Farming Flax securely?


Is anyone here farming Flax (one of the chia forks)? How do I do that securely? One option is to install it in a virtual machine, as I am doing now. However, it seems I have to enter my chia private key in order for it to recognize my plots farmed with chia.

Is there another way to farm my chia plots with flax without using my private key?

Thanks for the advice.

Basically no way to prevent sharing keys, either you use the same key for both or you make separate plots for each.

The solution is that you shouldn’t be sending farming rewards to the key you made your plots with. There shouldn’t be a single mojo of any crypto attached to that address, which has to be exposed to the internet 24/7 and is thus by its very nature always vulnerable. That is known as a “hot wallet”, and actually keeping crypto in it is a terrible practice, whether you’re farming any forks or not.

Instead, you should make a cold wallet, transfer any chia you’ve earned to that cold wallet, write down the 24 word mnemonic and the “first receive address” for the cold wallet and then delete the private key from anything electronic anywhere, and then set all farming rewards to go to the cold wallet’s “first receive address”. Then you can share that hot wallet key with any fork in complete safety. Hell, you could post that hot wallet 24 word mnemonic on reddit and there isn’t a damn thing anyone could do with it.

You would always only ever need the one hot wallet that you made your plots with, but each fork (including chia) needs to have its own cold wallet.

The only two disadvantages to a cold wallet are:

  1. you’ll never see any “farmed” balance or crypto appear in the GUI ever again. You’d need to use an explorer like to check your cold wallet balance.
  2. for now, at least, you will need to sync that cold wallet to actually transfer funds out of that wallet (transferring in and checking balances doesn’t require sync). During the period you’re syncing that cold wallet, it is effectively “hot”, and you’d want to delete it again as soon as your transfer out was done. And syncing the cold wallet could take some time. But I believe chia is working on a way where wallet sync will not be required to transfer funds out, so eventually this disadvantage should go away.

OMG. I haven’t farmed anything for weeks and then stopped farming alt-coins.
Of course, I’ve set up different cold addresses as receivers for all rewards.
I did not know about but now I see my different cold wallets are filled with rewards!

Thank you Qwinn

Really nice summary.

Although, I would like to add two things. First is that the cold wallet is not really that cold. The main reason we need to create it is that either our machines are already infected, as such whoever got your initial wallet keys will also have that cold wallet’s keys. Or, assuming that the machine was not infected, the situation will repeat the next time you need to warm it up (you may get infected after you created that wallet, but before you access it the next time). Another reason is your friends/family that have access to that machine / your stuff (the minute someone else has admin rights on that box, it is not that safe anymore).

That said, the second issue is that I don’t understand why I need to use alltheblock, etc., where Chia’s main UI should be able to take your wallet address and show it in a read-only mode. Again, potentially the main reason to be infected is using a browser, so by not having that feature in the Chia UI is basically making that semi-cold wallet rather insecure by forcing people to use a browser to look for such utilities, test something that they don’t quite understand.

Therefore, I would expect more from Chia to make us farmers more secure, not just blame everyone for potentially a lack of experience while doing nothing.

By the way, here is (IMO) a must watch video about how to use a cold wallet:

As long as you just check the transactions and balance of the wallet, there is no problem at all to check it in browser. The only thing someone can do with that info is send you money.

When you want to do a transaction out of the cold wallet, you have to take it out of storage. So then it is hot again.

You should then make a new cold wallet and transfer everything there.

Depends. The browser is the main source of malware, so potentially you should not use it on the full node (or any other box that has access to your keys). And, no I am not talking about just going to a well-known wallet page to check it, but rather stumbling on some typo based page, or going sideways.

And yes, during that check / browsing you are not exposing anything, but if it happened that you downloaded some crap, you may have infected your box, and the next time that box sees your keys (to the old cold wallet or the new one) it will take them all.

In any case, this point would be moot, if Chia UI supported read-only wallets (based on address not keys).

That is not true. There is no magic around taking your wallet out of the cold storage, or creating a new one. The only reason to create a new wallet is that you assume that your box was infected when you warmed up that wallet. If that is the case, you can also assume that whatever took your keys at that point will also take your keys when you create a new wallet, so actually both will be compromised.

I guess, the point I am trying to make is that you should not use your main box to manipulate your keys, as potentially that box is at greatest risk. When you dedicate a box to a full node, and refrain from opening any ports, and using browser, or other “cool” software, you make that box a bit more secure. The bottom line is that warming up your cold wallet is as safe / unsafe as creating a new one to replace the old one - in both cases any key logger will grab them all.

I think we have different views on what a cold wallet is.

A real cold wallet is created on a clean machine not connected to any network.

You write down the seed phrase and wallet address. After that you either keep that machine offline, or just wipe the system clean.

You can use the wallet address on any other computer, even public ones to check your balance.

As soon as you connect a computer that has the private keys installed on it to a network, it is now a hot wallet.

Do I use that level of security for my couple of XCH? Atm, no. But like the story of the guy who had his 250 XCH stolen, above is the only way to stay safe.
Keeping your seed phrase safe is another matter of offline security. Two things to consider:

  • fire
  • burglary

We are more or less in agreement.

What I am saying is that if you believe that such machine is clean, then use that machine to make your transaction, and you don’t need to create a new cold wallet. There is nothing special either in creating a transaction or creating / warming up a wallet.

For instance, if you keep that machine powered off (as you suggested), you can just power it on for that one transaction, and that is exactly the same as you would create a new wallet. All should be good to some extent.

You don’t need to do that, as you can just wipe out the keys from that box (as outlined in that video), and there is no way in hell to access your cold wallet.

Again, if you are worrying that such “clean” box will be infected, and you need to do those extra steps, you are assuming that the malware is going to take some time to deliberate whether to take over your wallet or not.

As all that is automated (capturing your keys, taking over your wallet) you cannot assume that you will have time to create a new machine, create new wallet, remove keys, and be happy.

The issue is not so much a clean machine, as such thing doesn’t really exist, but rather an ounce of prevention to keep your network safe (what is not that easy, we agree on that as well), and to keep your “clean” machine off of your mundane tasks (browsing, installing extra software). Just make it Chia only box, install some AV, and that is basically all what you can do. Assuming that when your network is infested, but you can create a clean machine is unfortunately false security.

I would also add “incapacitated”

Yes we do agree mostly.

My point is more to the definition of a cold wallet
A cold wallet is offline, and stays offline.

What you are describing is a second chia wallet on a different computer.

It’s just that there is no point in calling a wallet that is connected via an active internet connection “cold”.

Yes, that’s a good addition indeed.

This is very good advice but there is one thing that isn’t quite correct.

If you posted the 24 word mnemonic on reddit or whatever, other people could install the client, add your key and generally f*ck up your NFTs and settings and make trouble for you. Not necessarily steal your coins, sure.

Cold wallets make sense. VM software and trial OSes are free. Using them to secure your crypto is just good sense.

Can you provide me with some sources that support this statement?

More or less, the only point that I was trying to make is that on an infected network, there is no such thing as “offline.” That’s it.

You need to:

  1. Download the OS ISO somewhere, or purchase a new computer somewhere
  2. Create the OS USB stick somewhere
  3. Connect the new cold machine to the network, to let the Chia network know that the new wallet was created

If you are on an infected home network, during those three points you are potentially being exposed. It just depends on the infection level of your network, and sophistication of the malware.

Potentially, for people like you and me, the risk is next to none. However, that may not be the case for the majority of people.

And I feel sorry for the guy who lost that 250 XCH, as much as for any other person that lost their XCH. However, for that 250 XCH guy, if that was not a friendly human, then I would assume that he has a trojan screen sharing crap installed on his computer(s). I doubt that at least for now, any malware that goes after Chia is that sophisticated to break potentially rudimentary steps to prevent such things.

It used to be that you were infected by floppies, etc. Right now, virtually everything comes from the network. My take on those connections is:

  1. Your Internet connection - your router may/may not be able to protect you here, although being on a hot-spot connection makes you open, of course, firewalls help, as long as you understand what they are for, and how to manage them
  2. Browser - either visiting unsafe websites, or a corollary - downloading infected “cool” software from websites that seem “clean”
  3. Your email - checking out unsafe ones
  4. Your samba, etc. home network (e.g., from your laptop to your desktop / cold machine)

Whether you want to do another split based on the type of the malware (virus, trojan, script, …) is rather irrelevant.

Feel free to add more, and do more research on any other potential sources.

Again, the point is not to debate the security risks among those that are somehow security conscious, but rather to not spread false procedures for those that are not able to evaluate them, and thus are most likely unable or maybe unwilling to check their home networks. And that is potentially the majority of people (e.g., that 250 XCH guy).

Yes, agreed, I think you summarized it quite well there.

Only this step is not needed, you can just create a wallet offline and use the address. No need to communicate with the blockchain until you want to send an outgoing transaction.

No one argues with that. Those are all good points.

On the other hand, if the home network is compromised, those things are just false security steps that may or may not help. The basics (clean network) need to be done first. That’s all.

I really don’t know how the wallet is created; therefore I assumed that the Chia client needs to let the blockchain know about it.

If what you said is true, then I should be able to xfr XCH to a wallet address 12345, and such wallet should be created on the blockchain during the xfr time. That implies, that no xfr to a badly formatted address would fail (and I saw people writing that it doesn’t work). What it means, that if you just mistyped that address, you don’t have keys to such garbled address anymore, so everything that you xfred there is lost. I really don’t know what are the mechanics of wallet creation.

Although, assuming that you can do it as you described, means that Chia client software has the Chia public key to properly format such address, and Chia network has the private key to read it. If that is the case, who is safeguarding the private key?

Anyway, I have no doubt that you are right. So, my take is that as long as you don’t have network connection on that clean box, you should be able to safely reuse it the next time you need to create a new wallet.

However, I would still be cautious, when comparing a non-connected stand-alone box to a VM hosted on a compromised and connected one.

Lastly, I would also like to stress that when we make that transaction on that non-safe box, our mileage may vary, as we operate at typing speeds, where malware runs at the full CPU speed.

Well here’s the kinda weird thing. Private keys and their addresses are randomly generated and not reported or checked to/by the blockchain. Theoretically you could generate the private keys that give you access to the pre-mine right now. However the chance to generate the same keys twice is so infinitesimally small as to be actually impossible. (not even with the supercomputer from Hitchhikers guide to the Galaxy)

So yes, you can send XCH to any valid random address, even if no one has generated those private keys yet. This would basically mean destroying those coins as no one would ever be able to get those private keys.

I don’t pretend to understand how exactly this works, I’m no cryptographer, but I’m quite sure this is at least the result of it.

1 Like

Cool, thank you! @Voodoo. I am always happy to learn something new.

1 Like

Thank you all for the input. I think that I have another way to use a cold wallet (or potentially just duplicated what someone with more Chia experience already published).

However, before going there, let me clarify what we are aiming for. To create a new wallet, we need a machine that needs to be disconnected in a broad sense. I guess, that’s the only requirement. We cannot require a non-compromised machine, as most of us don’t have enough experience.

Here are my steps.

  1. Download Ubuntu installer and create a USB installation stick
  2. Download Chia installer, and copy it to say /chia folder on that USB stick
  3. Use a box that doesn’t have any active connections
    a. remove Ethernet cable
    b. kill WiFi (temporary disable it on your router)
    c. …
  4. Boot from the USB stick, and use “Try It” option (don’t install it on that box)
  5. Run Chia installer
  6. Create your new wallet, copy keys/address in a normal way (paper, whatever you feel comfortable)
  7. Shut down that box
  8. Remove that USB stick, and keep it with your paper info

In case you need to create a new wallet, just use the same USB stick, and again use Try It option. You will need to install Chia again, as whatever you install is placed in RAM, so goes away when you shut down that box.

We have to assume that the machine on which we will create that USB stick is compromised, as such the installation stick may have malware. We also have to assume that the box we will be using to create a new wallet is compromised, although we will not run that box OS during the wallet creation.

The only potential threat that I can see is that the malware on the USB stick will also run when we use Try It option and try all possible ways to store our keys. It will try to save those keys somewhere (writable drives that are in the box, or somewhere on the motherboard). So, yes if someone will require more safety, it would be good to just disconnect the original drives. We would also assume that the malware would need to be really sophisticated to save those keys on the motherboard, so likelihood of that is small (for some time). If you still feel unsafe, such box should be used only for that Ubuntu USB drive, but then you may just want to install OS on it, and keep it powered off (the original suggestion).

The advantage of this method is that we can store that USB drive together with the paper with those keys, and reuse it when needed. The potential threat to capture and store those keys during wallet creation are rather small. If we feel safe (I do), we can use it on any box we have at home (compromised or not - the original OS will not run, so that part of malware will not be active). So, basically it is the same, or close to the “perfect” solution promoted in those how-to writeups. On the other hand, it is much more secure than using VMs, as we don’t have two live and potentially cooperating compromised systems. In addition, it is much easier to use such stick (e.g., for novices / grandmas), than deal with VMs. I do use VMs (actually a bit), and would not feel comfortable using that method.

If you see any other holes, or how that could be improved, please do it, as in my opinion, that may be the easiest method for those less experienced that mix technical religion with practical steps and cannot tell the difference