CNTOOLS offline workflow -step by step guide

I put this guide together with the troubleshooting help from both

Alexd1985 [CHRTY}Charity Pool & Dostrelith[Eden]Pool,

please consider moving some delegations to these guys :slight_smile:

they have been extremely helpful on my stake pool journey!


0.0 OBJECTIVE: get things ready.

0.1 on the offline cold/gap computer
install cntools on offline pc, update ubuntu, be sure versions are correct.

0.2 mount USB:
sudo fdisk -l
** sudo chmod 666 /dev/{device assignment for USB :sdb2,sdY etc…use “df” command in cli}**

0.3 Lets start cntools:
./ -o #offline mode

     cut and past displayed permission code into cli.
     should look something like this:
     **echo "gap ALL=NOPASSWD /usr/bin/chattr" | sudo tee /etc/sudoers.d/cntools"**

      you should now be error free and into cntools GUI

“built transaction”: refers to the file (.json) created by cntools, whether it’s a transaction for sending funds, registering pool / wallet, withdrawing rewards

IF the file is successfully submitted to the blockchain…its immutable! …you may say [Y] to delete prompt.
This will help reduce file bloat.

Cntools will prompt you for filepath…so i just opened Ubuntu File manager: tmp/cnode/cntools/offline/offline01234567.json.

Right Click on “properties”, copy and paste file path THEN also copy and paste json file name.


“building a transaction”: involves choosing “hybrid” in cntools
“signing”: same for all. Transaction=>>sign (cntools)
“submitting”: similar for all Transaction=>>submit (cntools)

The file is built then transferred to USB…then it REMAINS on the USB. Is then “signed by the offline computer” via filepath and "submitted by the online server (live node or BLOCKPRODUCER) via file path.

1.0 OBJECTIVE: cold generation of pool/wallet/op.cert
1.1 create new wallet
1.2 create new pool
1.3 rotate keys and generate op.cert
1.4 create backup on USB with “not private keys option”
" i received an ERROR: “lsattr: Operation not supported While reading flags on /media/usb/poolsig”
however it said successfully encrypted AND backup successfully created.
so i will just ignore that…assuming USB wont allow pc to check attributes?
(this is probably due to the USB not being of ext4 format.)

unmount or eject USB!

1.5 UNMOUNT/Eject USB and move to online server (blockproducer)

2.0 OBJECTIVE: to reveal cold generated address to online computer to fund/register to blockchain.

   mount USB drive as before:
     sudo fdisk -l
     sudo chmod 666 /dev/{device assignment for USB :sdb2,sdY etc.....use "df"

command in cli

    recover from backup (i can confirm this does not overwrite existing folders,

just adds additional) decrypt for use (and you should encrypt local archive, or move it offline)

2.1 fund wallet with 510 ADA
2.2 once funds are received…wallet will be able to pay for wallet registration on blockchain. 1min

2.5 After generating partially signed transaction: Its time to move it back to OFFLINE:
this will be found in /tmp/cnode/cntools/offline_tx_1234567890.json

move to USB.

UNMOUNT USB from Online server(BP) and move USB back to OFFLINE /COLD computer.
(remember you set a time limit and this transaction will be void if you dont complete in time)

Move this file to offline Gapped computer. (sign it with source wallet payment.skey)

3.1 start Cntools in offline mode (./ -o)
Transaction>>Sign: “with payment key from wallet”

    you dont have to move files....they can be signed whilst on USB.
    enter  file path  /media/usb/etc/partiallysignedFILENAME.json
   UNMOUNT and move back to online server.

3.5 Transfer signed transaction back to ONLINE node.

4.1 transaction==> submit to blockchain (from USB)
4.2 register pool in hybrid mode.

4.5 Repeat for additional transactions/pools
5.1 same
5.5 same

dont forget to:

 rotate keys
 encrypt wallet/pool 
 backup your Gap Computer (offline) cold keys 
to a drive that "never touches" wifi or ethernet.
 restart node after pool modification.


if you registered pool in online mode and dont want to retire or give up your ticker for 2 weeks…and risk loosing it then use this workflow to secure your wallet and pool offline.

  1. create a new wallet offline: sign/submit/fund.
  2. modify pool (online) in hybrid modify pledge and source/rewards wallet.
  3. you will have to grab pool cold key over with you as well as the signing .json
  4. bring back to offline and sign. [Y] to 2 wallet and 1 pool file.
    5 back to online and submit.

check pools website to confirm address is correct.

If required:
Moving from online workflow to offline hybrid workflow: {thx to [AHLNET]}

1 Create backup on online server choosing to backup all files incl signing keys (preferrably encrypting backup).

2 Move backup to offline server and restore within cntools.

3 Once you have verified that all files are safely moved to offline server, including signins files for wallets and pool. Feel free to remove signing files from online server.

edits ongoing through april /2023 as i discover process.
if anyone wants so suggest edits, errors, workarounds, or better ways… please let me know!

is this for when using an airgapped machine holding your hot keys?

1 Like

yes sir, that is correct

Can we get this for people using Mac M1?