Pretty safe bitcoin proof-of-concept wallet with keys on a smartcard

What you need:
  • A Linux system (I am using an Ubuntu 14.04 based Linux; this is a Long Term Support (LTS) version).
  • A smartcard that can handle ECC keys, with a USB reader (or an integrated one). I use the CardContact SmartCard-HSM. The SmartCard-HSM has built-in support for the secp256k1 elliptic curve, the curve used by Bitcoin's signature algorithm.
  • OpenSC 0.15. See the special pages for the SmartCard-HSM on
  • A recent OpenSSL version that supports ECC. I use 1.0.2g. See you have to compile it yourself: at the moment I needed it, it was not in the Ubuntu software package.
  • Python-Bitcoinlib, you can find it on
  • Python3 and Python3-tk. On my system I have Python 2.7 and Python 3.4 (called python3 here). The smartbtc program needs python3.
  • Some knowledge of how Bitcoin works. A starting point can be Bitcoin Wiki
  • A Bitcoin picture file bitcoin64.png (nice to have it in the GUI). Download the bitcoin image from: need to shrink it to 64x64 pixels. This is simple with ImageMagick (install it with "$ sudo apt-get install imagemagick"): you need the command line "$ convert Bitcoin.png -resize 64x64 bitcoin64.png". Make a directory named .smartbtc in your home directory and place bitcoin64.png in it. This directory is also needed for the configuration files.
  • The program: cut & paste the Python code into your favorite editor and check that you have everything from "#!/usr/bin/env python3" to "root.mainloop()". If everything is OK, save it as and make it executable with the command line "chmod u+x".

[Screenshot of the Python program: Smart=BTC]

The program uses the standard "Pay To Pubkey Hash" method for bitcoin payments.
For every bitcoin address (with, of course, a corresponding generated key pair) the program needs a separate configuration file. These configuration files, plus one global.conf, are in the .smartbtc directory in the home directory of the user.
When started, it asks for the configuration id (the file name without its ".conf" ending). It reads its bitcoin address and a provider URL from the configuration file.
Then it retrieves "the transactions with unspents" that belong to this bitcoin address from the provider URL. It displays the transaction id and the unspent amount, normally in green. If an entry is displayed in red, it has fewer than 6 'confirmations' and is not trustworthy (you should wait some time).
Next you have to give the amount you want to pay (it should be less than the Total Unspent) and the target address (you can paste it with Ctrl-V) for your transaction.
When that is done, you press "Create Transaction" and the amount is distributed over those unspents. It will warn you when there are not enough unspents. If the transaction uses a lot of unspents, the transaction fee can be 3 times higher than the fee entry in the config file.
If everything looks OK, you can press "Sign Transaction".
After signing you can send it to the Bitcoin test or main network by pressing "Push Transaction to Network". The network will reject unsigned transactions(!). Alternatively, you can find your signed transaction (hex formatted) in the file whose name is displayed in the field "transaction filename". You can check and push that transaction by hand (cut & paste) on a bitcoin provider website at a later moment. Transaction processing by the network takes about 10 minutes; that is normal for bitcoin. You should not do more transactions in that time, to prevent a "double spend".
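The "Create Transaction" step described above, as an added example that is not the smartbtc source: it distributes an amount over unspents, skips entries with fewer than 6 confirmations, and warns when the confirmed unspents are not enough. The dictionary field names, the fee rule (INPUTS_PER_FEE_STEP) and the sample unspents are assumptions made for this illustration; only the 6-confirmation threshold and the 3x fee ceiling come from the text.

```python
MIN_CONFIRMATIONS = 6      # fewer than this is shown in red in the GUI
MAX_FEE_FACTOR = 3         # text: fee can reach 3x the configured fee
INPUTS_PER_FEE_STEP = 3    # assumption: one extra base fee per 3 inputs


class InsufficientFunds(Exception):
    """Raised when confirmed unspents cannot cover amount plus fee."""


def fee_for(n_inputs, base_fee):
    # Assumed fee rule, capped at MAX_FEE_FACTOR times the configured fee.
    steps = 1 + (n_inputs - 1) // INPUTS_PER_FEE_STEP
    return base_fee * min(steps, MAX_FEE_FACTOR)


def select_unspents(unspents, amount, base_fee):
    """Return (inputs, fee, change) in satoshis, using confirmed unspents only."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    confirmed = [u for u in unspents if u["confirmations"] >= MIN_CONFIRMATIONS]
    pending = sum(u["value"] for u in unspents) - sum(u["value"] for u in confirmed)
    chosen, total = [], 0
    # Largest first keeps the input count, and so the fee, low.
    for u in sorted(confirmed, key=lambda u: u["value"], reverse=True):
        chosen.append(u)
        total += u["value"]
        fee = fee_for(len(chosen), base_fee)  # fee can grow as inputs are added
        if total >= amount + fee:
            return chosen, fee, total - amount - fee
    raise InsufficientFunds(
        "confirmed total %d < amount + fee; %d satoshi still below %d confirmations"
        % (total, pending, MIN_CONFIRMATIONS))


# Constructed sample data: txids are placeholders, values in satoshis.
SAMPLE_UNSPENTS = [
    {"txid": "aa" * 32, "vout": 0, "value": 40000, "confirmations": 120},
    {"txid": "bb" * 32, "vout": 1, "value": 25000, "confirmations": 2},
    {"txid": "cc" * 32, "vout": 0, "value": 15000, "confirmations": 9},
    {"txid": "dd" * 32, "vout": 2, "value": 10000, "confirmations": 30},
    {"txid": "ee" * 32, "vout": 0, "value": 5000, "confirmations": 7},
]

if __name__ == "__main__":
    inputs, fee, change = select_unspents(SAMPLE_UNSPENTS, 50000, 10000)
    print(len(inputs), fee, change)
```

Amounts are integer satoshis so that fee and change arithmetic is exact.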