Best practices to store cold keys (cold.vkey, cold.skey)

Hi all,

I have a question regarding how we should store cold keys while creating/managing a stake pool.

The below image is taken from the guide here: https://docs.cardano.org/projects/cardano-node/en/latest/stake-pool-operations/node_keys.html

The guide suggests that we should store the cold keys in a computer that is not connected to the Internet and only upload the kes and vrf keys to the servers that run the nodes.
But when we register a stake pool, we need both “cold.vkey” and “cold.skey”, and this made me very confused. In the end, I had to upload the cold keys to the server and then deleted them after registering the stake pool.

Can anyone suggest what would be the best practices in managing these cold keys?

2 Likes

Hi Trung.

You want a cold machine with cardano-node and cardano-cli installed (best to have a machine that has never touched the internet). You don’t need to run the node, but you use cardano-cli to build and sign all transactions offline, and then move those signed transaction files to a hot node for submission to the chain. How you store your keys is up to you - encrypted on disk, encrypted USB, fireproof safe or buried and boobytrapped in the wilderness will work - but make sure neither your cold keys nor your private keys ever touch a hot node.

That’s how I roll.

Your friend, FROG

8 Likes

This information is extremely helpful @ADAfrog. Thank you very much.

I didn’t know we could sign transactions offline. This info should be made available in the guide.

Cheers. All the best to you @ADAfrog

3 Likes

Hi! I’d like to chime in here with a silly question. How do I install cardano-node and cli on a machine without connecting online?

Hi Morgan,

You can compile on a hot machine and move the binaries over. You will need to do this for libsodium as well.

Your friend, FROG

1 Like

Oh cool, thanks FROG!

To make sure I understood this correctly,

In order to transfer the binaries from hot to core, and the signed transactions from core to hot machine, you use a hard/USB drive?

Once again, thank you!

Hi Morgan,

Yes, but keep in mind there is risk either the USB drive or one of your machines may be infected with malware. So in this regard I recommend not storing your keys on your cold machine whatsoever, and only bringing them over to your cold machine via a separate encrypted USB to perform transaction signing, and then shred the keys on your cold machine when you are done (make sure you have your keys backed up in multiple places to avoid destroying your only copy). After the keys are no longer on your cold machine, then you can move the signed transaction files over to your hot node using a separate USB.

I like to operate under the assumption my machines are compromised.

Also, signed transaction files are not sensitive.

Your friend, FROG

2 Likes
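The hot/cold split FROG describes (sign on the cold machine, shred the keys afterwards, submit from the hot node) as an added example script; this is not the Cardano guide's code or FROG's. It assumes cardano-cli is on PATH on both machines, that `$STAGE` is the mount point of the USB used for transfer, and that the unsigned body `tx.raw` (built with `cardano-cli transaction build-raw`, which needs no keys) is already on it; the `is_hot_safe` check is a constructed guard keyed on the "type" field of cardano-cli's JSON text envelopes.

```bash
#!/usr/bin/env bash
# Added example of the hot/cold workflow from this thread (not the guide's code).
# Assumptions: cardano-cli on PATH on both machines, $STAGE = transfer USB
# mount point, $STAGE/tx.raw already built with "transaction build-raw".
set -euo pipefail

# Read the "type" field of a cardano-cli JSON text envelope (keys and txs).
envelope_type() {
  sed -n 's/.*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 if a file may go to a hot node, 1 if it is a cold secret.
# Only KES and VRF signing keys belong on the block producer; every other
# signing key (cold, payment, stake) must never touch a hot machine.
is_hot_safe() {
  case "$(envelope_type "$1")" in
    KesSigningKey*|VrfSigningKey*) return 0 ;;
    *SigningKey*) return 1 ;;
    *) return 0 ;;   # verification keys, signed/unsigned transactions, etc.
  esac
}

# Cold machine: copy keys from the separate encrypted key USB into RAM-backed
# scratch space, sign, then shred them (keep backups elsewhere first!).
cold_sign() {
  local keys="$1"   # directory on the encrypted key USB
  local work
  work=$(mktemp -d -p /dev/shm)
  cp "$keys"/payment.skey "$keys"/stake.skey "$keys"/cold.skey "$work"/
  cardano-cli transaction sign \
    --tx-body-file "$STAGE/tx.raw" \
    --signing-key-file "$work/payment.skey" \
    --signing-key-file "$work/stake.skey" \
    --signing-key-file "$work/cold.skey" \
    --mainnet \
    --out-file "$STAGE/tx.signed"
  shred -u "$work"/*.skey
  rmdir "$work"
}

# Hot node: refuse the whole USB if any cold secret slipped onto it, then submit.
hot_submit() {
  local f
  for f in "$STAGE"/*; do
    is_hot_safe "$f" || { echo "refusing: $f is a cold secret" >&2; return 1; }
  done
  cardano-cli transaction submit --tx-file "$STAGE/tx.signed" --mainnet
}
```

Run `cold_sign /media/keyusb` on the cold machine and `hot_submit` on the hot node; the guard only reads the envelope header, so a tx.signed file passes while a stray cold.skey stops the submit.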

Sounds pretty secure to me. Thanks!

Is there a type of encrypted/secure USB device that you’d recommend/prefer? Anything you would suggest that I should be aware of when choosing a USB for storing the keys and transferring the respective files between machines etc?

Flash data retention is limited, so having a couple of USB drives and rotating them out every few years is recommended. SLC NAND is more robust than MLC (been out of the semiconductor business a while so there may be newer tech, but I think this might just be limited to die stacking).

I would recommend purchasing a USB drive made by a reputable flash manufacturer such as Samsung as you know the flash chips will likely be better quality and the devices will likely undergo better testing.

Your friend, FROG

1 Like

Noted, and thank you!

So here’s where I’m confused…

The Block Producing Core Node should have the IP address of the Relay node in its topology file and needs to run in order to connect with the Relay node, and for the Relay node to connect to the Block Producing Core Node with its respective address in the topology file.

So how are we keeping the Block Producing Core node ‘cold’ and not connected to the internet?

Have I misunderstood something here, FROG?

Hi Morgan,

A cold machine is completely separate (strictly for key management), and not part of your stake pool cluster architecture. Your block producer is indeed a hot node.

Please let me know if I can clarify.

Your friend, FROG

1 Like

Hi FROG,

So the cold machine is only to sign transactions… and the block producer instance and relay instance would have the nodes being run with 99.999% up time.

To make sure I got this right… to be a Stake Pool operator we should have:

  • one block producer (VPS)
  • at least one Relay (VPS)
  • Cold Machine (Secure Signing of Transactions)
  • USBs / Encrypted drives to store cold keys and transfer the same temporarily and binaries to Cold machine etc.

Please let me know if I’m missing something.

Hi Morgan,

I can only guide you - you will have to understand best security practices and why each component is important. How you store your keys is up to you, as there are many methods.

I also recommend more than one relay - if a relay goes down in a single-relay architecture, then so does your block producer.

Your friend, FROG

For sure FROG, I understand.

You bring a whole lot of smart points that I’m happy to have learned from you. Just picking your brain here so that I understand what I’m doing and get good at it.

I will continue with the course with the testnet and things should be more clear to me.

Thank you.

1 Like