How to create your own cold hardware wallet

Today, using public hardware wallets is really unsafe. Hackers can get access to your money when you update the software or download the wallet software to your PC, and they can even duplicate your private key. We investigate solutions that can help you avoid being hacked and store your money safely.

Do you use hardware wallets and truly believe that you can safely store cryptocurrencies there? Trezor, Ledger, KeepKey – the list of wallets is endless, but the question arises: have you ever wondered why there are so many companies eager to organize “safe” storage of your funds?

Perhaps this article will make you think hard about how safely you are storing your own cryptocurrency savings and open your eyes to proprietary hardware wallets.

What is a hardware wallet?

A hardware wallet is a portable device that provides secure cold storage for your cryptocurrency savings, i.e. it stores private keys on a device that doesn’t interact with the Internet, thus eliminating the possibility of the keys being compromised or leaked. The data on the device must be stored in encrypted form, so that even if you physically lose the device, no one will be able to get access to it.

When working with proprietary wallets, you expose yourself to the following risks:

  1. Software update. You can never be truly sure, even if you do a careful code review of each new firmware update, that there won’t be any malicious components that secretly leak your private keys.
  2. Not all wallet firmware is open source. And even if the firmware is open source, there is no way to verify that this exact firmware is installed on the wallet. Also, some people buy used wallets on eBay and other resources without finding out what kind of firmware is installed on the wallet.
  3. Installing the wallet’s software on your computer. To interact with the device, you’re required to install software on your computer. This software can not only leak private keys from the hardware wallet, but it can also leak other information and keys from your computer.
  4. It is not known how the seed and private keys are generated. The private key must be generated through a random process, and it should be impossible to generate a particular key more than once. However, there are many cases when these processes are not random; at times they are pseudorandom. That means that, given the initial state and the generator algorithm, the same key can be created more than once. For this reason, wallet manufacturers can build in a seed-phrase generator that produces pseudorandom keys, which someone who knows the generation algorithm can reproduce with non-zero probability.

Someday BTC will cost so much that it would be more profitable for hardware wallet manufacturers to create firmware that steals money from users’ wallets and then just disappear, rather than trying to earn more money by manufacturing more hardware wallets. Creating your own non-proprietary hardware wallet will protect you against issues like this because you control everything that happens in the firmware and software.

Now I bet you’re wondering, “How can I ensure the cold storage of my cryptocurrency?” The answer is very simple: you should make your own hardware wallet. It’s not as difficult as it sounds.

Here’s how to create your own hardware wallet

First, we’ll need a flash drive and a Linux OS image – Ubuntu 16.04, which you can download from the official site

After downloading the image, you should check that it’s the file published in the official Ubuntu repository. You can check this by following the official guide from
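One way to run this check from the terminal, as an added example that is not part of the original article: it compares the ISO's SHA-256 with the SHA256SUMS manifest Ubuntu publishes next to its images, and verifies the manifest's detached signature (SHA256SUMS.gpg) when you pass it. The function names and the script name are illustrative assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the article): check a downloaded Ubuntu ISO against
# the SHA256SUMS manifest published next to it. Function names are illustrative.

# Portable SHA-256 of a file: sha256sum on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_manifest_sig MANIFEST SIGNATURE
# The manifest is only as trustworthy as its signature: check it with a key
# whose fingerprint you compared against Ubuntu's verification guide.
verify_manifest_sig() {
    gpg --verify "$2" "$1"
}

# verify_iso ISO MANIFEST
# Returns 0 on match, 1 on hash mismatch, 2 if a file is unreadable or the
# ISO is not listed in the manifest.
verify_iso() {
    local iso manifest name expected actual
    iso=$1; manifest=$2
    [ -r "$iso" ] && [ -r "$manifest" ] || return 2
    name=$(basename "$iso")
    # Manifest lines are "<hex>  <name>" or "<hex> *<name>" (binary mode).
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$manifest")
    [ -n "$expected" ] || return 2
    actual=$(sha256_of "$iso")
    [ "$actual" = "$expected" ] || return 1
}

# Usage: ./verify-iso.sh ubuntu.iso SHA256SUMS [SHA256SUMS.gpg]
if [ "$#" -ge 2 ]; then
    if [ -n "$3" ]; then
        verify_manifest_sig "$2" "$3" || { echo "manifest signature INVALID"; exit 1; }
    fi
    if verify_iso "$1" "$2"; then
        echo "OK: $1 matches the manifest"
    else
        echo "FAILED: do not write $1 to the flash drive"; exit 1
    fi
fi
```

A matching hash only proves the ISO agrees with the manifest, so the signature check on the manifest is the step that ties the download back to Ubuntu.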

As an additional measure of protection, we advise you to use a flash drive with hardware encryption.

Install a full-fledged Linux OS on the flash drive. It can boot on any computer and will never have access to the Internet. This setup has three levels of encryption:

  1. Hardware encryption of the data (flash drive with an encryption chip)
  2. Software encryption of the partition with the Linux OS
  3. Software encryption of the file with private keys

To install, we need two flash drives (8GB): one is the bootable installer, and the second will hold the fully installed operating system.

Look at the list of all connected drives with the command:

diskutil list

and look for the diskN number of one of our 8 GB flash drives.

Format the USB flash drive that will be bootable so that it has a GPT partition table and a partition of type HFS+:

diskutil partitionDisk /dev/diskN 1 GPT HFS+ LinuxForMac R

Next, make this USB flash drive bootable according to the instructions here:–cms-21253.

Reboot the Mac, holding down the “Alt” key. The boot device selection screen should appear. Choose the UEFI option.

After booting from the boot flash drive, plug in our future crypto flash drive and begin the installation of Ubuntu. You need to run the installer from the console without installing the bootloader: ubiquity --no-bootloader, otherwise the installer will overwrite our OS X loader.

Choose the item “something else”:

Find the test drive and click “New partition table”.

Next, create two partitions on the GPT table: the first, 100 MB, of type “EFI System Partition” for booting, and the second, 7000 MB, with the mount point “/” and the ext4 file system for the operating system and all other data.

The flash drive will have the following structure:

We use the minimum number of partitions to make better use of the space, without creating separate /home and /boot partitions. Then, in the remaining space, you can create a partition with any convenient file system. For example, you can create an hfsplus partition that is accessible from both the Mac and Ubuntu.

Then, click “Install now”. Don’t worry about the missing swap partition – it’s not necessary.

When you reach the creation of the user account, do not forget to check the box “Encrypt my home folder”. This is one of the levels of encryption and, accordingly, the protection of our private keys.

Click “Next” and wait until the installation is complete. Then reboot the computer and press Alt as it starts to get to the boot menu. There, select “Efi boot”, i.e. our boot flash drive. The idea is to use the grub bootloader from this flash drive but to boot from the newly created one, because we did not install the bootloader on the crypto drive. While it is loading, immediately start pressing “c” to get into the grub console:


Then, we need to select a new root partition. Look for our crypto flash drive:

grub> ls

(memdisk) (hd0) (hd1) (hd1,gpt3) (hd1,gpt2) (hd1,gpt1) …

You can check whether it’s the required flash drive by looking at the contents of /home, because we remember the name of our user:

grub> ls (hd2,gpt2)/home


If there are several partitions like this, then look here:

grub> ls (hd2,gpt2)/boot/grub

unicode.pf2 …

We should see this on the crypto flash drive. Remember the name of the partition and point the bootloader at this root partition:

grub> set root=(hd2,gpt2)

Look at the UUID of our partition:

grub> ls -l (hd2,gpt2)

     Partition hd2,gpt2: Filesystem type ext* 〈…snip…〉 UUID e86c20b9-83e1-447d-a3be-d1ddaad6c4c6 – Partition start at […]

And specify it in the kernel options (the kernel version is not known in advance so use the auto completion by pressing Tab):

grub> linux /boot/vmlinuz〈press tab〉.efi.signed root=UUID=(specify the UUID from the previous command, without brackets)

Similarly, specify initrd:

grub> initrd /boot/initrd〈press tab〉

And start:

grub> boot

After the first successful boot using the grub boot drive, we need to install the bootloader on the crypto drive. To do this, change the type of the EFI partition to Apple HFS+, format it as HFS+, and install the bootloader directly.

We prepared a script that automates the entire process. It is enough to create the file and copy the text of the script into it using any text editor, for example, nano:

#!/bin/bash
# Run as root. Installing the packages below needs a network connection for this one-time setup.

# Determine the flash drive's device name from the partition mounted as the root filesystem
DISK=$(df -h | grep ' /$' | awk '{print $1}' | cut -d/ -f3 | grep -o "[a-z]*")
echo "your disk is $DISK"

# Add the repository and install the necessary utilities
add-apt-repository ppa:detly/mactel-utils -y || exit 1
apt-get update
# Note: --force-yes also lets apt proceed with packages that fail authentication
apt-get install -y --force-yes mactel-boot hfsprogs gdisk grub-efi-amd64

# After booting, the /boot/efi partition is mounted from the boot flash drive; unmount it
umount /boot/efi

# Change the type of partition 1 to Apple HFS+ (gdisk type code AF00)
echo -e "t\n1\nAF00\nw\ny" | gdisk /dev/$DISK

# Create a partition from the entire remaining empty space
echo -e "n\n\n\n\nAF00\nw\ny" | gdisk /dev/$DISK

# Re-read the partition table
# (the original command is missing from the page; partprobe is assumed here)
partprobe /dev/$DISK

apt-get install -y hfsprogs

# Format the partitions
mkfs.hfsplus /dev/"$DISK"1
mkfs.hfsplus /dev/"$DISK"3

# Replace the UUID of /boot/efi in /etc/fstab with the new one
blkid | grep /dev/"$DISK"1 | grep -o "UUID.*" | cut -d\" -f2 | while read name;
do
   sed -i "s/UUID.*\/boot\/efi/UUID=$name\t\/boot\/efi/g" /etc/fstab
done
sed -i "s/vfat/auto/g" /etc/fstab
mount -a
mkdir -p "/boot/efi/EFI/$(lsb_release -ds)/"

# The Mac will not boot without these files
echo "This file is required for booting" > "/boot/efi/EFI/$(lsb_release -ds)/mach_kernel"
echo "This file is required for booting" > /boot/efi/mach_kernel

# Install the boot loader
grub-install --target x86_64-efi --boot-directory=/boot --efi-directory=/boot/efi --bootloader-id="$(lsb_release -ds)"
hfs-bless "/boot/efi/EFI/$(lsb_release -ds)/System/Library/CoreServices/boot.efi"
sed -i 's/GRUB_HIDDEN/#GRUB_HIDDEN/g' /etc/default/grub
sed -i 's/GRUB_TIMEOUT=10/GRUB_TIMEOUT=0.1/' /etc/default/grub
grub-mkconfig -o /boot/grub/grub.cfg
apt-get install mactel-boot-logo -y
cp /usr/share/mactel-boot-logo/ubuntu.icns /boot/efi/.VolumeIcon.icns -v

Now you need to start the script with the command:

sudo bash

If the script runs successfully, the partitions of our crypto flash drive will look like this:

The boot partition will be installed on the flash drive. It will allow you to run Ubuntu from any Macbook.
