Ultimate Guide on Using Trezor on Qubes

Original forum link
https://forum.qubes-os.org/t/18310
Original poster
Ursidae
Editors
deeplow, Ursidae
Created at
2023-04-29 20:34:00
Last wiki edit
2023-10-20 06:08:36
Revisions
6 revisions
Posts count
80
Likes count
45

Written by Ursidae: https://ursidaecyber.com

This guide explains how to use Trezor cryptocurrency hardware wallets on Qubes OS. Unfortunately installing Trezor Suite is not as straight forward as installing other software on Qubes is, so we compiled an exhaustive and ultimate guide on the process.

This guide contains two parts: brief instructions and in-depth instructions. Use whichever is suited to your needs. These are the brief instructions. If you require detailed instructions please see my Github.

Step 1: Install Trezor Suite

  1. Install the Trezor Suite .AppImage from the Trezor website along with the signature and signing key in a new Whonix AppVM dedicated to Trezor.

  2. Verify the download.

  3. Execute code:

sudo chmod u+x /Downloads/Trezor-Suite-23.4.2-linux-x86_64.AppImage
  1. Right click on the .AppImage file and press execute to open the application.

Step 2: Port Listening

In Trezor Whonix AppVM:

  1. Execute command:
sudo nano /rw/config/rc.local
  1. Add the following code to the file:
socat TCP-LISTEN:21325,fork EXEC:"qrexec-client-vm sys-usb trezord-service" &
  1. Save and exit.

Step 3: Dom0 Trezor Policy

In Dom0:

  1. Execute:
sudo nano /etc/qubes-rpc/policy/trezord-service
  1. Add this code to the new file:
$anyvm $anyvm allow,user=trezord,target=sys-usb
  1. Save and exit.

Step 4: Fedora Cloning

  1. Clone your current regular fedora-37 template Qube and name it fedora-37-sys.

  2. Clone the fedora-37-dvm Qube and name it fedora-37-sys-dvm.

  3. Set the template for the fedora-37-sys-dvm as fedora-37-sys.

  4. Set sys-usb’s template as fedora-37-sys-dvm.

Step 5: Trezord Service

In fedora-37-sys-dvm:

  1. Execute in terminal:
sudo mkdir /usr/local/etc/qubes-rpc
  1. Execute:
sudo nano /usr/local/etc/qubes-rpc/trezord-service
  1. Add this code to the file:
socat - TCP:localhost:21325

  1. Save and exit.

  2. Execute:

sudo chmod +x /usr/local/etc/qubes-rpc/trezord-service

Step 6: Trezor Bridge

In fedora-37-sys:

Download the Trezor Bridge .rpm file from Trezor.

  1. Execute:
sudo chmod u+x /Downloads/trezor-bridge-2.0.27-1.x86_64.rpm
  1. Then execute:
sudo rpm -i /Downloads/trezor-bridge-2.0.27-1.x86_64.rpm

Step 7: Udev rules

Note on Udev rpm use: Using the Trezor-provided Udev rpm file does not work for Qubes. See in-depth explanation section below. Use the provided Method 1 or 2 here. Use method 1 if comforable with enabling networking in template and method 2 if not.

Method 1: Manual Build

In fedora-37-sys:

  1. Run:
sudo nano /etc/udev/rules.d/51-trezor.rules

Copy and paste this code into the file:

# Trezor

SUBSYSTEM=="usb", ATTR{idVendor}=="534c", ATTR{idProduct}=="0001", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"

KERNEL=="hidraw*", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl"

# Trezor v2

SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c0", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"

SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c1", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl", SYMLINK+="trezor%n"

KERNEL=="hidraw*", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c1", MODE="0660", GROUP="plugdev", TAG+="uaccess", TAG+="udev-acl"

  1. Save and exit.

  2. Execute:

sudo chmod +x /etc/udev/rules.d/51-trezor.rules

OR

Method 2: Curl Installation

  1. In fedora-37-sys enable networking.

  2. Install curl:

sudo dnf install curl
  1. Download Udev rules:
sudo curl https://data.trezor.io/udev/51-trezor.rules -o /etc/udev/rules.d/51-trezor.rules
  1. Allow execution:
sudo chmod +x /etc/udev/rules.d/51-trezor.rules
  1. Revoke fedora-37-sys networking permissions.

Step 8: Install Trezor Dependencies

In the Trezor Whonix AppVM:

  1. Install pip:
sudo apt install pip
  1. Execute:
pip3 install --user trezor

AND

In fedora-37-sys:

  1. Allow networking.

  2. Execute:

sudo dnf install trezor-common
  1. Revoke networking permissions in fedora-37-sys.