Multisig accounts and offline keys provide a great deal of added security, but are not always simple to set up. To help you get started, I’ve outlined the steps you will need to take to create a multisig account with Algorand and store keys offline on an air-gapped device.
For this tutorial, you will need at least 3 USB drives:
- “Ubuntu” to serve as a bootable Ubuntu USB device
- “Key” to hold the algokey binary and private keys
- “Transfer” to move transaction files to and from the offline computer
If you are going to store significant funds in the account being created, make sure that they USB drives are new, so there is no chance of any unwanted data or malware on the drives. It may seem excessive to use so many USB drives, but in the case of the private key drive, it is important that it never is plugged into a computer that is on the internet.
While the ideal approach to using multisig keys offline is to have a separate, dedicated laptop or computer, that will not be necessary to complete this tutorial. I will demonstrate how to use a bootable USB device in place of a dedicated offline machine.
Setting Up Your USB Drives
1. Download and Install the Algorand Node Software
On your online computer, download and install the Algorand node software. This software will be used to interact with the Algorand network. Installation instructions for Algorand node software on different platforms can be found here: https://developer.algorand.org/docs/introduction-installing-node
For my examples, the online computer will be running Ubuntu 18.04 with Algorand installed using the debian package from the official repositories using the following instructions: https://developer.algorand.org/docs/installing-ubuntu
2. Create an Ubuntu Bootable USB Device
In order to create an Ubuntu bootable USB device, you can follow the instructions below depending on your OS:
3. Label Your USBs
When we need to perform sensitive signing actions on our offline computer, we will boot our computer using the bootable USB device you have just created. Label it “Ubuntu” or something similar to identify it as the bootable USB device.
The second USB device will hold the algokey binary and the private keys that we will use to sign transactions on the offline computer. Just label this USB drive “Keys” or similar for now. Do not plug this drive into the online computer. This USB drive should never be plugged into any computer other than the offline computer. We will put the algokey binary on it in a later step.
The third USB drive will be used to transfer files to and from the online and offline computers. Label the drive “Transfer” or similar.
4. Copy the Algokey Binary to the Transfer USB
The algokey binary is part of the algorand node installation, but is a standalone executable that can be copied to a different computer running the same architecture / operating system without needing to perform a full node installation.
From our online computer that has a node installation based on the debian package, the algokey binary can be found at /usr/bin/algokey. Copy the algokey binary to the Transfer USB drive. We will later move algokey to the offline computer and ultimately to the Keys drive, but we will do that once we have the offline computer set up.
Creating an Algorand Multisig Account (Offline)
Let’s start by creating a new 3-of-5 multisig account that we will use to store Algo securely.
Before we start issuing commands, we need to use the Ubuntu USB drive to boot into our offline computer. Insert the Ubuntu USB drive into your computer and reboot the machine. You may need to enter the bios of your computer to tell the computer to boot from the USB device.
Once you are booted from the USB, you want to indicate that you want to try Ubuntu (not install Ubuntu).
After the computer is booted, you will be logged into an ephemeral Ubuntu desktop without networking. This will be our offline environment for signing transactions. Create a folder on the desktop that we will be working in. In the examples below, I called mine “tx.” Insert the Transfer USB device and copy the algokey binary to the tx directory. Open a terminal window to the tx directory and change the permissions of algokey to make it executable, and test running it to make sure everything is working:
ubuntu@ubuntu:~$ cd Desktop/tx ubuntu@ubuntu:~/Desktop/tx$ ll total 22472 drwxr-xr-x 2 ubuntu ubuntu 60 Sep 2 10:48 . drwxr-xr-x 4 ubuntu ubuntu 100 Sep 2 10:48 .. -rw-r--r-- 1 ubuntu ubuntu 23011080 Sep 2 10:48 algokey ubuntu@ubuntu:~/Desktop/tx$ chmod 755 algokey ubuntu@ubuntu:~/Desktop/tx$ ./algokey -h CLI for managing Algorand keys Usage: algokey [flags] algokey [command] Available Commands: export Export key file to mnemonic and public key generate Generate key help Help about any command import Import key file from mnemonic multisig Add a multisig signature to transactions from a file using a private key sign Sign transactions from a file using a private key Flags: -h, --help help for algokey Use "algokey [command] --help" for more information about a command. ubuntu@ubuntu:~/Desktop/tx$
We are going to use the algokey utility to create 5 accounts with 5 associated private keys. These accounts will later be combined to form one 3 of 5 multisig account. We perform this account creation step on the offline machine so that we can record the 5 secrets securely, and so that these secrets are never online. We will do this by running the “algokey generate” command 5 times.
ubuntu@ubuntu:~/Desktop$ ./algokey generate Private key mnemonic: expire wear husband fancy now until laundry token strong dignity arrow valley post raven pudding farm twin chalk cloud tenant cart off shop abandon trophy Public key: OBONCJ4D4WEUYFWRDLZEJOMAN22HWZGZPAEWSPK7S6VOIHDCAFR3ACUSTA ubuntu@ubuntu:~/Desktop$ ./algokey generate Private key mnemonic: lucky dust hub crew barely leave gas crew canvas exhibit margin mixed impose air wasp chat athlete sketch ozone humble parent rail remind abandon host Public key: P7ZEFUIWTABXLMC77P3DAE5ZMU7BDY3HZ4KF7ZXSPTCYKZ4AOCKGRZTCUE ubuntu@ubuntu:~/Desktop$ ./algokey generate Private key mnemonic: draft mule stamp run absent congress leopard notice minute hungry fresh physical flee favorite cram green salad promote remember route assume gentle early absorb during Public key: JPPERBQVBGKHMKTVZUOQKSZHVDYMC3AYYD6NHT355HEZHZXW5CLNUIMJT4 ubuntu@ubuntu:~/Desktop$ ./algokey generate Private key mnemonic: primary tone inquiry video bicycle satisfy combine pony capable stamp design cable hub defy soup return calm correct cram buyer perfect swim tone able math Public key: GW5J5C2X7L7F2NIWISELS5EQI74Y5W6VDZ2W45NLIYY256EUYLKORY7AJE ubuntu@ubuntu:~/Desktop$ ./algokey generate Private key mnemonic: seminar screen join potato illegal vacuum predict measure cable reject crazy document edit erosion decline giggle neutral theory orient keen slow walnut reject absorb rain Public key: ANQADWSXUDMOHYYOVAKII3COO3KIBBXXLFF2RPSCFIVXQJZOZ76DKR5YPU ubuntu@ubuntu:~/Desktop$
A few important things to note. First, you will get different accounts and secrets when you run “algokey generate.” DO NOT USE THE ACCOUNTS LISTED ABOVE, they are example accounts created for this tutorial, and most importantly, the spending keys are right here on this webpage. Anyone reading this post can spend the funds in these accounts or any multisig account based on these accounts.
Second, note that every time you run “algokey generate,” you get a valid single key account with a public key and a private key. In Algorand, you will often hear the public key referred to as the address, and the private key as the spending key or mnemonic.
Third, observe that the private key mnemonic has 25 words which is quite unusual. In other crypto systems, you will typically see word lists that encode a seed phrase or secret using 12 or 24 words. Algorand uses 25 words, so make sure you get all 25 words. If you plan to use something like Cryptosteel to store the seed phrase, the 25th word will overflow a single plate, which is designed to hold only 24 words.
The public and private keys need to be securely recorded for your accounts. One way to do this would be to write them down on 5 separate pieces of paper, store them on 5 separate USB drives, etc. Having a paper backup is a good idea in case the USB drives fail. To more securely store them on the USB drive, they can be saved in a file which is then encrypted using pgp or similar, and the encryption passphrase is then securely stored separate from the drive.
In terms of distribution, you could put the keys in 5 different locations or give them to 5 different people for safekeeping. There are many ways to securely store these keys, including bank safety deposit boxes, cryptosteel plates, and other options.
For purposes of this tutorial, I will put all 5 keys in a file on the same USB drive labelled “Keys,” but this is not recommended for production use. It is important to number the keys 1 – 5. The order of the keys will be important when we go to set up the multisig account in the next step.
Set Up a Wallet and Multisig Account (Online)
For this step, you need to go back to the online computer with the online Algorand node. If you are sharing the same computer for both online and offline needs, remove all USB drives and reboot the computer to bring it back to its online state. Log in to the computer and open a terminal. We will first create a wallet using the goal command:
purestake@algo-node:~$ goal wallet new MyWallet Please choose a password for wallet 'MyWallet': Please confirm the password: Creating wallet... Created wallet 'MyWallet' Your new wallet has a backup phrase that can be used for recovery. Keeping this backup phrase safe is extremely important. Would you like to see it now? (Y/n): n purestake@algo-node:~$
In the example above, I named the wallet “MyWallet,” but you can name it whatever you want. I also specified a password for the wallet. The reason I elected not to see the backup phrase is that I do not plan on having any secrets on this online node. I’m only going to use it for looking at balances and sending transactions which have already been signed elsewhere.
The next step is to use the goal command to create a new 3-of-5 multisig account using the keys we generated in the previous step. This will add the multisig account to the wallet and let the wallet know what the constituent parts of the multisig account are. But the private keys for the account will not be in the wallet, and the wallet will have no control of or ability to spend funds in the multisig account. By putting the multisig account in the wallet we can work with the multisig account on this node even if we plan to sign multisig account transactions with our spending keys on the offline machine. If you skip this step, transaction files you create for the multisig account on this node will be invalid as the node doesn’t know what the multisig account is and what the component parts of the account are.
purestake@algo-node:~$ goal account multisig new OBONCJ4D4WEUYFWRDLZEJOMAN22HWZGZPAEWSPK7S6VOIHDCAFR3ACUSTA P7ZEFUIWTABXLMC77P3DAE5ZMU7BDY3HZ4KF7ZXSPTCYKZ4AOCKGRZTCUE JPPERBQVBGKHMKTVZUOQKSZHVDYMC3AYYD6NHT355HEZHZXW5CLNUIMJT4 GW5J5C2X7L7F2NIWISELS5EQI74Y5W6VDZ2W45NLIYY256EUYLKORY7AJE ANQADWSXUDMOHYYOVAKII3COO3KIBBXXLFF2RPSCFIVXQJZOZ76DKR5YPU -T 3 Please enter the password for wallet 'MyWallet': Created new account with address FHYPIFKSTJTUT4QCR4MJWZUY2Y4URVFHF2HIXGZ4OHEZSIEQ5Q64IIGEMY purestake@algo-node:~$ goal account list [offline] Unnamed-0 FHYPIFKSTJTUT4QCR4MJWZUY2Y4URVFHF2HIXGZ4OHEZSIEQ5Q64IIGEMY 0 microAlgos [3/5 multisig] *Default purestake@algo-node:~$
Note that the 5 public keys we created on the offline computer are listed here as arguments to the goal account multisig new command. Be very careful, as the order of the keys matters. Changing the order of the public keys results in a different multisig address. Recall that we numbered the keys 1-5: always list them in that order, so you will get consistent results.
The “T” flag specifies the threshold, or how many of the associated spending keys in the multisig account need to sign transactions. In this case we specify 3 making this a 3-of-5 multisig account. The resulting address of the multisig account is: FHYPIFKSTJTUT4QCR4MJWZUY2Y4URVFHF2HIXGZ4OHEZSIEQ5Q64IIGEMY. The “goal account list” command confirms that this is a 3/5 multisig account with 0 Algo in it.
Now you have successfully created a 3-of-5 multisig account (albeit, with no balance). Next week, I will publish a follow-up tutorial that demonstrates how to sign a transaction with your newly-created multisignature keys, enabling you to spend funds, bid on auctions, and more.