⚙️ Setup & Deployment
“Deployment should be frictionless, auditable, and secure.”
piARM Cold Vault is a local-first, security-bound vault. It enforces hardware pairing, strict network access and split-level authentication. Every privileged function, including key access, wallet generation and transaction approval, requires physical 2FA via USB (or NFC, coming soon). Unprivileged functions remain available for regular wallet interaction and read-only data retrieval.
⚠️ Important Disclosure
Note: The commands and instructions below will not function until piARM is released to the public. This documentation is for preview and planning purposes only.
📦 One-Command Installation
piARM is installed directly from GitHub source, using auditable install scripts for:
Linux (incl. Raspberry Pi)
macOS
Windows
There are no third-party installers and no piarm.io downloads. The scripts are plain text, so fetch and read them before you run them; everything is fully auditable.
➤ Linux / macOS
```bash
bash <(curl -sSL https://raw.githubusercontent.com/piarm/piarm/vault/install.sh)
```
➤ Windows (PowerShell)
```powershell
iwr https://raw.githubusercontent.com/piarm/piarm/vault/install.ps1 -useb | iex
```
These scripts:
Verify prerequisites (Docker, Python, firewall permissions, etc.)
Set up and lock firewall rules
Configure local-only access
Prompt for mDNS hostname setup (e.g., piarm.local)
🔥 Mandatory Network Lockdown
Security enforcement is non-optional: piARM will not start unless the firewall rules are in place.
Linux (incl. Raspberry Pi):
UFW is installed and configured to allow access from the local subnet only
Public interfaces are locked down completely
Docker and systemd services are bound to loopback or the private LAN
Windows:
A custom PowerShell script configures Windows Firewall rules
Blocks all external inbound access
Allows loopback and private IP subnets only
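The following is an added example, not piARM's installer or any code from the project, showing what a lockdown of this shape looks like on the Linux side: it derives the private subnet from the host's address, refuses anything outside RFC 1918, prints the UFW rules before applying them, and shows the Docker port binding that UFW on its own cannot enforce. The dashboard port (8080), the default address and the use of avahi for mDNS are assumptions.

```shell
#!/bin/sh
# Added example, not piARM's own installer: the loopback + one-private-subnet UFW
# policy described above, plus the Docker detail UFW alone does not cover.
# Assumptions, not from the page: the dashboard listens on TCP 8080; mDNS is avahi.
set -eu

# network_cidr HOST/PREFIX -> NETWORK/PREFIX, e.g. 192.168.1.20/24 -> 192.168.1.0/24.
# On the box, `ip -o -4 addr show dev eth0 | awk '{print $4}'` yields the input.
network_cidr() {
  addr=${1%/*}; prefix=${1#*/}
  IFS=. read -r a b c d <<EOF
$addr
EOF
  n=$(( (a << 24) | (b << 16) | (c << 8) | d ))
  if [ "$prefix" -eq 0 ]; then mask=0
  else mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF )); fi
  n=$(( n & mask ))
  printf '%d.%d.%d.%d/%d\n' $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) \
                            $(( (n >> 8) & 255 )) $(( n & 255 )) "$prefix"
}

# is_rfc1918 CIDR -> succeeds only for 10/8, 172.16/12 and 192.168/16, so a typo or a
# public address can never become the "trusted" subnet.
is_rfc1918() {
  case $1 in
    10.*|192.168.*) return 0 ;;
    172.*) b=${1#172.}; b=${b%%.*}
           [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0 ;;
  esac
  return 1
}

# plan_rules CIDR PORT -> prints the ufw commands; nothing is executed.
# Loopback is accepted by ufw's default before.rules, so it needs no rule here.
# Administering the Pi over SSH? Add `ufw allow in from $cidr to any port 22 proto tcp`
# to the plan BEFORE enabling, or the lockdown locks you out too.
plan_rules() {
  cidr=$1; port=$2
  is_rfc1918 "$cidr" || { echo "refusing: $cidr is not an RFC 1918 range" >&2; return 1; }
  cat <<EOF
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw allow in from $cidr to any port $port proto tcp
ufw allow in proto udp to 224.0.0.251 port 5353
ufw --force enable
EOF
}

# apply_rules CIDR PORT -> executes the plan; run as root. Only reached with PIARM_APPLY=1.
apply_rules() {
  plan=$(plan_rules "$1" "$2") || return 1
  printf '%s\n' "$plan" | while IFS= read -r cmd; do eval "$cmd"; done
}

# docker_publish ADDR PORT -> a `docker run` publish flag bound to one address.
# Docker programs its own iptables chains (DOCKER, DOCKER-USER) ahead of the INPUT
# chain UFW manages, so a bare `-p 8080:8080` answers on every interface whatever the
# plan above says. Bind to 127.0.0.1 (host-only) or to the LAN address instead.
docker_publish() { printf '%s %s:%s:%s' -p "$1" "$2" "$2"; }

# Dry run by default; PIARM_APPLY=1 executes the plan.
main() {
  port=${PIARM_PORT:-8080}
  cidr=$(network_cidr "${PIARM_ADDR:-192.168.1.20/24}")   # constructed default address
  plan_rules "$cidr" "$port"
  echo "docker run $(docker_publish 127.0.0.1 "$port") <piarm-image>"
  if [ "${PIARM_APPLY:-0}" = 1 ]; then apply_rules "$cidr" "$port"; fi
}
main
```

Run it as-is for a dry run; `PIARM_ADDR=<host/prefix> PIARM_PORT=<port> PIARM_APPLY=1` executes the plan as root. The Docker point is the one most often missed: published container ports are handled in Docker's own iptables chains before UFW's INPUT rules are consulted, so the container has to be bound to 127.0.0.1 or the LAN address (or filtered in the DOCKER-USER chain), not merely "firewalled".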
🌐 Accessing piARM
After setup, open your browser and go to the local dashboard (or the custom mDNS name you set during installation).
The dashboard is hosted entirely locally. No telemetry, no cloud dependencies; the only outbound calls are the optional price-chart lookups (CoinGecko / BlueGuava) described under User Mode below.
🧠 Split-Head Architecture
piARM separates access into two zones:
1️⃣ User Mode (Unprivileged)
Accessible after logging in with your vault password.
You can:
View wallet balances and token metadata
Add EVM tokens manually (or via token discovery)
Customize supported chains (from the default EVM list or manually)
View price charts via CoinGecko / BlueGuava
Connect to dApps via the Hot Wallet extension (read-only, or with transactions pending approval)
You cannot access or perform any privileged function (see Privileged Mode below).
2️⃣ Privileged Mode (Secure Engine)
Only unlocked with physical 2FA via USB key (or NFC in future). Unlock is ephemeral per session.
You gain access to:
View or regenerate seed phrase
Approve/send transactions
Rotate or destroy private keys
Enable recovery procedures
🟢 Red/Green Access Indicator
The Vault Home Screen displays the current access status:
Locked: secure vault not accessible. USB not inserted, or hardware not authorised.
Partially unlocked: user has logged in with the vault password, but privileged actions remain locked.
Fully unlocked: password + USB/NFC auth complete. All features available.
Privileged areas display a padlock until the second factor is confirmed.
🛡️ Hardware-Bound Security
piARM includes device fingerprinting to prevent vault migration:
On first install, a TPM hash (or equivalent system fingerprint) is stored.
On Raspberry Pi or non-TPM hardware, a boot-level device hash is generated instead.
If piARM is copied to another system, it will refuse to run unless the system matches the original identifier.
🔒 Why this matters:
Even if the entire storage is cloned, piARM will not launch unless it is on the authorised machine. This holds because the identifier comes from the hardware (TPM or board), not from anything on the disk being cloned.
This ensures physical system identity binding.
🧪 Pseudocode Summary
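As an added example (not piARM's code, and not the pseudocode this section once carried): one way to implement the enrol-then-verify binding described above, in shell. The identity sources named in the comments are assumptions modelled on the page's TPM-or-board-hash description; the demo values are constructed.

```shell
#!/bin/sh
# Added example, not piARM's code or its pseudocode: enrol a device fingerprint on
# first run and refuse to start on a mismatch later. Which identifiers feed the hash is
# an assumption modelled on the page: a TPM-derived value where one exists, otherwise
# board identity such as a Raspberry Pi's /proc/device-tree/serial-number or an x86
# box's /sys/class/dmi/id/product_uuid. /etc/machine-id is deliberately excluded: it
# lives on the disk, so a cloned SD card carries it along.
set -eu

# digest <- stdin -> lowercase sha256 hex
digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# fingerprint SRC_DIR -> sha256 over "name=value" for every readable file in SRC_DIR.
# Point it at a directory of identity files (or bind-mounted copies) so one function
# serves TPM-equipped and TPM-less boards alike. Names are hashed with values so two
# fields cannot be swapped without changing the digest; glob order is sorted, so the
# result is stable across runs.
fingerprint() {
  for f in "$1"/*; do
    [ -r "$f" ] || continue
    printf '%s=' "${f##*/}"
    tr -d '\000\n' < "$f"        # device-tree strings are NUL-terminated
    printf '\n'
  done | digest
}

# enrol SRC_DIR STATE_FILE -> store the fingerprint at first install (mode 600).
# Refuses to overwrite: re-enrolment must be an explicit privileged action, not a
# side effect of starting up on a new box.
enrol() {
  [ -e "$2" ] && { echo "already enrolled: $2" >&2; return 1; }
  fingerprint "$1" > "$2"
  chmod 600 "$2"
}

# verify SRC_DIR STATE_FILE -> 0 on the enrolled machine, 1 otherwise. The caller's
# only job on non-zero is to refuse to start.
verify() {
  [ -r "$2" ] || { echo "not enrolled" >&2; return 1; }
  [ "$(cat "$2")" = "$(fingerprint "$1")" ]
}

# Constructed demo: fake identity files in a temp dir stand in for a Pi's serial number
# and board revision; the second write simulates the same storage booted on another board.
demo() {
  src=$(mktemp -d); state=$(mktemp -d)/fingerprint
  printf '10000000deadbeef' > "$src/serial-number"    # constructed value
  printf 'c03111'           > "$src/model-revision"   # constructed value
  enrol "$src" "$state"
  verify "$src" "$state" && echo "same machine: start"
  printf '10000000cafef00d' > "$src/serial-number"    # "cloned" onto another Pi
  verify "$src" "$state" || echo "fingerprint mismatch: refusing to start"
  rm -rf "$src" "${state%/*}"
}
demo
```

Two points are worth making explicit. First, the hash must be fed only from hardware-sourced identifiers: anything that lives on the disk (/etc/machine-id, the vault's own config) travels with a cloned image and binds nothing. Second, a start-up comparison is a binding, not a secret: it prevents accidental migration, but someone holding a full clone can edit the check out. The property this section promises for a cloned disk is only enforced when the vault's at-rest encryption key is itself derived from, or sealed to, the same hardware identity (a TPM can seal a key to its PCR state), so that a copy is unreadable elsewhere rather than merely refused.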
🔗 Cold ↔ Hot Wallet Interaction
When using DeFi apps:
The Raspberry Hot Wallet extension acts as a bridge
It submits signing requests to the Cold Vault via local IPC
The Cold Vault never exposes private keys
No injected scripts, no browser-extension logic inside the piARM dashboard
Transactions are only signed after physical USB confirmation on the Vault.
📡 Local Hostname (mDNS)
During installation, piARM prompts you to set a custom local hostname via mDNS:
Customisable: e.g., vault.local, mydevice.local
This allows:
Easy access from your browser or extension
Local network discovery without a DNS server (mDNS is unauthenticated, so treat the name as a convenience on a trusted LAN, not as proof of identity)
Future expansion for home relay coordination
✅ Recap of Key Safeguards
Local-only firewall enforcement (UFW / Windows Firewall)
System-bound vault lock via TPM/device hash
Split privilege logic for regular vs. secure features
Green/Red indicator system for secure module access
mDNS hostname for local discoverability
No third-party dependencies for vault operations; 100% offline-capable
All critical actions require physical confirmation
🧩 Additional Safeguards
💾 Vault secrets are encrypted at rest
🧠 No telemetry , no background sync, no 3rd-party involvement
🔐 All privileged logic is sandboxed behind hardware-level 2FA
💥 Tamper detection will auto-lock vault access if anomalies are detected
⚫ The service does not need to run 24/7: it can be left off by default and started only when needed, as an extra safeguard
Remote-initiated USB key authoring (via secure web auth)
Encrypted vault backups to external drives (with optional sharding)
Zero-Trust OS for the Opsec 10 amongst us
Last updated 6 months ago