Hello! I'm a software engineer and I created a new, more secure stellar wallet called Lumen Vault. https://lumenvault.com/

Due to the inherent risk of using your secret key with other online wallets, I wanted to build a wallet where you don't use your secret key every time you need to send payment from your wallet. In order to do that, Lumen Vault generates two new signing keys (one for us and one for you) and both are required to send payments…that way you can keep your secret key backed up offline.

You can even generate and sign the transaction to add our two new keys to your account offline so that your secret key stays private, and then you would use your new Lumen Vault signing key for day-to-day usage. The signing key for us is generated on our server, encrypted, and never leaves our server. The signing key for you is generated in your browser, and will be the one you use to send payments or manage your wallet through our website. If someone steals your signing key using a key logger or browser hack, they still can't make any changes to your account since they won't have the key that we keep encrypted on our server.

From the multi-sig point of view, we set the low and medium thresholds on your account to 2, the high threshold to 3, and your master key weight to 3. We then add the public keys for our signing key and your signing key to your account as signers, both of them with a weight of 1. That means both keys are required to reach the low/medium threshold (payments, etc). Your master weight is set to 3 so it is the only key that can add other signers to your account, and it still has full access to manage your wallet if needed. Due to that, your master key should be backed up offline.

Feedback is welcome!

Awesome, looks great so far. Well designed and solving for a real need. Good stuff.

For what it's worth, here's where I got stuck. I added an address and generated the keys required by Lumen Vault using my private key. At that point I didn't realize that I needed to save one of the two keys that you generated for signing transactions going forward. In the dialog box where you provide the "new" secret key I just assumed you would be storing that as well for me. My thought was that the 2FA setup was my protection, not that I need to keep track of an additional key going forward.

When I went to test sending my first payment and it asked for my key to sign the transaction, that's when I realized I didn't have what I needed. I went though the process of issuing the keys again, and it worked well, good job making sure you had that step.

I think the trap here is that you're making things more secure, but in doing so I have one extra piece of information to keep track of. While this gives me an out if your service is unavailable, I have one extra step (2FA) anytime I need to send a payment, I still have to copy/paste the 2nd key from somewhere, and I still have to be damn sure that I never lose my private key.

Don't take this as a negative criticism. You are onto something with this, and you've got a great v1 of the product out in the wild. Maybe I'm in the wrong mindset because I'm thinking about using this as an everyday wallet, when instead it should be positioned to customers as long term storage. That could be what you all have in mind - it's called vault after all. Keep up the great work! I'll keep testing.

    rbates That's super helpful! I really appreciate you taking the time to write down your thought process when setting that up. You have no idea how valuable that is.

    I do envision Lumen Vault being an everyday wallet. Lumen Vault should empower people to feel safe using their wallet for everyday transactions and not scared that entering their secret key online will cause some hacker to drain their account. That was the main goal of this, with trust being a very big issue when interacting with an online wallet.

    Your 2FA point is interesting, but since our Lumen Vault (server-side) key is tied to your account, the 2FA is really only protecting your Lumen Vault server-side key...if that makes sense. For example, say you have a safety deposit box at your bank. The bank has one key and you have one key...and it takes both keys to open the safety deposit box. 2FA in Lumen Vault is like the bank installing a brand new security system that requires your fingerprint before letting the bank use their key. With the 2-key system, if a bad guy was able to somehow impersonate you or get someone on the inside to make a copy of the bank's key, they still wouldn't be able to get access to your safety deposit box because you have the other physical key.

    So if Lumen Vault just used one key and had you use 2FA, that's not as secure as you also having a secret key to enter (does that make it 3 factor auth?). Hopefully that example makes sense. That was more of me justifying it to myself than to you haha.

    Does that make sense? I definitely get that we need to make it easier to use if we want people using it day-to-day. The secret/public key is already pretty hard to understand for newcomers and thrusting more keys on them may make it more secure... but I can understand if it's more confusing. Maybe we could save your key in your browser, encrypt it, and require a pin to unlock it for making payments? That way you just remember a short pin? Just thinking out loud there. We'll definitely want to make it easier to use and eventually get rid of copy/pasting keys since that's a pretty bad UX altogether, especially on mobile.

    Thanks again for your feedback!

        toddlv You're analogy is perfect, I can literally picture myself walking into a bank and saying here's proof that I'm the person who has the other key to the safe we're about to open. But to extend the analogy, in the back of my mind I'm thinking "I've also got another key under my pillow at home that I could also use. Is it still there? Damn, I hope it's still there."

        In the end this all comes down to key storage and recovery. We can't expect to give humans a string of random digits and say: "If you lose this you are screwed. There is no solution. It's over". My very first reaction when I saw Lumen Vault was,: "ok, thank god. Finally a way to cover my ass if my backup solution fails, or my files get corrupted, etc..."

        Right now with crypto there are too many outcomes that result in game over. Anything that can be done to provide user failover, recovery, whatever you want to call it is needed. Outcomes involving user error are way more likely to occur on a regular basis vs individual accounts getting hacked.

        It sounds like you all get it. This is an iterative process and you're headed down the right path. If there's anything you want help testing feel free to ping me.

            rbates Thanks! Your feedback has been super helpful. I'll definitely ping you soon after some changes are made ?

              rbates If you don't mind, I'd love to have you take a look at our latest release. ?

              We still have the setup with two keys just like we had before, but now we give you the option to store your key with us, and encrypt it with a PIN of your choosing. You can still download your signing key to your computer and even skip the PIN if you don't want to store your key with us. Using the PIN makes things much more convenient and allows you to use your wallet on desktop/mobile/tablet without having to copy/paste your key everywhere. You will just want to go back through the key issuing process to set up the new PIN.

              From our previous real bank example, it's like the bank now has a box (with a keypad) inside the bank where you can store your key if you'd like, but it's not necessary if you want to hold onto your key.

              Let me know if you run into any issues there and I'd love to hear your feedback. I really appreciate it!

                  toddlv Hey there, nice update! I like this approach much better. The setup was smooth, although I had to create and fund a new account. I received a message about my other account having keys that the site didn't recognize.

                  Fundamentally I like how this works. I understand there is always a balance between security and convenience, to me personally this is a step in the right direction.

                  During the PIN setup process I can tell you spent time trying to really explain everything in detail. I get it, you're trying to build trust. On the flip side I think you could be over-explaining things to the point of diluting the value of your service. This is what I'm referring to:

                  "Entering a PIN encrypts your new signing key in your browser (using the PIN) and sends it to Lumen Vault for storage so that you can use your wallet on any device without having to remember your long signing key or copy/paste it everywhere.

                  The PIN is not saved in Lumen Vault. Instead, your PIN will be used to decrypt your signing key any time you need it to sign a transaction.

                  If you don't want your encrypted signing key to be sent to Lumen Vault and would rather enter your signing key every time, save this signing key on your computer and click Skip Pin."

                  That first sentence is really wordy. Then it talks about decryption and signing transactions. Then it ends with, "also, you don't even have to use it." You're asking people to process a lot information here.

                  To me the value prop of the product should be as simple as this: send Lumens quickly from any browser using just your email account and a PIN. From a consumer standpoint the whole discussion about a second set of keys should just go out the window. As long as I know that the master key is my responsibility - and it's my way out if I should decide to leave the service - forget about making people try to decipher key weights, secondary keys, and encryption using a PIN. That's the value of your service, they don't have to think about it.

                  You're going to get pushback from some people saying there is no way they can trust you or this service, and you must open source your encryption code, my only comment would be this product shouldn't be targeted at them.

                    toddlv One more thing. I'm not saying to ditch things like the explanation your about page

                    https://lumenvault.com/#about

                    If there are people that want to dig deeper you should absolutely be transparent about the approach you're using.

                        rbates Thanks so much for taking a look and I completely agree!

                        I'll keep working on making things simpler, less confusing, and smoother.

                        Sorry to make you keep spending transaction fees testing things out. I'd love to reimburse you ? I created https://test.lumenvault.com which is completely separate from the production site and operates solely on the Stellar test network. You can fund new accounts automatically there with 10,000 XLM without having to worry about using your main account on the production stellar network. If anyone wants to just play around with the product with no risk, that's a good place to test.

                        I'll keep posting updates here.

                        Thanks again @rbates , you're the best!

                          9 days later

                          Hi everyone! We've made lots of changes to Lumen Vault recently.

                          • Removed our Inflation Pool in favor of using Lumenaut instead
                          • Made it super easy to join an inflation pool of your choice while showing your estimated payout before joining
                          • Added a PIN to use for any actions on your wallet instead of copy/pasting your signing key
                          • Mobile first - Lumen Vault works great whether you log in on your phone, desktop, or tablet. No app needed and since we secure your account with 2 keys, it's super secure!

                          We still create a server-side key and a client-side key for your account to keep your lumens safe, the PIN just encrypts/decrypts your client-side key... so no more copy/pasting signing keys!

                          Thanks for using Lumen Vault and helping us make it better!



                          Mobile Dashboard Mobile Dashboard Mobile PIN

                          Awesome work. After reading the comments here I got confused on something. Is the client-side signing key (encrypted with the PIN) also saved on your server?

                          Thanks! ?

                          Yes, when using a PIN, the client-side key is currently encrypted in your browser with the PIN and saved on our server (encrypted again with a much longer server side key).

                          If we only saved the encrypted client-side key in your browser, clearing browser data (like local storage) would delete your key. When dealing with the possibility of losing access to someone's lumens if they also didn't save their master key, we erred on the side of having the PIN be more convenient to use, while also allowing the advanced option of skipping the PIN and using the signing key directly.

                          If you skip entering a PIN and go the advanced route, then the client-side key is not saved anywhere and entering the client-side signing key each time is up to you copy/paste the key from your computer.

                          It would be pretty easy for us to add a checkbox so you can choose to only save the PIN-encrypted key locally or to save it on our server. Saving the PIN-encrypted key on our server also lets you access your account on any device so it has its trade-offs.

                          Great question and we'll add the ability to let you choose to only save it locally soon! Thanks for the feedback!

                            toddlv I do prefer the idea of saving the client-side key encrypted with the PIN locally on the computer/phone, instead of leaving it in your server (since the server already has server-side key).

                            However, my post was not exactly a suggestion, just a question about how it works.
                            Follow your vision of how the application should be ?

                              Just tested your service. It’s very impressive.
                              I have one question: if, theoretically, your website got compromised and both keys were captured, would the double auth + email verification protect the user or is a total hack possible? Even a 0.000001% chance?
                              Thank you!

                              Edit: another question, it may seem stupid but for the moment 99.9% of my XLM transactions are done on SDEX. I guess i’ll always need to enter my master secret key to access an exchange like Interstellar, Stellarterm, Stellarport... ?

                                cryptobrant Thanks!! Theoretically, if someone got both of your keys then they could access your lumens by manually creating a transaction and signing it with both keys. That's why we encrypt everything on our server with strong keys and that's why your server-side key never leaves our server.

                                If you are using another service, then yes you'd need to enter your master key. We could offer a feature through Lumen Vault that would create a new, temporary wallet for you to use on other websites that need a master key. That way it only has access to the amount of XLM you intend to use on a different website. That would be safer than using your master wallet key directly. What are your thoughts on something like that?

                                    toddlv thanks for your answer. That’s my question actually: how unbreakable is the server-side encryption? I’m not an expert so I don’t know if it’s possible to hackers to theoretically gain access to the encryption keys. And, of course, if someone took control of the website/or you were dishonest, the accounts could be compromised, right? There is always a trusted party somewhere, so in theory we mitigate the risk of entering our master key anywhere but we still need to trust you, your person and your technology, at 100%? Sorry, I’m trying to be as paranoid as possible ?

                                    The idea of creating a temporary wallet for exchange transactions is pretty interesting. There should be an option to merge accounts after use, with newly acquired assets and trustlines. But then, suppose I bought different assets with my temporary wallet (ETH, BTC, MOBI and RMT) and I merge the temporary wallet with the main wallet. Now a few days later I want to sell some RMT and BTC, would it be easy to create a new temporary wallet with my RMT and BTC assets? I’m afraid this could become a bit complex. What do you think?

                                        cryptobrant We use AWS and their Key Management Service for very secure encryption on Lumen Vault. The only way for someone to get access to our encryption keys would be for someone to get into our production AWS account which is behind a long, random password and two-factor authentication.

                                        You are correct that there is always a trusted party somewhere and being paranoid is a good thing! You could even do something like setting up a wallet just for use on Lumen Vault that contains a subset of your XLM/assets. Stellar makes it pretty easy to use as many wallets as you need.

                                        If we set up a way to easily create temporary wallets, we'd definitely have a way to merge that account back into your main account through Lumen Vault after use. We'd want to make it very easy to set up a temporary wallet with the amount of assets you are looking to trade while also allowing a one-click merge back into your main account with no complexity on your end.

                                          a year later