Category Archives: Tezos

Kukai, the Tezos Wallet. Step-by-step guide to Setup and Offline Signing.

Featured

Posted by in Tezos

2 Comments

Tags

In this post I’d like to tell you about some features of my currently preferred Tezos wallet – Kukai. I’ll tell you why I like it, and I’ll show you how to use Kukai’s unique Offline Signing feature.

Why Kukai?

Let’s start with why you might want to use this wallet. I like it for the following reasons:

Works Everywhere

Kukai provides native clients for Linux, Mac and Windows, and a web client that can be conveniently accessed from your browser from anywhere with an Internet connection.

Private Keys Never Leave Your Device

The private keys are stored in a local file on your computer (or in your browser’s local storage while you use the web client), but your keys are NEVER sent over the Internet. The local wallet file containing all the sensitive data is made easily accessible to you, so that you decide how you wish to manage the security of your private key. Furthermore, the sensitive data inside this file is encrypted with a password that hopefully exists only in your head.

Offline Signing

This is the most interesting and so far, unique feature in Kukai. Offline Signing is a really simple, but powerful idea that provides the highest level of security. If you set this up correctly, the security can be as good as a hardware wallet. The usage of this feature is optional, but very interesting and will be the focus of this guide.

Why Offline Signing?

It might be helpful to talk about why Offline Signing is something you might consider using.

The idea is simple – any Internet-connected computer is at risk of being hacked. Period. Even if your computer was perfectly secured, the user never can be ;).

So even though your private keys are never sent over the Internet by the wallet on purpose, attackers can still get them from you with any number of techniques. Here are just a couple of most common examples:

  • Link manipulation: The attacker might fool you into clicking on a malicious wallet link that is slightly different from the real link. It will take you to the attacker’s website, which will look exactly like your wallet. If you don’t notice this in time, you’ll end up typing your passwords and providing your wallet file to the attacker.
  • Virus: Your computer might be infected with a key logger virus, or a browser extension that records everything you type and steals specific files from your computer. Attackers will eventually get both, your wallet file and your password.

 

The ONLY sure way to be safe is to never store or access your private keys on an Internet-connected computer at all.

This is exactly where Kukai’s Offline Signing feature comes in. The idea is to use one computer to create and send transactions to the Tezos blockchain, and another separate, disconnected computer to sign these transactions with your private key.

Setting up this system is very easy, as long as you have another device to dedicate to this process.

Setup

Offline Signing will require 2 computers/devices – one connected to the Internet and one offline device, used exclusively for signing Tezos transactions. I’ll designate operations on the Internet-connected machine (aka “Workstation“), with green text, and operations on the signing machine (aka “Signer“), with red text.

It is completely up to you what kind of devices and operating systems you want to use on the Workstation and Signer. My personal preference for the Signer’s OS is Lubuntu (https://lubuntu.net/), because it is very quick and easy to install and configure.

If you do end up using a Linux distro on the Signer, please make sure you have this package installed while still connected to the Internet during your install:

$ apt-get install libgconf2-4

This library is required to run Kukai’s native Linux client.

After you are done performing the initial OS install on the Signer, and possibly installing the latest updates from the Internet, disconnect Signer from the Internet. The Signer is now purely an offline machine.

Installing Kukai on Signer Machine

On the Workstation

  • Download Kukai stand-alone client from https://github.com/kukai-wallet/kukai/releases. Select the build that matches your OS.
  • Verify the checksum. This is how you ensure that nobody is messing with you and that the wallet has not been modified in any way en-route to your computer.
$ sha256sum kukai_linux_x64_1.0.3.tar.gz
012cf59820c84a7bd4f61414d02ad8196e8f4e317fa7905e81d59efc82da6901 kukai_linux_x64_1.0.3.tar.gz
  • Compare that number to the number on the download page. It must match exactly!
  • Copy kukai_linux_x64_1.0.3.tar.gz to a USB stick and place it somewhere on your Signer machine.

On Signer

  • Extract: 
    $ tar zxvf kukai_linux_x64_1.0.3.tar.gz
  • And run: 
    $ cd kukai_linux_x64_1.0.3/
$ ./kukai

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

00 Intro

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Creating or Importing a Wallet

When Kukai starts, you’ll be presented with different options to get your wallet started. In this guide I’ll assume that you’ll be importing a wallet that was created during the Tezos ICO, but other scenarios will be very similar.

  • If you have not yet activated your Tezos ICO account, do so now by selecting Activate and providing your ‘public key hash’ and your ‘activation code’ (obtained from here: https://verification.tezos.com/).

On Signer

  • Once activated, go to Import wallet -> Retrieve wallet and provide the full wallet information. After you do that correctly, Kukai will ask you to provide an additional password to encrypt your Kukai wallet, which contains your private key (among other things). This means that if someone gets a hold of your Kukai wallet file, it is still useless to them without this password. Please make sure that this password exists only in your head.

Feel free to make this password as long as you need, because humans are very bad at remembering short cryptic passwords like ‘s7ya48u1EE’, and computers are very good at cracking them. Instead, try something like ‘correct;horse;battery’ or ‘enlightened:papal:shrimp’. You’ll never forget it and its super-hard to brute-force or guess a password like that.

You’ll be presented with an Overview screen for your wallet:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

02 Overview_out

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Exporting Your Wallet

On Signer

The next thing to do is to export 2 versions of the wallet you just created. Go to the Backup menu in Kukai and export:

  1. The Full Wallet. This file will be called something like ‘wallet.tez’, and will contain your public and private keys. Feel free to rename it to something better. This wallet file can be used to gain full access to your tezzies, so be careful with it! Save this file somewhere on the Signer machine and maybe even back it up somewhere else for safety. But don’t stress too much – the private key in this file is encrypted with the password you selected earlier, so the file by itself is still useless without it.
  2. The View-only wallet. You’ll need to enter your wallet password and click on the Generate button. This file allows you to see your tezzies, but not actually access them, because your private key is not in this file. If someone gets a hold of it somehow, all they get is the ability to see how many tezzies you have, and what you have done with them in the past. This is the file we’ll use on the Internet-connected machine (Workstation).

Take the ‘view-only_wallet.tez’, put it on a USB stick and take it to your Workstation machine.

Import View-only wallet

Now that we have our view-only wallet, we can safely use it in Kukai web-client on the connected Workstation. It is convenient, and we no longer have to worry about getting hacked, since our private key is not stored anywhere on the connected Workstation.

On The Workstation:

– Go to https://kukai.app/
Import Wallet -> Import wallet from File and select your ‘view-only_wallet.tez’ file we brought over from the Signer machine.

Note that the Overview screen contains all of the account info that we saw on the disconnected Signer machine, and all of the operations like Send, Receive and New Account are still available, but the wallet is marked as “View-only”:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

03 View Only Wallet_edit

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

And that’s it! Your setup is now complete.

Slinging Tezzies

Ok, let’s move some tezzies around. In this example I’ll move 500 XTZ between my own accounts. Let’s say from tz1bGHcWHMLtn7vFsJMoxri226QebeGC8zcd to KT1DQwmnBU6UoopeejTNQQDcbqeGxSVUxgMq. See the picture above for reference.

On The Workstation

  • Go to Overview -> Send
  • From: tz1bGHcWHMLtn7vFsJMoxri226QebeGC8zcd []
  • To Address: KT1DQwmnBU6UoopeejTNQQDcbqeGxSVUxgMq
  • Amount: 500
  • Click Preview -> Confirm
  • You should get a message that says: Your unsigned transaction has been created successfully

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

05-unsigned-tx-new

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

  • Download it. Let’s give it a name like ‘demo1.tzop’
  • Put ‘demo1.tzop’ on a USB stick and take it to the Signer machine.

On The Signer

  • Run the native Kukai client (if not already running): 
    $ cd kukai_linux_x64_1.0.3/
$ ./kukai
  • Your Full Wallet should already be loaded here, but if not, just go to Import wallet -> Choose File again and select the full wallet file you saved earlier.
  • Go to Offline Signing -> Sign operation (offline) -> Choose File, and select the unsigned operation file (‘demo1.tzop’).
  • Verify that what you are about to sign with your private key is correct and awesome:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

07 Sign Op

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

  • Type in your wallet password in the Password field and click Sign…………..
  • If all went well, you’ll see a success message saying: ‘Operation successfully signed!
  • Download the signed operation file. Call it something like: ‘demo1_signed.tzop’.
  • Put it on the USB stick and take it to the Workstation.

On the Workstation

  • In Kukai, go to Offline signing -> Broadcast  -> Choose file and select ‘demo1_signed.tzop’ from the USB stick.
  • You can see what you are about to broadcast by clicking Yes on “Would you like to decode the operation?”

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

09 Broadcast

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

  • Click Broadcast. You’ll be provided with the Operation Hash for your transaction.

And you are done!

You can go to the Account menu to see the transaction. Or you can use the Block Explorer to look at it:

https://tzscan.io/<Operation Hash>

Final Word

This is clearly a somewhat lengthy process, but some amount of inconvenience is always the trade-off for extra security.

If you do lots of small operations in a day, you could optimize this workflow by creating another Full Wallet on the connected Workstation, with a small amount of tezzies in it – for convenient day-to-day tasks, and keep the majority of your Tezzies in the offline Signer wallet for any large transfers. That way if your Workstation does get compromised, you only lose a small amount of tezzies instead of everything.

I hope this guide was helpful to someone.

Guide to Delegating on Tezos Betanet

Featured

Posted by in Tezos

Leave a comment

Tags

This guide is written for people that participated in the Tezos ICO, and who now wish to claim their Tezzies (XTZ) and then use them for delegation.

First of all, you need to get your Activation Code from Tezos. Please follow the intructions here: https://verification.tezos.com/

Although delegation is not mandatory, it is an easy way to passively make more XTZ with the ones you already have. If you don’t delegate, you won’t receive a share of the new XTZ created by the Delegated Proof of Stake system that Tezos runs on. This will deflate the value of your tokens compared to users who do participate.

Also, if you happen to own more than a single roll of Tezzies (10,000ꜩ), you are likely more interested in doing your own baking, rather than delegating to someone else. This guide will still be useful to you for the initial setup though.

There are 2 ways you can go about claiming and delegating your Tezzies:

Option 1: Using TezBox Wallet

The easiest way is to use a wallet, such as https://tezbox.com/. This is a very user-friendly option, but it requires you to reveal your private key to the service. If you don’t feel that trusting, read on about how to do everything yourself, which is really simple if you follow this guide.

Option 2: Running Your Own Tezos Node

This is the option the guide focuses on. The guide is written for people on Linux or Mac, but if you are on Windows, you can also follow along by installing Git Bash first (https://git-scm.com/downloads). This will give you both – access to Git and a command-line where  you can type in all the commands in this guide.

Install Docker

Follow the instructions here to install Docker for your OS: https://docs.docker.com/install/

Download the Tezos Project

If you have Git installed, you can clone tezos like this:

$ git clone https://gitlab.com/tezos/tezos.git
$ cd tezos
$ git branch betanet

If you don’t have Git, go to https://gitlab.com/tezos/tezos.git, click on the branch selector drop-down that currently says “master”, and change it to “betanet”. Now use the Download button in the upper right-hand corner to download the code.

Open Port 9732 In Your Firewall

This port is used by Tezos network protocol to connect to peers, so it needs to be open. The details of this are different depending on your setup, so left as an exercise for the reader. Just make sure that this port is open and routed to the box you are going to be running the Tezos Node on.

Run a Tezos Node

Make sure that you are in the directory where you placed the Tezos code and run

$ cd tezos/scripts/

There’s a script here called betanet.sh. We’ll use this script to interact with the Tezos node running inside a Docker container.

Lets start the node now:

$ ./betanet.sh node start

This command will do a lot of things:

  1. Download the Tezos Docker containers.
  2. Use Docker Compose to deploy the Node, the Baker, the Endorser and the Accuser as services. We are only going to use the Node in this guide, but those other services are now also ready to go, should you choose to try baking yourself.
  3. Start the Node
  4. Generate a new network identity
  5. Discover and connect to network peers
  6. Start downloading the entire blockchain

This last step will take a long time! You will just need to wait. You can monitor the progress in a couple of ways. You can see the log output from the node like this:

$ docker ps -q
7c04ab2f4c5e
$ docker logs 7c04ab2f4c5e --tail 40 -f

These commands discover the Container ID where the Tezos node is running, and then attach to the STDOUT and STDERR outputs of that container. You will now get a lot of scrolling info, telling you what the node is doing.

You can see the network connections your node has made like this:

$ ./betanet.sh client rpc get /network/connections

You can also monitor how much of the blockchain the node has downloaded so far:

$ ./betanet.sh head

This will print a lot of output, showing you the information about the top block the node has so far. The interesting part here is the “timestamp” field near the top. We can monitor that field like this:

$ watch "./betanet.sh head | grep timestamp"

We need to wait until that “timestamp” catches up with current time.

Do not proceed with the guide until that’s done!

Activate Your Account On The Blockchain

Now that your node is fully synced, we can start to inject changes into the blockchain.

First, lets create an alias for our public address. This information is found in the wallet you got during the ICO:

$ ./betanet.sh client add address ico_key tz1NQo6LNh4isv8Gavc53EGy5TozLRCAkXzB
$ ./betanet.sh client list known addresses
ico_key: tz1NQo6LNh4isv8Gavc53EGy5TozLRCAkXzB

In this case we chose the name “ico_key“, but you can call it anything you want.

And now the actual activation.  <activation_key> is provided to you when you complete the KYC process.

$ ./betanet.sh client activate fundraiser account ico_key with <activation_key>

Node is bootstrapped, ready for injecting operations.
Operation successfully injected in the node.
Operation hash: ooWpYVXe466VC48nwbiFeRR2Djeg4u3CCYkLuSoUfxfeG6TAU1w
Waiting for the operation to be included...
Operation found in block: BKivKRERjTWCWZJAYxADaFeUiA42XjYKkiet6HqNxkDNDATbMbX (pass: 2, offset: 0)
This sequence of operations was run:
Genesis account activation:
Account: tz1NQo6LNh4isv8Gavc53EGy5TozLRCAkXzB
Balance updates:
tz1NQo6LNh4isv8Gavc53EGy5TozLRCAkXzB ... +ꜩ1521

The operation has only been included 0 blocks ago.
We recommend to wait more.
Use command
tezos-client wait for ooWpYVXe466VC48nwbiFeRR2Djeg4u3CCYkLuSoUfxfeG6TAU1w to be included --confirmations 30
and/or an external block explorer.
Account ico_key (tz1NQo6LNh4isv8Gavc53EGy5TozLRCAkXzB) activated with ꜩ1521.

Note that there’s a command given to you in the end:

$ ./betanet.sh client wait for ooWpYVXe466VC48nwbiFeRR2Djeg4u3CCYkLuSoUfxfeG6TAU1w to be included --confirmations 30

If you run that, you’ll get a message every time your transaction is baked into a block, all the way up to 30 blocks.

You can also use the block explorer to monitor that progress. In this example, it would be here: http://tzscan.io/ooWpYVXe466VC48nwbiFeRR2Djeg4u3CCYkLuSoUfxfeG6TAU1w

Import Your Private Key

Now we are ready to access our tezzies. Of course, that will require the private key from the wallet you got during the ICO.

So, import the private key into our node:

$ ./betanet.sh client import fundraiser secret key ico_key

This will ask you some questions, including all the words in the mnemonic in the wallet. Enter all the data it asks for.

Now let’s check our work:

$ ./betanet.sh client show address ico_key -S
Hash: tz1NQo6LNh4isv8Gavc53EGy5TozLRCAkXzB
Public Key: <.........>
Secret Key: encrypted:<.........>

And finally, let’s check the balance in our account:

$ ./betanet.sh client get balance for ico_key
1521 ꜩ

Setting Up Delegation

We are now ready to put our tezzies to work.

The first step is to decide who you are going to Delegate your baking to. This list of Delegators here is an excellent resource to help you make the choice: https://www.mytezosbaker.com/bakers-list/.

Let’s say that we decided to go with Tz Vote: http://tzscan.io/tz1bHzftcTKZMTZgLLtnrXydCm6UEqf4ivca

Let’s create an alias for them:

$ ./betanet.sh client add address Tezos_Vote tz1bHzftcTKZMTZgLLtnrXydCm6UEqf4ivca

Now we create an “originated” smart contract called “ico_key_originated“, managed by the account we activated (called “ico_key” in this guide), and delegated to “Tezos_Vote”. We also transfer all the money from “ico_key” into the new smart contract “ico_key_originated”:

$ /betanet.sh client originate account ico_key_originated for ico_key transferring 1520.742 from ico_key --delegate Tezos_Vote --fee 0.0

Node is bootstrapped, ready for injecting operations.
Estimated storage: no bytes added
Enter password for encrypted key: 
Operation successfully injected in the node.
Operation hash: ooCj9jGio6oCMksnuZQ5EE42h93VSM3c2hRuc3z4W1XXmyyURpK
Waiting for the operation to be included...
Operation found in block: BLkvov4WBkr4hN4RTNXePRwfgj2wpvu6pUfHzr2cizGZbcXxiTt (pass: 3, offset: 0)
This sequence of operations was run:
Manager signed operations:
From: tz1NQo6LNh4isv8Gavc53EGy5TozLRCAkXzB
Fee to the baker: ꜩ0
Expected counter: 45247
Gas limit: 0
Storage limit: 0 bytes
Revelation of manager public key:
Contract: tz1NQo6LNh4isv8Gavc53EGy5TozLRCAkXzB
Key: edpku7CbCYBFhYw1NfU26sGo7asGsvZcvew1VsygxwHoWr6emY5Cq6
This revelation was successfully applied
Manager signed operations:
From: tz1NQo6LNh4isv8Gavc53EGy5TozLRCAkXzB
Fee to the baker: ꜩ0
Expected counter: 45248
Gas limit: 0
Storage limit: 0 bytes
Origination:
From: tz1NQo6LNh4isv8Gavc53EGy5TozLRCAkXzB
For: tz1NQo6LNh4isv8Gavc53EGy5TozLRCAkXzB
Credit: ꜩ1520.742
No script (accepts all transactions)
Delegate: tz1bHzftcTKZMTZgLLtnrXydCm6UEqf4ivca
Spendable by the manager
This origination was successfully applied
Originated contracts:
KT1PUFGwJB9qtWfdbzgURni3JykVBycdwwAK
Consumed gas: 0
Balance updates:
tz1NQo6LNh4isv8Gavc53EGy5TozLRCAkXzB ... -ꜩ0.257
tz1NQo6LNh4isv8Gavc53EGy5TozLRCAkXzB ... -ꜩ1520.742
KT1PUFGwJB9qtWfdbzgURni3JykVBycdwwAK ... +ꜩ1520.742

New contract KT1PUFGwJB9qtWfdbzgURni3JykVBycdwwAK originated.
The operation has only been included 0 blocks ago.
We recommend to wait more.
Use command
tezos-client wait for ooCj9jGio6oCMksnuZQ5EE42h93VSM3c2hRuc3z4W1XXmyyURpK to be included --confirmations 30
and/or an external block explorer.
Contract memorized as ico_key_originated.

The above command is certainly confusing. To understand some more details about what happened there, please refer to this excellent article:  http://archive.li/NsPFt (section “How to Delegate and Understanding Implicit and Generated Accounts”)

As with our previous injection, we can either use our node:

$ ./betanet.sh client wait for ooCj9jGio6oCMksnuZQ5EE42h93VSM3c2hRuc3z4W1XXmyyURpK to be included --confirmations 30

Or the Block Explorer: http://tzscan.io/ooCj9jGio6oCMksnuZQ5EE42h93VSM3c2hRuc3z4W1XXmyyURpK

to monitor the progress of our transaction.

There’s an important subtlety to notice here. The balance in my “ico_key” account was 1521ꜩ, yet in the command above I only transferred 1520.742ꜩ. Why is that?

Well, if we try to transfer the entire amount, we get this error:

Error:
  Unregistred error:
     { "kind": "temporary",
       "id": "proto.002-PsYLVpVv.gas_exhausted.operation" }

The problem here is that some of our tezzies need to be burned in order to pay for executing the transfer and delegation. In this case the required fee was 0.257ꜩ, which is why I only transferred 1520.742ꜩ.

So, let’s check everything now to make sure that the transfer worked, and that the delegate is established:

$ ./betanet.sh client list known contracts
ico_key_originated: KT1PUFGwJB9qtWfdbzgURni3JykVBycdwwAK
Tezos_Vote: tz1bHzftcTKZMTZgLLtnrXydCm6UEqf4ivca
ico_key: tz1NQo6LNh4isv8Gavc53EGy5TozLRCAkXzB

$ ./betanet.sh client get balance for ico_key
0.001 ꜩ

$ ./betanet.sh client get balance for ico_key_originated
1520.742 ꜩ

$ ./betanet.sh client get delegate for ico_key_originated
tz1bHzftcTKZMTZgLLtnrXydCm6UEqf4ivca (known as Tezos_Vote)

And that’s it.

Resources and References

Here’s the list of most useful materials that I used while figuring this out: