There are currently 3 ways to sign without entering your nsec into the client.

1. NIP-07 via browser extension. Almost all web apps now support this method, and it has a pretty good user experience, but users may not be comfortable with storing their keys in a browser extension.

2. NIP-46, first used via NsecBunker, but now also available for use via nsec.app, Amber signer on Android, and most recently with a unique method of splitting your key between three remote custodians via njump's new onboarding app. However, NIP-46 support is much less common among clients, and it often just seems to not work, even if it is supported.

3. NIP-55 Android Signer, which is only available via Amber at this time. It is my personal favorite option, as it is very user friendly and your keys are stored locally by an open-source app. However, there are even fewer options for this signing method among clients than there are for NIP-46.

We do not have any way to store keys offline, because your key is needed to sign EVERYTHING on Nostr. It's similar to the reason keys cannot be stored offline for Lightning. We would need to have the ability to generate child-keys that can be used instead of the parent-key, and which can be revoked if they are compromised, before we would have the ability to store the parent-key offline, and use the child-key for regular event signing.
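All three methods above share one property: the client hands an unsigned event to a signer and gets a signed event back, and the nsec never crosses that boundary. The example below is added here and is not code from the thread or from NsecBunker, Amber or nsec.app. It models that exchange in pure Python in the shape of a NIP-46 `sign_event` request and response, with a from-scratch BIP-340 Schnorr implementation so it runs offline, and shows the checks a client should run on the returned event before publishing it: that the kind, tags, content and timestamp are the ones it asked for, that the pubkey is the expected account, that the id is the NIP-01 hash of the event, and that the signature verifies. NIP-44 encryption, the kind 24133 wrapper and relay transport are omitted (a plain dict stands in for the decrypted request); the secret key and the event are constructed test data.

```python
"""Added example: NIP-46-style sign_event round trip with a pure-Python
BIP-340 signer. Assumptions: no NIP-44 encryption, no relay; the request
and response dicts stand in for the decrypted kind-24133 payloads."""
import hashlib
import json
import secrets

# secp256k1 curve constants (the curve behind NIP-01 keys and signatures)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    if p1[0] == p2[0] and p1[1] != p2[1]:
        return None
    if p1 == p2:
        lam = 3 * p1[0] * p1[0] * pow(2 * p1[1], -1, P) % P
    else:
        lam = (p2[1] - p1[1]) * pow(p2[0] - p1[0], -1, P) % P
    x3 = (lam * lam - p1[0] - p2[0]) % P
    return (x3, (lam * (p1[0] - x3) - p1[1]) % P)


def _mul(pt, k):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    r = None
    for i in range(256):
        if (k >> i) & 1:
            r = _add(r, pt)
        pt = _add(pt, pt)
    return r


def _th(tag, msg):
    """BIP-340 tagged hash: sha256(sha256(tag) || sha256(tag) || msg)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()


def _lift_x(x):
    """x-only pubkey -> point with even y, or None if x is not on the curve."""
    if x >= P:
        return None
    y2 = (pow(x, 3, P) + 7) % P
    y = pow(y2, (P + 1) // 4, P)
    if pow(y, 2, P) != y2:
        return None
    return (x, y if y % 2 == 0 else P - y)


def pubkey_from_seckey(sk):
    """32-byte secret key -> 32-byte x-only public key (hex of this is the npub payload)."""
    return _mul(G, int.from_bytes(sk, "big"))[0].to_bytes(32, "big")


def schnorr_sign(msg, sk, aux=None):
    """BIP-340 signing of a 32-byte msg. Only the signer ever calls this."""
    d0 = int.from_bytes(sk, "big")
    assert 0 < d0 < N
    pt = _mul(G, d0)
    d = d0 if pt[1] % 2 == 0 else N - d0          # negate so P has even y
    aux = aux if aux is not None else secrets.token_bytes(32)
    t = bytes(a ^ b for a, b in zip(d.to_bytes(32, "big"), _th("BIP0340/aux", aux)))
    px = pt[0].to_bytes(32, "big")
    k0 = int.from_bytes(_th("BIP0340/nonce", t + px + msg), "big") % N
    assert k0 != 0
    r = _mul(G, k0)
    k = k0 if r[1] % 2 == 0 else N - k0           # negate so R has even y
    rx = r[0].to_bytes(32, "big")
    e = int.from_bytes(_th("BIP0340/challenge", rx + px + msg), "big") % N
    return rx + ((k + e * d) % N).to_bytes(32, "big")


def schnorr_verify(msg, pub, sig):
    """BIP-340 verification; what the client runs on the signer's answer."""
    pt = _lift_x(int.from_bytes(pub, "big"))
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if pt is None or r >= P or s >= N:
        return False
    e = int.from_bytes(_th("BIP0340/challenge", sig[:32] + pub + msg), "big") % N
    R = _add(_mul(G, s), _mul(pt, N - e))        # s*G - e*P should equal R
    return R is not None and R[1] % 2 == 0 and R[0] == r


def event_id(ev):
    """NIP-01 id: sha256 of the compact JSON array [0, pubkey, created_at, kind, tags, content]."""
    ser = json.dumps([0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
                     separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(ser.encode()).hexdigest()


class Signer:
    """The nsec holder (bunker / Amber / extension). The client never sees self._sk."""
    def __init__(self, sk):
        self._sk = sk
        self.pubkey = pubkey_from_seckey(sk).hex()

    def handle(self, req):
        # NIP-46 request shape: {"id", "method", "params": [json_event_string]}
        if req["method"] != "sign_event":
            return {"id": req["id"], "error": "unsupported method"}
        ev = json.loads(req["params"][0])
        ev["pubkey"] = self.pubkey                  # signer decides the identity, not the client
        ev["id"] = event_id(ev)
        ev["sig"] = schnorr_sign(bytes.fromhex(ev["id"]), self._sk).hex()
        return {"id": req["id"], "result": json.dumps(ev)}


def client_accept(requested, expected_pubkey, resp):
    """Checks a client should run before publishing what a remote signer returned."""
    if "result" not in resp:
        return False
    ev = json.loads(resp["result"])
    for f in ("kind", "created_at", "tags", "content"):   # 1. signed what we asked
        if ev.get(f) != requested[f]:
            return False
    if ev.get("pubkey") != expected_pubkey:               # 2. right account
        return False
    if ev.get("id") != event_id(ev):                      # 3. id really is the NIP-01 hash
        return False
    return schnorr_verify(bytes.fromhex(ev["id"]), bytes.fromhex(ev["pubkey"]),
                          bytes.fromhex(ev["sig"]))       # 4. signature checks out


def demo():
    sk = bytes.fromhex("01" * 32)   # constructed test key, not anyone's real nsec
    signer = Signer(sk)
    unsigned = {"kind": 1, "created_at": 1700000000, "tags": [], "content": "hello from a remote signer"}
    req = {"id": "req-1", "method": "sign_event", "params": [json.dumps(unsigned)]}
    ok = client_accept(unsigned, signer.pubkey, signer.handle(req))
    # Response altered in transit: content swapped after signing must be rejected.
    bad = json.loads(signer.handle(req)["result"])
    bad["content"] = "changed"
    tampered = client_accept(unsigned, signer.pubkey, {"id": "req-1", "result": json.dumps(bad)})
    return ok, tampered


if __name__ == "__main__":
    print(demo())
```

The point of `client_accept` is that a NIP-46 or NIP-55 client must treat the signer as an untrusted network peer: a compromised bunker can return a well-formed, validly signed event with different content or a different author, and nothing short of recomputing the id and verifying the signature against the expected pubkey catches that. The pure-Python curve arithmetic is for readability and offline running; a real client would use a maintained secp256k1 library.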

Discussion

Thank you for the detailed response!

For that last paragraph, is that solved by Frost?

I see FROSTR is being developed, seems an initial PoC has been built. Have you looked into this, and if so, what’s your thoughts?

Great question! The short answer is no.

FROSTR is a very interesting way to have multi-sig for Nostr signing. However, each key shard is still kept hot. These are not child-keys so much as portions of a full key that are split apart so that it takes a quorum of the parts in order to sign.

This is being used in Njump's new onboarding tool announced here:

nostr:nevent1qvzqqqqqqypzq77777lz9hvwt86xqrsyf2jn588ewk5aclf8mavr80rhmduy5kq9qqsqqqp70h0sxn3mlradqmzv585t9ape055wyj2uutqqs6q42zzdggcz4xvrr

The way it is implemented, signing requests are sent to the key-shard custodians via NIP-46 and are automatically approved. Pretty cool idea, but not an answer to the key management problem entirely.

Hmmm, a difficult problem to solve indeed. But it does need to be solved! Relying on browser extensions is not the way to go…

Is the best solution, as it currently stands, nsec bunker and coracle usage then?

If you don't mind me asking, what trade-offs did you go for?

I happen to be using Coracle via NIP-46 login right now, actually. I generally use Alby as my signer extension on my desktop, but I am testing out Amber's NIP-46 signing option for a review I am writing.

I also use Amber for all signing on my mobile Nostr clients, using NIP-55 whenever possible.

I don't log into any clients that require my nsec whatsoever.

I think that's about the best we can do at this point. If NIP-46 signing was just a bit more reliable, I would go to just using Amber, and not use a browser extension either.

Interesting, I look forward to reading the review and will test these out too, thanks for all the info 🤝 god bless!

I'll hopefully be dropping the review next week on www.nostr-reviews.com