We use encrypted storage to store private keys. The root storage password is a cryptographically strong key derived from the machine key plus a pin, which must be provided every time the accounts store is accessed. The pin can be provided via CLI or environment variable.
- 🖥️ Machine Key — the storage file can't be decrypted on other machines (unless your machine is compromised and a hacker has full access to it, and even then, he must listen to your actions - see the next requirement, the
This combination of keys makes the storage file safe from various attack vectors.
The pin is set on the first storage write, when you add or create an account. So you must:
- remember the pin: it won't be possible to decrypt the storage without it.
- not reset the operating system: the machine key will be lost and the storage won't be accessible.
If you forgot the pin or the machine key was changed, you can reset the storage, which means it will be completely cleared.
To summarize: ALWAYS back up your keys.