EOSCommunity.org Forums

Using Anchor to change permissions of an existing EOSIO account to use a Ledger

I’m writing this up as a guide on how to make an existing EOSIO account use a Ledger device. If you don’t have an EOSIO account already, you’ll need to create one first before this guide is applicable to you - however one thing to note is that if you use a service that asks what you’d like your public keys to be, you can use the public key of your Ledger during creation to start with a Ledger controlled account.

The steps in converting an account to use a Ledger (or any hardware wallet) are as follows:

  1. Find the PUBLIC key of your Ledger device.
  2. Load the PRIVATE key of your account into Anchor.
  3. Change the PERMISSIONS of your account to use the PUBLIC key of the Ledger.
  4. Remove and re-import your account in Anchor.

:warning: Just as a word of warning for those going through this process… be very careful when changing the keys of your account. If you change the keys to a private key you don’t have control of, you may not be able to recover the account or any tokens held by that account.

1. Finding the Public Key of your Ledger device.

The first thing you’ll need to do is figure out what the PUBLIC KEY of the Ledger device is for EOSIO. Each Ledger device internally generates its own keys, which are based on the seed phrase of the Ledger itself. You can find the public key of the Ledger from within Anchor by using the “Ledger” tool found in the “Tools” section.

With the Ledger connected, unlocked, and with the EOS app running on the Ledger, go into Tools and then Ledger. You’ll be greeted with this screen:

The Ledger here shows that it’s connected as well as displays a number of pieces of information about how the Ledger and Anchor are connected.

The blue button towards the bottom lets you “Load Public Key”, which asks the Ledger device for the public key at a certain index. You can (and probably should) leave the index at 0, which essentially means “load the first public key”. Hit the button, and you’ll be given a PUBLIC KEY. It will appear right below this load button.

The public key will look like this:

EOS551cjMiYhXSXrsmQhUFhmCYyVLeUkzd4dw8bB1GNmcZatGRwHD

Right below the key is also an option to request that the Ledger display its key on the screen. You click this button and the Ledger will show the exact same key to verify that Anchor hasn’t shown you the wrong key.

Copy this public key to a text file or someplace you can access it again, you’ll need it in later steps.

You can also come back to this screen inside Anchor to get the key again.

2. Load the PRIVATE key of your account into Anchor.

If you haven’t already, you’ll need to load the account you’d like to convert to the Ledger keys into Anchor. If you have your keys already loaded in Anchor, you can likely skip this step. One thing to note however is that there are 2 keys for each account, the OWNER and the ACTIVE keys. If you want to change both of these keys to the Ledger you’ll need to ensure you either have the OWNER key loaded, or both the OWNER and ACTIVE keys (if they are different).

Importing an account can be done through the “Manage Wallets” interface. You will want to:

  • Import Existing Account
  • Import via Private Key
  • Enter the Private Key
  • Select the account(s) to import

Now with the account you’d like to convert imported, select it using the account dropdown.

3. Change the PERMISSIONS of your account to use the PUBLIC key of the Ledger.

With the account you’d like to modify selected, go back into “Tools” and look for the “Permissions” section. This area lets you change which keys control your account, and we’ll be using it to update those keys to match that of the Ledger. Make sure you have the correct PUBLIC KEY from step 1 for this.

If you are changing both the OWNER and ACTIVE keys for the account, I would recommend you change the ACTIVE key first. By changing the ACTIVE key first, your OWNER key will remain as-is, so if something goes wrong while changing the ACTIVE key you’ll be able to recover your account with the OWNER key.

To change the ACTIVE key, click the purple Modify button on the active permission. A popup will appear that asks you for the new PUBLIC KEY to use for this permission.

Enter the PUBLIC KEY from Step 1 here, ensure it is correct, and submit the transaction. If this transaction is successful, the loaded account will now be controlled by the Ledger and its keys.

You can repeat this same process for the OWNER key - but I would first make sure the ACTIVE key is setup properly and perform at least a test transaction first to ensure everything is setup properly.

You can verify your accounts keys have been updated by visiting a block explorer like bloks.io or EOSAuthority.com and searching for your account name. Look at the “Keys” section of the block explorer and check if they match. One thing to note is that some explorers show the PUB_ format of keys instead of EOS, and if you click the icon next to the key it should swap between them. These two formats are compatible with each other - don’t let that throw you off.

Once you see your keys are updated successfully, you can move to the next step and setup Anchor to use the Ledger + New Permission.

4. Remove and re-import your account in Anchor.

As of writing this, Anchor does not automatically have a feature that switches from using a private key to using a Ledger for an already imported account. So, you’ll need to remove the account and then set it up again using the Ledger process.

To do this, go into the “Manage Accounts” section of Anchor. You’ll want to find the account/permission you just changed, and then use the dropdown on the right side of the account to remove the account. After the account is removed, you the import feature to import it, except this time instead of using a private key you’ll use the Ledger option:

  • Click “Import Existing Account”
  • Click the “Load from Ledger” option
  • This will find accounts associated to your ledger, select it, and then import.

You should now have your account loaded and this time it’ll use the Ledger. Any time you want to use this account, you’ll need your Ledger device connected with Anchor and all transactions will require approval from the Ledger device.

Perform a test transaction, try sending a small amount or voting for block producers, and see if it all works. Once you’re confident in it working, you can go back and change your owner key in the same process (if you’d like).

Questions? Feel free to ask below.

3 Likes

a guide on how to make an existing EOSIO account use a Ledger device
[] When can it be output?

Hi, thank you for this guide. If I link both accounts (active/owner) with the ledger, do I still need my original private key for anything or is it just the ledger which can be used to import/restore my accounts in case it´s needed? Thank you.

If you change both active and owner, your old keys will no longer be used for that account.

Might be worth hanging on to just incase you ever need it for another account, if you have any others, but that key won’t work for that account anymore.

what do you mean by “need it for another account”, like adding a second active account under that pk? I migrated the first two to ledger already, that´s where I plan to hold the majority of my tokens. I also have another hot wallet accounts (owner/active) which I intend to use for testing, but for those I have a separate private key.

There was a period of time where new EOSIO networks were launching and mirroring accounts from one another. The new networks would take a snapshot of accounts/public keys, and duplicate them on to the new network.

So for example, genesis EOS public keys were duplicated into Telos accounts. Holding on to your EOS genesis key gave you access to Telos accounts.

So for that reason, I always just recommend holding on to keys, even if you never use them anymore.

thank you Aaron for answering all my questions