Trezor Hardware Wallet

From Kicksecure
Jump to navigation Jump to search

Documentation for this is incomplete. Contributions are happily considered! See this for potential alternatives.

Installation[edit]

Platform specific.

  • Kicksecure: No special notice.
  • Kicksecure for Qubes: In kicksecure-17 Template.

sudo adduser user plugdev

[1]

Install package(s) trezor python3-hid following these instructions

1 Platform specific notice.

2 Update the package lists and upgrade the system The Web Archive Onion Version .

sudo apt update && sudo apt full-upgrade

3 Install the trezor python3-hid package(s).

Using apt command line --no-install-recommends option The Web Archive Onion Version is in most cases optional.

sudo apt install --no-install-recommends trezor python3-hid

4 Platform specific notice.

5 Done.

The procedure of installing package(s) trezor python3-hid is complete.

Signing Key Download[edit]

Platform specific.

  • Kicksecure: No special notice.
  • Kicksecure for Qubes: In kicksecure App Qube.

  • Digital signatures are a tool enhancing download security. They are commonly used across the internet and nothing special to worry about.
  • Optional, not required: Digital signatures are optional and not mandatory for using Kicksecure, but an extra security measure for advanced users. If you've never used them before, it might be overwhelming to look into them at this stage. Just ignore them for now.
  • Learn more: Curious? If you are interested in becoming more familiar with advanced computer security concepts, you can learn more about digital signatures here digital software signatures.

Securely download the signing key.

scurl-download https://trezor.io/security/satoshilabs-2021-signing-key.asc

Display the key's fingerprint.

gpg --keyid-format long --import --import-options show-only --with-fingerprint satoshilabs-2021-signing-key.asc

Verify the fingerprint. It should show.

Note: Key fingerprints provided on the Kicksecure website are for convenience only. The Kicksecure project does not have the authorization or the resources to function as a certificate authority, and therefore cannot verify the identity or authenticity of key fingerprints. The ultimate responsibility for verifying the authenticity of the key fingerprint and correctness of the verification instructions rests with the user.

Key fingerprint = EB48 3B26 B078 A4AA 1B6F 425E E21B 6950 A2EC B65C

The most important check is confirming the key fingerprint exactly matches the output above. [2]

warning Warning:

Do not continue if the fingerprint does not match! This risks using infected or erroneous files! The whole point of verification is to confirm file integrity.

Add the signing key.

gpg --import satoshilabs-2021-signing-key.asc

Download[edit]

Platform specific.

  • Kicksecure: No special notice.
  • Kicksecure for Qubes: In kicksecure App Qube.

Check the latest version number and read the release notes herearchive.org.

Download the Trezor Suite AppImage.

scurl-download https://suite.trezor.io/web/static/desktop/Trezor-Suite-21.10.2-linux-x86_64.AppImage

Download OpenPGP signature.

scurl-download https://suite.trezor.io/web/static/desktop/Trezor-Suite-21.10.2-linux-x86_64.AppImage.asc

Digital Software Signature Verification[edit]

Platform specific.

  • Kicksecure: No special notice.
  • Kicksecure for Qubes: In kicksecure App Qube.

Verify OpenPGP signature.

gpg --verify Trezor-Suite-21.10.2-linux-x86_64.AppImage.asc

If the file is verified successfully, the output will include Good signature, which is the most important thing to check. 

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

This message does not alter the validity of the signature related to the downloaded key. Rather, this warning refers to the level of trust placed in the Kicksecure signing key and the web of trust. To remove this warning, the Kicksecure signing key must be personally signed with your own key.

Make Executable[edit]

Platform specific.

  • Kicksecure: No special notice.
  • Kicksecure for Qubes: In kicksecure App Qube.

Make file Trezor-Suite-21.10.2-linux-x86_64.AppImage executable.

chmod +x Trezor-Suite-21.10.2-linux-x86_64.AppImage

Usage[edit]

Platform specific.

  • Kicksecure: No special notice.
  • Kicksecure for Qubes: In kicksecure App Qube.

Run the following command to start the Trezor Suite.

./Trezor-Suite-21.10.2-linux-x86_64.AppImage

Qubes Issues[edit]

Symptom: 

kernel: vhci_hcd: vhci_device speed not set
kernel: usb usb1-port1: Cannot enable. Maybe the USB cable is bad

The official instructions by Trezor for Qubes OS https://wiki.trezor.io/Qubes_OSarchive.org lead to a security degradation because of running third party software inside the USBVM.

Ideas:

  • A) Create another sys-usb with a USB controller exclusively attached to that App Qubes. A HVM App Qubes with PCI pass-trough. And/or
  • B) switch off sys-usb altogether for example, if the system has only one USB controller and switch between using USBVM and not using USBVM. -> security issue https://github.com/QubesOS/qubes-issues/issues/6368archive.org

Footnotes[edit]

  1. Required, otherwise Trezor Suite will show would show error "Trezor Bridge is not running". Maybe python3-hid is superfluous in some use cases. Package trezor Recommends: it.
  2. Minor changes in the output such as new uids (email addresses) or newer expiration dates are inconsequential.
Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!

Retrieved from "https://www.kicksecure.com/w/index.php?title=Trezor_Hardware_Wallet&oldid=92249"