Image for post
Image for post

Enterprise Grade Wallet — Built for You

Oct 17, 2018 · 7 min read

Privacy is a fundamental human right. At Tangram, we know that the battle has only just begun. To protect your privacy we need to enable the individual. We need security that is not only built for financial institutions, governments and multinational corporations, but also yields zero-risk and zero-compromise solutions for the everyday individual.

If a system you use compromises on the level of security it implements, your privacy is at risk. Tangram will always strive to ensure that its software modules are developed and provided on Tangrams privacy-focused ledger. Our mission is to create the most private distributed ledger; therefore we need to build the most secure wallet. These go hand in hand in the long-term, which is why Tangram has chosen to build an enterprise-grade wallet — and put it in your hands.

Today’s release of Tangram CLi wallet marks the release of the first tool in what we believe is an incredible toolbox for all privacy and security aware individuals, developers and businesses. We’re building a future for privacy by providing a secure platform for you to keep your data and information safe from prying eyes.

Introduction to HashiCorp Vault Enterprise

Image for post
Image for post

First and foremost this release is intended to be an introduction and by no means production ready and is the first of many releases. We’re looking for a high success rate in first time installation and prior to network launch (main-net) we’ll ensure the more obvious nuances are ironed out and a cross platform build is seamless.

Tangram CLi wallet uses HashiCorp’s Vault Enterprise which is completely free and open source to manage, secure and control your keys and data. HashiCorp Vault Enterprise is also Federal Information Processing Standard (FIPS) 140–2 Compliant.

See more here

Some of the features of Vault Enterprise features are currently integrated in v0.8, and further development, integration and publishing of the full feature set will allow you to manage your wallet the way you want.

Vault Enterprise Feature Set

  • Secure storage
  • Key Rolling
  • Credential leasing & revocation
  • Detailed Audit Logs
  • Secure Plugins
  • Access control policies
  • Encryption as a service
  • UI with cluster management
  • Init and unseal workflow
  • Identities (Entities + Groups)
  • Vault Agent
  • ACL Templates

v0.8 Features (CLi wallet)

One of the reasons for choosing Vault is that it is open source, with a rich feature list. Vault has all the basic features you’d expect from a secret manager, but also some novel features that we believe will modernize the space and extend the boundary for decentralised excellence.

Current features in CLi wallet:

  • Secure secret storage: Arbitrary key/value secrets are stored in .tangramcli. These secrets are encrypted prior to being written to persistent storage, so gaining access to the raw storage isn’t enough to access your secrets. Vault can write to disk.
  • Leasing and renewal: All secrets in Vault have a ‘lease’ associated with it. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in APIs.
  • Revocation

$ vault read secret/foo Key Value lease_id secret/foo/9c5f3cf1–1239–0160–4311-d6544fd1018c lease_duration 2592000 value bar

$ vault delete secret/foo Success! Deleted ‘secret/foo’

When you read a secret, Vault returns the data you wrote along with leasing information. Leasing is a core, critical part of Vault. Every secret in Vault must have a lease.

The lease tells a consumer of a secret that the secret is guaranteed to remain valid for that lease period, but past the lease period, there is no guarantee the secret will still function. This forces clients to renew the lease periodically, where Vault can record this in the audit log and can use this opportunity to potentially deny lease renewal as well.

When writing secrets manually, revocation of secrets past the leasing period is also manual. However, Vault also supports dynamic secrets that have automatic revocation.


This is just a brief overview of the security of Vault. For a full explanation, see the pages on the Vault security model and Vault architecture.

One of the many reasons for choosing Vault as a technology is because of its seriousness in security and its use of industry best practices for secret management.

Data stored and key used to encrypt the data uses 256-bit AES in GCM mode with randomly generated nonce. The encryption happens in-memory prior to being sent to the backend storage driver, the storage never sees the unencrypted value. No software or firmware can read them directly; they can see only the results of encryption or decryption operations performed.

This is known as the master key. The encrypted encryption key is stored in the backend storage. The master key is then split using Shamir’s Secret Sharing.

Image for post
Image for post
Example — Protecting your Encryption Key with a Master Key, then splitting the Master Key into ’n’ shares.

Vault also has the ability to initialise Using PGP, GPG, and Keybase as an additional layer of security when performing certain operations. One of the many native features we’ll be adding in the future.

In addition, the initial release of Tangram CLi wallet v1.0 will be open to the general community for testing and review. We will be reaching out specifically to security teams at companies as well as individuals with a specialisation or background in security to help review and audit Tangram CLi wallet at a certain point and version prior to the Tangram network release.

Note on Hardware Security Modules (HMS) integration

Hardware security module (HSM) is a hardware device that is meant to tightly secure various secrets using protections against access and tampering at both the software and hardware layers for applications, systems and infrastructure. In our case, your wallet, nodes and computer in which they run on, through to the applications you build.

Something as simple and cost effective such as the Yubikey (YubiHSM 2):

Any hardware security module that supports PKCS#11 would be possible to integrate with Tangram CLi wallet and further control access to your secrets across the Tangram ecosystem in the future.


Development of the CLi wallet has just begun and from here on out we will continue to improve and integrate features, security and UX (user experience). A much more complete and ambitious roadmap will be released after mainnet. The current roadmap is as follows:

v0.8.1 / v2.0

  • All necessary operations and outputs to be generated client side

V0.8.2 / v2.1

  • Offline wallet creation and transactions
  • API calls with HTTP over TLS

V0.8.3 / v3.0

  • Basic (UI) cross platform desktop app

Security Audit

Security is vital when it comes to any tool in Tangrams ecosystem. CLi wallet will undergo multiple independent audits prior to launching with the Tangram network.

Note: v0.8 is ONLY an introduction of CLi wallet to all community members, and further development will be made in 0.8.1 and 0.8.2. These releases will occur in a closed beta and sign-ups will begin just after the security audit has concluded. Please do not build on the current repository as it WILL change.

If you have any questions or suggestions about CLi wallet, please feel free to reach out in the #cli-discussion channel on Discord.

Getting Started

Ease of use and access to documentation are fundamental policies we will undertake to achieve. To this end, please find the documentation link below which will walk you through the CLi wallet setup and use.

As this is the initial release, we will be capturing any questions in order to improve the documentation. This will ensure that newcomers to the community are able to promptly solve any issues they may have.

Documentation will be built moving forward for not only the CLi wallet but for all software in the Tangram ecosystem.

Note: Installation may not be successful for all users. This will vary depending on your setup and configuration of your computer. This is an introduction to the Tangram CLi wallet. Prior to main-net release we will ensure that the installation is seam-less for all platforms.

Tangram CLi Documentation

Start here to install Tangram CLi wallet

FAQs will be updated periodically based on discussions and questions we come across. Before release, Tangram Documentation will be synced with Github in order for anyone to collaborate!

Tangram CLi Wallet Github

Source code — Github

We have tested and run this release on an isolated environment. If you experience any issues, please report them on the Tangram CLi GitHub issue tracker or post in the Discord under #cli-discussion.

Tangram Built

Tangram builds solutions for privacy and security in the digital age. There will never be an instance where Tangram takes shortcuts on the process, the analysis, and the technologies we select and utilise.

If you’re interested to know more about Tangram:

Visit our website:

Read our blog:

Subscribe on Reddit:

Discover us on Discord:

Message us on Telegram:

Follow us on Twitter:


Tangram was created with a singular vision: to inspire…


Written by


Tangram was created with a singular vision: to inspire, mobilize and empower a new generation of cypherpunks.


Tangram was created with a singular vision: to inspire, mobilize and empower a new generation of cypherpunks.


Written by


Tangram was created with a singular vision: to inspire, mobilize and empower a new generation of cypherpunks.


Tangram was created with a singular vision: to inspire, mobilize and empower a new generation of cypherpunks.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store