Privacy is a fundamental human right. At Tangram, we know that the battle has only just begun. To protect your privacy we need to enable the individual. We need security that is not only built for financial institutions, governments and multinational corporations, but also yields zero-risk and zero-compromise solutions for the everyday individual.
If a system you use compromises on the level of security it implements, your privacy is at risk. Tangram will always strive to ensure that its software modules are developed and provided on Tangrams privacy-focused ledger. Our mission is to create the most private distributed ledger; therefore we need to build the most secure wallet. These go hand in hand in the long-term, which is why Tangram has chosen to build an enterprise-grade wallet — and put it in your hands.
Today’s release of Tangram CLi wallet marks the release of the first tool in what we believe is an incredible toolbox for all privacy and security aware individuals, developers and businesses. We’re building a future for privacy by providing a secure platform for you to keep your data and information safe from prying eyes.
Introduction to HashiCorp Vault Enterprise
First and foremost this release is intended to be an introduction and by no means production ready and is the first of many releases. We’re looking for a high success rate in first time installation and prior to network launch (main-net) we’ll ensure the more obvious nuances are ironed out and a cross platform build is seamless.
Tangram CLi wallet uses HashiCorp’s Vault Enterprise which is completely free and open source to manage, secure and control your keys and data. HashiCorp Vault Enterprise is also Federal Information Processing Standard (FIPS) 140–2 Compliant.
See more here — https://www.hashicorp.com/vault-compliance
Some of the features of Vault Enterprise features are currently integrated in v0.8, and further development, integration and publishing of the full feature set will allow you to manage your wallet the way you want.
Vault Enterprise Feature Set
- Secure storage
- Key Rolling
- Credential leasing & revocation
- Detailed Audit Logs
- Secure Plugins
- Access control policies
- Encryption as a service
- UI with cluster management
- Init and unseal workflow
- Identities (Entities + Groups)
- Vault Agent
- ACL Templates
v0.8 Features (CLi wallet)
One of the reasons for choosing Vault is that it is open source, with a rich feature list. Vault has all the basic features you’d expect from a secret manager, but also some novel features that we believe will modernize the space and extend the boundary for decentralised excellence.
Current features in CLi wallet:
- Secure secret storage: Arbitrary key/value secrets are stored in .tangramcli. These secrets are encrypted prior to being written to persistent storage, so gaining access to the raw storage isn’t enough to access your secrets. Vault can write to disk.
- Leasing and renewal: All secrets in Vault have a ‘lease’ associated with it. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in APIs.
$ vault read secret/foo Key Value lease_id secret/foo/9c5f3cf1–1239–0160–4311-d6544fd1018c lease_duration 2592000 value bar
$ vault delete secret/foo Success! Deleted ‘secret/foo’
When you read a secret, Vault returns the data you wrote along with leasing information. Leasing is a core, critical part of Vault. Every secret in Vault must have a lease.
The lease tells a consumer of a secret that the secret is guaranteed to remain valid for that lease period, but past the lease period, there is no guarantee the secret will still function. This forces clients to renew the lease periodically, where Vault can record this in the audit log and can use this opportunity to potentially deny lease renewal as well.
When writing secrets manually, revocation of secrets past the leasing period is also manual. However, Vault also supports dynamic secrets that have automatic revocation.
One of the many reasons for choosing Vault as a technology is because of its seriousness in security and its use of industry best practices for secret management.
Data stored and key used to encrypt the data uses 256-bit AES in GCM mode with randomly generated nonce. The encryption happens in-memory prior to being sent to the backend storage driver, the storage never sees the unencrypted value. No software or firmware can read them directly; they can see only the results of encryption or decryption operations performed.
This is known as the master key. The encrypted encryption key is stored in the backend storage. The master key is then split using Shamir’s Secret Sharing.
Vault also has the ability to initialise Using PGP, GPG, and Keybase as an additional layer of security when performing certain operations. One of the many native features we’ll be adding in the future.
In addition, the initial release of Tangram CLi wallet v1.0 will be open to the general community for testing and review. We will be reaching out specifically to security teams at companies as well as individuals with a specialisation or background in security to help review and audit Tangram CLi wallet at a certain point and version prior to the Tangram network release.
Note on Hardware Security Modules (HMS) integration
Hardware security module (HSM) is a hardware device that is meant to tightly secure various secrets using protections against access and tampering at both the software and hardware layers for applications, systems and infrastructure. In our case, your wallet, nodes and computer in which they run on, through to the applications you build.
Something as simple and cost effective such as the Yubikey (YubiHSM 2): https://www.yubico.com/products/yubihsm/
Any hardware security module that supports PKCS#11 would be possible to integrate with Tangram CLi wallet and further control access to your secrets across the Tangram ecosystem in the future.
Development of the CLi wallet has just begun and from here on out we will continue to improve and integrate features, security and UX (user experience). A much more complete and ambitious roadmap will be released after mainnet. The current roadmap is as follows:
v0.8.1 / v2.0
- All necessary operations and outputs to be generated client side
V0.8.2 / v2.1
- Offline wallet creation and transactions
- API calls with HTTP over TLS
V0.8.3 / v3.0
- Basic (UI) cross platform desktop app
Security is vital when it comes to any tool in Tangrams ecosystem. CLi wallet will undergo multiple independent audits prior to launching with the Tangram network.
Note: v0.8 is ONLY an introduction of CLi wallet to all community members, and further development will be made in 0.8.1 and 0.8.2. These releases will occur in a closed beta and sign-ups will begin just after the security audit has concluded. Please do not build on the current repository as it WILL change.
If you have any questions or suggestions about CLi wallet, please feel free to reach out in the #cli-discussion channel on Discord.
Ease of use and access to documentation are fundamental policies we will undertake to achieve. To this end, please find the documentation link below which will walk you through the CLi wallet setup and use.
As this is the initial release, we will be capturing any questions in order to improve the documentation. This will ensure that newcomers to the community are able to promptly solve any issues they may have.
Documentation will be built moving forward for not only the CLi wallet but for all software in the Tangram ecosystem.
Note: Installation may not be successful for all users. This will vary depending on your setup and configuration of your computer. This is an introduction to the Tangram CLi wallet. Prior to main-net release we will ensure that the installation is seam-less for all platforms.
Tangram CLi Documentation
Start here to install Tangram CLi wallet
FAQs will be updated periodically based on discussions and questions we come across. Before release, Tangram Documentation will be synced with Github in order for anyone to collaborate!
Tangram CLi Wallet Github
Source code — Github
Tangram builds solutions for privacy and security in the digital age. There will never be an instance where Tangram takes shortcuts on the process, the analysis, and the technologies we select and utilise.
If you’re interested to know more about Tangram:
Visit our website: www.tangrams.io
Read our blog: www.medium.com/@tangramd
Subscribe on Reddit: www.reddit.com/r/Tangrams
Discover us on Discord: www.discord.tangrams.io
Message us on Telegram: https://t.me/Tangrams
Follow us on Twitter: www.twitter.com/tangram