The Chia Plot

Wallet Security

One of the downsides of the Chia protocol, from a security perspective, is the need to have a Full Node online while harvesting with open connections from the internet on port 8444. In the default installation the wallet you choose, your harvester, your full node and your plotter are all on the same machine exposed to the internet. The most significant risk to this setup is your Chia Wallet once you have farmed blocks and are holding funds.

Before you start making changes to your setup, please read our guide on threat modelling here, as what you do with each wallet will determine how you secure it.

Active Farming Wallet

The wallet you have connected to the Chia Network is your Active Farming Wallet, and this wallet is at the most risk of loss of funds, either from direct attack, because this wallet is connected to the internet, or via malware on your farming machine that steals your keys.

The best way to mitigate this risk is what is referred to as a “cold wallet”, or a “transaction wallet” depending on how often you will need to access your XCH. A cold wallet is a wallet set up on another computer, not directly internet facing, where you are not farming or harvesting. A transaction wallet will be similar, but likely installed to a computer with access to your full node so you can send XCH from it in short order. You then use the Farming Rewards settings panel to add the Receive Address from your cold wallet into both the Farmer Reward Address AND the Pool Reward Address of your Harvester.

This will mitigate the primary threat to your Active Farming Wallet, as, if properly set up, you should never have Chia held in this wallet to steal.

The next set of threats are going to be general threats from running new software, directly connected to the internet with inbound access. This is inherently dangerous, as all software eventually will have bugs so you will want to do everything you can to reduce the impact of such a compromise. We are going to explore network and system security separately and in great detail in the days and weeks to come, but the following quick suggestions should help a lot.

The first is a separate network, if possible. If you have business class networking, or a managed switch and advanced router, you should strongly consider running your full node and harvester on separate VLANs, both without direct network connectivity back to your main network. This will ensure that a compromise only takes out your full node or worst case your farming setup, and doesn’t impact the rest of your network. With any new software using inbound connectivity there is an inherent risk to everything else on that network. You should follow our guide here on how to configure a properly segmented farming network.

The second is a firewall. Do not put your harvester into a DMZ or expose any ports other than 8444 to the Full Node. If possible don’t even expose 8444 to your full node directly, but use a TCP reverse proxy, like HAProxy or an F5 load balancer, to proxy traffic on 8444 from your network device back to your full node. Do not expose any additional ports to the internet for any other nodes or services. Do not allow full network connectivity from your wallet, harvesters or plotters to your Full Node, or vice versa. This will ensure that the compromise of any one part does not bring down the rest.

If you are using Windows, do not under any circumstances disable the Windows Defender Firewall. It is important for a number of networking purposes, but it is also your last line of defense in the face of compromise. You should ensure that only 8444 is accessible outside your network and that any open rules are limited to your local subnets. Do not allow SMB traffic from Anywhere under any circumstances, even if you do not have 445 forwarded to your machine.

The next critical part will be antivirus. This is a more difficult proposition on Linux, but arguably less important especially if you never use your nodes for anything but their primary purpose in your Chia Farm. But for Windows using the full Chia application with ports opened back to your machine it is vitally important that you do not disable any Windows Defender settings, and that you do not blanket exclude your Chia folders from Windows Defender scanning. You are safe to exclude .tmp and .plot files from Windows Defender to maximize plotting performance and keep latencies low on plot filter proof checks, but you should always ensure that Windows Defender is up to date and running reliably.
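As an added example, not from The Chia Plot or the Chia project, the following PowerShell script audits a Windows full-node host against the firewall and Defender advice above: it flags inbound rules other than 8444 that are open to Any, SMB reachable from outside, disabled firewall profiles, disabled or stale Defender protection, and path exclusions covering Chia folders. Port 8444 comes from the text; the local subnet, the three-day signature-age threshold and the folder-name match are assumptions to edit.

```powershell
# Constructed audit script (not the project's own tooling). Run in an elevated
# PowerShell on the Windows full-node machine. Findings are advisory: review
# each one rather than deleting rules blindly.
$FarmPort     = 8444                      # the only port the text allows inbound
$LocalSubnets = @('192.168.1.0/24')       # ASSUMPTION: replace with your LAN(s)
$MaxSigAgeDays = 3                        # ASSUMPTION: tolerated signature age

$findings = New-Object System.Collections.Generic.List[string]

# 1. Firewall profiles: the text says never disable Windows Defender Firewall.
foreach ($profile in Get-NetFirewallProfile) {
    if (-not $profile.Enabled) {
        $findings.Add("Firewall profile '$($profile.Name)' is disabled")
    }
}

# 2. Enabled inbound Allow rules: what do they open, and to whom?
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
foreach ($rule in $rules) {
    $ports  = @(($rule | Get-NetFirewallPortFilter).LocalPort)
    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    $openToAny = ($remote.Count -eq 0) -or ($remote -contains 'Any')

    # Only 8444 should be reachable from outside the local subnets.
    if ($openToAny -and -not ($ports -contains "$FarmPort")) {
        $findings.Add("Rule '$($rule.DisplayName)' allows port(s) $($ports -join ',') from Any")
    }
    # SMB/445 must never be open to Anywhere, forwarded or not.
    if ($openToAny -and ($ports -contains '445')) {
        $findings.Add("Rule '$($rule.DisplayName)' exposes SMB/445 to Any; restrict RemoteAddress to $($LocalSubnets -join ',')")
    }
}

# 3. Defender: running, current, and not blanket-excluding the Chia folders.
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled)          { $findings.Add('Defender antivirus is disabled') }
if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }
if ($status.AntivirusSignatureAge -gt $MaxSigAgeDays) {
    $findings.Add("Defender signatures are $($status.AntivirusSignatureAge) days old")
}
$pref = Get-MpPreference
# Extension exclusions (.plot/.tmp) are acceptable per the text; folder exclusions are not.
foreach ($path in @($pref.ExclusionPath)) {
    if ($path -and $path -match 'chia') {   # ASSUMPTION: Chia folders contain 'chia' in the path
        $findings.Add("Defender path exclusion covers a Chia folder: $path")
    }
}

if ($findings.Count -eq 0) { Write-Host 'No findings: host matches the guidance above.' }
else { $findings | ForEach-Object { Write-Host "FINDING: $_" } }
```

The built-in Core Networking rules that allow ICMP from Any will appear as findings; decide for each whether it is needed on a farming host.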

The mnemonic to this wallet should be kept safely, but accessible, preferably in an encrypted cloud storage container like OneDrive Personal Vault or a DropBox/Box encryption tool like BoxCryptor. The key drivers for this wallet will be Integrity and Availability, as without the mnemonic or private keys all your plots will be useless and you will not be able to farm them. The risk of compromise of this wallet will be relatively low, as no funds should ever be deposited here, but you obviously want to be careful and not expose it somewhere else. Do not store any reference to this mnemonic on your Full Node machine, and do not install the keys to this wallet onto computers that you use daily.

Cold Storage Wallet

As discussed in the threat model section, the cold wallet is a wallet that should never be accessed and is used for long term storage. This wallet should not be used other than to generate a receive address. If you are only farming to hold XCH and not planning on moving any into an exchange wallet for trading or planning on spending any then you should have your farming rewards set to directly deposit into your cold wallet.

The mnemonic for this wallet should be extremely difficult to access, as it is similar to a retirement fund or long term savings account. The keys should not be installed on any machines, the mnemonic should not be kept as text or as a screenshot on any computers or in a cloud storage provider. You should remove the keys from the machine used to create the wallet immediately after testing and confirming the wallet is functional and store the keys somewhere for long term safety like an insurance policy.

The recommendation from The Chia Plot and the community, and following best practice security standards, would be to store one physical copy in a fireproof safe with important on-site papers and one copy in your bank’s safety deposit box for long term disaster storage. Ensure you have two copies at least. Ensure they are not accessible by anyone but you and those you designate.

Transaction Wallet

The transaction wallet is going to be the trickiest to recommend, and to secure. You will need to provide your own threat model based on your specific use cases and how often you will need to utilize your transaction wallet. A good security practice is to ensure that this wallet is never installed on your farming machines and has no connection to either your Active Farming Wallet or your Cold Storage Wallet. In order to use this wallet for transactions it will need to sync to your Full Node, so it does need network connectivity to the farming infrastructure, but only when you are initiating a transaction.

If you are regularly making XCH transactions in and out of your wallet, you should have your Farming setup configured to deposit farming rewards into this wallet, and transfer your savings into your Cold Storage Wallet as quickly as you can manage to minimize your exposure. This wallet will always be at greatest risk to loss, and if you are using it you should try to keep as few XCH held here as possible.

Do not install this wallet to multiple machines for ease of access, and ensure that any computers that it is installed to are not regularly used in a risky fashion and do not have inbound connectivity from the internet. To ensure privacy, regularly change your Receive Address so that the block explorer does not show your address with high levels of inbound activity. The recommendation here is to generate a new receive address for every reward you earn and constantly change that, as well as between major transactions. One of the advantages to Chia is the Hierarchical Deterministic Wallets (HD Wallets) which allow for nearly infinite public keys for each private key and you should use this to your advantage by rotating regularly.

To protect the keys for this wallet you will need to ensure that the mnemonic is highly secure, but you will need reliable access to it if you are using it regularly. The recommendation here is to keep the mnemonic in a cloud storage provider’s most secure storage, again OneDrive Personal Vault or encrypted folders on another major cloud provider, but also to use a file-level encryption program (as simple as an encrypted zip file) with a high entropy passphrase you have memorized or contained in a password manager as an additional layer of protection. This will allow for relatively quick access to your funds should you lose your wallet computer, but will minimize the risk of loss of your funds if your cloud storage account becomes compromised. As with all things, always configure Multi Factor Authentication and avoid SMS notifications when dealing with accounts that have any intersection with your finances.

Exchange Wallets

Right now not enough is known about how Cryptocurrency trading exchanges will operate Chia wallets, and how to best secure them. The general advice will be to ensure that MFA is configured on all accounts and to minimize the funds stored in these exchanges to the minimum of what you need to trade. Do not use these accounts as long term storage, as the last decade is littered with cautionary tales of exchange problems leading to massive losses for those invested at that exchange. These should be treated as Transaction Wallets where you have even less control over the security and that can largely be accessed anonymously from anywhere. Do not trust them, even if they are trustworthy.

In the coming weeks more information will become known about how Exchanges are operating, and if any additional security requirements will be uncovered for pooled farming and we will address those here.

©2021 The Chia Plot - Donate XCH / MRMT / SBX @ xch1p4440d6zwu9ryta2vx073lq2ge3s29d37kskz6t34jp085e8srjqnk0gcr