I’m setting up an air gap core node. I’d like to make sure I understood it correctly. Would appreciate any feedback I could get. Thanks!
- The Cold + KES keys can be generated directly from the air gap core node.
- The Air Gap Core Node would have the same Payment + Stake keys as the relay node.
- The Stake Pool Registration Certificate + Delegation Certificate can be generated directly from the air gap core node.
If the above 3 points are correct, I presume the Delegation Certificate would be transferred to the hot core node to build the transaction, then the tx.raw file would be transferred back to the air gap core node to sign, before transferring it back to the hot core node to submit.
Hope I understood the process correctly?
Remove your payment and stake keys from all hot nodes (make sure you have them backed up). The entire transaction process, with the exception of submitting the signed transaction file, can be performed offline on your cold node. Build and sign cold => move to hot to submit the tx.signed. To prepare for this, simply bring the necessary utxo query information for the payment address over to the cold machine.
You will need to transfer over kes.skey, vrf.skey and the pool opcert to run your block production node - that’s it.
Also, there should be no keys whatsoever on your relay nodes.
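An allowlist gate for what leaves the cold machine, written here as an added example (not from the thread or any Cardano tooling). It encodes the reply above: only kes.skey, vrf.skey, the opcert and tx.signed ever go onto the transfer medium, and payment, stake and cold keys are refused. The filenames follow cardano-cli conventions (the opcert is assumed to be named node.cert); the function names, the outbox directory, the SHA256SUMS manifest and the constructed demo files are assumptions of this illustration.

```shell
#!/bin/sh
# Added example: an allowlist gate for files leaving the cold machine.
# Filenames follow cardano-cli conventions; node.cert for the opcert is an
# assumption, as are the function names and the outbox layout.

# Only these files are ever allowed onto the transfer medium.
# kes.skey, vrf.skey, node.cert -> block producer; tx.signed -> submitting node.
ALLOWED_OUT="kes.skey vrf.skey node.cert tx.signed"

# is_allowed NAME -> returns 0 if NAME may leave the cold machine
is_allowed() {
    for ok in $ALLOWED_OUT; do
        [ "$1" = "$ok" ] && return 0
    done
    return 1
}

# stage_out OUTBOX FILE... -> copies allowed files into OUTBOX and refuses the
# rest. Returns 1 if anything was refused, so the cold-side script can stop
# before the medium is unplugged. A digest manifest lets the hot side verify
# the copy with: sha256sum -c SHA256SUMS
stage_out() {
    outbox=$1; shift
    rc=0
    for f in "$@"; do
        name=$(basename "$f")
        if is_allowed "$name"; then
            cp "$f" "$outbox/$name"
            (cd "$outbox" && sha256sum "$name" >> SHA256SUMS)
        else
            echo "REFUSED: $name must never leave the cold machine" >&2
            rc=1
        fi
    done
    return $rc
}

# outbox_clean OUTBOX -> returns 0 if nothing outside the allowlist is present
outbox_clean() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        [ "$name" = SHA256SUMS ] && continue
        is_allowed "$name" || return 1
    done
    return 0
}

# Demo on constructed files (not real keys): every key the cold machine holds is
# offered, and only the allowed ones reach the outbox.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/cold" "$tmp/outbox"
    for f in payment.skey stake.skey cold.skey kes.skey vrf.skey node.cert tx.signed; do
        echo "constructed placeholder for $f" > "$tmp/cold/$f"
    done
    if stage_out "$tmp/outbox" "$tmp/cold"/*; then
        echo "outbox staged cleanly"
    else
        echo "some files were refused; outbox holds only allowed files:"
    fi
    ls "$tmp/outbox"
    rm -rf "$tmp"
}

demo
```

On the cold machine this sits after `cardano-cli transaction sign ... --out-file tx.signed`: run `stage_out /path/to/outbox tx.signed`, then on the hot side `sha256sum -c SHA256SUMS` before `cardano-cli transaction submit`. The allowlist is by filename only; it stops an accidental `cp *` of payment.skey, not a compromised cold machine.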
Which leads to an interesting operational conundrum: how to output from the cold machine without plugging in anything (e.g. a USB stick) that has seen a hot machine before?
It pushes the paranoia a bit, but imagine an infected USB stick used to go back and forth from the cold machine. How long will it take for the secrets to leak out?
This is a great point. I would even be so paranoid as to not trust my own perception as to whether or not a USB stick has ever been hot (bugged out of the box).
I shred my local cold files as precaution after signing and before bringing a stick over to pull files, but it still is a potential attack vector.
It sounds strange and old fashioned: I use an external CD/DVD burner for this. I have quite a few blank CD-Rs lying around and finally got some use for them.
Another way could be printing the tx.signed in a large font size and scanning + OCRing the result on the hot machine.
Just note: There is no absolute security!
The community is awesome at on-boarding new stake operators, as always!
Should be encouraging and motivating for anyone reading this… Thanks guys.