How to secure your IOTA wallet and migrate from Light Wallet to Trinity
Quick Intro to IOTA and Tangle
IOTA is a transactional and data transfer layer aiming at the Internet of Things.
It uses a distributed ledger called Tangle which scales better than blockchain. The more Tangle gets used the more efficient it becomes.
The Tangle ledger is based on distributed technology called DAG (directed acyclic graph). Each transaction forms its own “block” and is essentially verified by itself.
To put your transaction through, your device has to verify two other randomly chosen older transactions in the network. This is done with a simplified version of proof-of-work. Thanks to this solution for network confirmations, transaction cost is essentially zero. (It also opens the ledger to new kinds of attacks though.)
That in turn makes IOTA ideal for automated transactions in the IoT.
In 2019, IOTA trading has spread widely from the initial two markets on Bitfinex and CoinSpot.
How to store IOTA: Light Wallet and Trinity
IOTA Light Wallet
The official and until recently the most used IOTA wallet was simply a GUI for your seed, where the seed is not even generated for you - you need to do it yourself.
That was the IOTA Light Wallet, still available from the official iotaledger github for Windows, Mac and Linux - but not updated in about a year.
If you ever used the IOTA Light Wallet you will know about its perks - “Can’t connect to remote node”, “Can’t sync”, the notorious zero balance issue and more.
IOTA Trinity Wallet & Ledger Nano S
The IOTA team has recently released a new wallet called Trinity that is in public beta at the time of writing. You can import your old seeds into it and protect them with a password which is more user-friendly. I encourage you to move some of your IOTA there (obviously, there can still be bugs).
The Trinity wallet is also the software you will need to hold IOTA on your Ledger Nano S, which is newly an option too.
How to migrate from IOTA Light Wallet to IOTA Trinity
- Download and install the Trinity wallet from the releases page on IOTA’s github: github.com/iotaledger…
- Create a new default wallet: The Trinity wallet is a multi-seed vault protected by a master password. You cannot “recover” your Light Wallet address by directly importing old seed like you would do when changing Bitcoin wallets. You’ll first need to create a default wallet in the Trinity vault, set a master password and then you can start importing additional seeds into the vault.
- Click the add ‘Add new account’ in the left sidebar of Trinity: This will lead you to the interface where you can insert your seed.
- Submit your old seeds: Copy-pasting is disabled for security reasons. You get the option to drag and drop a text file that contains your seed but for me that did not work, Trinity kept claiming the file’s corrupt. If this happens to you just open the text file and re-type the seed into the dialog. It will work.
- Check your balance: After this you should be able to see your correct balance right away.
How to Generate IOTA seed
IOTA seed is a string of 81 characters consisting only of uppercase latin letters and 9’s (there has to be at least one ‘9’ in the seed).
The seed string can be absolutely anything, as long as it’s 81 characters of uppercase latin letters and 9s. There are websites that generate the seed for you but in this way you are depending on their good will of not snooping on you, so this way of seed generation shouldn’t be encouraged.
I wanted to create a short program to show that this type of password is also insecure. Using Python with a few simple libraries, I created this script that generates a password list based on a given artist. Discovering someone’s favorite band is pretty easy… that sort of thing is plastered all over social media, and it’s usually something people will provide when asked by anyone. (via privsec.blog, includes the python code)
On Linux and Mac, hands down the best option is to open up the terminal and generate a random string like this:
cat /dev/urandom |LC_ALL=C tr -dc 'A-Z9' | fold -w 81 | head -n 1
If you want to store your seed on paper, simply write it down now and you are done here.
If you want to store your IOTA seed on a computer you need to encrypt it. The best way is to encrypt the seed right after its generation, without having had the plaintext seed on your laptop at all:
cat /dev/urandom |LC_ALL=C tr -dc 'A-Z9' | fold -w 81 \ | head -n 1 | openssl enc -aes-256-cbc -salt -out paranoia.enc
The command above will ask you for password - choose something strong. You can verify the file is encrypted by trying
cat paranoia.enc. If you want a different cipher check what’s available with
openssl list-cipher-algorithms. Allegedly the 256bit AES is still what the US government uses to encrypt information at the Top Secret level. Salt (
-salt) adds strength to the encryption and makes it harder to do a dictionary attack.
Decrypting the file on Mac goes like this:
openssl enc -d -aes-256-cbc -in paranoia.enc | pbcopy
The first part before the pipe is the decrypting,
pbcopy is a command that will dump the seed into your clipboard so that the seed won’t get printed out into your terminal’s display. You should have
pbcopy by default on Mac. When you open your IOTA wallet and press
Cmd+V it will be the first time you are ever seeing your IOTA seed.
This way the seed will be decrypted without creating a file on the disk for it - it will only be in the memory for a short while. It is far from bulletproof but it is better than generating a plaintext file with the seed on your hard drive and then trying to securely remove it.
The above is also a better way rather than writing the string into a file and then encrypt it which brings up the problem with secure removal of files:
cat /dev/urandom |LC_ALL=C tr -dc 'A-Z9' | fold -w 81 | head -n 1 >> testfilename openssl enc -aes-256-cbc -salt -in testfilename -out file.enc
Copying into clipboard on a Linux laptop:
On Linux (with display) you will need the
xclip package. To get to the clipboard available from
CTRL+V do this:
openssl enc -d -aes-256-cbc -in paranoia.enc | xclip -sel clip
IOTA offline wallet (true cold storage)
As mentioned before, IOTA is now supported by Ledger Nano S devices. The community sometimes calls Ledger the ‘cold storage’ - nonetheless, hardware wallets are a black box, you don’t know what’s in the hardware or whether there are vulnerabilities in the code. If you are a somewhat confident command line user, I encourage you to take more charge of your crypto holdings.
The previous section about generating the IOTA seed can be upgraded into a cold storage solution if it’s done on an air-gapped laptop or a Raspberry Pi: a clean, secure device that is not connected to the internet and when it has ever been, it was to download packages from official repos and sync blockchains - not to watch hentai from dodgy servers with malware in ads.
IOTA GUI wallet: Generating receiving address online
You do need an internet connection to install the IOTA wallet (the GUI) and to login and see your receiving address but the seed generation via command line doesn’t need internet at all. If you have a separate device for coins and go offline for the generation, then open your wallet and copy your address in the Receive tab and move that address only to your computer for normal daily use, and only connect to the internet on your storage computer to check balances when withdrawing, that’s reasonably safe.
Even colder version - IOTA Paper Wallet: Generating IOTA receiving address offline
There is also this offline tool for IOTA paper wallet generation by /u/mothermole1 on Github. You’ll need an online computer that can run nodejs apps to download the zip from Github. After unzipping generate the offline app - for Linux and Mac:
cd IOTA-Paper-Wallet rm out/* npm install npm run build
Now for the work on your offline device:
- Safely transfer the generated
outdirectory into your offline machine that has a display and a web browser.
- With the offline app generation there was also a sha256 checksum generated into
checksum.mdinto the root of your repo on your online computer. On your offline machine you should check the integrity of the transferred zip file now. On Linux,
sha256sum offline-build.zip. If you are posh enough to have an offline Mac it goes
shasum -a 256 offline-build.zip.
- Unzip the offline build and enter the directory.
- Open index.html in a web browser.
- If you haven’t already, generate your encrypted seed and decrypt it into your clipboard now - as described above.
- Paste your seed into the input field in the web app and click “Generate” to collect your receiving address or print your paper wallet.
Image: IOTA paper wallet - Your seed is in the left & upper parts, your receiving address in the right & bottom parts.
The receiving address is public and it’s the only information that has to leave your offline device. You can use it to check your balance from an online machine via an address explorer. This way your storage device doesn’t need to connect to the internet until you want to send a transaction.
getNewAddress method to generate the receiving address from a seed on an offline device. Here is the lib in the paper wallet app, here on IOTA’s Github - so that you can do a
quickdiff.com. If you are paranoid about using an app the code of which you won’t read, there is a simplified tutorial version that doesn’t require node on https://github.com/domschiener/iota-address-generator, which is linked from the official basic tutorial on learn.iota.org.
Where to learn more on how to store IOTA
- IOTA has a good and very active subreddit r/iota. The developers are on Reddit and hold AMAs regularly. Technical questions are welcome.
- For traders, IOTAmarkets is also very lively.
- The IOTA official blog lives at https://medium.com/iotatangle.
- iota.cool is the IOTA address explorer.
- There is a neat tangle visualizer at https://tangle.blox.pm
Thanks /u/2t6vFAdRMsRl and /u/MrStormLars for contributing good ideas.