Overview
During the creation of your wallet, your keys will be generated on a Keycard.
An example of the Keycard can be found at the bottom of this page.
The Levain multi-signature wallet follows a 2-of-3 model:
Key 1: Controlled by both Levain and institution
Key 2: Controlled by institution
Key 3: Controlled by Levain
| Key 1 | Key 1 | Encrypted password | Key 2 | Key 3 | Spend |
Controlled | Levain | Institution | Institution | Institution | Levain |
|
Storage | π¦ | π | π | π | π¦ |
|
Access to all items | β | β | β | β | β | β |
Access to all institution-controlled items | β | β | β | β | β | β |
Lost 1 key Access to Levain | β | β | β | β | β | β |
Lost 1 key No access to Levain | β | β | β | β | β | β |
Lost 1 key + encrypted password Access to Levain | β | β | β | β | β | β |
Lost 2 keys Access to Levain | β | β | β | β | β | β |
Lost 2 keys No access to Levain | β | β | β | β | β | β |
Lost 2 keys + encrypted password Access to Levain | β | β | β | β | β | β |
Lost 3 keys Access to Levain | β | β | β | β | β | β |
Lost 3 keys No access to Levain | β | β | β | β | β | β |
Legend:
π¦ Key stored in Levain's Amazon Web Services (AWS) Hardware Security Module (HSM)
π Key backed up safely on paper
π Key (password-protected) held on Levain servers, where institutions have a separate password not known to Levain
The Keycard is therefore made up of the following components:
Key 1 - Main Private Key: This is your main private key, which has been encrypted using your wallet password. This private key is stored with Levain on Levain's AWS HSM; however, Levain has no knowledge of, nor access to, the private key.
Key 2 - Backup Private Key: This is your backup private key which has been encrypted using your wallet password.
Key 3 - Public Key: This is the public part of the key that Levain will use to co-sign transactions with you.
Activation Code: This is the 8-digit activation code which you will need during the creation of your Wallet.
Encrypted Wallet Password: This is your wallet password which has been encrypted on the client-side with a key held by Levain.
Keycard Storage
When generating a wallet via Levain, you will be prompted to download a keycard from your browser. Take note of the following best practices to store your keycard securely:
Download your keycard directly to a USB device:
As an added layer of security, it is recommended that you use an encrypted USB flash drive for this purpose.
Once you have downloaded your keycard, immediately disconnect your flash drive from your device.
Connect your USB device to a printer and print the keycard:
Follow your printer manufacturer's instructions to perform this step.
Clear your printer memory once your keycard is printed.
For durability, laminate your printed keycard: To further protect your keycard from water damage, store it in a sealed plastic bag.
Use a mobile device that is not connected to the Internet to scan your keycard's QR codes: Ensure that the mobile device is equipped with QR scanning functionality. The contents should match the QR code data printed on your keycard.
Store your keycard in a secure, robust safe: Your safe should ideally be reinforced with fire and theft protection capabilities.
Save a backup copy of your keycard in an encrypted USB device: This USB device should only be deployed as a backup as USB devices are subject to loss and even operational failure.
To further mitigate your keycard's susceptibility to security compromises, avoid the following practices:
Recording your keycard's details in online platforms (such as Google Drive, email inboxes, or any cloud storage service).
Taking photos or making digital copies of your keycard.
Informing unauthorized personnel about your keycard's location and how it is secured.
Sharing sensitive information such as your passphrase, keycard, and login credentials with unauthorized personnel.
Disseminating your credentials to external wallet-hosting services.
KeyCard Sample
A sample of the Levain KeyCard can be found below.