
Secure Polkadot wallet setup
Posted on Monday 4 September 2023 Suggest An EditTable of Contents
- Securing Your Assets with Offline Wallet
- Hardware Selection
- Vault Deployment
- Initial Configuration
- Integration with Online Services
- Using Rotko Signer Extension
- Pure Proxy Setup
- Metadata Management
- Security Best Practices
- Physical Security
- Operational Security
- Backup Strategy
- Advanced Backup Methods
- Maintenance Protocol
- Software Updates
- Regular Verification
- Advanced Configurations
- Multi-signature Setups
- Time-locked Vaults
- Conclusion
Securing Your Assets with Offline Wallet
In the evolving landscape of blockchain security, protecting digital assets requires purpose-built tools. NovaSama Vault (formerly Parity Signer/Polkadot Vault) exemplifies this principle - a wallet focused solely on security. This guide details establishing a high-security air-gapped setup for Polkadot assets.
Hardware Selection
GrapheneOS officially supports these devices:
- Pixel 9 series - 9a (tegu), 9 (tokay), 9 Pro (caiman), 9 Pro XL (komodo), 9 Pro Fold (comet)
- Pixel 8 series - 8 (shiba), 8 Pro (husky), 8a (akita)
- Pixel 7 series - 7 (panther), 7 Pro (cheetah), 7a (lynx)
- Pixel 6 series - 6 (oriole), 6 Pro (raven), 6a (bluejay)
- Other devices - Pixel Fold (felix), Pixel Tablet (tangorpro)
All listed devices receive official GrapheneOS support with ongoing security updates. Avoid older Pixel models (5a and earlier) as they lack both Google firmware updates and GrapheneOS support.
Installing GrapheneOS: Follow the web installer for a simple, step-by-step flashing process:
- Enable OEM unlocking and USB debugging
- Connect phone to computer via USB
- Use the web installer to automatically flash GrapheneOS
- Lock bootloader after installation
GrapheneOS provides an open-source mobile OS with hardware-backed keystores, hardened memory allocation, and extensive security improvements.
Vault Deployment
-
Download NovaSama Vault
- Use GrapheneOS’s sandboxed Google Play Store
- Alternatively, sideload from vault.novasama.io
- Verify APK signatures before installation
-
Enable Air Gap
- Activate airplane mode immediately
- Disable WiFi, Bluetooth, and cellular permanently
- Never reconnect this device to any network
Initial Configuration
-
Create New Vault
- Launch NovaSama Vault
- Generate new wallet
- Write down seed phrase on paper (never digitally)
- Store seed phrase in secure physical location
-
Key Derivation Paths
- Create separate accounts for different networks
- Use hardened derivation paths for extra security
- Consider multiple accounts for different purposes
Integration with Online Services
Using Rotko Signer Extension
For daily transactions while maintaining security:
- Install Rotko Signer browser extension
- Connect to your Vault via QR codes
- Sign transactions offline, broadcast online
- Never expose private keys to internet-connected devices
Pure Proxy Setup
For maximum security with flexibility:
- Navigate to polkadot.js.org/apps
- Create a pure proxy account controlled by your Vault
- Fund the proxy, not the Vault address directly
- Use proxy for all on-chain activities
Benefits:
- Vault keys never touch online systems
- Proxy can be transferred without moving funds
- Modular security with role segregation
Metadata Management
Keep your Vault updated without breaking air gap:
- Visit metadata.parity.io
- Display network metadata as QR code
- Scan with Vault to update chain information
- Verify metadata hash before accepting
Security Best Practices
Physical Security
- Store device in secure location when not in use
- Consider tamper-evident seals
- Never leave device unattended in public
Operational Security
- Use device only for signing transactions
- No other apps or activities
- Regular security audits of setup
Backup Strategy
- Multiple copies of seed phrase
- Geographically distributed storage
- Consider metal backup plates for fire/water resistance
Advanced Backup Methods
Shamir’s Secret Sharing via QR Codes Use Banana Split to split your seed phrase into multiple shards:
- Generate threshold shards (e.g., 3-of-5 scheme)
- Convert each shard to QR code
- Store QR codes in separate physical locations
- Require multiple shards to reconstruct seed
Steganographic Storage For maximum operational security:
- Split seed using Shamir’s Secret Sharing
- Password-protect each shard
- Embed shards into uncompressed images (PNG/BMP)
- Distribute images across different storage media
- Maintain plausible cover story for each image
This approach provides:
- Threshold security (need k-of-n shards)
- Hidden storage (shards invisible to casual inspection)
- Additional password layer
- Resilience against single point of failure
Maintenance Protocol
Software Updates
- Check vault.novasama.io for new versions
- Verify update authenticity through multiple channels
- Clean install recommended:
- Export accounts if needed (QR backup)
- Factory reset device
- Reinstall GrapheneOS
- Fresh Vault installation
- Restore from seed phrase
Regular Verification
- Test signing with small amounts periodically
- Verify all derivation paths still accessible
- Check backup seed phrase validity
Advanced Configurations
Multi-signature Setups
- Use multiple Vaults for enhanced security
- Implement m-of-n signing schemes
- Geographic distribution of signing devices
Time-locked Vaults
- Implement governance delays
- Use conviction voting for extra protection
- Consider social recovery mechanisms
Conclusion
The combination of GrapheneOS-hardened hardware and NovaSama Vault’s focused design creates an unparalleled security foundation. By maintaining strict air-gap discipline and following these protocols, your digital assets remain protected against both remote and physical threats.
Remember: security is a practice, not a product. Regular reviews and updates of your setup ensure continued protection as the threat landscape evolves. The decentralized future demands decentralized security - your Vault is the cornerstone of that protection.