'Non-networked device + USB drive' vs 'Bootable OS + CD'

Hi all.

I’m looking for comments/ideas here.

I’m thinking of different ways to run programs which generate sensitive data like private keys. For example, the generation of paper wallets.

I’m asking out of interest, because each of these two has a downside, and I don’t know which is worse in terms of security. Which do you think would be the more secure approach?

  1. Using a device like a netbook which will never again be networked. The downside is that the software is taken to the device on a USB drive which is moved between various devices.

  2. Using a desktop PC, temporarily disconnected from its network, booting from a DVD. Then using software from a CD/DVD to generate keys et cetera. The downside here is that the device will subsequently go online.

I suppose I’m asking which is more likely - a ‘bad’ USB drive, or the threat of sensitive data persisting on the machine which will later be networked (in memory or on drives)?

Would it be worth detaching HDDs and SSDs from the ‘normally networked’ machine during the procedure?
Would it be worth using a new USB drive on the ‘non-networked’ device, then never using the USB drive in another machine?

I am curious to see where you all think the best balance lies…

Make it too complex and you risk making mistakes.

You have to tailor any solution to how you will be using the sensitive data. This really will help define the way you go, since the purpose/use will define how the data needs to be moved.

If for some private keys

Get one of the <20$ SBCs. Like a RPi or CHIP or similar. Download the software onto it then do all your generation with it disconnected from any network.

And then manually type them into any wallet when the need arises.
