EOSCommunity.org Forums

Security Challenge: Owner Key Certificates for Anchor Wallet

This is a functional Owner Key Certificate for a real account on the EOS network. We loaded 1000 of our own EOS onto this account, but omitted the 6-word encryption secret to illustrate their security.

The tokens are yours, if you can take them.

These certificates are part of the new Account Creation process being developed for Anchor. Upon account creation, new users will securely generate their account keys and be prompted to print this sheet or save it. Users will hand write the 6-word encryption key directly on the printout.

If at any point in the future the user needs to recover their account, they will be able to scan the QR code on the certificate and enter their 6-word secret. The “owner” key will be temporarily recreated in Anchor and will prompt the user to create a new “active” key for regular use.

You can already see an alpha version of it in action with Anchor Wallet for iOS using the certificate we shared here today. Open Anchor, tap “Scan QR”, and point it at the certificate. You’ll be prompted to enter the 6-word encryption key.

After the new account creation feature is released, all new EOSIO accounts created through Anchor Wallet for Mobile will offer this method of backup. It’s easy, secure, and brings us one step closer to mass adoption.

1 Like

Some details on the implementation:

Keys are encrypted with AES-CBC using a key derived from the password using scrypt. The standard is based on BIP-38 with the following additions:

Key-type header

The format allows multiple key types, e.g. K1 or R1 so it can be extended as EOSIO adds support for different cryptography schemes.

Scrypt params

Future proofing the standard so that encrypted keys can be configured to require more resources as more compute power becomes generally available. The lowest possible setting matches the BIP-38 recommendation.


Currently we have a Swift implementation of this standard and we will be releasing a JavaScript implementation along with a formal specification in the future.

Key certificate

The owner key certificate is composed of 4 pieces of information:

  1. The encrypted private key
  2. The EOSIO account
  3. The EOSIO network
  4. The encryption password as 6 words in base2048

All information except the encryption key is redundantly represented in three different formats (QR code, base2048 mnemonic key and as strings).

The QR code is the intended way of recovering an account using the certificate by scanning it in a compatible app and entering the 6 encryption keywords. If the QR cannot be scanned, the 28 mnemonic words can be entered along with the 6 encryption keywords.

If both those methods fail, the private key can be recovered from the SEC_... key string using the key encryption standard and manually used to recover the account.

3 Likes
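An added example (not Anchor's code and not part of the original posts) that estimates how much work the scheme described above demands per password guess: it measures one scrypt derivation at the BIP-38 parameters (N=16384, r=8, p=8, taken from BIP-38 itself) and at a raised N, then scales that to the 6-word, 2048-word-pool secret. The salt, the test password, the 4x-raised N and the one-million-worker figure are assumptions made for illustration.

```python
import hashlib
import math
import os
import time

WORDLIST_SIZE = 2048  # "base2048" word pool named in the post
SECRET_WORDS = 6      # words in the hand-written encryption secret
# scrypt parameters from BIP-38; the post says the lowest setting matches them
BIP38_PARAMS = {"n": 16384, "r": 8, "p": 8}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def secret_entropy_bits(words=SECRET_WORDS, pool=WORDLIST_SIZE):
    """Entropy of `words` independent, uniformly random picks from `pool`."""
    return words * math.log2(pool)


def scrypt_seconds(params, rounds=2):
    """Best-of-`rounds` wall-clock cost of one scrypt derivation on this host."""
    salt = os.urandom(4)  # constructed salt; the real salt layout is not on the page
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        hashlib.scrypt(b"constructed test secret", salt=salt, dklen=64,
                       maxmem=256 * 1024 * 1024, **params)
        best = min(best, time.perf_counter() - start)
    return best


def expected_search_years(seconds_per_guess, workers=1,
                          words=SECRET_WORDS, pool=WORDLIST_SIZE):
    """Average exhaustive-search time: half the keyspace, split across workers."""
    expected_guesses = pool ** words / 2
    return expected_guesses * seconds_per_guess / workers / SECONDS_PER_YEAR


def report(workers=1_000_000):
    """Cost per guess and expected search time for two scrypt settings."""
    rows = []
    for label, params in (("BIP-38 minimum", BIP38_PARAMS),
                          ("N raised 4x", {**BIP38_PARAMS, "n": 65536})):
        cost = scrypt_seconds(params)
        rows.append((label, cost, expected_search_years(cost, workers)))
    return rows


if __name__ == "__main__":
    print(f"secret entropy: {secret_entropy_bits():.0f} bits")
    for label, cost, years in report():
        print(f"{label:15s} {cost * 1000:8.1f} ms/guess  ~{years:.2e} years")
```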

Do the 6 encryption keywords come from the 28 mnemonic words listed on the certificate?

No, they come from the pool of 2048 words in the BIP 38 wordlist.

OK, thanks…was going to try and grab the EOS with about a week of work, but from a pool of 2048 it would take a LOT longer…more like picking the right atom out of the universe…thanks again for the quick reply…I do like and use your products…

2 Likes

haha, that’s a pretty excellent way to describe it :laughing:

Hi all,

Great work on Anchor.

Quick question about Owner Certificates and 6-word encryption secret. If a user has created an account on Anchor mobile, but goes through the backup process and doesn’t have a printer, or feels unsafe with a physical copy:

  1. If they still have the EOS account in iOS, are they able to retrieve Owner Keys directly from it?
  2. Is it possible to reprint the backup sheet and/or encryption secret at a later date?
  3. What would be the process of importing the account created in Anchor mobile (with Active/Owner keys) to the Anchor desktop version?

Lastly, for users who prefer password managers to store private keys, do you think integration with would be worth looking into (where keys could be securely stored in the correct format, etc).

Once the backup process is completed, the owner key is removed from the iOS device storage leaving that backup as the sole source of the owner key itself. If the backup process hasn’t been completed, it’s kept encrypted on the device until the user chooses to complete that process.

If you hit “do this later” and didn’t finish the process, yeah. It’s not possible to reprint later though (see above).

Currently this is a bit rough and requires the iOS device. You’d scan the backup sheet on Mobile, and import either the active or owner key using it (importing owner key directly is under “Advanced” options during the import). Then with the permission imported, you can export the actual key out of the “Accounts” section of the mobile app. The key would be used to import into desktop.

We are working on allowing the actual import of those sheets into desktop - but haven’t released a version that allows it yet.

Potentially? I’m not sure how we’d do that exactly though, maybe a “copy as string” option or something. That’d allow you to paste the SEC_K1 string from the sheet and put it into a password manager. I believe that string contains the 26 words and some metadata, but then you’d also need to manually add the 6 extra security words to your backup as well.

I don’t think we’re opposed to making that an option, it’d just be clunky UX :sweat_smile:

1 Like

One method of re-printing the key certificate and/or exporting the owner key WIF is to scan your existing one in Anchor on iOS, enter the encryption key, select advanced and import the account with the owner key.

Then you can select the imported account and either print a new certificate or export the owner key.

1 Like