. Use the same passphrase you entered in Sparrow for the Whirlpool wallet in the Seed Tool.

Now for the tricky part, we're going to use child seeds from this child seed to create Samourai Wallet accounts. So go back to the "BIP85: Deterministic Entropy" section and ensure the application is set to BIP39, mnemonic length is set to 12, and the index is 0, and select Load Child. Here's how this looks:

- Master Seed
    0 Bisq 
    1 Whirlpool
        0 Samourai

You can set a new passphrase and keep it in KeePassXC on the airgapped laptop. Go down to the "Derived Addresses" section and copy the "Account Extended Public Key" and the "BIP32 Derivation Path" (should be m/84'/0'/2147483646'/0) to your encrypted USB thumb drive in a text file. We only need the public key since we're keeping this as a cold wallet for now, until you complete the "Installing Phone Applications" side quest.

Once copied over to the USB drive, eject it from the airgapped laptop and plug it into the Bitcoin-only laptop. Enter the decryption password and open the text file containing the public key. In Sparrow, go to File > New Wallet, name it "Samourai-0" (or similar), then select "xPub / Watch Only Wallet". Copy and paste the Derivation Path into the blank Derivation field, and the BIP32 Extended Public Key in the blank xpub field, and select Apply. Sparrow will ask for a password, which you don't need to set since it's watch only, and this is different than the seed passphrase. Check that the addresses match what is in the Seed Tool. If they don't, you probably copied the "BIP32 Extended Public Key" instead of the "Account Extended Public Key".

In the future it should be possible to scan a SeedQR displayed on the Seed Tool from your SeedSigner, then you can set the custom derivation path and add the wallet as an airgapped signing device in Sparrow. This will eliminate the back-and-forth process with the USB drive. Keep an eye on Seed Tool's development for when SeedQRs are supported.

You can now use this new wallet as a target in the "Mix to..." setting on the UTXOs tab of the Whirlpool wallet in Sparrow. Use the Index range of Full as long as Sparrow is the only client mixing with the Whirlpool wallet. Repeat the process of creating a new Child Seed from the Whirlpool seed to make multiple smaller wallets of mixed outputs that can independently be imported into Samourai Wallet when you need and still retain free remixes when you bring them online and post-mix spending tools will be available.

Side Quest: Obtaining Your First Bitcoin

If you don't already have some bitcoin from before starting this quest, you'll need to acquire some in order to make use of Bisq or RoboSats. These services require users to already have some bitcoin in order to discourage abuse. This helps makes trades safe because both parties (buyers and sellers) don't want to lose their deposits. However, it makes it more difficult for new users to participate without having bitcoin already in the first place.

The easiest way to obtain your first bitcoin is to find a Bitcoin ATM around you. You can use Coin ATM Radar to find ATMs in your area, but be sure to also check out the limits and KYC requirements, since that is becoming more common.

Another way, similar to ATMs, but uses vendors selling bitcoin directly to customers is Azteco. Find a vendor near you, and if they have a storefront, you should be able to go there and buy a voucher with cash, then you can go back to your home and redeem it to receive your bitcoin.

You can also find a local Bitcoin meetup, where there are usually people buying and selling bitcoin for cash. Bring a small (<$200) amount of cash with you, and you're more than likely going to find someone that will happily sell you some bitcoin.

If all else fails, check out this page for getting your first bitcoin. With this, you can join a specific Matrix chat room to perform a trade with someone with very small amounts. This is because first-time users are high risk since they don't have any history or account signing on Bisq.

Side Quest: Mining At Home

Another way to obtain KYC-free bitcoin is to mine it. Most people are scared off about mining because they think that they need lots of equipment and room and something to do with the excess heat, but really it can be as small of a scale as you like. For more information on home mining, check out the articles and podcasts related to Pleb Miner Month on Ungovernable Misfits.

An easy way to start is to head back to Ebay and search for "antminer s9" and find something that the seller states is in good working condition and that includes the power supply. Research the seller's account to make sure they're not a scammer that's going to send you a box of bricks and you shouldn't be paying much more than $200. You could probably find much better deals on Telegram, particularly with Kaboomracks.

You'll want either an S9, S9i, or S9j for compatibility with Braiins OS. This will allow you to limit the power of the miner so that it doesn't use as much electricity, doesn't create as much noise, or as much heat. You can see this data from CryptoCloaks on different configurations, as well as some better fans that you can replace the stock S9 fans with. They have a complete guide on how to replace the fans here.

Side Quest: Multisig

It's also possible to do multisig with this setup by making use of BIP85 to derive multiple seeds which will make up the cosigners. This may be considered an odd trade-off, since the master seed could recreate all the seeds of the multisig. However, if your concern for singlesig are attacks that affect a single signing device, using BIP85 derived seeds and restoring hardware wallets from separate manufacturers offers a clean solution while only having to back up a single seed.

Keep in mind though, that using multisig does not give you the privacy that this quest focuses on and details in the Cold Samourai section. If you "Mix to..." your multisig, it is obvious to an observer that those outputs are no longer part of the Whirlpool remixing pool. It also means that when you want to spend, you won't be able to utilize post-mix spending tools like Stonewall to preserve an amount of uncertainty of coin ownership.

Conclusion

That was a lot, especially if you completed all of the side quests! Be sure to practice with the Seed Tool on your airgapped laptop, using your digital backup, and recovering from your physical steel backups before destroying any old methods that you're already using.

Let's review what your environment looks like, at a minimum:

A Bitcoin-only laptop that's connected to the internet
An airgapped laptop that's not connected to the internet
An encrypted USB drive for transferring files from the Bitcoin-only laptop to the airgapped laptop
An encrypted SD card that contains your master seed and was created on and is only intended for use on the airgapped laptop
2 copies of all 3 parts (6 total) of your SeedXORed master seed, stamped in steel
3 copies of your passphrase, stamped in steel

Your Sparrow Wallet on your Bitcoin-only laptop should be used for receiving funds and spending only after mixing in Whirlpool for the post-mix spending tools. You can mix to cold storage to prevent the Bitcoin-only laptop from having all your funds in a hot wallet, while also setting yourself up for success when it comes time to spend those funds since they'll be easy to import into Samourai Wallet or Sparrow again as a separate Whirlpool wallet.

Your steel backups should be geographically separated as much as it makes sense for you, while you use your encrypted digital backup whenever you need to make a new wallet. Your passwords and any secrets specific to this setup should only be stored in the KeePassXC password manager on the airgapped laptop.

🧡

Found this post helpful? Consider sending the author a tip