joininbox
[Research] safe autounlock for the Yield Generator
Currently considered highly insecure, since it cannot protect against physical theft: if the password is stored in plaintext it can be extracted from storage, putting all the funds at risk.
Can consider an optional YG autounlock with only the encrypted password stored on disk if the boot process would have some kind of authentication. Ideas:
- attached (and/or unlocked) U2F device like YubiKey or HWW
- PIN on touchscreen (many dependencies)
Encryption should use a salt unique to the build (maybe using `uname -a`, but look for better options)
~~Alternative: the JoinMarket wallet could have a second password which would not allow spending only signing as a Maker.~~
Idea: PGP encrypted password stored on disk - decrypted to RAMdisk
Requires:
- USB connected HWW/Yubikey
- No battery or UPS used
Process:
- The encrypting PGP key should be stored on a separate 2FA device like a HWW (Trezor or Ledger): https://github.com/romanz/trezor-agent/blob/master/doc/README-GPG.md#3-common-use-cases
- the 2FA would need to be confirmed after boot (e.g. PIN on the HWW), which would allow the unencrypted password file to be present on an ephemeral RAMdisk: https://github.com/rootzoll/raspiblitz/blob/v1.6/home.admin/config.scripts/blitz.cache.sh
- if the computer is rebooted or power cycled the RAMdisk is deleted and only the encrypted password file remains in storage protected by the locked HWW/Yubikey.
Needed:
- guided setup of the 2FA device (the PGP key doesn't need to be recoverable from the HWW seed as the JM wallet can be fully recovered from seed if the access is lost)
- script to:
  - set up the RAMdisk
  - look for the unlocked 2FA device
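The unlock step of the process above, as an added example that is not joininbox or RaspiBlitz code: the encrypted password stays on disk, the plaintext is only ever written onto a tmpfs RAMdisk, and decryption goes through gpg, so with the HWW-backed key locked (no PIN entered since boot) nothing is written. The paths `ENC_FILE`, `RAMDISK` and `PLAIN_FILE` are assumptions, and a gpg-agent served by trezor-agent is assumed to be configured already.

```shell
#!/usr/bin/env bash
# Added example (not joininbox/RaspiBlitz code): decrypt the YG password onto a
# RAMdisk only, and only when the 2FA device has confirmed the PGP key.
# Assumed (hypothetical) paths and names: ENC_FILE, RAMDISK, PLAIN_FILE.
set -u

ENC_FILE="${ENC_FILE:-/home/joinmarket/.yg-password.gpg}"   # persistent, encrypted
RAMDISK="${RAMDISK:-/var/cache/raspiblitz}"                  # tmpfs mount point
PLAIN_FILE="$RAMDISK/.yg-password"                           # plaintext, RAM only

# Return 0 only if the filesystem holding $1 is RAM-backed (tmpfs or ramfs).
is_ramdisk() {
  local fstype
  fstype=$(stat -f -c %T "$1" 2>/dev/null) || return 1
  case "$fstype" in
    tmpfs|ramfs) return 0 ;;
    *)           return 1 ;;
  esac
}

# Guard: refuse to go on if the target directory sits on persistent storage,
# so the plaintext can never end up next to the encrypted file.
ensure_ramdisk() {
  is_ramdisk "$1" && return 0
  echo "refusing: $1 is not a tmpfs/ramfs mount" >&2
  return 1
}

# Create the RAMdisk if it is not mounted yet (needs root): small, private, noexec.
setup_ramdisk() {
  mkdir -p "$1"
  is_ramdisk "$1" && return 0
  mount -t tmpfs -o size=1M,mode=0700,noexec,nosuid,nodev tmpfs "$1"
}

# Decrypt the password into the RAMdisk. gpg asks the agent for the key; if the
# HWW/YubiKey is absent or still locked the decryption fails and the partial
# output file is removed, leaving only the encrypted copy on disk.
unlock_to_ramdisk() {
  ensure_ramdisk "$RAMDISK" || return 1
  ( umask 077 && gpg --batch --quiet --decrypt "$ENC_FILE" > "$PLAIN_FILE" ) && return 0
  rm -f "$PLAIN_FILE"
  echo "decryption failed: is the 2FA device connected and unlocked?" >&2
  return 1
}

# Drop the plaintext explicitly; a reboot or power cycle clears the tmpfs anyway.
lock_again() {
  rm -f "$PLAIN_FILE"
}
```

Typical use after boot would be `setup_ramdisk "$RAMDISK" && unlock_to_ramdisk`, with the YG then reading `$PLAIN_FILE`; `lock_again` can be called as soon as the YG has consumed the password. The `ensure_ramdisk` guard is the important part of the sketch: every write of plaintext is preceded by a check that the destination is tmpfs or ramfs, so a misconfigured mount point fails closed instead of silently leaving the password on the SD card.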
If autounlock is implemented, the YG could restart after it was stopped to make a transaction.
Would need to record in the joinin.conf whether the YG was switched on before.
Since txs are manually initiated, it can be a viable workaround to just remind the user to restart the YG manually, or actually a "Press Y to restart YG now" and then have JB ask for the password.