The CargoX Platform supports all popular blockchain key types. For simplicity, new users start with a keystore file: an encrypted file paired with a key password, which offers moderate security.
NOTE: Users can of course still log in with their username and password, but in that mode they cannot send documents or initiate any other blockchain-based action.
We strive for the highest level of safety and security for our users, so we periodically encourage them to upgrade their blockchain key to a more secure type. You might have seen this screen and chosen to just snooze the warning for now.
What is the actual danger?
All blockchain key types, with the exception of hardware wallets and the specialized software wallet called MetaMask, are vulnerable to so-called man-in-the-middle attacks. This means that if you, by accident (or as a result of a scam), use your blockchain key to log in on a website that looks similar or even identical to the CargoX Platform but is in fact not, perpetrators can steal your blockchain key. They can then use it to log in to the real CargoX Platform and access your data, steal your documents by transferring ownership of them to a third party, etc.
So, what to upgrade to?
There are several options for storing your blockchain key (private key): a hardware security device (similar to your bank's one-time password generator), a browser security component (similar to certificates), or a password-protected file containing your private key (similar to a username/password combination).
But generally, these options of storing the private key can be sorted into two groups:
- the secure way, by using a hardware wallet, such as Trezor or Ledger.
- the less secure way, by storing the private key of your wallet on your disk. This can be a problem, as the key is more easily lost, stolen or damaged. To simplify management of these keys and make them a bit more secure, you should use MetaMask.
Notice: It's vital that you store your private key properly. Please treat it as a real, physical key. Whoever has access to your private key can essentially do anything on your behalf. Since CargoX does not have access to users' keys, we cannot restore a lost blockchain key.
Notice: You might be interested in reading best practices managing blockchain keys for companies.
Hardware wallets are the most secure way of storing your private key. With a hardware wallet device, your private key never leaves the device, which means that you are safe from all sorts of scams and phishing attempts. It is also the safest way of logging into and using the CargoX Platform.
First, a word of caution: software-only approaches are inherently insecure. Software-only wallets store your private keys on your computer, where they can be stolen, compromised or lost. Use the following methods only if hardware-based wallets are not an option due to various constraints. Make sure you always have an offline backup of your software wallet!
The following software-based logins are supported:
- MetaMask, which provides the most secure way of logging in out of all software-based solutions.
- Keystore (JSON) login, which saves your credentials into an encrypted file locally (default for new users).
- Private key and mnemonic phrase, which enter your "secret" directly into the browser and are not recommended.
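Why a signing wallet (hardware wallet, MetaMask) keeps the key out of a page's reach while a key entered into a page (keystore, private key, mnemonic) does not, as an added sketch that is not CargoX code. `makeWallet`, `makeServer` and `compareExposure` are hypothetical names, the challenge-signing login is an assumed model of the platform, and SHA-256 stands in for the hashing an Ethereum wallet would use.

```javascript
// Added illustration, hypothetical names; SHA-256 is a stand-in for Ethereum hashing.
const crypto = require('node:crypto');
const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });

// Wallet model: the private key stays inside the closure; pages only get signatures.
function makeWallet() {
  const { privateKey, publicKey } = newKey();
  return {
    publicKey,
    sign: (challenge) => crypto.sign('sha256', Buffer.from(challenge), privateKey),
  };
}

// Platform model (assumed): each login needs a signature over a fresh, single-use challenge.
function makeServer(publicKey) {
  const open = new Set();
  return {
    newChallenge() {
      const c = crypto.randomBytes(16).toString('hex');
      open.add(c);
      return c;
    },
    login(challenge, signature) {
      if (!open.delete(challenge)) return false; // unknown or already used
      return crypto.verify('sha256', Buffer.from(challenge), publicKey, signature);
    },
  };
}

function compareExposure() {
  // Case 1: key entered into a page (keystore + password, private key, mnemonic).
  // The page ends up holding the key itself, and the key signs any later challenge.
  const typed = newKey();
  const server1 = makeServer(typed.publicKey);
  const c1 = server1.newChallenge();
  const keyHolderCanLogin = server1.login(c1, crypto.sign('sha256', Buffer.from(c1), typed.privateKey));

  // Case 2: wallet. A page only receives one signature over the text it showed.
  const wallet = makeWallet();
  const server2 = makeServer(wallet.publicKey);
  const capturedSig = wallet.sign('constructed-challenge-from-another-page');
  const capturedSigCanLogin = server2.login(server2.newChallenge(), capturedSig);

  // The owner, with the wallet in hand, signs the fresh challenge and gets in.
  const c3 = server2.newChallenge();
  const ownerCanLogin = server2.login(c3, wallet.sign(c3));
  return { keyHolderCanLogin, capturedSigCanLogin, ownerCanLogin };
}
console.log(compareExposure());
```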
Best practices managing Blockchain keys
How to best manage blockchain keys (private keys) of your company and your employees?
CargoX recommends that users use hardware wallet devices.
Special care should be given to creating a proper backup of these hardware wallets. Follow the instructions of the device manufacturer (which include writing the seed words on a piece of paper and storing it in a sealed envelope in a safe place, like a safe deposit box), as this enables you to later restore your blockchain key to a replacement device (in case of malfunction or damage to the device, a forgotten PIN, an employee losing the device, ...).
The company's information security officer should make sure backups of all hardware wallets are made and locked away in the company's safe deposit box.
While in a perfect world every user would use a hardware device, it is acceptable to use another blockchain key type (such as the default keystore) for users with a limited set of access rights (i.e. limited to creating but not sending (managing) documents, etc.). If such a user loses or misplaces their blockchain key, you can just disable that key.
Similarly, for users with very limited access rights it might be acceptable to let them use only username + password. A password can be reset if they forget or lose it, and if they leave the company you can delete their CargoX account.
All users, even those with very limited permissions, can link a blockchain key to their account later on, when needed.
For department heads and other users who will perform irreversible transactions (like transferring documents, releasing cargo and accomplishing documents, or accepting and activating blockchain keys), CargoX recommends the use of hardware devices as well.
But really, what should I get?
We strongly recommend that you use a hardware wallet device.
Choose Trezor One if you have Chrome or Firefox on your Windows or Mac.
Choose Ledger Nano S if you have the Chrome browser on your Mac (the Windows 10 security mechanism made using Ledger a nuisance due to constant security notification pop-ups, so we do not recommend Ledger for Windows users).
Both devices provide ultimate security and should be your preferred choices. However, both require installation of supporting software which requires administrative rights on your PC/Mac. If you cannot install the software, please get in touch with your system administrator.
If you do not want to wait days to obtain a hardware wallet device, your best way forward is the MetaMask plugin for Chrome/Firefox/Opera. It is also integrated in the Brave browser. MetaMask provides more security than other non-hardware options.
I still don't understand anything.
You can think of your blockchain public address (also called an Ethereum address) as your email address. Although it looks like a bunch of random letters and numbers, it always starts with "0x" (like this one: 0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe).
This is a public address, just as your email address is. Anyone who wants to send you something (email) needs to know it. It is safe to give your public address to anyone, even printing it on your business cards and advertising it on your website. The only downside is that people will now be able to associate your name/company with your blockchain public address.
But in order to read the received emails, forward them or even print them, you need more. You need your username and password. And no one else has these; you keep them secret. Well, in the blockchain world this "secret" is called the blockchain private key. Anyone with access to it can empty your "blockchain account", so guard it as carefully as you guard your bank credentials and email password.
Here you have it - two things to know.
- address (public, you can share it)
- key (private, it's yours only)
Keys are stored in various ways. The default key storage on the CargoX Platform is a keystore file. But a much better way is to store your key in a wallet. A wallet is a hardware device (or a program) that stores your private key and allows interactions with the network in a very secure way that prevents anyone from stealing the key from it.