Ask Siri to help you or when you are too lazy to get up off the couch

In this guide, I briefly describe how I use Shortcuts on my iPhone to manage my pool, and how I call on Siri to help me.

You should have:

  • Customized pool and pool management scripts (in this example, I run a script that rotates the KES keys);
  • an iPhone with Shortcuts.

Some scripts to manage the pool require cold keys. For quick access to cold keys and other important information I use an encrypted folder. I use a solution called gocryptfs to encrypt the folder.

Working with gocryptfs goes as follows:

  1. Installation:
    sudo apt install gocryptfs

  2. Initialization:
    mkdir -pv ~/Encrypted
    gocryptfs -init ~/Encrypted

  3. Create Mount Point:
    mkdir -pv ~/Unencrypted

  4. Mount the file system (after mounting, write down the master key that appears in the terminal):
    gocryptfs ~/Encrypted ~/Unencrypted

  5. Move important data to the Unencrypted folder (or create important data in this folder).

  6. Unmount the file system:
    fusermount -u ~/Unencrypted

When everything is ready, go to the iPhone:

  1. Open the standard Shortcuts application, and click “Create Shortcut”.
  2. Click on the ellipsis and set the name of the script. Then Done.
  3. Click “Add Action” and in the search enter “ssh”. Select “Run Script Over SSH”.
  4. Click “Show More” and fill in the parameters. You should get something like this:

P.S.: For greater security, use SSH key authentication. Do not forget to add the key to the file ~/.ssh/authorized_keys.

The “Script” parameter is filled with the necessary commands (separator “;”), in this case:
gocryptfs -q /home/admin/Encrypted /home/admin/Unencrypted -o masterkey=e5737ebf-d7c148e0-38a652ee-883bf29e-770286fd-6d106b9c-938d5557-d4f7aa30; /home/admin/scripts/KESupdate.sh; fusermount -u /home/admin/Unencrypted

Thus, we mount the encrypted folder at the mount point (the “-q” parameter turns on quiet mode), execute the necessary script on the server and unmount.

It remains to press Done and run the Shortcut.

You can run the script in several ways: from the Shortcuts application, using the Shortcuts widget, or by asking Siri to do it (after activating Siri, tell her “Start KESupdate”).

Thanks for reading. I hope this little guide simplifies your work.
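An added example (not the original poster's code): a wrapper the Shortcut's “Script” field can call instead of the “;”-separated chain, so the KES script only runs when the mount actually succeeded and the vault is unmounted even if the script fails. The tool names are overridable environment variables so the flow can be exercised without FUSE, and GOCRYPTFS_MASTERKEY is an assumed variable the caller sets.

```shell
#!/bin/sh
# Added example, not from the original post. In the ";"-chain from the Shortcut
# the KES script runs even when the mount failed, and the vault stays mounted
# (cold keys readable) when the script aborts. Here every step is checked and
# the vault is always unmounted.
set -eu

# Paths as used in the post; override through the environment if yours differ.
ENCRYPTED="${ENCRYPTED:-/home/admin/Encrypted}"
MOUNTPOINT="${MOUNTPOINT:-/home/admin/Unencrypted}"
KES_SCRIPT="${KES_SCRIPT:-/home/admin/scripts/KESupdate.sh}"
# Tool names are overridable so the flow can be exercised without FUSE.
GOCRYPTFS="${GOCRYPTFS:-gocryptfs}"
FUSERMOUNT="${FUSERMOUNT:-fusermount}"

log() { printf '%s kes-sealed: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >&2; }

# Quiet mount with the master key taken from GOCRYPTFS_MASTERKEY, an assumed
# variable the caller sets. Like the post's one-liner, this still puts the key
# in the process arguments, which other local users can read via ps.
mount_vault() {
    "$GOCRYPTFS" -q -masterkey "${GOCRYPTFS_MASTERKEY:?not set}" \
        "$ENCRYPTED" "$MOUNTPOINT"
}

unmount_vault() { "$FUSERMOUNT" -u "$MOUNTPOINT"; }

# Run one command with the vault mounted: refuse if the mount failed, unmount
# whether the command succeeded or not, and return the command's own status.
with_vault() {
    if ! mount_vault; then
        log "mount of $MOUNTPOINT failed, not running: $*"
        return 1
    fi
    _rc=0
    "$@" || _rc=$?
    if ! unmount_vault; then
        log "WARNING: unmount of $MOUNTPOINT failed, cold keys still readable"
        return 1
    fi
    log "'$1' finished with status $_rc, vault unmounted"
    return "$_rc"
}
kes_update_sealed() { with_vault "$KES_SCRIPT"; }

# Shortcut "Script" field: GOCRYPTFS_MASTERKEY=... sh /home/admin/scripts/kes_sealed.sh run
case "${1:-}" in
    run) kes_update_sealed ;;
esac
```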


Fantastic. Nice job, sir. Would this work on my Raspberry if I manage to do it in the end?

If you use ssh, it will work.


Interesting idea, and I tend to like it. But this is vulnerable in the small window when the gocryptfs volume is mounted, i.e. leaking cold keys. That’s why they’re called cold keys: DO NOT STORE them online, especially on the pool. The safest I can think of is to have some 24-word mnemonic stored safely for backup.

Then have some air-gapped (no internet connection at all) device (a Raspberry Pi is fine) and copy an ARM/ARMv7-based cardano-cli and the genesis file onto that server (through USB).

  • generate the cold-key pair based on the 24-word mnemonic (it’s possible and I demonstrated it here)
  • generate the initial KES key pair using cardano-cli
  • generate the initial VRF using cardano-cli (just for backup, stored on the air-gapped device in case the pool is completely destroyed; it is not necessary to have the same VRF, but otherwise you would need to create a new pool cert, which means you will lose all delegators)
  • create the initial opscert from the KES period calculated from genesis
  • initially copy the VRF key pair and the cold VKEY only to a USB
  • copy the newly generated KES and new opscert to the USB every time it’s required (once per KES period)
  • unmount the USB and mount it on any semi-secure server that has online access, and securely copy them over to the pool
  • restart the node or inject (not implemented yet) the opscert and KES keys through some API

So, this seems to me the safest.

Ofc, the pool cert is a little bit more complicated as it needs transaction signed by owner(s) and the pool’s cold key, but it could be done like in jcli where it seals the tx after everyone individually signed the tx.
