Thank you all for the input. I think that I have another way to use a cold wallet (or potentially just duplicated what someone with more Chia experience already published).
However, before going there, let me clarify what we are aiming for. To create a new wallet, we need a machine that needs to be disconnected in a broad sense. I guess that’s the only requirement. We cannot require a non-compromised machine, as most of us don’t have enough experience.
Here are my steps.
- Download the Ubuntu installer and create a USB installation stick
- Download the Chia installer, and copy it to, say, a /chia folder on that USB stick
- Use a box that doesn’t have any active connections
  a. remove the Ethernet cable
  b. kill WiFi (temporarily disable it on your router)
- Boot from the USB stick, and use the “Try It” option (don’t install it on that box)
- Run Chia installer
- Create your new wallet, copy keys/address in a normal way (paper, whatever you feel comfortable)
- Shut down that box
- Remove that USB stick, and keep it with your paper info
In case you need to create a new wallet, just use the same USB stick, and again use the Try It option. You will need to install Chia again, as whatever you install is placed in RAM, so it goes away when you shut down that box.
We have to assume that the machine on which we will create that USB stick is compromised; as such, the installation stick may have malware. We also have to assume that the box we will be using to create a new wallet is compromised, although we will not run that box's OS during the wallet creation.
The only potential threat that I can see is that the malware on the USB stick will also run when we use the Try It option and try all possible ways to store our keys. It will try to save those keys somewhere (writable drives that are in the box, or somewhere on the motherboard). So, yes, if someone requires more safety, it would be good to just disconnect the original drives. We would also assume that the malware would need to be really sophisticated to save those keys on the motherboard, so the likelihood of that is small (for some time). If you still feel unsafe, such a box should be used only for that Ubuntu USB drive, but then you may just want to install the OS on it, and keep it powered off (the original suggestion).
The advantage of this method is that we can store that USB drive together with the paper with those keys, and reuse it when needed. The potential threat of capturing and storing those keys during wallet creation is rather small. If we feel safe (I do), we can use it on any box we have at home (compromised or not - the original OS will not run, so that part of malware will not be active). So, basically it is the same, or close to the “perfect” solution promoted in those how-to writeups. On the other hand, it is much more secure than using VMs, as we don’t have two live and potentially cooperating compromised systems. In addition, it is much easier to use such a stick (e.g., for novices / grandmas) than to deal with VMs. I do use VMs (actually a bit), and would not feel comfortable using that method.
If you see any other holes, or how that could be improved, please do it, as in my opinion, that may be the easiest method for those less experienced that mix technical religion with practical steps and cannot tell the difference.
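
A pre-flight check for the live session described in the post above, as an added example that is not part of the original post: it reports any network interface that still has a link and any disk partition mounted writable, the two places the post expects keys could leak to. The function names and the `--check` argument are assumptions of this example; the sysfs and mounts paths are parameters so the checks can be run against a constructed tree.

```shell
#!/bin/sh
# Added example: run inside the live "Try It" session before creating the wallet.

# Print every non-loopback interface that has a link or is operationally up.
live_links() {
    sys_net="${1:-/sys/class/net}"
    for dev in "$sys_net"/*; do
        if [ ! -d "$dev" ]; then continue; fi
        name=${dev##*/}
        if [ "$name" = "lo" ]; then continue; fi
        # carrier cannot be read while an interface is administratively down
        carrier=$(cat "$dev/carrier" 2>/dev/null || echo 0)
        state=$(cat "$dev/operstate" 2>/dev/null || echo unknown)
        if [ "$carrier" = "1" ] || [ "$state" = "up" ]; then
            echo "$name"
        fi
    done
}

# Print "device mountpoint" for every real block device mounted read-write.
# Loop devices (the live image itself) and RAM filesystems are skipped; a
# writable partition on the USB stick will be listed too.
rw_block_mounts() {
    mounts="${1:-/proc/mounts}"
    while read -r src mnt fstype opts rest; do
        case "$src" in
            /dev/loop*) continue ;;
            /dev/*) ;;
            *) continue ;;
        esac
        case ",$opts," in
            *,rw,*) echo "$src $mnt" ;;
        esac
    done < "$mounts"
}

# Return 0 and print OK only when neither check finds anything.
preflight() {
    links=$(live_links "${1:-}")
    disks=$(rw_block_mounts "${2:-}")
    if [ -n "$links" ]; then echo "NETWORK LINK PRESENT: $links"; fi
    if [ -n "$disks" ]; then echo "WRITABLE DISK MOUNTED: $disks"; fi
    if [ -z "$links" ] && [ -z "$disks" ]; then echo "OK"; return 0; fi
    return 1
}

if [ "${1:-}" = "--check" ]; then preflight || exit 1; fi
```

An internal drive that is not mounted now can still be mounted later by anything running as root, so physically disconnecting the drives, as the post suggests, remains the stronger control.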