Getting Started Transacting Securely in Monero (XMR)


Note: Monero goes through periodical scheduled hard forks for making system upgrades. Check for the latest versions and SHA256 hashes. As of April 2018 the version is (Lithium Luna).

Among the many crypto currencies there are some that seem to be different enough to make a chance to stay around for the long term. Monero (“coin” in Esperanto; plural Moneroj) is one of these. Monero is striving for completely anonymous transactions, leaving the decision whether or not to make it public to the user. Also, the community appears to be focused on quality rather than on marketing, which is a good sign and OK because Monero already is one of the most well known crypto currencies.

In this article we setup a very secure off-line “cold” wallet with an account or address to hold Monero (“XMR”), and a low cost infrastructure to monitor the account without having to run a full node at home. By keeping the cold wallet with its secret spending key off-line, nobody can steal your funds.

[ ] Learn some basics.
[ ] Create an off-line cold wallet, securely.
[ ] Create a full node in the cloud.
[ ] Synchronize the node with the blockchain.
[ ] Create a monero client on a MacOS laptop and connect to the remote node, securely.
[ ] Create a view-only wallet, to watch incoming transactions on the cold wallet.
[ ] Freeze and store the full node with data, and thaw and re-sync when needed.

Some Practical Basics

Many points that apply to Bitcoin apply to Monero. This section will grow as I learn more myself…

  • There are two common address types; standard public address, and an integrated address which is a combination of a standard address and a paymentID.
  • A standard Cryptonote style public address is 95 characters (Base58) and an integrated address is 106 characters long, and both start with a “4”.
  • A standard address is owned and controlled by the person who has control over two private keys, the spending key, and the view key.
  • Wallets are tools to manage address, and private keys, and typically use a mnemonic seed consisting of a sequence of common words from which address and private keys are derived so that you only need to note the mnemonic seed. (But it is good to secure the keys as well, since you might have to rely on a particular implementation of the derivation.)
  • The most secure wallets are created and held in a secure and un-compromised environment, disconnected from any network. Cold storage is keeping the private keys on paper or other medium in a safe.
  • The least secure wallets are managed for you by a website or exchange. This is almost never a good idea as websites disappear, make decisions for you, or block withdrawals.
  • Unlike with Bitcoin, you do not need to use new addresses for each transaction so you will be OK with just one.
  • To stay up to date, read the Monero reddit.

a secure off-line cold wallet

While you could create a wallet on your browser relatively securely, we create a more secure wallet to hold larger amounts. For this purpose we create a secure environment first on a MacBook, and then create and store the wallet in it. We use the excellent Aegis secure key with integrated keypad to unlock and decrypt contents, to keep persistent storage secure but you could use any USB stick as long as you destroy the stick or just keep it safe. Disclaimer: You are responsible to consult with experts to achieve the security levels needed in your particular situation.

[ ] Download the wallet generator, which is simply a web page, onto your laptop. (File is here:
git clone

Secure environment for creation and storage of wallet

We will install Tails OS onto a USB stick bootable on your laptop. You need two USB sticks of 4GB, one of which one could be an encrypted USB stick to hold the final product. In addition you need a computer to perform the procedure. The procedure is explained in full detail here. Below is a summary of major steps, plus additional steps to get to the wallet generator file on your laptop.

[ ] Create a first USB stick (following the instructions)
[ ] Create a second USB stick, create persistent storage (following the instructions), and reboot
[ ] When booting the secure environment, enable admin password
[ ] Mount your laptop disk and copy the wallet generator to the persistent storage of the secure environment.
[ ] Reboot and move the wallet generator into the Tor Browser folder in order to open it.
[ ] Open the file in the Tor browser, and use the page to create a new wallet.
[ ] Write down on paper the mnemonic at least perhaps for storage on another secure site.
[ ] Copy the public address and optionally the view private key for use outside the secure environment.
[ ] Shutdown and store the USB stick with data in a safe.

Create a full node in the cloud

To view or transact in a secure way it is best to own a full node. However, I found it somewhat undesirable to run a node from home, as it invites lots of connections from other nodes. Instead, I now take the approach of using a cloud VM. The cost can be very low, especially when you can store a snapshot of the node and data and store it at no cost or very low cost. is one provider currently still offering free storage of snapshots so we will use a VM. The block chain data size is currently over 25GB so select an instance with more SSD capacity, e.g. 2GB RAM and 40G SSD storage. Expect to use more than 60GB transfer capacity to download and sync the bitchain. It is easy to resize to larger when needed. Note that even with 2GB RAM you will need swap space, so we will create it below. The cost of running the VM just for synchronizing is less than a dollar.

Signing up with Vultr through this link will support this site if you continue using them. ]

[ ] Create an Ubuntu 16.04 VM 
[ ] Create an ssh public/private pair if you do not have it (Google how)
[ ] Paste the public key "ssh-rsa AAA…." portion into the key field, or select an existing one
[ ] Create the in instance and wait until running.
[ ] Login on the instance (using ip address in email) and enter password visible in the control panel and accept the fingerprint.
ssh root@<ipaddress>
[ ] Update your OS 
sudo apt update
sudo apt -y upgrade
[ ] Add user e.g. <youruserid>
adduser <youruserid>
usermod -aG sudo <youruserid>
[ ] on local machine copy public ssh key to clipboard
pbcopy < ~/.ssh/
[ ] on remote machine become the user mbouda
su - mbouda
mkdir ~/.ssh
chmod 700 ~/.ssh
[ ] open editor and paste ssh key into file and save 
vi ~/.ssh/authorized_keys
[i] [Ctrl] [v] [Esc] [:] [w] [q]
[ ] logout from the session to enable passwordless ssh login.
[ ] login again
ssh <youruserid>@<ipaddress>
[ ] Optionally for better security disable login using root, making PermitRootLogin to no
sudo vi /etc/ssh/sshd_config
[ ] restart ssh deamon
sudo service sshd restart
[ ] Make sure port 18080 is open using one of the following:
sudo ufw allow 18080
sudo iptables -A INPUT -p tcp --dport 18080 -j ACCEPT
[ ] Install screen
sudo apt install screen
[ ] Download using one of the following
[ ] Create a directory monero
mkdir -p monero
[ ] Extract the binaries with appropriate one of the following
tar -xjvf linux64 -C monero
tar -xjvf monero-linux-x64-v0.12.0.0.tar.bz2 -C monero
[ ] Create swap space on the SSD
sudo touch /var/swap.img
sudo chmod 600 /var/swap.img
sudo dd if=/dev/zero of=/var/swap.img bs=2048k count=1000
sudo mkswap /var/swap.img
sudo swapon /var/swap.img
[ ] Enable swap space permanently across reboots
sudo echo "/var/swap.img none swap sw 0 0" >> /etc/fstab
[ ] Run the monerod daemon (in the directory corresponding to the latest version)
screen -dmS xmrdaemon ~/monero/monero-v0.12.0.0/monerod
[ ] you can connect to the screen with screen -r monerod or disconnect with <Ctrl><a><d>
[ ] You can log out and deamon will continue to run.

screen lets you log off without interrupting the process that is running. Wait until the synchronization is complete.

Install a Monero Client

Next we install a monero client, and create an ssh connection to the full node to connect. You will need to make changes to use the latest version.

[ ] Download the client for MacOS from
[ ] download binary
[ ] check the SHA hash
sha256sum monero-linux-x64-v0.12.0.0.tar.bz2
[ ] unpack
tar -vxjf monero-linux-x64-v0.12.0.0.tar.bz2

There also is a client/GUI for MacOS X, which can open your wallet you just created. Get it from here:, and unpack the app: tar -xvf monero-gui-mac-x64-v0.10.3.1.tar.bz2. Then move the .app within the moner-gui folder to Applications folder.

To connect the client to the remote full node, establish an ssh connection. You need to do this before using the client every time. The client or GUI connects to the remote daemon by connecting to a local port 18081 on your laptop, which is connected to the remote daemon. The local wallet will synchronize with the remote daemon.

[ ] Create the connection from your laptop
ssh -N -f -L 18081: <userid>@<address-of-node>

Do not let the GUI start a local monerod daemon, unless you intend to. Under Settings you can select Connect, to connect to the remote daemon. Daemon address should be “localhost” and the port number to the right of this box should be 18081. Also note that when closing the client, clicking on stop daemon will stop the remote daemon.

Create a View-Only Wallet

The wallet can be configured to be view-only, that is not contain the spend key. Note that the balance calculated by the wallet will not include any outgoing transactions though! But it is a good way to protect funds in a cold wallet. The wallet name you choose can be anything.

[ ] Create a view-only wallet using private view-key and public address.
cd monero-v0.10.3.1
./monero-wallet-cli --generate-from-view-key <walletname>
[ ] Enter the standard public wallet address.
[ ] Enter the private view key.
[ ] Enter a password to protect the newly created wallet.

After creation the wallet syncs using the remote node. Make sure you did not miss creating the ssh connection to the node, in previous section.

Freeze and Store the Full Node

Once synchronized, “freeze” and store your full node as an instance.

[ ] Shut-down the VM
[ ] Create a snapshot
[ ] Destroy the VM

To restore, re-create your VM from the snapshot; select location, then server type – snapshot, and [Deploy Now]. Once up and running, login, start the daemon (./monerod) and let it synchronize to catch up with the block chain since you created the snapshot.

You could also make a copy of the created data files which you now trust, and store them on your laptop or on-premise server. The data is by default on Linux in directory $HOME/.bitmonero (a hidden directory.) You can point the daemon to a different one using –data-dir option when launching monerod. The data can be easily copied to another host using  scp -r .bitmonero <userid>:<ipaddress>:/home/<userid>/ .

That’s it! Leave a comment on where some more refinement would be useful.

updated: 20170909, 20171119, 20171228; 20180405

Leave a Reply

Your email address will not be published. Required fields are marked *