Today we are discussing how to set up a dedicated workstation for your #Bitcoin business. By this I mean a computer used exclusively to hold everything needed for transacting and managing your Bitcoin holdings. This will be your own bank’s counter.
What we are going to create is a Debian install on a fully encrypted LUKS filesystem, with everything needed to manage your Bitcoin. We want something that resists abusive physical access or confiscation, but that can also be easily managed by a family member you authorize, in case you are unable to do it yourself.
Advantages
Computer with physical security by full filesystem encryption;
Having all things in order and in a single place in your home;
Having no confusion with devices used for different businesses and purposes (work computer, entertainment computer, etc);
What you need
A desktop computer with at least 8 GB of RAM, an SSD and a free USB port
A USB stick of at least 16 GB
Hardware devices: suggested Bitbox2 (bitcoin only) + Blockstream Jade
Install Debian with LUKS FS
Download Debian from the Debian website. At the moment the latest release is 12.7;
Flash the image onto the USB stick. You can use balena etcher or any other similar tool;
Boot the candidate computer from the USB stick and follow install steps;
Choose LUKS filesystem encryption and partition the disk so that /home is a separate partition;
Set the LUKS passphrase and make sure you have a safe backup of it on paper;
Complete a minimal Debian install on this computer;
Small things to install
sudo apt update
sudo apt install git wget vim-nox gpg pass tor
Software needed
Download Electrum (AppImage) from: https://electrum.org/#download
Download the signatures and the key to check them against. Import the key using gpg and verify the signatures as you normally do. Then give the file execution rights with
chmod +x electrum-4.5.5-x86_64.AppImage
Please note that from the first start a hidden directory, .electrum/, will be created in your home directory; it contains all the data needed for your wallets.
If you followed the previous steps, you already have the command-line password manager “pass”, which uses PGP to manage your passwords. I suggest this tool in this configuration because it just works and it is simple and small. But if you want something with a GUI you can use https://keepassxc.org/
To use pass you need to install your private gpg key locally. You can export it from the computer you already have or from a backup, or generate a new one if you prefer. It is always better to keep a backup of such keys.
Download Tor Browser and verify its signatures: https://www.torproject.org/download/
Install your VPN (Mullvad for example). Mullvad can be purchased with Bitcoin Lightning on BitcoinVoucherBot
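The signature check mentioned above for Electrum and Tor Browser, as an added example that is not part of the original article: gpg reports success for a good signature from any key in your keyring, so this check also requires that the signer's primary-key fingerprint equals one you obtained from a trusted source. The function names, the sample status lines and the fingerprints in them are constructed placeholders.

```shell
#!/bin/sh
# Added example: pin the signer's fingerprint instead of trusting gpg's exit code.

# check_status FPR: reads `gpg --status-fd` lines on stdin; succeeds only if a
# good signature was made by the key whose PRIMARY fingerprint is FPR.
check_status() {
    cs_want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$cs_want" ] || return 2
    awk -v want="$cs_want" '
        $1 != "[GNUPG:]" { next }
        $2 == "NEWSIG"   { good = 0 }   # a new signature block starts
        $2 == "GOODSIG"  { good = 1 }   # absent for expired or revoked keys
        $2 == "BADSIG"   { bad = 1 }    # file does not match a signature
        $2 == "VALIDSIG" { if (good && $NF == want) ok = 1; good = 0 }
        END              { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_release FILE SIG FPR: run gpg and apply the pinned-fingerprint check.
# gpg alone exits 0 for a good signature from ANY key in the keyring, and may
# exit non-zero when SIG also carries signatures from keys you did not import.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}

# Constructed sample of gpg status output (placeholder fingerprints, not real
# keys): one signature from a key that is not imported, one good signature
# made with a subkey (field 3) of the pinned primary key (last field).
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 1111111111111111 1 10 00 1700000000 9 -
[GNUPG:] NO_PUBKEY 1111111111111111
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-01-01 1704067200 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EOF
}

# Usage (signature file name and fingerprint are placeholders to fill in):
#   verify_release electrum-4.5.5-x86_64.AppImage SIGNATURE_FILE.asc "PINNED FINGERPRINT" \
#       && chmod +x electrum-4.5.5-x86_64.AppImage
```

Take the pinned fingerprint from a source other than the download page itself, so that a tampered page cannot supply both the file and the key.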
Then you need
Blockstream Green: https://blockstream.com/green/ to run with the Jade hardware device. You can find it in Europe here: https://www.satsmobi.com/product-category/hardware/hardware-wallet/
If you have trouble getting your device recognized when connected to the workstation, please refer to the Linux section of this article:
https://help.blockstream.com/hc/en-us/articles/900005443223-Fix-issues-connecting-Jade-via-USB
For the BitBox, please check out this article: https://bitbox.swiss/blog/welcome-series-en-1/
In case you need to create the mnemonic, you can follow your preferred procedure (dice, wallet, or whatever you prefer). But you may find it convenient to install the Papergen tool, which can generate deterministic HD BIP39 wallets or single wallets from microphone entropy (in that case be sure to be offline and to have a working mic). This tool can be found here: https://github.com/massmux/Papergen . In fact, the single wallet feature can be useful for transferring a small part of your money to an easy-to-move wallet to give to someone else.
What other data can you add?
You can use pass on this computer to store the nostr private key and the unlocking PINs of the devices;
You can use gpg to store your gpg private key;
You can store Electrum transaction labels in Electrum in order to securely keep track of the source of your funds;
Final checks
To be sure all is OK, we suggest the following steps:
Perform several reboots and make sure that the LUKS passphrase is accepted and the system boots correctly. Also try entering a wrong passphrase to see if the system reacts correctly;
Open Electrum (with the BitBox already connected) and create a message signature, to be sure that the system signs correctly;
Open Green with the Jade and make sure you see your Liquid and Bitcoin holdings correctly;
Use Tor to connect with your wallets. If you have a Bitcoin Core node, you can connect to your node as well in order to get timechain information and broadcast your transactions.
I am available in the comments for more information and your opinions.
Great stuff Massimo
thank you to everyone restacking this article!