Setting up a Ledger Nano X with Debian 11

Bad photo of a closed Ledger Nano X on a light wood desk

As part of moving from an iPhone to something else (currently a OnePlus 6T running /e/), I needed to move my on-iPhone Bitcoin wallet somewhere. So I thought it was a good opportunity to try a hardware cryptocurrency wallet.

I don’t have much cryptocurrency, and I view it as an experiment, and a learning exercise for me, rather than as a viable alternative to fiat at the moment, and this exercise too was interesting.

Ledger Nano X

A friend recommended a Ledger Nano X. It was readily available, and seemed to offer what I need now and what I might need in future.

via Amazon

I bought it via Amazon, and it was the first time I’d experienced Amazon insisting I provide a PIN code to the driver, before they would deliver the package.

I checked that the packaging was sealed (although I doubt it would take a criminal mastermind to reseal a package…).

Charging the Ledger

The Ledger has a USB-C interface. It comes with a USB-A to USB-C cable. It arrived with about 45% charge, so I just popped it on charge while I installed the software.

Installing the Ledger Live software

I installed the Ledger Live software, from the official website.

A positive note is that it supports Linux. No need for an unofficial client, or someone else’s repackaging.

The less positive note is that it’s an AppImage, rather than a .deb. I’m not a fan of AppImage executables, if only because they’re a pain to integrate with a desktop environment (unless that just means I don’t know how to do it).

But it worked.

Setup worked

The setup process was well documented, and the on-screen guide was clear.

The Ledger’s two-button interface works better than I had expected. Sure, it’s a bit of a faff entering your PIN, but it’s far from terrible and, given the form of the device, I’m not sure what a better solution might look like. The random nature of the initial number for each PIN character slot is a good touch, to make it harder for someone to guess your PIN by observation.

There was a slight hurdle when the software wanted to validate that my device was genuine, but the error message linked to a help screen, and that offered the solution: udev rules.

The bit I didn’t like? The solution was this:

wget -q -O - | sudo bash

Perhaps I’m paranoid, but grabbing a script from GitHub and then piping it to a shell with administrative privileges? Sounds like a potential recipe for disaster if that script gets compromised.

I understand why, for ease of use, Ledger did it this way, but I’m sceptical that encouraging people to do this in connection with a hardware security device is a brilliant approach.

That said, I reviewed the script and decided I was comfortable with it.

For future-proofing - in case it disappears from GitHub - the script is simply:

cat <<EOF > /etc/udev/rules.d/20-hw1.rules
# HW.1 / Nano
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="1b7c|2b7c|3b7c|4b7c", TAG+="uaccess", TAG+="udev-acl"
# Blue
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0000|0000|0001|0002|0003|0004|0005|0006|0007|0008|0009|000a|000b|000c|000d|000e|000f|0010|0011|0012|0013|0014|0015|0016|0017|0018|0019|001a|001b|001c|001d|001e|001f", TAG+="uaccess", TAG+="udev-acl"
# Nano S
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0001|1000|1001|1002|1003|1004|1005|1006|1007|1008|1009|100a|100b|100c|100d|100e|100f|1010|1011|1012|1013|1014|1015|1016|1017|1018|1019|101a|101b|101c|101d|101e|101f", TAG+="uaccess", TAG+="udev-acl"
# Aramis
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0002|2000|2001|2002|2003|2004|2005|2006|2007|2008|2009|200a|200b|200c|200d|200e|200f|2010|2011|2012|2013|2014|2015|2016|2017|2018|2019|201a|201b|201c|201d|201e|201f", TAG+="uaccess", TAG+="udev-acl"
# HW2
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0003|3000|3001|3002|3003|3004|3005|3006|3007|3008|3009|300a|300b|300c|300d|300e|300f|3010|3011|3012|3013|3014|3015|3016|3017|3018|3019|301a|301b|301c|301d|301e|301f", TAG+="uaccess", TAG+="udev-acl"
# Nano X
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0004|4000|4001|4002|4003|4004|4005|4006|4007|4008|4009|400a|400b|400c|400d|400e|400f|4010|4011|4012|4013|4014|4015|4016|4017|4018|4019|401a|401b|401c|401d|401e|401f", TAG+="uaccess", TAG+="udev-acl"
# Nano SP
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0005|5000|5001|5002|5003|5004|5005|5006|5007|5008|5009|500a|500b|500c|500d|500e|500f|5010|5011|5012|5013|5014|5015|5016|5017|5018|5019|501a|501b|501c|501d|501e|501f", TAG+="uaccess", TAG+="udev-acl"
# Ledger Stax
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="6011", TAG+="uaccess", TAG+="udev-acl"
EOF

udevadm trigger
udevadm control --reload-rules
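
The review described above can be made repeatable by checking a rules file against the one rule shape the quoted script uses before it goes anywhere near /etc/udev/rules.d. This is an added example, not part of the original post or Ledger's script; the function name audit_rules and the sample files are made up for illustration.

```shell
#!/bin/sh
# Added example: accept a udev rules file only if every active line has the
# shape of the rules quoted above. audit_rules is a hypothetical helper name.

# The only rule shape accepted: match a USB device by one of the two vendor
# IDs in the quoted rules (2581, 2c97) and a list of 4-hex-digit product IDs,
# then add the uaccess and udev-acl tags. Anything else is flagged.
ALLOWED='^SUBSYSTEMS=="usb", ATTRS[{]idVendor[}]=="(2581|2c97)", ATTRS[{]idProduct[}]=="[0-9a-f]{4}([|][0-9a-f]{4})*", TAG[+]="uaccess", TAG[+]="udev-acl"$'

# audit_rules FILE
#   0 = every active line fits ALLOWED, 1 = unexpected line(s), 2 = unreadable
audit_rules() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    # Drop comments and blank lines, then keep whatever does NOT fit.
    bad=$(grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Ev "$ALLOWED" || true)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | sed 's/^/unexpected: /' >&2
    return 1
}

# Constructed samples: one rule copied from the list above, and one with an
# extra RUN+= key, which would make udev execute a program as root.
demo() {
    d=$(mktemp -d)
    cat > "$d/good.rules" <<'EOF'
# Ledger Stax
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="6011", TAG+="uaccess", TAG+="udev-acl"
EOF
    cat > "$d/bad.rules" <<'EOF'
SUBSYSTEMS=="usb", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="6011", TAG+="uaccess", RUN+="/usr/local/bin/constructed-example"
EOF
    audit_rules "$d/good.rules" && echo "good.rules: ok"
    audit_rules "$d/bad.rules" || echo "bad.rules: rejected"
    rm -rf "$d"
}
demo
```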

After I’d run it, the Ledger connected correctly, and was validated.

I’ve only got Bitcoin, so that was the only software I installed on the Ledger. That means I could create a Bitcoin wallet in Ledger Live, and store the private keys on the Ledger.

Transferring my Bitcoin from my iOS wallet to my new wallet

Transferring is easy: you click the “Receive” button in Ledger Live, to show your wallet’s address or - far easier - to show a QR code.

On my iPhone, I used the QR code to input my new wallet’s address, and then I tested a transfer with a tiny amount. It worked.

I then tried sending an even smaller amount (thanks to fees) back to my iPhone wallet.

Once I was comfortable that it worked as I expected, I transferred the remainder from my iPhone to the Ledger wallet. And, a few moments later, the transfer showed up.

Setting up Bluetooth

The Ledger Nano X has Bluetooth, and pairing it with my Surface Pro 6 running Debian 11 was easy.

I simply selected the wallet’s name in Debian’s Bluetooth settings, and confirmed the code on the Ledger and the laptop. Job done.

That said, I’ve not yet used it over Bluetooth.

Are all my eggs in one basket?

I like the idea of a hardware wallet, to keep my (meagre amount of) cryptocurrency more secure.

But if I had anything like a significant amount, I think I’d be nervous about entrusting my private key to one specific hardware device. What happens if it dies? Or when support for it ends?

For the amount I have, it’s not worth much thought, but perhaps I’d want to have multiple wallets, each secured by a private key on a different Ledger. But that is obviously not a cheap solution as the Nano X is currently about £110, nor a convenient solution, with multiple hardware devices to manage.

Now I just need to find somewhere safe to store it.