KiChain: How to use Ledger to secure your XKIs transactions

Tarek Awwad
Ki Foundation
Mar 2, 2021

Welcome to the Ki-steps series, a sequence of how-to posts where we explain the detailed steps to perform more or less advanced tasks on the KiChain. In this post, we will explain the process of securing your XKIs and your transactions using a Ledger hardware wallet.

Disclaimer: Ledger is not the only hardware wallet technology available on the market. However, it is the most used and tested one, seems extremely secure and is natively supported by all Cosmos SDK based blockchains. Trezor is another known hardware wallet. At the time being, Trezor does not support Cosmos-based chains.

Why use a hardware wallet?

TL;DR: Securing a wallet passphrase is a key element in securing its assets. Not exposing the passphrase to anyone is the only way to ensure its safety. A hardware wallet allows a wallet owner to transact with their assets while never exposing their passphrase to any third party.

Thanks to cryptography, a blockchain is an intrinsically secure and tamper-proof store of value and data (i.e., of crypto assets). If implemented correctly, a blockchain can guarantee that some given assets are held by a specific account and can prove that some given assets have been transferred between a specific account and another. Moreover, a blockchain can — in some regulated configurations — associate an account with a natural or legal person. However, it has no means of ensuring that, at the moment of transacting, this person actually controls the account, at least not without adding a lot of UX friction that is unrelated to the blockchain itself.

In blockchain terms, an account or a wallet is defined by a private key, which in turn is derived from a passphrase (a.k.a. a mnemonic, or “the 12/24 words”). This passphrase can be seen (in a simplistic way) as the human-readable version of the usually encoded private key. By definition, having access to the passphrase is equivalent to owning the associated wallet and its assets. Therefore, securing someone’s assets boils down to securing the passphrase of the wallet where these assets are “stored”, and ensuring that nobody else has access to this passphrase.

Over the lifetime of a passphrase (from its creation until it is discarded and no longer used), there are 4 situations where this passphrase might be exposed to third-party apps or tools, that is:

  1. During the passphrase generation.
  2. While importing it to a wallet app.
  3. When signing transactions.
  4. While it is stored.

Generating a passphrase in a secure manner is easily feasible, as it requires minimal code and no internet connection. Importing a passphrase to a wallet application is per se a way of exposing it. This is not to say that wallet apps are not secure or that the passphrase will be accessible by anyone. It rather means that a passphrase cannot be considered sufficiently safe when it lives in a tool that is connected to the internet and that needs to decrypt it when signing a transaction. Storing a passphrase in a wallet app is known as hot storage. It has the advantage of being practical and user friendly.

Theoretically, securely storing a passphrase can be achieved by writing it down on a piece of paper and storing it in a secure place such as a personal safe or a bank safe box. For redundancy, a copy of the passphrase can be created and stored in another secure place. While very secure (under some physical accessibility assumptions), this manner of storing a passphrase is rather impractical if the asset owner intends to use their assets frequently (e.g., to transfer, stake, lend or swap them). In other words, this method is suited to cold storage.

Hardware wallets hit the sweet spot between the security of cold storage and the convenience of a hot wallet. In a nutshell, a hardware wallet secures a passphrase using two measures:

  1. The passphrase is stored on a chip which interacts with the outside world exclusively through the verified on-chip code and protocol.
  2. The passphrase never leaves the hardware, even when connected to a computer. To sign a transaction, the transaction data are transferred to the hardware wallet where the stored passphrase is used, upon the user's confirmation, to sign the transaction, and only the signature is sent back to the computer/wallet app.

The remainder of this post is a tutorial that takes you through the steps needed to start using your Ledger hardware wallet to sign KiChain transactions.

🤓 Pro Tip : Always ensure that you are using genuine tools and material from Ledger by referring to official stores and software pages.

How to use Ledger with ki-tools?

To sign and broadcast transactions on the KiChain using Ledger, get your Ledger (Nano S or Nano X) and follow these steps:

Download Ki-tools

ki-tools is a command-line tool that allows a user to interface with the KiChain. To get it, clone and build ki-tools by following this tutorial. Make sure that you’re using the ledger branch by checking it out as follows:

git checkout ledger

To test the installation run the following command:

kid version --long 

Which should output the following:

name: ki-tools
server_name: kid
client_name: kicli
version: 0.1-14-g5814c4b-Mainnet
commit: 5814c4bd64a2a2f7d388d9155c2d4b69b11fb03c
build_tags: netgo,ledger
go: go version go1.13.5 linux/amd64

Download Ledger Live and install the Cosmos app

Now that ki-tools is running on your system, download and install Ledger Live from the official page. Once done, connect your Ledger to your computer. Ledger Live will detect it and in some cases perform an authenticity check to verify that you have authentic Ledger hardware and firmware. Finally, head to the Manager tab, search for the Cosmos app and install it. This will add the Cosmos app to your Ledger, which allows you to interface with all of the Cosmos SDK based blockchains.

Add a key to your Ledger

After installing the Cosmos app, it is time to store your passphrase on the Ledger wallet. To learn how to perform this task, please refer to this instruction video if you are using a Ledger Nano S, or this one if you are using the Nano X, in Ledger's detailed official documentation.

🤓 Pro Tip : This tutorial is not intended to introduce you to using Ledger. Please refer to Ledger’s documentation to get familiar with their devices before storing your keys on them.

Using kicli with Ledger

The ki-tools commands used to manage keys and send transactions with a key stored on a Ledger are pretty similar to those used with a key stored in kicli‘s keychain (i.e. the basic context). The only difference is that the --ledger flag should be added to indicate that the key being used is stored on a Ledger hardware wallet.

Consequently, a new wallet key can be created as follows:

kicli keys add <wallet-name> --ledger

To send transactions, launch the Cosmos app on your Ledger and start by generating the transaction as usual. Here is an example of how to launch a transfer transaction:

kicli tx send <sender-address> <recipient-address> <amount> --from <wallet-name> --ledger --chain-id=kichain-1 --gas-prices=0.025uxki

The Ledger will prompt you to validate and approve the transaction. Once you approve this transaction, kicli will automatically broadcast it.

🤓 Pro Tip : As always with ki-tools, a KiChain node is required to relay your transaction. If you are using your own local node with the default configuration, then kicli will automatically query this node. If you are using a custom node or a remote node, use the --node flag followed by your node's RPC address and port number.

Staking transactions (i.e. delegation, unbonding and redelegation) work in the exact same way. Please refer to this post to learn how to stake with ki-tools.

⚠️ A hardware wallet secures your assets by securing your passphrase. However, compromising your passphrase is not the only way to steal your assets. Indeed, if you intend to send X tokens to a wallet A, Ledger, or any hardware wallet, cannot prevent you from signing a transaction that transfers Y tokens to a wallet B. That is to say, if you don’t verify the information of the transaction you are about to sign, there is a multitude of ways to trick you into signing a fraudulent transaction. Read here about a recent similar case. Be vigilant!
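One way to compare a transaction with what you intend before approving it, as an added example (not code from ki-tools or the Ki Foundation). It assumes the transaction was first written out unsigned, for instance with the Cosmos SDK `--generate-only` flag (assumed to be inherited by kicli), and that the JSON follows the amino `cosmos-sdk/StdTx` layout; the addresses and amounts are constructed placeholders.

```python
import json

# Constructed placeholder addresses (not valid bech32, for illustration only).
SENDER, RECIPIENT, OTHER = "ki1senderplaceholder", "ki1recipientplaceholder", "ki1otherplaceholder"

def check_unsigned_tx(tx_json, sender, recipient, amount, denom, max_fee):
    """Return the mismatches between an unsigned StdTx and the intended transfer."""
    problems = []
    tx = json.loads(tx_json)["value"]
    msgs = tx.get("msg") or []
    # Every message in the tx is covered by the one signature, so allow exactly one.
    if len(msgs) != 1:
        problems.append(f"expected 1 message, found {len(msgs)}")
    for msg in msgs:
        if msg.get("type") != "cosmos-sdk/MsgSend":
            problems.append(f"unexpected message type: {msg.get('type')}")
            continue
        body = msg["value"]
        if body.get("from_address") != sender:
            problems.append(f"sender mismatch: {body.get('from_address')}")
        if body.get("to_address") != recipient:
            problems.append(f"recipient mismatch: {body.get('to_address')}")
        coins = [(c["denom"], c["amount"]) for c in body.get("amount") or []]
        if coins != [(denom, str(amount))]:
            problems.append(f"amount mismatch: {coins}")
    # The fee is also paid from the signing account, so cap it.
    for coin in tx.get("fee", {}).get("amount") or []:
        if coin["denom"] != denom or int(coin["amount"]) > max_fee:
            problems.append(f"fee outside limit: {coin['amount']}{coin['denom']}")
    return problems

def sample_tx(to_address, amount):
    """Constructed sample in the assumed StdTx layout (not real kicli output)."""
    return json.dumps({"type": "cosmos-sdk/StdTx", "value": {
        "msg": [{"type": "cosmos-sdk/MsgSend", "value": {
            "from_address": SENDER, "to_address": to_address,
            "amount": [{"denom": "uxki", "amount": str(amount)}]}}],
        # 200000 gas at 0.025uxki per unit of gas = 5000uxki
        "fee": {"amount": [{"denom": "uxki", "amount": "5000"}], "gas": "200000"},
        "signatures": None, "memo": ""}})

if __name__ == "__main__":
    # Intended: 1000000uxki to RECIPIENT. The second tx sends 5000000uxki to OTHER.
    for tx in (sample_tx(RECIPIENT, 1000000), sample_tx(OTHER, 5000000)):
        issues = check_unsigned_tx(tx, SENDER, RECIPIENT, 1000000, "uxki", 10000)
        print("OK to review on device" if not issues else issues)
```

This check runs on the computer, so it complements reading the recipient and amount on the Ledger screen rather than replacing it.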

Building and using a command-line tool might not be an easy task for everyone. Therefore, we are working on integrating Ledger support into the Ki Desktop Wallet. Meanwhile, check out the following posts to learn more about the KiChain:

Tarek Awwad
Ki Foundation

Computer Scientist - PhD - Chief Blockchain Architect @Ki_Foundation - #Blockchain #DistributedSystems #Crowdsourcing #MachineLearning #DataMining