ICP custody with seed phrase and air-gapped machine

From Internet Computer Wiki
Revision as of 02:00, 10 November 2021 by Diego.prats (talk | contribs) (→‎Outcome)
Jump to: navigation, search

Getting your hardware and software ready

What you will need:

  1. air-gapped computer (not connected to the internet)
  2. networked smartphone

You will need to install the following into your air-gapped computer:

  1. keysmith
    1. https://github.com/dfinity/keysmith keysmith
    2. You will use this to generate important artifacts like `seed phrase` and `private key`
  2. openSSSL
    1. https://wiki.openssl.org/index.php/Binaries
    2. required by quill`
  3. quill
    1. https://github.com/dfinity/quill
    2. you will use this to craft messages like "create neuron" for the Internet Computer
    3. You can install it by downloading the binary for your operating system or by cloning and compiling the code
    4. note that once installed, the command to execute is `target/release/quill`
  4. qrencode
    1. https://github.com/fukuchi/libqrencode
    2. Generates QR codes for bridging the air gap
    3. Tip: if you have Homebrew, you can install via `brew install qrencode`
  5. jq
    1. https://github.com/stedolan/jq
    2. Required for creating multiple QR codes
    3. Tip: if you have Homebrew, you can install via `brew install jq`
  6. Copy and paste the following bash script into a file named `quill-qr.sh`:

Warning: Only tested on MacOSX and Linux. 

   bash
   #!/usr/bin/env bash
   URL=https://p5deo-6aaaa-aaaab-aaaxq-cai.raw.ic0.app
   IFS=$'\n' read -r -d  -a messages < <( cat - | jq -M 'if . | type != "array" then [.] else . end' | jq -rcM .[] && printf '\0' )
   for message in "${messages[@]}"
   do
       echo "$URL/?msg=$(echo "$message" | gzip -c | base64 | tr -d '\n' | sed -e 's/+/%2B/g' -e 's/\//%2F/g' -e 's/=/%3D/g')" | qrencode > qr.png
       open qr.png
       echo ENTER TO CONTINUE...
       read < /dev/tty
       clear
   done


Because an air-gapped computer is not connected to the internet, it can be a bit awkward to install these. The most common way to do it is to download them to a networked computer and transfer the files to the air-gapped computer via CD or USB drive. Others install these on a networked computer *and then* air-gap it.

Generate seed phrase and private key

Everything in this section occurs within your air-gapped computer.

air gapped computer


Once you have `keysmith` and `quill` installed air-gapped computer ready, you are ready to start.


Use keysmith to generate a seed phrase

On the air-gapped computer: 


   $ keysmith generate -o seed.txt

Use `keysmith` to create a private key and store it in `private.pem` file

On the air-gapped computer: 

   $ keysmith private-key -o private.pem

Generate a ledger account number

Use `keysmith` to display a `ledger account number`

This command will display a long string which is your `ledger account number`. Below, I provide an example of what this may look like.

On the air-gapped computer: 


   $ keysmith account
   > 77b5eb9a465f4ce6f4da494ee2bfedeefe0b52d106e0272556c1ad991f99e3da


You should write the `ledger account number`

Secure your `seed phrase` properly

Properly store seed phrase

Now that you have generated your `seed phrase` and your keys, you need to write down and store your seed phrase so that you could recover your private key in case you lost it.

To properly store your `seed phrase` see options to store seed phrases.


NOTE: Do not go to next step until you properly store it.

Remove your `seed phrase` from your air-gapped computer

Now that the `seed phrase` is properly stored. You should delete it from your computer before moving forward so no one can use it to recreate your private key.

Remove it with the following command:

On the air-gapped computer: 


   $ rm -vf seed.txt

Outcome

In this section, we did a few things, so let’s recap what we did and where we should be before moving forward.

If you do not end up with a table that looks like the one below, do not continue. Try again.

Artifact Example Security Final outcome
seed phrase W X Y
private key ROW2/COL2
ledger account number ROW2/COL2


| Artifact | Example1 | Security| Final outcome| Storage | | :------------- | :------------- | :------------- | :------------- | :------------- | | `seed phrase` | `stove reject elder top dentist car suit license grid uncle ape wash`| • If someone has this, they can take your tokens. 
• If you lose it, you can lose access to your ICP.
• You must store it in a safe and secure place in order to be able to regenerate your private key | • You created this via `keysmith` in this section in 4.1.1  
• You will have properly stored in 4.1.4
• You deleted this from your computer in 4.1.5| on paper or [Billfodl](https://privacypros.io/products/the-billfodl/), possibly kept in a safe | | `private key` | ```-----BEGIN EC PARAMETERS----- ``` (and continues...) | • If someone has this, they can take your tokens. 
• If you lose it, you can recreate from seed phrase
| • You created this via `keysmith` in this section in 4.1.2. | to remain on air-gapped computer | | `ledger account number` | `77b5eb9a465f4ce6f4da494ee2bfedeefe0b52d106e0272556c1ad991f99e3da`| • If someone has this, they can view your token balance.
• If you lose it, you can go through steps to get it back with your private key. | • You generate this in 4.1.3. This can be stored anywhere. | wherever you like |

Retrieved from "https://wiki.internetcomputer.org/w/index.php?title=ICP_custody_with_seed_phrase_and_air-gapped_machine&oldid=360"