Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Best Practices: fix relative pathnames #1359

Open
wants to merge 2 commits into
base: staging
Choose a base branch
from
Open

Security Best Practices: fix relative pathnames #1359

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
45ae115
air-gap, secure-workflow: standardising intra-Portal links as docs/*.md
rphair Nov 21, 2024
b6d2eb2
Merge branch 'staging' into airgap-fix-node-install-link
rphair Feb 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions docs/get-started/air-gap.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -205,7 +205,7 @@ sudo apt upgrade

This is recommended because it will give you a means of taking password-encrypted notes that can move between your air gap and computer host environments *in both directions*, so you can:

- record transaction details from your home computer environment & Internet connected machines, for use in the air gap (as per [Secure Workflow](./secure-workflow)):
- record transaction details from your home computer environment & Internet connected machines, for use in the air gap (as per [Secure Workflow](docs/get-started/secure-workflow.md)):
- your Cardano account balances, UTxO addresses & payment addresses
- notes from personal files & web sites about the work you will be doing within the air gap (since you won't have Internet access there);
- take notes in the air gap environment (problems, error messages) to copy back to your computer, since you can't upload them through the air gap.
Expand Down Expand Up @@ -244,7 +244,7 @@ This confirms that your system will start properly after having updated your sys

Use the standard instructions here at the Developer Portal:

- **[Installing cardano-node and cardano-cli from source](../get-started/cardano-node/installing-cardano-node)**
- **[Installing the node from source](docs/get-started/cardano-node/installing-cardano-node.md)**

Note this will build `cardano-node` as well as `cardano-cli`, but don't worry: you won't be running a node inside the air gap. 😜

Expand Down Expand Up @@ -277,7 +277,7 @@ Therefore, you can [find your WiFi MAC address](https://help.ubuntu.com/stable/u

### Congratulations, your air gap environment is complete!

You now have a safe place you can use for your [Secure Transaction Workflow](./secure-workflow).
You now have a safe place you can use for your [Secure Transaction Workflow](docs/get-started/secure-workflow.md).

## Option 2: Install your air gap environment on a persistent USB drive

Expand All @@ -299,7 +299,7 @@ If this appeals to you, and you don't mind following a more complicated and erro
This loosely documented configuration has been called the **Frankenwallet**, with separate instructions at these links which mostly follow the procedure above:

- **[The Frankenwallet](https://cosd.com/frankenwallet)** - detailed external web site, including semantics for using your bootable USB environment in secure & blockchain workflow
- [Get Started with the Frankenwallet](/docs/operate-a-stake-pool/frankenwallet) - one-page summary here on the Developer Portal
- [Get Started with the Frankenwallet](docs/operate-a-stake-pool/frankenwallet.md) - one-page summary here on the Developer Portal

:::warning

Expand Down
35 changes: 15 additions & 20 deletions docs/get-started/secure-workflow.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,45 +14,45 @@ Payment keys can never be stored, even for a moment, on an Internet connected ma

:::

Therefore we present a secure, standard workflow for this sequence of `cardano-cli` commands for a simple, single transaction for funds transfer:
Therefore we present a secure, standard workflow for `cardano-cli` commands like the ones presented without consideration of security here:

- **[Create Simple Transaction](/docs/get-started/create-simple-transaction)** (*insecure* version)
- **[Create Simple Transaction](docs/get-started/cardano-cli/get-started/simple-transactions.md)**

Once you feel comfortable doing a simple transaction securely, you'll also be able to use it to securely execute these more complex transactions as well:

- [Minting Native Assets](../native-tokens/minting)
- [Minting NFTs](../native-tokens/minting-nfts)
- [Registering a Stake Address](/docs/operate-a-stake-pool/register-stake-address)
- [Registering a Stake Pool](/docs/operate-a-stake-pool/register-stake-pool)
- [Minting Native Assets](docs/native-tokens/minting.md)
- [Minting NFTs](docs/native-tokens/minting-nfts.md)
- [Registering a Stake Address](docs/operate-a-stake-pool/register-stake-address.md)
- [Registering a Stake Pool](docs/operate-a-stake-pool/register-stake-pool.md)

### A model for a secure transaction

All transactions will be done in these 3 steps:

1. on Internet connected computer:
- **Assemble** all transaction details (from Cardano node or other query) in a file & save it to a removable device.
2. in [air gap environment](./air-gap):
2. in [air gap environment](docs/get-started/air-gap.md):
- **Build** information from this file into a signed transaction & save the Tx file back on the same device (note `Tx` = "transaction").
3. on Internet connected computer:
- **Upload** the Tx file to your Cardano node and submit it.

Therefore, the payment signing key (the private component of the [Cardano wallet address key pair](../operate-a-stake-pool/cardano-key-pairs#wallet-address-key-pairs)) **never leaves the air gap environment**. This is vital because:
Therefore, the payment signing key (the private component of the [Cardano wallet address key pair](docs/operate-a-stake-pool/cardano-key-pairs.md#wallet-address-key-pairs)) **never leaves the air gap environment**. This is vital because:

- A standard assumption in security is that *any* Internet connection on *any* computer creates opportunities for malicious people or programs to copy, view, or modify *anything* unencrypted on that computer.
- Unlike transactions with cryptocurrency wallet software, in which the wallet's private payment keys are carefully encrypted and securely managed, the payment key (in this documentation, `payment.skey`) used for the raw transactions of development & stake pool operations is *not encrypted*.
- This means that this file stored anywhere on your Internet connected computer or server, even for an instant, creates an opportunity for the funds at that address (`payment.addr`) to be ***lost***.

## Prerequisites

### Your [air gap environment](./air-gap)
### Your [air gap environment](docs/get-started/air-gap.md)

Follow [these instructions](./air-gap) to procure the environment (usually a dedicated "air gap machine") if you haven't already.
Follow [these instructions](docs/get-started/air-gap.md) to procure the environment (usually a dedicated "air gap machine") if you haven't already.

### Move any existing keys inside the air gap

Second, if you've been running your applications, token/NFT generation, or stake pool with keys stored on any Internet connected machine (whether desktop or server):

- Move all those keys onto the air gap host and [securely delete](../get-started/air-gap#install-secure-deletion-tools) the originals.
- Move all those keys onto the air gap host and [securely delete](docs/get-started/air-gap.md#install-secure-deletion-tools) the originals.
- Also, seriously consider whether those resources should be rebuilt due to the exposure of those private keys.

To simplify the commands below, this guide assumes you will store all your keys and addresses *in the same single directory* where you will be building your transactions.
Expand All @@ -66,12 +66,7 @@ Format a memory stick on a machine you believe to be secure, and then (to be on

## Steps of a secure transaction

This is rewritten from page [Create Simple Transactions](/docs/get-started/create-simple-transaction) (only considered secure to run on a testnet) with the following exception:

- [Determining the TTL (time to Live)](/docs/get-started/create-simple-transaction#determine-the-ttl-time-to-live-for-the-transaction) for the transaction is omitted, along with setting this value in the transaction itself, to simplify the information-gathering step.
- This poses no security risk since an omitted TTL value allows a Tx file to be used indefinitely *but* submitting that Tx will change the UTxO set so that submitting that transaction again will be impossible.

Also note that in general your "Internet connected machine" and your "Cardano node" will be two separate systems, and you will have to transfer files from one to the other with programs like [`rsync`](https://linux.die.net/man/1/rsync).
Note that in general your "Internet connected machine" and your "Cardano node" will be two separate systems, and you will have to transfer files from one to the other with programs like [`rsync`](https://linux.die.net/man/1/rsync).

- So if you're running your Cardano node on a home machine (or using the Daedalus node port, for instance), where it says "upload" you only have to copy such files to where you can access them on that node.

Expand Down Expand Up @@ -203,13 +198,13 @@ cardano-cli conway transaction submit \
--mainnet
```

Then check for a successful transaction by whatever means you prefer, e.g. as illustrated in [Check the balances](/docs/get-started/create-simple-transaction#check-the-balances).
Then check for a successful transaction by whatever means you prefer, e.g. a [Cardano Explorer](https://explorer.cardano.org/).

## FAQ

### Why can't I use `cardano-cli conway transaction build`?

This is a convenient command to avoid the ["change" (return UTxO) calculation](../get-started/secure-workflow#calculate-the-change-to-send-back-to-paymentaddr) which requires you to prepare a test transaction, estimate fees, and calculate a final value of the funds to be moved. Instead, `transaction build` sends back "change" to a designated address.
This is a convenient command to avoid the ["change" (return UTxO) calculation](#calculate-the-change-to-send-back-to-paymentaddr) which requires you to prepare a test transaction, estimate fees, and calculate a final value of the funds to be moved. Instead, `transaction build` sends back "change" to a designated address.

Some consider this so much easier to use that ***all*** transactions should be performed with this command, as discussed here:

Expand All @@ -230,4 +225,4 @@ These are not directly related to transactions, and will all eventually be addre
- making encrypted backups of your private keys (so they can be kept offsite / stored outside your air gap environment)
- keeping secure (encrypted) records of your stake pool & development resources

For ideas on secure backup & record-keeping, see [Get Started with the Frankenwallet > Making & verifying backups of assets & keys](/docs/operate-a-stake-pool/frankenwallet#making--verifying-backups-of-assets--keys).
For ideas on secure backup & record-keeping, see [Get Started with the Frankenwallet > Making & verifying backups of assets & keys](docs/operate-a-stake-pool/frankenwallet.md#making--verifying-backups-of-assets--keys).
Loading