Trezor Hardware Wallet
Installation
- Non-Qubes-Whonix ™: In Whonix-Workstation ™.
- Qubes-Whonix ™: In whonix-ws-16 Template.
sudo adduser user plugdev
Install package(s) trezor python3-hid.
A. Update the package lists and upgrade the system.
sudo apt update && sudo apt full-upgrade
B. Install the trezor python3-hid package(s).
Using apt command line parameter --no-install-recommends is in most cases optional.
sudo apt install --no-install-recommends trezor python3-hid
C. Done.
The procedure of installing package(s) trezor python3-hid is complete.
Signing Key Download
In Whonix-Workstation ™. (Qubes-Whonix ™: anon-whonix)
Securely download the signing key.
scurl-download https://trezor.io/security/satoshilabs-2021-signing-key.asc
Display the key's fingerprint.
gpg --keyid-format long --import --import-options show-only --with-fingerprint satoshilabs-2021-signing-key.asc
Verify the fingerprint. It should show:
Key fingerprint = EB48 3B26 B078 A4AA 1B6F 425E E21B 6950 A2EC B65C
The most important check is confirming the key fingerprint exactly matches the output above. [2]
Add the signing key.
gpg --import satoshilabs-2021-signing-key.asc
Download
In Whonix-Workstation ™. (Qubes-Whonix ™: anon-whonix)
Check the latest version number and read the release notes here.
Download Trezor Suite.
scurl-download https://suite.trezor.io/web/static/desktop/Trezor-Suite-21.10.2-linux-x86_64.AppImage
Download OpenPGP signature.
scurl-download https://suite.trezor.io/web/static/desktop/Trezor-Suite-21.10.2-linux-x86_64.AppImage.asc
Digital Software Signature Verification
In Whonix-Workstation ™. (Qubes-Whonix ™: anon-whonix)
Verify OpenPGP signature.
gpg --verify Trezor-Suite-21.10.2-linux-x86_64.AppImage.asc
If the file is verified successfully, the output will include Good signature, which is the most important thing to check.
The output may also contain the following warning.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
This message does not alter the validity of the signature related to the downloaded key. Rather, this warning refers to the level of trust placed in the Whonix ™ signing key and the web of trust. To remove this warning, the Whonix ™ signing key must be personally signed with your own key.
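The fingerprint comparison and the signature check above can be scripted so that the match is exact rather than judged by eye. The following is an added example, not part of the original page and not Whonix or Trezor tooling; the function names are hypothetical and it assumes gpg and awk are installed. It compares the key file's primary fingerprint with the value shown on this page, then accepts the download only if gpg's status output reports a good signature from that same fingerprint.

```shell
#!/bin/sh
# Added example (not from the original page). Pins the fingerprint shown above
# and checks gpg's machine-readable output instead of its human-readable text.
EXPECTED_FPR="EB483B26B078A4AA1B6F425EE21B6950A2ECB65C"  # page value, spaces removed

# Read a `gpg --with-colons` key listing on stdin and print the primary key's
# fingerprint: the first "fpr" record after a "pub" record (field 10).
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# Read `gpg --status-fd` output on stdin. Succeed only if there is a GOODSIG
# line and a VALIDSIG line whose last field (primary key fingerprint) is $1.
# Signatures from expired or revoked keys produce EXPKEYSIG / REVKEYSIG
# instead of GOODSIG, so they are rejected here.
validsig_by() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG" { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { valid = 1 }
        END { exit !(good && valid) }'
}

# verify_release KEYFILE SIGFILE DATAFILE (hypothetical helper name)
verify_release() {
    key=$1; sig=$2; data=$3
    fpr=$(gpg --batch --with-colons --import-options show-only \
              --import "$key" 2>/dev/null | primary_fpr)
    if [ "$fpr" != "$EXPECTED_FPR" ]; then
        echo "fingerprint mismatch: got '$fpr'" >&2
        return 1
    fi
    gpg --batch --import "$key" || return 1
    if gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null |
            validsig_by "$EXPECTED_FPR"; then
        echo "OK: $data is signed by $EXPECTED_FPR"
    else
        echo "FAILED: no good signature from $EXPECTED_FPR on $data" >&2
        return 1
    fi
}

# Only run when called with three arguments; otherwise just define functions.
if [ "$#" -eq 3 ]; then
    verify_release "$@"
fi
```

Called with the key file, the .asc signature and the AppImage as its three arguments, the script exits non-zero on any mismatch, so it can gate the chmod step that follows.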
Make Executable
In Whonix-Workstation ™. (Qubes-Whonix ™: anon-whonix)
Make file Trezor-Suite-21.10.2-linux-x86_64.AppImage executable.
chmod +x Trezor-Suite-21.10.2-linux-x86_64.AppImage
Usage
In Whonix-Workstation ™. (Qubes-Whonix ™: anon-whonix)
Run the following command to start the Trezor Suite.
./Trezor-Suite-21.10.2-linux-x86_64.AppImage
Qubes Issues
Symptom:
kernel: vhci_hcd: vhci_device speed not set
kernel: usb usb1-port1: Cannot enable. Maybe the USB cable is bad
- https://github.com/trezor/trezor-suite/issues/4173
- https://github.com/QubesOS/qubes-issues/issues/4173
- https://github.com/QubesOS/qubes-issues/issues/3778
- https://github.com/trezor/trezor-core/issues/167
- https://marc.info/?l=linux-usb&m=156423432111134
The official instructions by Trezor for Qubes OS (https://wiki.trezor.io/Qubes_OS) lead to a security degradation because they run third-party software inside the USBVM.
Ideas:
- A) Create another sys-usb with a USB controller exclusively attached to that App Qube: an HVM App Qube with PCI pass-through. And/or
- B) Switch off sys-usb altogether, for example if the system has only one USB controller, and switch between using USBVM and not using USBVM. -> security issue https://github.com/QubesOS/qubes-issues/issues/6368