Key Management¶
Ledger support¶
It is possible and advised to use a hardware wallet to manage your keys, Dune’s client supports Ledger Nano devices provided that you have a Dune app installed. The app is developed by Origin Labs and they provide a comprehensive tutorial on how to install it.
Dune Wallet Mode¶
Now on the client we can import the keys (make sure the device is in the Dune Wallet app):
./dune-client list connected ledgers
You can follow the instructions to import the ledger private key and you can choose between the root or a derived address. We can confirm the addition by listing known addresses.
./dune-client import secret key my_ledger ledger://dn1XXXXXXXXXX
./dune-client list known addresses
Optional: we can check that our ledger signs correctly using the following command and confirming on the device:
dune-client show ledger path ledger://dn1XXXXXXXXXX
The address can now be used as any other with the exception that during an operation the device will prompt you to confirm when it’s time to sign an operation.
Dune Baking Mode¶
There is a Baking Mode app which allows a delegate to sign non-interactively e.g. there is no need to manually sign every block or endorsement. You can switch to it with:
- ::
- dune-client dune ledger becomes baking my_ledger
This mode restricts the application to sign exclusively blocks and endorsement operations; it is not possible to sign for example a transfer. Furthermore the application keeps track of the last level baked and allows only to bake for increasing levels. This prevents signing blocks at levels below the latest block signed.
If you have tried the app on Testnet and want to change network you might need to reset this level with the command:
dune-client set ledger high watermark for ledger://dn1XXXXXXXXXX to 0
Signer¶
Another solution to decouple the node from the signing process is to
use the remote signer.
Among the signing scheme supported by the client, that we can list
with dune-client list signing schemes
, there are unix
,
tcp
, http
and https
.
These schemes send signing requests over their respective
communication channel towards the dune-signer
, which can run on a
different machine that stores the secret key.
In our home server we can generate a new key pair (or import one from a
Ledger) and launch a signer that signs operations using these
keys.
The new keys are store in $HOME/.dune-signer
in the same format
as dune-client
.
On our internet facing vps we can then import a key with the address
of the signer.
home~$ dune-signer gen keys alice
home~$ cat ~/.dune-signer/public_key_hashs
[ { "name": "alice", "value": "dn1abc..." } ]
home~$ dune-signer launch socket signer -a home-ip
vps~$ dune-client import secret key alice tcp://home-ip:7733/dn1abc...
Every time the client on vps needs to sign an operation for alice, it sends a signature request to the remote signer on home. Note that this setup alone is not secure, the signer accepts requests from anybody and happily signs any transaction!
Secure the connection¶
Improving the security of the communication channel can be done at the
system level, setting up a tunnel with ssh
or wireguard
between home and vps, otherwise the signer already provides an
additional protection.
With the option --require-authentication
the signer requires the
client to authenticate before signing any operation.
First we create a new key on the vps and then import it as an
authorized key on home where it is stored under
.dune-signer/authorized_keys
(similarly to ssh
).
Note that this key is only used to authenticate the client to the
signer and it is not used as a Dune account.
vps~$ dune-client gen keys vps
vps~$ cat ~/.dune-client/public_keys
[ { "name": "vps",
"value":
"unencrypted:edpk123456789" } ]
home~$ dune-signer add authorized key edpk123456789 --name vps
home~$ dune-signer --require-authentication launch socket signer -a home-ip
All request are now signed with the vps key thus you are
guaranteed authenticity and integrity.
This set up does not guarantee confidentiality, an evesdropper can
see the transactions that you sign but on a public blockchain this is
less of a concern.
You can still use the https
scheme or the tunnel to encrypt your
traffic.
Activate ICO account - Mainnet¶
If you took part in the Tezos ICO you can activate your account on the Dune Mainnet on https://check.tezos.com/ (even if you have not already activated it on Tezos). This feature is also included in some wallets. If you have any questions or issues, refer to that page or to the Tezos foundation for support.
You may also use dune-client
to activate your account, be
warned that you should have a very good understanding of key
management in Dune and be familiar with the command-line.
The first step is to recover your private key using the following
command which will ask for:
- the email address used during the fundraiser
- the 14 words mnemonic of your paper wallet
- the password used to protect the paper wallet
dune-client import fundraiser key alice
Once you insert all the required information, the client computes your secret key and it asks to create a new password to store your secret key on disk encrypted.
If you haven’t already activated your account on the website, you can use this command with the activation code obtained from the Dune foundation.
dune-client activate fundraiser account alice with <code>
Like explained above, your keys are stored under ~/.dune-client
.
We strongly advice you to first make a backup and then
transfer your tokens to a new pair of keys imported from a ledger (see
Ledger support).
Check the balance with:
dune-client get balance for alice