Author Topic: [Howto] Securing your Owner key while using your funds  (Read 3295 times)


Offline xeroc

  • Board Moderator
  • Hero Member
  • *****
  • Posts: 12922
  • ChainSquad GmbH
  • BitShares: xeroc
  • GitHub: xeroc
Quote from: wackou
one small error in your tutorial: in point 4, the code snippet ends with "owner_key", I think you meant "active_key" there :)

Thx .. fixed in the post .. gonna fix wiki tomorrow

Offline wackou

one small error in your tutorial: in point 4, the code snippet ends with "owner_key", I think you meant "active_key" there :)
Please vote for witness wackou! More info at http://digitalgaia.io

Offline wackou

 +5%

I think this is very important, along with your tutorial for changing the signing key of delegates. I believe both of them should be put on the bitshares wiki to be accessible by everyone, not only people reading the forums, as it allows you to have and keep a much more secure account. This allows you to keep your identity super-safe (your owner key, in cold storage) while using your active key or signing key in a more dangerous environment (on a VPS, etc.). If ever something happens to one of your keys, you can always revoke it using your owner key, which is very nice.

As for the tutorial, I could follow easily (already have my devshares delegates like that), but I'm used to using the command-line client. Ultimately, I think this should be integrated in the UI in an intuitive way, but I can see why it's not a priority for now (although having it for 1.0 would be nice)

Offline xeroc

My friends,
please tell me if that tutorial is too long* or too complicated* to read .. because this feature is big imho

Offline xeroc

Quote from: fluxer555
I'm unclear as to what the benefits are to doing this. Can you give a real-world example of this helping someone, and a side-by-side comparison of doing this vs. not doing this for a situation where this would save somebody from an attack?

  • Imagine you create a new (sub) account for your mobile phone ... but you don't want to risk when losing it that someone can crack your pin and gain access to the account .. at most you want an attacker to gain access to the funds
  • Imagine me having a corporation with a billing address "income.company" and I'd like to let others do the books without risking they might compromise the account itself .. but maybe just the funds

Offline fluxer555

  • Hero Member
  • *****
  • Posts: 749
I'm unclear as to what the benefits are to doing this. Can you give a real-world example of this helping someone, and a side-by-side comparison of doing this vs. not doing this for a situation where this would save somebody from an attack?

Offline xeroc

Hey friends,

TL;DR;:
 - secure the owner key of your registered account
 - continue using your account by means of the active_key

this quick tutorial is meant for people that want to put their account name's private key on ice.
This is not a cold storage solution for your funds but for the account
which is registered on the blockchain.
Note that open market orders are not recoverable from the new keys. So
please close your open orders before doing this.

Background:
The blockchain differentiates between at least two pub/priv keys:

owner_key
- 'owns' the account on the blockchain.
- it's like the master of everything.
- all keys are derived from this. Comparable with the seed of HD wallets from Bitcoin.
- can NOT be updated/changed on the blockchain

active_key
- derived from owner_key
- used for (TITAN and non-TITAN) transactions to a registered account name
- used to derive market keys .. (at least that's my understanding)
- can be updated/changed on the blockchain

signing_key (delegates only)
- used to sign blocks (different chapter, different howto)

Howto secure your account's owner key:

1) Make a backup of your wallet
Code:
wallet_backup_create

2) set a new active key
Code:
wallet_account_update_active_key <accountname> <payingAccountName>
with <accountname> denoting the account name for which you want to
update to a new active key and <payingAccountName> is the account which
is funded and pays the transaction fee. The client itself derives a new
active_key (deterministically from the owner key) and sends an update
transaction to the network. Your current wallet will still be able to receive
new funds.

3) wait for one or two blocks

4) Dump the new active key
Code:
wallet_dump_account_private_key <accountname> active_key

5) create new wallet

6) import private key from above into new wallet
Code:
wallet_import_private_key <wif> "" false false
The "" tells the client to figure out the account name automatically and
"false false" tells the client to not 'create' but import an existing account
and not rescan the blockchain (which we will do manually because we have some
more accounts to secure :) )

7) Repeat 2) to 6)

8) Rescan
Code:
rescan

Done. Your funds should all appear again. Even those that have been traded on the blockchain.


For the brave guys in the community: I wrote a python script to do the above
steps for all accounts (it worked here :) )
   https://github.com/xeroc/bitshares-pytools/blob/master/user-tonewactivekey/main.py
Sample output:
Code:
# Reading accounts


## setting new active keys
-     a.delegate.xeroc
-     b.delegate.xeroc
-     c.delegate.xeroc
-     d.delegate.xeroc
-       delegate.xeroc
-     e.delegate.xeroc
Error changing active key for exchange.xeroc. Probably not able to pay. Please fund account.
-       exchange.xeroc
Error changing active key for exchange.xeroc. Probably not able to pay. Please fund account.
-     f.delegate.xeroc
-        payouts.xeroc
-     xeroc-delegate-1
-     xeroc-delegate-2
-     xeroc-delegate-3
-     xeroc-delegate-4
-     xeroc-delegate-5
-     xeroc-delegate-6
-     xeroc-delegate-7
-     xeroc-delegate-8
-     xeroc-delegate-9


## waiting two blocks to confirm


## moving funds to new active keys
--       exchange.xeroc : sending XXXXXXXX BTC
--       exchange.xeroc : sending XXXXXXXX EUR
--        payouts.xeroc : sending XXXXXXXX EUR
--        payouts.xeroc : sending XXXXXXXX USD
--     xeroc-delegate-1 : sending XXXXXXXX EUR
--     xeroc-delegate-1 : sending XXXXXXXX USD


## waiting two blocks to confirm

## new active keys
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wallet_import_private_key 5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

DISCLAIMER:

THE TUTORIAL IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
« Last Edit: July 31, 2019, 08:40:56 am by xeroc »
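
Steps 4 and 6 of the tutorial above carry the new active key from one wallet to another as a WIF string. The following is an added example, not part of the original post or of the linked script, that checks such a string offline for transcription errors before it is imported. It assumes the dumped key uses the Bitcoin-style uncompressed WIF encoding (base58, version byte 0x80, 4-byte double-SHA256 checksum), consistent with the 5... keys in the sample output; the function names and the sample key are constructed for illustration.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    # First 4 bytes of SHA256(SHA256(payload)); assumed WIF checksum scheme.
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError if ch is outside the alphabet
    pad = len(text) - len(text.lstrip("1"))
    return b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def wif_encode(secret: bytes) -> str:
    payload = b"\x80" + secret
    return b58encode(payload + _checksum(payload))

def check_wif(wif: str) -> str:
    """Return 'ok', or the reason the string should not be imported."""
    try:
        raw = b58decode(wif.strip())
    except ValueError:
        return "invalid base58 character"
    if len(raw) != 37:              # 1 version + 32 key + 4 checksum bytes
        return "wrong length"
    if raw[0] != 0x80:
        return "wrong version byte"
    if _checksum(raw[:33]) != raw[33:]:
        return "checksum mismatch"
    return "ok"

# Constructed sample key (bytes 1..32); not a key from the page or any wallet.
SAMPLE_WIF = wif_encode(bytes(range(1, 33)))
# Constructed one-character copy error in the middle of the string.
_swap = "a" if SAMPLE_WIF[20] != "a" else "b"
TYPO_WIF = SAMPLE_WIF[:20] + _swap + SAMPLE_WIF[21:]

if __name__ == "__main__":
    for label, wif in (("sample", SAMPLE_WIF), ("typo", TYPO_WIF)):
        print(label, check_wif(wif))
```

Run the check on the machine that already holds the key, so the WIF string is not copied to another host just to be validated.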