Cold & Private Keys within CNTools

Hey Guys,

I wanted to triple-confirm the issue of Cold & Private Keys with a different approach… which keys NEED to be kept on the Live Core-BP server?

(otherwise, I will store everything else on the air-gapped machine).

Can you reference the files below to make it as ‘black & white’ as possible to maybe eliminate future confusion with new SPOs:

/priv/wallet/wallet_name/:
payment.skey
stake.skey
base.addr
payment.addr
reward.addr
stake.vkey
payment.vkey

/priv/wallet/pool_name/:
cold.counter
cold.skey
cold.vkey
hot.skey
hot.vkey
kes.start
op.cert
pool.id
pool.id-bech32
vrf.skey
vrf.vkey

Thanks in advance!!

kes and vrf signing keys and op cert

Thanks!

So, on the Core-BP node will only contain:
/priv/wallet/pool_name/
kes.start
op.cert
vrf.skey

What about the wallet? I plan on signing all transactions from the cold environment, so I would need to keep “payment.skey” and “stake.skey” OFF of the live Core-BP node, right?

If this is the case then the live Core-BP node will contain the following:
/priv/wallet/wallet_name/:
base.addr
payment.addr
reward.addr
stake.vkey
payment.vkey

Let me know if I have this right.

(I apologize for the amateur question…I’m just triple-confirming before going live.)

Question: I just realized within CNTools, you can Encrypt/Decrypt the payment.skey &stake.skey files…is this the way to go without needing to create transactions from an air-gapped machine?

I’m just looking for clarity…how is everyone signing transactions?

Assuming I’ve adapted the security measures:

  • disabling root
  • incorporating google authenticator wherever possible
  • setting up firewall with unique ssh port
  • incorporating Fail2Ban
  • etc.

For fail2ban I configured jail.local and edited it… now it’s working fine (ban all attempts after 3 fails)

With wallet/pool encrypt/decrypt option you will increase your security (will encrypt some files from wallet and pool folder (you will see with .gpg extension). Then you must to decrypt them in order to make transactions or pool modifications). And offcourse remove your cold keys from the server!

Yes, since these are not needed by the node to produce blocks.

The backup and Restore functionality of CNTools allows you to delete keys after backing up, so that you dont manually go around accidentally moving file you dont need to.

(PS: CNTools also offers offline transaction creation mode for air gapped machines - refer to docs for workflow if interested)

So I made the miastake of choosing delete private keys while backing up thinking it was removing them from the backup not the actual disk… Have I lost access to my wallet? I cant find the private keys anywhere. I thought I was backing things up.

What file do u have now in wallet folder?

Deleting keys will only be actioned after you have done a backup, not before. If they’re deleted, it means you’ve already backed up the keys (hence, it was deleted as per recommended practice). You can restore the back up if you want to access your keys again.

The way he said… I think he deleted the key before to backup them…

This specifically says choosing delete private keys while backing up, which is also what menu reads in CNTools. For some reason he thought the keys are being deleted from backup, while the flow is , backup the files and delete from live server (so that keys are not present on a server exposed to internet). The behaviour from CNTools was as documented, what’s possibly missed is that he needs to restore the backup to restore keys again

1 Like

Thanks all. I restored backup and keys are there… the messaging around that is confusing. The documentation says backup w / o keys… so I got a bit confused. I have restored the backup and got my keys back. Whew thanks for your help. Now I understand what’s going on. :grinning:

1 Like