No offline boot mode for generating wallets and private keys?

Right then, before I get started, I ought to acknowledge that soft blocking isn’t quite as foolproof as proper air-gapping (removing wireless cards and the like). That might be straightforward enough on older hardware, mind you, but a fair few newer commercial laptops have their WiFi modules soldered directly onto the board, just like RAM, I’m afraid, so removing them is rather a blunder and not worth the bother for most users.

Now then, when I was setting up a new BTC view-only wallet, I couldn’t for the life of me find a sensible way to disable networking without first booting into sysmaint to switch it off, which is a bit of a nuisance, to say the least. I had to install rfkill to manage it, as it isn’t included by default.

You can disable networking for Electrum when creating wallets from the command line with electrum --offline and -w to point where you’d like the wallet created, though I shan’t go into all that part. Electrum offline isn’t quite enough, you see, when the rest of the computer can still have a wag with the network stack.



On Windows 11/10, safe mode quite deliberately doesn’t load network adapter drivers, the Wi-Fi stack, or networking services, which effectively software air-gaps the computer from any local network or internet connection.

TailsOS, for its part, offers an additional option for booting with all networking disabled:

Qubes has its Vault qubes, which disable networking entirely—rather perfect for generating wallets and GPG split or private keys.


So my question is why on earth does Kicksecure not offer something similar for an easy workflow and a bit of adaptability for those of us mates on limited, non-legacy hardware?
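
A pre-flight check for the workflow described in the post above, as an added example that is not part of the original thread or of Kicksecure: it reads rfkill and interface state from sysfs and fails unless every radio is blocked and every non-loopback interface is down. The function names and the optional sysfs-root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: offline pre-flight check before key generation.
# Reads kernel state from sysfs only. The root directory is a parameter
# so the check can be run against a constructed tree (an assumption of
# this example, not a Kicksecure feature).

# Print every rfkill device that is neither soft- nor hard-blocked.
unblocked_radios() {
    for dev in "${1:-/sys}"/class/rfkill/rfkill*; do
        [ -r "$dev/soft" ] || continue
        soft=$(cat "$dev/soft")
        hard=$(cat "$dev/hard" 2>/dev/null || echo 0)
        if [ "$soft" != 1 ] && [ "$hard" != 1 ]; then
            echo "$(cat "$dev/type"):$(cat "$dev/name")"
        fi
    done
}

# Print every non-loopback interface whose operstate is not "down".
# Deliberately strict: "unknown" and "dormant" are reported too.
active_interfaces() {
    for ifc in "${1:-/sys}"/class/net/*; do
        [ -r "$ifc/operstate" ] || continue
        name=${ifc##*/}
        [ "$name" = lo ] && continue
        state=$(cat "$ifc/operstate")
        [ "$state" = down ] || echo "$name:$state"
    done
}

# Return 0 only if no radio is unblocked and no interface is active.
# Gate key generation on it, e.g.: offline_preflight || exit 1
offline_preflight() {
    radios=$(unblocked_radios "$1")
    ifaces=$(active_interfaces "$1")
    if [ -n "$radios" ] || [ -n "$ifaces" ]; then
        [ -n "$radios" ] && echo "unblocked radio: $radios" >&2
        [ -n "$ifaces" ] && echo "active interface: $ifaces" >&2
        return 1
    fi
    return 0
}
```

This only reports state at the moment it runs; it does not stop a network backend from bringing an interface up afterwards.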

Qubes OS is a VM host. So that doesn’t directly compare.

When using a Kicksecure VM, you can disable the VM network adapter in the virtualizer settings.

Tails is a Live OS, doesn’t allow persistent package installation. Hence Tails comes with a guaranteed network interface backend selected by Tails developers at ISO build time.

Network backends are for example ifupdown, NetworkManager, systemd-networkd or netplan.

Kicksecure is a general-purpose operating system. Users can set up any network backend as they wish.

An offline boot mode doesn’t exist due to technical challenges.

Kicksecure cannot enumerate all network backends, configure, test each of them. And even if it could, we may not be able to do that in perpetuity because it increases maintenance effort. (Maintainability)

If a feature cannot be implemented reliably, it’s not implemented at all.

Network backends are implemented by “upstream”. Due to the organizational structure, no directive can be issued to all network backends to prioritize implementation of an easy to enable radio silence feature. More about the organizational structure here:

Additionally, the Kicksecure boot menu is already huge. Adding yet more options would make it more complicated.

Currently the 4 “main” boot menu entries (ignoring recovery mode) are:

  • Persistent User
  • Persistent Sysmaint
  • Live User
  • Live Sysmaint

With offline mode, the number of “main” boot menu entries would double to 8.

  • Persistent Online User
  • Persistent Online Sysmaint
  • Persistent Offline User
  • Persistent Offline Sysmaint
  • Live Online User
  • Live Online Sysmaint
  • Live Offline User
  • Live Offline Sysmaint

Last but not least:
Community Feedback


Additionally, the Kicksecure boot menu is already huge. Adding yet more options would make it more complicated.

GRUB 2 does have built-in submenu support, though I’m not entirely certain how far it has progressed regarding custom submenus. Might that be worth exploring or considering, so as to reduce the clutter? Is it utter rubbish?

Network backends are for example ifupdown, NetworkManager, systemd-networkd or netplan.

Dracut’s networking module only requires network-manager, systemd-networkd, connman, and network-legacy, does it not?

Network backends are implemented by “upstream”. Due to the organizational structure, no directive can be issued to all network backends to prioritize implementation of an easy to enable radio silence feature.

Yeah mate I was having a look over yonder at dracut and how it initialises the network via github, and I was wondering whether simply omitting (dracut --force --omit) 40network (network) along with any modules that depend upon it would prove an efficient and plausible approach. The other notion I had was rd.neednet=0 ip=off, though the network modules would still be present all the same.

Rather difficult to use. Would require us to hard fork files in /etc/grub.d or make them more configurable upstream.

Unrelated to dracut.

dracut as far as I know does not control NetworkManager. I’ve had systems with no connectivity in a virtual console (or during dracut) but during the “main” GUI system.

Having networking functional inside dracut can be useful for unrelated purposes but not relevant for this.

This is referring to systemd multi-user target (but also unrelated to systemd), or for lack of a better term “main” / “final” / “fully booted” system.