-
Notifications
You must be signed in to change notification settings - Fork 125
Concept: Commandline wallet with decent security
Currently the main purpose of the substrate-api-client is to use it as a library from within another software component. Specifically it assumes, that the storage of the keys (used for the transactions) is taken care of in the software using the api-client. For certain usecases this is insufficient, especially when the command-line-interface (CLI) is used to make transactions. We want to extend the current implementation by adding the possibility to use keys, that are stored with encryption, and in a second step also two-factor-authentication.
##Current situation The api client offers a keystore that stores the keypair into an object and to write that object to a file. The users have to handle the file themselves. The integritee worker for example (https://github.com/integritee-network/worker) makes use of it. However, other users should have the possibility to store their keypair in a more convenient way.
Currently the user has to set the private key which is stored in the application state and loaded from there for signing the extrinsic:
We want a wallet that stores the keys in a file and takes over the file handling and encryption.
In a first step we store a password protected private key in a file. The ssh private key works as an example.
In a second step we enhance the password protection of the private key by a second factor from the Yubikey. There is a library for RUST: https://crates.io/crates/yubico.
There are 2 possibilities:
For the encryption we use substrate's primitives in crypto.rs. The protected key will be stored in a file. The plan is to use the same encryption algorithm, as currently.
If we keep the private key in the state of the software, it could be read from the RAM by a local attacker. To prevent this, we use the Rust library Secret to manage the key from within our software.