Disclaimer
Please be aware that the information and procedures described herein are provided "as is" and without any warranty, express or implied. I assume no liability for any potential damages or issues that may arise from applying these contents. Any action you take upon the information is strictly at your own risk.
The output and results you experience may differ depending on the specific Linux distribution and version you are using.
It is strongly recommended that you test all procedures and commands in a virtual machine or an isolated test environment before applying them to any production or critical systems.
- No warranty for damages.
- Application of content at own risk.
- Author used a virtual machine with a Linux Debian server as host.
- Output may vary for the reader based on their Linux version.
- Strong recommendation to test in a virtual machine.
Author: Nejat Hakan
Date: 2025-09-30
License: CC BY-SA 4.0
Email: nejat.hakan@outlook.de
PayPal Me: https://paypal.me/nejathakan
The Sovereign Stack: A Complete Guide to Bitcoin Core Full Nodes
Foreword: The Final Step in the Bitcoin Journey
You've read about Bitcoin. You may have even bought some. You understand the concepts of decentralization and sound money. But you still rely on others—exchanges, web wallets, block explorers—to tell you what is true on the Bitcoin network. You are a guest in the system.
This book is your guide to taking the final, most important step: becoming a first-class, sovereign citizen of the Bitcoin network. It is a journey from being a passive user to an active participant, from trusting to verifying, from being a consumer of data to a guardian of the protocol.
This guide is opinionated. It is uncompromising. I will not present a menu of "good, better, best" options that allow you to choose your level of risk. There is only one path to true, resilient sovereignty, and it demands excellence at every step. That path involves dedicated, low-power, isolated hardware for every critical function, maintained with rigorous discipline. I will show you that path and that path alone.
Welcome to the Sovereign Stack.
Table of Contents
- Part 1: The Foundation - The Why and What
- Part 2: The Blueprint - The Hardware Stack
- Part 3: The Build - The Node Server
- Part 4: The Citadel - The Wallet Client
- Part 5: The Workflow - Sovereign Operations
- Part 6: Lifecycle Operations and Maintenance
- Conclusion: A Guardian of the Network
- Appendices
Part 1: The Foundation - The Why and What
Chapter 1: The Case for Sovereignty
The Bitcoin network's core ethos is encapsulated in the phrase "Don't trust, verify." It's a system designed to eliminate the need for trusted third parties. When you run your own full node, you embody this principle. You are not trusting a bank, an exchange, or a block explorer's website to tell you your balance; you are verifying it yourself against the raw, immutable data of the blockchain. This provides ultimate privacy, censorship resistance, and strengthens the entire network by adding another honest validator.
Chapter 2: The Anatomy of a Full Node
A full node is a program that fully validates all transactions and blocks against Bitcoin's consensus rules. It performs three critical functions:
- Validation (The Guardian): It independently checks every transaction and block against Bitcoin's rules, rejecting any invalid data.
- Propagation (The Town Crier): It relays valid information to other nodes, helping data spread across the network.
- Auditing (The Historian): It maintains a complete copy of the blockchain, allowing its operator to be their own source of truth for any transaction or balance. It also maintains a Mempool, a waiting room for valid transactions yet to be confirmed in a block.
Chapter 3: Bitcoin Core: The Reference Implementation
Bitcoin Core is the direct descendant of Satoshi Nakamoto's original software. It is the most widely used, reviewed, and secure implementation of the Bitcoin protocol. It consists of bitcoind (the background daemon), bitcoin-qt (the GUI), and bitcoin-cli (the command-line tool). Running Bitcoin Core means you are running the gold standard.
Part 2: The Blueprint - The Hardware Stack
Chapter 4: The Fortress Model - The Principle of Isolation
The foundation of a sovereign stack is isolation. Every component that performs a critical function must be physically separate from your general-purpose computers. Any other approach invites malware and unacceptable risk. Our stack will therefore consist of two dedicated, single-purpose machines.
Chapter 5: The Dual Citadel Architecture
The only professional way to build your stack is with two dedicated devices:
- The Node Server: An always-on, headless (no monitor/keyboard) machine that runs Bitcoin Core. Its only job is to sync and validate the blockchain.
- The Client Citadel: A normally-offline, air-gapped machine with a desktop interface. Its only job is to run your wallet software and sign transactions securely. It should only be powered on when needed.
The most efficient, cost-effective, and philosophically pure hardware for both of these roles is the Raspberry Pi.
Chapter 6: Hardware for Your Sovereign Stack
You are building two distinct machines. The shopping list for each machine is as follows:
- Computer: Raspberry Pi 5 (8GB) OR Raspberry Pi 4 (4GB/8GB).
- Power Supply: The Official Power Supply for the corresponding Pi model.
- Case: A case appropriate for the Pi model (e.g., Flirc or a heatsink case for the server, an official case for the client).
- Storage (microSD Card): A high-endurance 32GB microSD card.
And the following items, specific to each machine's role:
- For the Node Server:
  - A 1TB or 2TB 2.5-inch SATA SSD with a powered USB 3.0 enclosure.
  - An Ethernet cable.
- For the Client Citadel:
  - A monitor with an HDMI input.
  - A USB keyboard and mouse.
  - A second, smaller microSD card (8-16GB) for transferring transaction files (the "sneakernet drive").
Part 3: The Build - The Node Server
Chapter 7: System Setup for the Node Server
This chapter details the complete process for setting up the headless Node Server:
- Using Raspberry Pi Imager to flash Raspberry Pi OS Lite (64-bit).
- Pre-configuring a strong password and enabling SSH for remote access.
- Assembling the hardware and booting up.
- Connecting via SSH and performing initial system updates (sudo apt update && sudo apt full-upgrade -y).
Chapter 8: Installing and Verifying Bitcoin Core
This chapter provides a complete workshop on downloading the Bitcoin Core binaries and signature files, using GPG to cryptographically verify their authenticity against the developers' public keys, and installing the software into the system path. This step is mandatory and ensures you are not running compromised software.
Chapter 9: Configuration and Automation
This chapter details formatting the SSD, creating a secure bitcoin.conf file (with txindex=1 and disablewallet=1), and creating a systemd service to ensure bitcoind starts automatically on boot and restarts on failure. This creates a resilient, "set-it-and-forget-it" Node Server.
Part 4: The Citadel - The Wallet Client
Chapter 10: System Setup for the Client Citadel
The Client Citadel requires a graphical desktop environment. It must be kept offline ("air-gapped") as its default state.
- Flash the OS: Use Raspberry Pi Imager to flash Raspberry Pi OS with Desktop (64-bit) onto the second Pi's microSD card.
- Assemble and Boot: Assemble the Client Pi, but do not connect an Ethernet cable. Connect the monitor, keyboard, and mouse, then power it on.
- Initial Configuration: Follow the on-screen prompts to set your country, language, and a new, strong password. Skip the Wi-Fi setup step. When prompted to update software, select "Skip."
Chapter 11: Workshop - The Initial Secure Installation
This workshop requires a brief, controlled online period to get the necessary software. After this, the Citadel will return to its default offline state.
- The Controlled Online Period: Connect an Ethernet cable. Open a terminal.
- Perform System Updates: First, secure the base OS: sudo apt update && sudo apt full-upgrade -y
- Install GPG: sudo apt install gpg -y
. - Download Sparrow and Signatures: Open the web browser, navigate to sparrowwallet.com, and download the .deb installer for "Debian or Ubuntu (ARM64)", the manifest file, and the signature file.
- Verify Sparrow's Authenticity:
  - Import the developer's PGP key.
  - Verify the manifest file's signature with GPG. It must show "Good signature".
  - Verify the .deb installer's checksum against the trusted manifest. It must show OK.
- Install Sparrow: sudo apt install ./sparrow_VERSION_arm64.deb
- Begin Air-Gapped Life: Shut down the Client Citadel. Disconnect the Ethernet cable. Reboot. Your Client Citadel is now a secure, offline signing device. Its default state is, and must always be, offline.
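The verification steps above as a script, added here as an example and not taken from the guide or from Sparrow's documentation. The file names and the key fingerprint are placeholders, the function names are made up for the example, and the manifest is assumed to use sha256sum-style lines.

```shell
#!/bin/sh
# Added example. File names and the fingerprint are placeholders (assumptions).

# verify_manifest_sig MANIFEST SIGNATURE EXPECTED_FPR
# Succeeds only if gpg accepts the signature AND it was made by the expected key.
# "Good signature" is printed for any key in the keyring, so pin the fingerprint.
verify_manifest_sig() {
    manifest=$1; sig=$2; want_fpr=$3
    # --status-fd 1 emits machine-readable lines; VALIDSIG carries the fingerprint.
    status=$(gpg --status-fd 1 --verify "$sig" "$manifest" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .*$want_fpr"
}

# verify_installer_hash MANIFEST INSTALLER
# Succeeds only if the manifest lists INSTALLER and its SHA-256 matches.
# Assumes sha256sum-style lines: "<hex digest>  <name>" or "<hex digest> *<name>".
verify_installer_hash() {
    manifest=$1; installer=$2
    name=$(basename "$installer")
    want=$(awk -v f="$name" \
        '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$manifest")
    if [ -z "$want" ]; then
        echo "not listed in manifest: $name" >&2
        return 1
    fi
    got=$(sha256sum "$installer" | awk '{ print $1 }')
    [ "$got" = "$want" ]
}

# verify_release MANIFEST SIGNATURE INSTALLER EXPECTED_FPR
# Order matters: the manifest is trusted only once its signature checks out.
verify_release() {
    verify_manifest_sig "$1" "$2" "$4" ||
        { echo "manifest signature: FAILED" >&2; return 1; }
    verify_installer_hash "$1" "$3" ||
        { echo "installer checksum: FAILED" >&2; return 1; }
    echo "$(basename "$3"): OK"
}

# Usage (placeholders):
#   verify_release manifest.txt manifest.txt.asc ./sparrow_VERSION_arm64.deb <FINGERPRINT>
```

Take the fingerprint from a source independent of the download page, since a key served next to the file it signs proves nothing about who published either.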
Part 5: The Workflow - Sovereign Operations
Chapter 12: The Air-Gapped PSBT Workflow
This professional workflow ensures that your private keys (managed by your hardware wallet on the Client Citadel) never come into contact with an online machine. Information is transferred using Partially Signed Bitcoin Transactions (PSBTs) on a "sneakernet" microSD card.
12.1 The Roles of Your Devices
- Your Daily Driver PC: A convenient but untrusted "dumb terminal" for viewing information and creating unsigned transactions.
- Your Node Server Pi: The trusted source of blockchain data.
- Your Client Citadel Pi: The trusted, offline environment for signing.
- Your Hardware Wallet: The ultimate vault for your keys.
12.2 Workshop: Your First Air-Gapped Transaction
- Create a Watch-Only Wallet (on your Daily Driver PC):
  - Install Sparrow on your daily driver PC.
  - Connect this Sparrow instance to your Node Server Pi over your local network using its IP address and RPC cookie.
  - Create a new wallet by importing the extended public key (xpub) from your hardware wallet.
- Create the Unsigned Transaction (on your Daily Driver PC):
  - In your watch-only Sparrow, prepare the transaction.
  - Save the unsigned PSBT file to your sneakernet microSD card.
- Sign the Transaction (on your Offline Client Citadel):
  - Move the microSD card to your Client Citadel.
  - Open the PSBT file in Sparrow.
  - Connect your hardware wallet and sign, meticulously verifying the address and amount on the hardware wallet's trusted screen.
  - Save the signed transaction file back to the sneakernet microSD card.
- Broadcast the Transaction (from your Daily Driver PC):
  - Move the microSD card back to your daily driver PC.
  - Load the signed transaction in your watch-only Sparrow and broadcast it through your private node.
Part 6: Lifecycle Operations and Maintenance
Chapter 13: Personal Blockchain Explorer
This chapter provides a full workshop on using bitcoin-cli on the Node Server to act as your own private, trusted block explorer, eliminating the need to use public websites and leak your financial privacy.
Chapter 14: The Foundation for Lightning
This chapter provides a workshop on installing and configuring a Lightning Network implementation (like LND or Core Lightning) on your Node Server, using your bitcoind instance as its secure foundation.
Chapter 15: Secure Remote Access via Tor
This chapter provides a workshop on setting up a Tor hidden service on your Node Server. This allows your online watch-only wallet (on a laptop or mobile phone) to connect securely and privately to your node from anywhere in the world, without exposing your home IP address.
Chapter 16: Backup and Recovery
This chapter details a robust backup strategy:
- Keys (Most Important): Securing your hardware wallet's 24-word seed phrase is paramount. This should be stored physically, never digitally, in multiple secure locations.
- Node Configuration: Periodically backing up the bitcoin.conf, systemd service, and Tor hostname files from your Node Server.
- Blockchain Data: The blockchain data on the SSD should never be backed up. It can always be re-synced from the network.
Chapter 17: Workshop - The Secure Update Ritual
The question "How do you update an offline machine?" is one of the most important in operational security. A machine that is never updated becomes a stale liability. This chapter defines the disciplined, ritualized process for securely updating your Client Citadel. This should be performed periodically (e.g., every 3-6 months, or immediately if a critical vulnerability is announced).
- Goal: To update the OS and Sparrow Wallet on the Client Citadel with minimal risk.
- The Ritual:
  - Preparation (Offline): Power on the Client Citadel. Have your password ready. Have a list of the commands you will run (sudo apt update && sudo apt full-upgrade -y, etc.). Be prepared to work quickly and precisely.
  - The Controlled Online Period: Connect the Ethernet cable.
  - Execute (Online): Immediately open a terminal.
    - Run sudo apt update && sudo apt full-upgrade -y. This updates the operating system.
    - If a new version of Sparrow is needed, follow the verification and installation steps from Chapter 11 to download and install the new .deb file.
  - DO NOTHING ELSE. Do not open a web browser for general surfing. Do not check email. Do not perform any other task. The online window is exclusively for trusted package updates.
  - Return to Air-Gapped State: Once the updates are complete, immediately shut down the Client Citadel. Disconnect the Ethernet cable.
  - Reboot: Power the machine back on. It is now updated and has returned to its secure, air-gapped state.
This ritual ensures that the machine remains secure over its entire lifecycle, balancing the purity of the air gap with the necessity of patching vulnerabilities.
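A post-reboot check for the last step of the ritual, added here as an example and not part of the original guide: it reports any non-loopback interface with a detected link and any IPv4 default route. The function name and the overridable paths are assumptions made so the check can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example: confirm the Client Citadel is back in its offline state.

# airgap_violations [SYSFS_NET] [ROUTE_FILE]
# Prints one line per finding; returns 0 only when nothing was found.
# The two arguments default to the real kernel paths and exist only so the
# function can be pointed at a constructed tree.
airgap_violations() {
    net=${1:-/sys/class/net}
    routes=${2:-/proc/net/route}
    found=0

    for dev in "$net"/*; do
        [ -d "$dev" ] || continue
        name=$(basename "$dev")
        if [ "$name" = lo ]; then
            continue
        fi
        # carrier reads 1 when a link is detected (cable plugged in, or a
        # wireless interface associated). Reading it on a downed interface
        # fails, which is treated as "no link".
        carrier=$(cat "$dev/carrier" 2>/dev/null || echo 0)
        if [ "$carrier" = 1 ]; then
            echo "link up on $name"
            found=1
        fi
    done

    # In /proc/net/route a Destination of 00000000 is an IPv4 default route.
    if awk 'NR > 1 && $2 == "00000000" { hit = 1 } END { exit !hit }' \
        "$routes" 2>/dev/null; then
        echo "IPv4 default route present"
        found=1
    fi

    return $found
}

# Usage on the Citadel after the reboot:
#   airgap_violations && echo "offline" || echo "NOT offline"
```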
Conclusion: A Guardian of the Network
Congratulations. You have journeyed from a passive Bitcoin user to a sovereign, first-class citizen of the network. You have not taken any shortcuts. You have built a truly resilient, uncompromising, dual-device security system based on low-power, dedicated hardware. You understand and have executed a professional, air-gapped workflow, and you now possess the discipline to maintain it securely for its entire lifecycle. Your stack is the gold standard. You are no longer just a spectator; you are a guardian of the network.
Appendices
Appendix A: Glossary of Terms
- Air Gap: A security measure where a computer is physically isolated from any network connections.
- PSBT: Partially Signed Bitcoin Transaction, a standard for transferring unsigned transactions between wallets and signers.
- SBC: Single-Board Computer, like a Raspberry Pi.
- Sneakernet: The manual transfer of electronic information by physically moving media like a USB drive or microSD card.
Appendix B: Essential bitcoin-cli Commands
getblockchaininfo
getnetworkinfo
getmempoolinfo
getblock <hash>
getrawtransaction <txid> true
Appendix C: Further Resources
- Official Documentation: bitcoincore.org, sparrowwallet.com
- Community & Support: Bitcoin Stack Exchange (bitcoin.stackexchange.com)