How to secure IOTA wallet
What is IOTA
IOTA is a transactional and data transfer layer aiming at the Internet of Things. It uses a distributed ledger called Tangle which scales better than Blockchain - the more it is used the more efficient it gets.
The tangle ledger is based on something called DAG (directed acyclic graph). Each transaction forms its own “block” and is essentially verified by itself. In order to put your transaction through you have to verify two other randomly chosen older transactions in the network. This is done with help of a very simple version of proof-of-work but the needed Proof-of-work is so cheap that the transaction cost is still essentially zero.
Thanks to this, through IOTA people can transfer money without any fees. This means that even tiny nanopayments can be made with IOTA - ideal for automated transactions in the IoT.
Currently you are only able to trade IOTA on Bitfinex and the Australian CoinSpot. The deposits and withdrawals on Bitfinex are a bit janky and there have been some concerns if Bitfinex is trusted at all considering the Tether controversy - read more about Bitfinex here. Recently new exchanges with IOTA integration were promised though.
Download IOTA wallet
There is no selection of full vs light clients like you might know from BTC and blockchain based altcoins. The official IOTA wallet interface is simply a GUI for your seed. Currently the seed is not generated for you - you need to do it yourself. IOTA seed is a string of 81 characters consisting only of uppercase latin letters and 9’s.
Download your IOTA wallet from the release section of the iotaledger github only:
The IOTA wallet is available for Windows, Mac and Linux (both as deb and rpm).
Generate IOTA seed
The seed string can be absolutely anything, as long as it’s 81 characters of uppercase latin letters and 9s. There are websites that generate the seed for you but in this way you are depending on their good will of not snooping on you, so this way of seed generation shouldn’t be encouraged.
I wanted to create a short program to show that this type of password is also insecure. Using Python with a few simple libraries, I created this script that generates a password list based on a given artist. Discovering someone’s favorite band is pretty easy… that sort of thing is plastered all over social media, and it’s usually something people will provide when asked by anyone. (via privsec.blog, includes the python code)
On Linux and Mac, hands down the best option is to open up the terminal and generate a random string like this:
cat /dev/urandom |LC_ALL=C tr -dc 'A-Z9' | fold -w 81 | head -n 1
If you want to store your seed on paper, simply write it down now and you are done here.
If you want to store your IOTA seed on a computer you need to encrypt it. The best way is to encrypt the seed right after its generation, without having had the plaintext seed on your laptop at all:
cat /dev/urandom |LC_ALL=C tr -dc 'A-Z9' | fold -w 81 \ | head -n 1 | openssl enc -aes-256-cbc -salt -out paranoia.enc
The command above will ask you for password - choose something strong. You can verify the file is encrypted by trying
cat paranoia.enc. If you want a different cipher check what’s available with
openssl list-cipher-algorithms. Allegedly the 256bit AES is still what the US government uses to encrypt information at the Top Secret level. Salt (
-salt) adds strength to the encryption and makes it harder to do a dictionary attack.
Decrypting the file on Mac goes like this:
openssl enc -d -aes-256-cbc -in paranoia.enc | pbcopy
The first part before the pipe is the decrypting,
pbcopy is a command that will dump the seed into your clipboard so that the seed won’t get printed out into your terminal’s display. You should have
pbcopy by default on Mac. When you open your IOTA wallet and press
Cmd+V it will be the first time you are ever seeing your IOTA seed.
This way the seed will be decrypted without creating a file on the disk for it - it will only be in the memory for a short while. It is far from bulletproof but it is better than generating a plaintext file with the seed on your hard drive and then trying to securely remove it.
The above is also a better way rather than writing the string into a file and then encrypt it which brings up the problem with secure removal of files:
cat /dev/urandom |LC_ALL=C tr -dc 'A-Z9' | fold -w 81 | head -n 1 >> testfilename openssl enc -aes-256-cbc -salt -in testfilename -out file.enc
Copying into clipboard on a Linux laptop:
On Linux (with display) you will need the
xclip package. To get to the clipboard available from
CTRL+V do this:
openssl enc -d -aes-256-cbc -in paranoia.enc | xclip -sel clip
IOTA cold storage
The previous paragraph can be upgraded into a cold storage solution if it’s done on an air-gapped laptop or a Raspberry Pi: a clean, secure device that is not connected to the internet and when it has ever been, it was to download packages from official repos and sync blockchains - not to watch hentai from dodgy servers with malware in ads.
IOTA GUI: Generating receiving address online
You do need an internet to install the IOTA wallet (the GUI) and to login and see your receiving address but the seed generation via command line doesn’t need internet at all. If you have a separate device for coins and go offline for the generation, then open your wallet and copy your address in the Receive tab and move that address only to your computer for normal daily use, and only connect to the internet on your storage computer to check balances when withdrawing, that’s reasonably safe.
Colder version: Generating receiving address offline
There is also this offline tool for IOTA paper wallet generation by /u/mothermole1 on Github. You’ll need an online computer that can run nodejs apps to download the zip from Github. After unzipping generate the offline app - for Linux and Mac:
cd IOTA-Paper-Wallet rm out/* npm install npm run build
Now for the work on your offline device:
- Safely transfer the generated
outdirectory into your offline machine that has a display and a web browser.
- With the offline app generation there was also a sha256 checksum generated into
checksum.mdinto the root of your repo on your online computer. On your offline machine you should check the integrity of the transferred zip file now. On Linux,
sha256sum offline-build.zip. If you are posh enough to have an offline Mac it goes
shasum -a 256 offline-build.zip.
- Unzip the offline build and enter the directory.
- Open index.html in a web browser.
- If you haven’t already, generate your encrypted seed and decrypt it into your clipboard now - as described above.
- Paste your seed into the input field in the web app and click “Generate” to collect your receiving address or print your paper wallet.
Image: IOTA paper wallet - Your seed is in the left & upper parts, your receiving address in the right & bottom parts.
The receiving address is public and it’s the only information that has to leave your offline device. You can use it to check your balance from an online machine via an address explorer. This way your storage device doesn’t need to connect to the internet until you want to send a transaction.
getNewAddress method to generate the receiving address from a seed on an offline device. Here is the lib in the paper wallet app, here on IOTA’s Github - so that you can do a
quickdiff.com. If you are paranoid about using an app the code of which you won’t read, there is a simplified tutorial version that doesn’t require node on https://github.com/domschiener/iota-address-generator, which is linked from the official basic tutorial on learn.iota.org.
Receiving and sending IOTA
If you want to receive IOTA for the first time you may click “Attach to tangle” in the IOTA wallet but it is not needed, you will receive your money without it just the same.
Sending is done from the GUI just by specifying the address and amount (be careful about the units).
Where to read more
- IOTA has a good and very active subreddit r/iota. The developers are on Reddit and hold AMAs regularly. Technical questions are welcome.
- For traders, IOTAmarkets is also very lively.
- The IOTA official blog lives at https://medium.com/iotatangle.
- iota.cool is the IOTA address explorer.
- There is a neat tangle visualizer at https://tangle.blox.pm
Thanks /u/2t6vFAdRMsRl and /u/MrStormLars for good ideas.