Key management can be very stressful to cryptocurrency investors and users who control a large amount of crypto funds. Despite your best efforts, it can be very easy to compromise a key that has had any exposure to the internet, or to hijack a user’s phone, in order to steal their digital assets. So it’s no surprise that hardware wallets have taken over as a popular (and effective) counter-measure for hackers seeking to gain access to your private keys.

Hardware wallets do have some limitations, though. In this article, I’ll briefly review some important points to consider before employing a hardware wallet, and then I’ll provide a step-by-step walkthrough on how to set up a Ledger Nano S in order to better secure a cryptocurrency account (in this case, an Algorand account).

Why You Should (or Shouldn’t) Use a Ledger

Hardware wallets such as the Ledger Nano S offer significant advantages over software-based wallets.

First, there’s the physical security element. By storing private keys for an account in a secure element within the hardware device, it becomes very difficult for an attacker to steal the private key for your account without having physical access to the device and knowledge of the PIN for the device.

By keeping the private key on a hardware wallet, you also reduce the risk of malware and other online attacks from compromising your account spending keys, since the keys never leave the physical device.

HOWEVER, hardware wallets can be finicky and difficult to use.

For example, in Algorand, only the command line tools support the Ledger device.  So that means that you cannot use a Ledger with the Algorand mobile wallet, at least as of right now.  Only the Ledger Nano S is supported; the Nano X is not yet supported. Using a Ledger on Algorand means you are limited to apps that specifically have Ledger support.

The Ledger also only supports a single key, so multisig configurations will require multiple ledger devices which adds complexity.  Ledger support is planned for the Algorand mobile wallet application at some point, but it is not clear when this will happen. To use a Ledger with your Algorand account today requires comfort at the command line.

So, to recap:

How to Set Up the Ledger Nano S for Use With Algorand

To use a Nano S to secure an Algorand account, you first have to go through the basic setup of the Nano S. For this article, I’m going to assume that you are starting with a fresh Ledger Nano S that will only be used to store ALGOs securely.

To start, you will download the Ledger Live application to your computer. Ledger Live is what you use to manage the applications on your Ledger device. You can download Ledger Live here.

Once you install it and plug your Nano S into your computer, click the “Get Started” button. You should see this screen:

When initializing a new device, the first step is to choose a PIN code:

You should follow the steps in the Ledger Live application and on your Ledger Nano S device. There are 2 buttons at the top of the device. Hitting both buttons simultaneously acts as the “Enter” option.

Again, since I’m assuming this is a new device, you will want to elect to configure it as new. This will wipe out any previous configurations on the device.

The next step is to choose a PIN code.  This is a critical step to preventing someone who steals the device from being able to use it to access your funds.

Follow the prompts on the device and Ledger Live app closely, and use the left and right buttons on the device to select a PIN code.  It should at least be 6 digits long. Hitting both buttons advances you to the next position. The selecting the check mark will indicate that you are done.

The next step is to write down the recovery phrase for the device. This is critical. In case you ever lose the device or if it malfunctions, you will be able to restore the account to another device. The Ledger Live app walks you through this:

You will need to write down all 24 words of the recovery phrase, and you will be tested to make sure you have written down all the words.

Once you have verified the recovery phrase, the base setup of the Ledger is complete.

Next, you need to use the Ledger Live application to install the Algorand application onto the device. Go to the manager section of the Ledger Live app, search for “algorand” and click to install the Algorand application.

Once the application is installed on the ledger, you should see the Algorand app as shown below.

The installation of the Algorand app on the ledger created an Algorand account and stored the private key of the account on the secure element of the Ledger device. The private key never leaves the device, but you can see the account address if you go into the Algorand app on the device under “Address”:

Using the Ledger From the Algorand Command Line

Now that we have the ledger configured with the Algorand app, it is ready to use with an Algorand node installation.

In my examples below, I have an installation of Algod installed from the Debian package running under Ubuntu 18.04 with a synced blockchain. I have plugged in the Ledger device to the computer with Algod on it.

The first thing we can do is look to see that the Ledger device has been recognized. We can do this with the “goal wallet list” command:

ubuntu@ubuntu:/var/lib/algorand$ sudo goal wallet list -d /var/lib/algorand
##################################################
Wallet:    Ledger Nano S (serial 0001) (default)
ID:    0001:000a:00
##################################################
ubuntu@ubuntu:/var/lib/algorand$ sudo goal account list -d /var/lib/algorand
[offline]    Y2I3YF5AHFBMRUNKKXY6VPOT6QITCQMXSB5RDM2LG2IE74HGLDIROANCNE    Y2I3YF5AHFBMRUNKKXY6VPOT6QITCQMXSB5RDM2LG2IE74HGLDIROANCNE    0 microAlgos
ubuntu@ubuntu:/var/lib/algorand$

Note that the ledger shows up as a wallet on this computer once it is plugged in. I did not create this wallet with the “goal wallet new” command. It was created for me when I plugged in the ledger device. Issuing the “goal account list” command shows the single account on the device and the balance of that account, which is 0. I also did not create this account with the “goal account” command, it simply came along with the wallet that was automatically created.

When you list the accounts, if you get the error message “Error processing command: Exchange: unexpected status 680.” This means that you need to unlock the Ledger with your PIN. It should work after that.

In this example, the Algod node is on the TestNet. In order to try out a transaction, let’s use the TestNet dispenser to give our Ledger account some testAlgo:

Using the dispenser, we issue 100 testAlgo to our account. After dispensing the Algo we can verify the balances using the “goal account list” command again:

ubuntu@ubuntu:~$ sudo goal account list -d /var/lib/algorand
[offline] Y2I3YF5AHFBMRUNKKXY6VPOT6QITCQMXSB5RDM2LG2IE74HGLDIROANCNE Y2I3YF5AHFBMRUNKKXY6VPOT6QITCQMXSB5RDM2LG2IE74HGLDIROANCNE 100000000 microAlgos
ubuntu@ubuntu:~$

Note that the account now has 100,000,000 microAlgos or 100 Algo in it. Now that we have a balance, let’s try sending a transaction from this account. To do this, we will use the “goal clerk send” command to send 1 Algo to another account:

ubuntu@ubuntu:~$ sudo goal clerk send -a 1000000 -f Y2I3YF5AHFBMRUNKKXY6VPOT6QITCQMXSB5RDM2LG2IE74HGLDIROANCNE -t OBONCJ4D4WEUYFWRDLZEJOMAN22HWZGZPAEWSPK7S6VOIHDCAFR3ACUSTA --note "" -d /var/lib/algorand

Note that the –note option with the empty string is needed, as the Ledger does not support values for the notes field and it will complain if you don’t explicitly specify the notes field to be blank.

Once you issue this command, you will be prompted on the ledger to sign the transaction. Recall that the private signing key for this account never leaves the secure element of the ledger, so the signing action happens on the ledger device:

There are a bunch of details about the transaction that you are shown on the ledger device including sender, firstvalid round, lastvalid round, genesis id, genesis hash, receiver, and amount. You will ultimately be asked if you want to sign the transaction:

If you click yes, you will see progress on the Algod command line:

Sent 1000000 MicroAlgos from account Y2I3YF5AHFBMRUNKKXY6VPOT6QITCQMXSB5RDM2LG2IE74HGLDIROANCNE to address OBONCJ4D4WEUYFWRDLZEJOMAN22HWZGZPAEWSPK7S6VOIHDCAFR3ACUSTA, transaction ID: TSTO3YZJAJJFL433VTMWGPEA6FKAEW34JYP32RAM7DCZV7ITIP6Q. Fee set to 1000
Transaction TSTO3YZJAJJFL433VTMWGPEA6FKAEW34JYP32RAM7DCZV7ITIP6Q still pending as of round 2060606
Transaction TSTO3YZJAJJFL433VTMWGPEA6FKAEW34JYP32RAM7DCZV7ITIP6Q committed in round 2060608
ubuntu@ubuntu:~$

Note that if you take too long, the operation can timeout on the Algod side, requiring you to start over.

Once we have completed the transaction we can view the balances for the account once again:

ubuntu@ubuntu:~$ sudo goal account list -d /var/lib/algorand
[offline] Y2I3YF5AHFBMRUNKKXY6VPOT6QITCQMXSB5RDM2LG2IE74HGLDIROANCNE Y2I3YF5AHFBMRUNKKXY6VPOT6QITCQMXSB5RDM2LG2IE74HGLDIROANCNE 98999000 microAlgos
ubuntu@ubuntu:~$

You can see that our account that had 100 Algo in it now has 98.999000 Algo in it. 1 Algo was sent to OBONCJ4D4WEUYFWRDLZEJOMAN22HWZGZPAEWSPK7S6VOIHDCAFR3ACUSTA, and there was a 1000 microAlgo transaction fee on top of that getting us to the resulting balance.