This repository contains a plugin for Vault that let's you store your crypto in a secure way. It exploits Vault's capabilities of storing encrypted data to securely create new random wallets, get addresses and sign raw transactions and setting strict policy rules to access and manage your funds.
At the moment only bitcoin is supported.
If you have already installed them on your machine, skip this step.
Clone the project
git clone https://github.com/vulpemventures/custodian-vault.git && cd custodian-vault# Install Golang
./scripts/go_installer.sh
# Install Vault
./scripts/vault_installer.shGo is installed at path /usr/local/go and environment variable GOPATH=$HOME/go is exported.
Vault is installed at path $HOME/vault.
# Install Golang
./scripts/macos_go_installer.sh
# Install Vault
./scripts/vault_installer.shGo is installed via Homebrew at path GOROOT=/usr/local/opt/go/libexec and env var GOPATH=$HOME/go is exported. First install Homebrew if you have not already done so.
Vault is installed at path $HOME/vault.
Delete GOROOT and ~/vault folders to uninstall the packages.
Create the path for the project in your go workspace GOPATH
mkdir -p $GOPATH/src/github.com/vulpemventuresMove the folder of the project into the path
mv ../custodian-vault $GOPATH/src/github.com/vulpemventuresClone the project in the directory
git clone https://github.com/vulpemventures/custodian-vault.git $GOPATH/src/github.com/vulpemventures/custodian-vaultYou can now start an instance of Vault and automatically install the plugin launching the script
./scripts/start_dev.shThis starts Vault in dev mode, in order to let you test the features of the custodian plugin.
vault write custodian/wallet/<name> network=<mainnet|testnet|regtest>This creates a random mnemonic that's returned in the response object. It is used to generate the seed as stated in BIP-0039.
NOTICE: In order to enforce to backup the mnemonic, it is showed to the end user only once, at creation time, and won't be accessible anymore in the future.
To get info about a wallet:
vault read custodian/wallet/<name>It returns a response object that contains:
networkeither bitcoin main net or test net- extended public key at path
m/44'/0'/0'/0for main net, that is the master key from which all receiving address are generated (see BIP-0032 for more details).
vault write custodian/wallet/<name> network=<mainnet|testnet|regtest> segwit=trueAgain, this creates a mnemonic visible only at creation time, but derivation path is set to m/49'/0'/0'/0 (for mainnet). This kind of wallet is used for segwit backward compatibility.
vault write custodian/wallet/multisig/<name> m=<number> n=<number> pubkeys=<list,of,pubkeys> network=<mainnet|testnet|regtest>This creates a new key used in an m of n multisg wallet. It requires a list of n-1 comma separated public keys that are used to create the redeem script. This will be subject of breaking changes, since it's planned to add support for BIP-0045.
To get the redeem script along with the other info:
vault read custodian/wallet/multisig/<name>vault write custodian/wallet/segwit/<name> network=<mainnet|testnet|regtest>This creates a native segwit wallet.
vault read custodian/creds/<wallet_name>
# Expected output
# lease_id <lease_id>
# lease_duration 5m
# lease_renewable false
# token <auth_token>This creates an auth_token to allow the end user to interact with the created wallet. Operations like generating a new receiving address or creating a signature for a raw transaction require a token to be passed in the request.
NOTICE: Auth tokens expire right after a request is satisfied and have a default Time To Live of 5 minutes.
To manually revoke an auth_token:
vault lease revoke <lease_id>vault read custodian/creds/multisig/<wallet_name>
# Same response object as abovevault read custodian/creds/segwit/<wallet_name>
# Same response object as abovevault write custodian/address/<wallet_name> token=<auth_token>This derives new P2PKH addresses for BIP44 wallet and P2WPKH nested in P2SH for BIP49 wallet.
vault write custodian/address/multisig/<wallet_name> token=<auth_token>This returns the receiving address of a previous created multisig.
The address won't change since it's the base58check encode of the hash of the redeem script.
Also this feature will change when BIP-0045 will be supported.
vault write custodian/address/segwit/<wallet_name> token=<auth_token>This derives new P2WPKH addresses in Bech32 format.
vault write custodian/transaction/<wallet_name> mode=<standard|multisig|segwit> rawTx=<string> token=<auth_token>This will create a signature for the passed raw transaction.
You need to specify if the wallet is a multisig, native segwit or standard (either BIP44 and BIP49) type, this flag is set to standard by default.
The produced signature is deterministic, which means that the same message and the same key yield the same signature, and canonical in accordance with RFC6979 and BIP-0062 respectively.
// TODO
If you get a server gave HTTP response to HTTPS client error:
export VAULT_ADDR='http://127.0.0.1:8200'