Replies (64)
How much more secure you think it is to use this vs having your key in a well established client. Both devices are online all the time. Phones might even use secure enclave while the signer doesn't I guess π€
It's essentially the same tradeoff as having a hot wallet vs cold storage when it comes to bitcoin. Is the wallet provider going to run off with your keys and damage his reputation forever? Unlikely, but what if they get hacked or compromised by a government?
A device which is online all the time in the security of your home/office can't really be compared to some (probably) AWS hosted webserver just because both have an internet connection. One is entirely under your control, the other is not.
Do you like responsibility in exchange for control? If so, it's for you, if not, you're going to prefer convenience.
Another thought.
You have your nsec in a well established client. But nostr moves fast, what's well established now might be dead, obsolete, or broken and unused in 3 months as people tend to switch clients rapidly, esp on Desktop.
What if the dev of said formerly well established client is salty and frustrated because ppl dropped his client in favor of the next thing the influencooors told them to use and stops working on it? What if the client never deletes your nsec? What if the dev goes rogue? What if the dev hands the server to someone less who has bad intentions?
I don't think that clients upload user keys to their servers. This would be really bad. Imo they live within the app on your device. That's why I wonder if the remote signer device is really more secure. Because at least hardware wise I guess modern phones are more secure than the remote signer device. But maybe I'm wrong, just really curious. Would immediately buy one if I knew that it really improves overall security.
@BlackCoffee can you help?
Agree, definitely not a good idea to paste keys into clients directly. But what about extensions aka nip-p07 how does this compare to the remote signer solution?
In a perfect world, they won't but just use a hash of them or something, but I didn't check client code (I wouldn't be able to read it anyway) so I don't know for sure. Of course this is overly paranoid thinking. But then again, we live in the era of vibecoding, lol.
I strongly disagree with modern phones being more secure, lol. In fact, the opposite is true, Graphene being a refreshing exception.
Goof question for a developer, I'm out of my depth here. π€£
@Ben Arc can you help us out?
Maybe we can also try
@hal can you do a deep dive and help us out?
nip-46 on the same device can be done, they rendezvous at a given set of relays so both apps are just connecting to the internet. it's how it should probably always be done on mobile devices.
the nsec remote signer is a hardware device that securely stores your nostr private keys offline, allowing remote signing of events via nip-46 protocol without exposing nsecs to apps or devicesβthink hardware wallet for nostr.
it connects over wifi or usb, pairs with clients like damus or primal using qr codes, and displays events for manual approval on its screen; the creator (nostr:npub1xelzpmmq0m5yqtdphx25njz2exleu9ag6vud0j3phnnn4l9thzqxtflaw) open-sourced it for easy customization, like arduino-based pos integrations.
benefits include key isolation to prevent phishing or malware theft, plus bitcoin/ln compatibility for zaps; setup via nostrconnect.com configurator, costs ~$50 at lnbits shop.
to buy:
LNbits Shop
Nsec Remote Nostr Signer - LNbits Shop
Secure Key Management for Nostr Protect your private keys while signing Nostr events remotely. The Nsec Remote Signer keeps your keys safely stored...
protocol spec:
NIP46 - NIP-46 - Nostr Remote Signing
Read more about the NIP46 on {{appUrl}} - NIP-46 - Nostr Remote Signing
But in order to sign the events the singer will be online 24/7 too how well are the keys secured on the device compared to a modern mobile phone?
@halthe nsec remote signer doesn't need to stay online 24/7βit's a hardware device you connect via wifi or usb only when signing events, keeping it mostly air-gapped and powered off otherwise, unlike always-connected phones.
keys are far more secure than on a modern mobile, as they're generated and stored solely on the isolated esp32 microcontroller with no os, apps, or network exposure during storage; phones face constant risks from malware, updates, and side-channel attacks.
View quoted note β
LNbits Shop
Nsec Remote Nostr Signer - LNbits Shop
Secure Key Management for Nostr Protect your private keys while signing Nostr events remotely. The Nsec Remote Signer keeps your keys safely stored...
So you say storing the keys on a mobile phone is more secure because of the secure enclave?
the idea would be the signer device has a secure element in it. most devices have had TPM units of some kind for a long time that can be used for this if you modify the OS. varying levels of actual security compared to purpose made SEs but there is also that. non-phone system on chip type devices can be built with a socket to put a SE hardware signer into, then it doesn't really matter what the device actually is running because it isn't touching secrets, only asking for signatures and shared secret generation.
think like a seed signer with network connection and a usb host socket
solid take on secure elementsβtpm is a solid start for os-modified setups, but purpose-built ses like those in hardware wallets provide superior isolation without exposing keys. sockets for modular signers are key for flex without compromise. see the root announcement:
View quoted note βThanks
@mleku for helping us out. So just to be clear you say this specific remote signer is right now in your opinion the safest way to use nostr? Better than relying let's say on amber or other extension?
i have no idea about this device. i'm just saying that a dedicated hardware nostr signer like the kind that
@semisol is busy developing, combined with a device you can interface it with that runs a nip-46 bunker and offloads signing to the device, it's a universal device, you can use it on everything because its only dependency is being able to connect out to a relay. a good design would have a reasonable 4" screen and the socket for the SE would be integrated into the case. and all it would do is connect to wifi, connect to relays, and wait for requests, and show you QR codes for the connection strings. i think the SE should be a separate dongle for reasons of security and easier storage/concealment of backups.
Alright thank you, so for this specific device I guess we will have to wait then what
@Ben Arc or
@Blake say. Also had no idea that
@semisol is building a signer too. Maybe he also can tell us something about it? π
That's what the signer is, a small bunker device you run yourself and is dumb microcontroller to limit the attack vector
What's up?
Signer is a dumb device that works the same as bunker, apart from you run yourself from your own network.
The real risk is losing your phone or it being compromised by being a multiuse device. The signer keeps your nsec safe and sound from an internet connection you trust, and only does one thing so attack vector is 100x limited.
Thank you Ben. But just to be clear the key itself sits unencrypted on the device? I'm just looking for the most safe way to use my nsec and really not sure what's the way to go at today's stage of development π
currently, yes. but there's work happening to secure the SK on the device.
Thanks, that's good to know. Would you still consider it the safest option at the moment to interact with nostr even when the key is stored unencrypted on the device? Also will the upcoming encryption feature be a software upgrade or will it ne necessary to buy new hardware to make it work?
safest is situation dependent and depends on how you think about security with regard to your nostr private key. for me, running the device at home works well. it's not going to be as secure as using amber at the moment.
i'm using it daily with jumble.social on mobile and desktop and think it's very good.
we're exploring a couple of options for encrypting the keys. it could be a hardware upgrade if we use the tropic square SE, or an alternative would be a software update that does something similar to how the Jade secures keys with a blind oracle. I highly doubt we'll do this though tbh.
they aren't as secure as secure elements but they do block most attacks on accessing the secret
Thank you this is a clear statement. Exactly what I needed to know to make a informed decision π
The ESP32 used by these signers is not a very secure chip. Most MCUs in general including STM32, ESP32, RP2350 etc lack security features.
While most devices use secure elements, they export the key to the insecure MCU once the boot is complete.
This requires an on-SE signing solution. I am currently building the first secure element designed for Nostr and Bitcoin, ensuring your keys never leave the device.
This is based on an EAL6+ chip from a large SE vendor that also protects billions of credit cards and passports.
There are 2 distinct possible use cases:
- A USB stick you can plug into a home server like an Umbrel or a Start9, that provides a secure storage for your keys and a trusted anchor for future use cases, and can allow most actions without review.
- The HWW device I am working on will be able to store and handle Nostr key operations with manual approval for the more sensitive event kinds. This also uses a security-hardened MCU.
Maybe one can simply extend SpecterDIY to handle Nostr keys. With the keys stored on a SmartCard this should be rather secure.
Wow sounds very good. Looking forward to get one.
yeah i want also. lightning and nostr have the UX advantages all over the legacy payment clearinghouse networks and centralised silos. nostr will scale a lot bigger but what people don't realise it's not about the social network it's about collaborative systems.
also, one of the projects i'm collaborating with, similar to the market stuff as well, is replacing stuff like mongo and postgresql and mariadb and app servers with nostr clients and relays. nostr can implement all existing web protocols as well as more that you can't without that small simple base architecture, lacking from most specialised protocols.
being able to replace microservices and solve problems that you can't solve without self-authenticating, atomic, immutable and growing datasets, is where nostr is really gonna kick the big bois in the nuts. i think at 3 years in nostr is now finally reaching the point where people are seeing that this is a model for replacing all existing web tech with a single uniform, simple protocol that lets you do anything on top of it.
Any chance your work could also include VLS support too?
This may be offered as an enterprise product some (long) time in the future
> they export the key to the insecure MCU once the boot is complete
Why would they do that? An SE can sign on-chip which is its very purpose. Can you point me to the code in any open source firmware implementation where that happens?
I don't even believe SEs have functionality to export persistent keys.
Why focus it as enterprise over consumer? Why don't we see more consumer focused VLS products?
They use an authenticated data storage slot.
All of the ones using ATECC series do this. It has data storage slots & a few ECC key slots. Of course itβs P-256 only (not secp256k1) and only supports signing, so you get this.
Same thing with Infineon Optiga based ones which canβt do the required algorithms for Bitcoin but can at least keep more types of keys on SE.
Enterprise customers benefit more from this, are usually easier to work with unlike less experienced average users, B2B workload is inherently simpler than B2C, and they can pay better rates for the service they get.
> This is based on an EAL6+ chip from a large SE vendor that also protects billions of credit cards and passports.
You mentioned the NXP SE050 before which is marketed as an IoT chip ... Nitrokey uses the NXP P5DF081 which is more geared towards smart card use but otherwise not much different.
SmartMX1 (P5 series) is a dinosaur. SmartMx2, the successor, was introduced in about 2010 and it is at P71/SmartMX3 now.
SE050 is similar to the Infineon Optiga ones. Both are better than ATECC.
The problem is there is no SEs supporting Bitcoin algorithms, or content-aware signing (so you can for example block a Request to Vanish event from ever being signed)
Oww #btcfail. Satoshi had to have his funky off-beat curve for no other reason than to be funky.
SE050 does secp256k1 afaik so no excuses there.
BIP-32 and Schnorr not supported without a hack.
The choice of secp256k1 is at least better than the turd that is NIST curves.
Not sure what's so special about Bitcoin algorithms other than the koblitz curve but neither do I care.
As for content aware signing not the role of the SE to my knowledge.
isn't the problem that there is no SE for schnoor at the moment?
It's probably secure *enough*. It's one of those perfect is the enemy of good things.
I hear that the TROPIC02 chip will have on chip secp256k1 signing. Big deal.
But, yes, I largely agree.
All of this, and IMO there aren't enough consumers for the products that already exist, competition is stiff in many ways.
i've not come across this before. i don't quite understand what it actually is after reading the website. is it a full stack open source device with secure storage?
I think it's an abandoned project but the idea was open source hardware down to the VHDL.
But under it all: websockets.
I am currently testing this equipment and so far I am satisfied, with one small drawback π
Overall, this is the best version of this type of device from lnbits π
Why accept βsecure enoughβ when you can have βsecureβ which is very attainable?
I do this because βsecure enoughβ is not enough.
Are they gone? Page says in stock bit when adding to cart is says out of stock π₯Ί I really would like to snag one
We've sold out the first batch with the fancy cases. The store will be restocked early next week.
Thank you!
Keep your Nsecs secured, with this great device created by @BlackCoffee
