Build Coldstar
Everything you need to install, build from source, or deploy to an air-gapped machine.
Prerequisites
Coldstar has two required dependencies and one optional one:
Python Dependencies
These are installed automatically via pip install -r local_requirements.txt:
- rich & questionary — Powers the terminal UI (menus, colors, progress bars)
- solana & solders — Talks to the Solana network and builds transactions
- pynacl — Fallback signer if Rust isn't installed (Ed25519 in Python)
- argon2-cffi — Derives encryption keys from your passphrase (memory-hard, brute-force resistant)
- httpx — Makes RPC calls to Solana validators
Quick Install
Get up and running in four commands. Pick your platform:
# Clone the repository
git clone https://github.com/devsyrem/coldstar.git
cd coldstar
# Install Rust and Python (if not already installed)
brew install rust
brew install python
# Install dependencies
pip3 install -r local_requirements.txt
# Launch Coldstar
python3 main.pyFour commands to a running cold wallet. Coldstar detects your USB drive and walks you through wallet setup. If Rust is installed, the secure signer compiles automatically on first launch — otherwise, the Python fallback signer is used (functional but without memory-locked key handling).
On macOS/Linux, you can also use ./install.sh which handles venv creation, dependency install, and Rust signer compilation in one step.
Build from Source (Manual)
If you want more control over the setup — for example, using a virtual environment or building the Rust signer yourself — follow these steps:
git clone https://github.com/devsyrem/coldstar
cd coldstar# Create virtual environment
python3 -m venv .venv
source .venv/bin/activate
# Install dependencies
pip install -r local_requirements.txtcd secure_signer
cargo build --release
cd ..Without Rust, Coldstar uses a Python fallback signer (PyNaCl). It works, but Python can't lock memory or guarantee key cleanup — so for real funds, the Rust signer is strongly recommended.
# Interactive chain picker (Solana or Base)
python main.py
# Or launch directly into a specific chain
python main.py --solana
python main.py --baseRust Secure Signer
This is the security-critical component of Coldstar. The Rust signer handles all private key operations in isolated, locked memory — your key never touches Python, never gets swapped to disk, and is wiped even if the process crashes. It's a standalone Rust crate (coldstar_secure_signer v1.1.0).
Build the Signer
cd secure_signer
# Build release binary + shared library
cargo build --release
# Run tests
cargo testThis produces two files:
target/release/coldstar-signer— Standalone CLI you can use to sign transactions directlytarget/release/libcoldstar_secure_signer.{so,dylib}— Shared library that Python loads automatically via FFI
What each Rust file does
| File | Purpose |
|---|---|
crypto.rs |
All cryptography — encrypts/decrypts keys (AES-256-GCM), derives passphrase keys (Argon2id), signs transactions (Ed25519 for Solana, secp256k1 for Base) |
secure_buffer.rs |
Locked memory buffers — prevents the OS from swapping key material to disk, overwrites with zeros on cleanup |
ffi.rs |
The bridge between Python and Rust — Python calls these C-compatible functions to encrypt, decrypt, and sign |
main.rs |
Standalone CLI — lets you sign, verify, and generate keys without Python |
error.rs |
Error handling — structured error types so failures are clear, not panics |
lib.rs |
Library root — wires everything together, controls feature flags (FFI mode vs subprocess mode) |
Release Profile
The release build is optimized for both speed and small binary size:
- LTO — Link-time optimization merges all code into one unit for maximum dead-code elimination
- codegen-units = 1 — Trades compile time for better runtime performance
- panic = abort — No unwinding overhead, smaller binary (zeroization still happens via
Drop)
Docker
If you don't want to install Python and Rust on your host machine, run Coldstar in a container. The included Dockerfile sets up everything automatically.
# Build the Docker image
docker build -t coldstar .
# Run interactively
docker run -it --rm coldstarUSB Device Passthrough (Linux only)
Coldstar needs access to your USB drive. On Linux, pass the device directly into the container:
docker run -it --rm \
--privileged \
--device=/dev/sdb:/dev/sdb \
coldstarDocker Desktop on macOS and Windows runs inside a VM, so it can't access USB devices directly. Instead, mount your USB drive's contents as a volume: docker run -it --rm -v /path/to/usb:/mnt/usb coldstar
Project Structure
Here's how the codebase is organized. The Python layer handles the UI, wallet management, and network calls. The Rust layer handles all private key operations.
Configuration
All settings live in config.py. You can edit this file to change RPC endpoints, directory paths, or the default chain. No environment variables or external config files needed.
| Setting | Default | What it does |
|---|---|---|
ACTIVE_CHAIN |
"solana" |
Which blockchain to use — set automatically by the chain picker on launch |
SOLANA_RPC_URL |
devnet | Solana RPC endpoint — change to a mainnet URL when ready for real funds |
BASE_RPC_URL |
mainnet.base.org | Base L2 RPC endpoint for Coinbase's Ethereum L2 |
WALLET_DIR |
/wallet |
Where encrypted wallet files are stored on your USB drive |
INBOX_DIR |
/inbox |
Drop unsigned transactions here for air-gapped signing |
OUTBOX_DIR |
/outbox |
Signed transactions appear here, ready to broadcast from an online machine |
Air-Gapped Setup
For maximum security, run Coldstar on a dedicated machine that has never been connected to the internet. This eliminates the main weakness in Coldstar's threat model (OS compromise during signing) because there's no network for an attacker to reach through.
Coldstar enforces this with a kernel module whitelist — only USB storage, filesystem, and keyboard/mouse drivers are allowed to load. All network drivers (WiFi, Ethernet, Bluetooth) are blocked by default.
On an online machine, clone the repo and all dependencies to a USB drive.
# Clone and download all dependencies offline
git clone https://github.com/devsyrem/coldstar /media/usb/coldstar
cd /media/usb/coldstar
pip download -r local_requirements.txt -d ./packages/Transfer the USB to the offline machine and install from local packages.
cd /media/usb/coldstar
python3 -m venv .venv
source .venv/bin/activate
pip install --no-index --find-links=./packages/ -r local_requirements.txtUse the USB drive to shuttle transactions between your online and air-gapped machines:
- Build the transaction on your online machine (Coldstar creates an unsigned TX file)
- Save it to the USB drive's
/inboxdirectory - Move the USB to your air-gapped machine
- Sign the transaction — Coldstar reads from
/inbox, signs it, and writes the result to/outbox - Move the USB back to your online machine
- Broadcast the signed transaction to the Solana network
Your private key never touches a machine with internet access. The only data that moves between machines is the unsigned transaction (public) and the signature (public). The private key stays on the air-gapped machine, encrypted on the USB, decrypted only for microseconds during signing.
USB ISO Builder
Don't have a spare computer for air-gapped signing? Coldstar can build a bootable USB that turns any machine into a dedicated signing device. Plug it in, boot from USB, and you have an air-gapped Coldstar environment — no hard drive, no network, no other software.
- Alpine Linux minirootfs — tiny operating system with minimal attack surface (no desktop, no browser, no extras)
- Kernel module whitelist — only allows USB storage, filesystem, and keyboard/mouse drivers to load
- All network drivers blocked — WiFi, Ethernet, and Bluetooth are denied at the kernel level, not just disabled
- Boots directly into Coldstar — no login screen, no shell, just the wallet TUI
Creating the ISO and writing it to USB requires root/admin privileges. The included flash_usb.py script handles device detection and safe writing — it won't let you accidentally overwrite the wrong drive.