Difference between revisions of "ICP custody with seed phrase and air-gapped machine"

From Internet Computer Wiki

Revision as of 01:44, 10 November 2021

Getting your hardware and software ready

What you will need:

  1. air-gapped computer (not connected to the internet)
  2. networked smartphone

You will need to install the following into your air-gapped computer:

  1. keysmith
    1. https://github.com/dfinity/keysmith keysmith
    2. You will use this to generate important artifacts like `seed phrase` and `private key`
  2. OpenSSL
    1. https://wiki.openssl.org/index.php/Binaries
    2. required by `quill`
  3. quill
    1. https://github.com/dfinity/quill
    2. you will use this to craft messages like "create neuron" for the Internet Computer
    3. You can install it by downloading the binary for your operating system or by cloning and compiling the code
    4. note that once installed, the command to execute is `target/release/quill`
  4. qrencode
    1. https://github.com/fukuchi/libqrencode
    2. Generates QR codes for bridging the air gap
    3. Tip: if you have Homebrew, you can install via `brew install qrencode`
  5. jq
    1. https://github.com/stedolan/jq
    2. Required for creating multiple QR codes
    3. Tip: if you have Homebrew, you can install via `brew install jq`
  6. Copy and paste the following bash script into a file named `quill-qr.sh`:

Warning: only tested on macOS and Linux.

```bash
#!/usr/bin/env bash
# Relay page that decodes the QR payload on the networked side
URL=https://p5deo-6aaaa-aaaab-aaaxq-cai.raw.ic0.app
# Read quill's JSON from stdin. A single message is wrapped in an array so that
# one or many messages are handled alike, then each message is emitted on its own
# line. `-d ''` makes read stop at the NUL written by printf, not at a newline.
IFS=$'\n' read -r -d '' -a messages < <( cat - | jq -M 'if . | type != "array" then [.] else . end' | jq -rcM .[] && printf '\0' )
for message in "${messages[@]}"
do
    # gzip + base64 the message, percent-encode the three base64 characters that
    # are not URL-safe (+ / =), and render the resulting URL as a QR code
    echo "$URL/?msg=$(echo "$message" | gzip -c | base64 | tr -d '\n' | sed -e 's/+/%2B/g' -e 's/\//%2F/g' -e 's/=/%3D/g')" | qrencode > qr.png
    open qr.png   # shows the QR code in the default image viewer (macOS `open`)
    echo ENTER TO CONTINUE...
    read < /dev/tty   # wait until the code has been scanned before showing the next one
    clear
done
```


Because an air-gapped computer is not connected to the internet, it can be a bit awkward to install these. The most common way to do it is to download them to a networked computer and transfer the files to the air-gapped computer via CD or USB drive. Others install these on a networked computer *and then* air-gap it.
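The script above feeds each quill message through gzip, base64 and a minimal percent-encoding before turning the URL into a QR code. The following Python is an added example, not code from the wiki page or from the quill project: it reproduces that encoding so a payload can be inspected before it is scanned, and decodes it again the way the relay page on the networked side would have to (that the relay decodes exactly the inverse is an assumption; the sample message and its field names are constructed).

```python
# Added example, not part of the wiki page or of quill: reproduce quill-qr.sh's
# encoding (jq -c | gzip | base64 | percent-encode) and its inverse.
import base64
import gzip
import json
import urllib.parse

# Relay URL copied from quill-qr.sh above.
RELAY_URL = "https://p5deo-6aaaa-aaaab-aaaxq-cai.raw.ic0.app"


def normalize_messages(quill_output: str) -> list:
    """quill prints either one message object or an array of them; return a
    list either way (the script's jq 'if type != "array" then [.] ...' step)."""
    data = json.loads(quill_output)
    return data if isinstance(data, list) else [data]


def encode_message(message) -> str:
    """Build the URL the script renders as a QR code for one message."""
    compact = json.dumps(message, separators=(",", ":")) + "\n"  # jq -c + echo
    b64 = base64.b64encode(gzip.compress(compact.encode())).decode()
    # Only '+', '/' and '=' can occur in base64 output and are not URL-safe,
    # so the script's three sed substitutions are a complete encoding.
    escaped = b64.replace("+", "%2B").replace("/", "%2F").replace("=", "%3D")
    return f"{RELAY_URL}/?msg={escaped}"


def decode_url(url: str):
    """Inverse of encode_message (assumed to match what the relay page does).
    Malformed base64 or gzip data raises instead of yielding a message, so the
    networked side can refuse a corrupted scan rather than submit garbage."""
    query = urllib.parse.urlparse(url).query
    msg = urllib.parse.parse_qs(query, strict_parsing=True)["msg"][0]
    raw = gzip.decompress(base64.b64decode(msg, validate=True))
    return json.loads(raw)


def urls_for(quill_output: str) -> list:
    """One URL, hence one QR code, per message, like the script's for loop."""
    return [encode_message(m) for m in normalize_messages(quill_output)]


if __name__ == "__main__":
    # Constructed stand-in for quill output; the field names are illustrative only.
    sample = '[{"call_type":"update","content":"d9d9f7"},{"call_type":"read","content":"a1"}]'
    for url in urls_for(sample):
        assert decode_url(url) in normalize_messages(sample)
        print(url)
```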

Generate a private key

Everything in this section occurs within your air-gapped computer.


Once you have `keysmith` and `quill` installed on your **air-gapped computer**, you are ready to start.


4.1.1 Use `keysmith` to generate a seed phrase

On the **air-gapped computer**:

```bash
$ keysmith generate -o seed.txt
```


4.1.2 Use `keysmith` to create a private key and store it in the `private.pem` file

On the **air-gapped computer**:

```bash
$ keysmith private-key -o private.pem
```


4.1.3 Use `keysmith` to display a `ledger account number`

This command will display a long string which is your `ledger account number`. Below, I provide an example of what this may look like.

On the **air-gapped computer**:

```bash
$ keysmith account
77b5eb9a465f4ce6f4da494ee2bfedeefe0b52d106e0272556c1ad991f99e3da
```

You should write the `ledger account number` down so you can use it in the next chapter in step **4.2.1**.


4.1.4 Secure your `seed phrase` properly

Now that you have generated your `seed phrase` and your keys, you need to write down and store your seed phrase so that you can recover your private key if you lose it.

To properly store your `seed phrase` see [where to store your seed phrase](../docs/4-maximum-control-staking-option#1-where-to-store-your-seed-phrase)


**NOTE: Do not go to step 4.1.5 until you have properly stored it.**

4.1.5 Remove your `seed phrase` from your air-gapped computer

Now that the `seed phrase` is properly stored, you should delete it from your computer before moving forward so that no one can use it to recreate your private key.

Remove it with the following command:

On the **air-gapped computer**:

```bash
$ rm -vf seed.txt
```

Outcome

In this section, we did a few things, so let’s recap what we did and where we should be before moving forward.

**If you do not end up with a table that looks like the one below, do not continue.** Try again, check out support, or submit a question to support.

| Artifact | Example | Security | Final outcome | Storage |
| :------------- | :------------- | :------------- | :------------- | :------------- |
| `seed phrase` | `stove reject elder top dentist car suit license grid uncle ape wash` | If someone has this, they can take your tokens. If you lose it, you can lose access to your ICP. You must store it in a safe and secure place in order to be able to regenerate your private key. | You created this via `keysmith` in this section in 4.1.1. You will have properly stored it in 4.1.4. You deleted it from your computer in 4.1.5. | On paper or [Billfodl](https://privacypros.io/products/the-billfodl/), possibly kept in a safe |
| `private key` | `-----BEGIN EC PARAMETERS-----` (and continues...) | If someone has this, they can take your tokens. If you lose it, you can recreate it from the seed phrase. | You created this via `keysmith` in this section in 4.1.2. | To remain on the air-gapped computer |
| `ledger account number` | `77b5eb9a465f4ce6f4da494ee2bfedeefe0b52d106e0272556c1ad991f99e3da` | If someone has this, they can view your token balance. If you lose it, you can go through steps to get it back with your private key. | You generated this in 4.1.3. This can be stored anywhere. | Wherever you like |