by peter_l_downs 4253 days ago

    > COINBASE KEY: The only key that Coinbase stores.
    > SHARED KEY: Encrypted with your password and stored
    >             both by you and Coinbase.
Are these the same key, or is there an inconsistency with the language here? How many keys does Coinbase store?

Coinbase stores one private key that we can access, and one private key that is encrypted with the user's vault password on the front-end and sent to us encrypted for storage. The third key is the user's and we never see that.

We have no ability to access multisig vault funds without the user passphrase, which never touches our server.

Is there a way to sign a transaction offline but still run it through Coinbase? When it comes to decrypting private keys in the browser, unless the user inspects the JavaScript each and every time they use the site, there is no guarantee that it hasn't been silently replaced by code that steals keys.
Yes, you can sign a transaction offline using our multisig vault recovery tool, which is open source:

https://github.com/coinbase/multisig-tool

You can use it to generate a transaction payload which can be broadcast from a client of your choice, including Toshi, our open source bitcoin node:

https://toshi.io/docs/#relay-transaction

Excellent! Thank you for putting forth the extra effort and thinking this through. Many comparable online solutions in the Bitcoin space do not offer similar offline tools, making them a non-starter for business use.
Yes. You can sign transactions completely independently from Coinbase, provided you have your private key, encrypted shared key, and passphrase (the two keys are provided on a sheet of paper which you print out during vault creation).

https://github.com/coinbase/multisig-tool

Different key. The other key is encrypted with BIP38 with your chosen password. I don't know how the actual interface works, whether it is encrypted client-side or server-side. Anyway, on paper it sounds fantastic.
Yes, the shared key is generated and encrypted with your passphrase client-side, then sent to Coinbase. We never see the raw private key.