Louferlou
Privacy on Bitcoin4.7(140)
Intermediate
Understand and master the principles of privacy protection when using Bitcoin
What is the Key Teleport feature offered by Coinkite with its flagship ColdCardQ device?
Key Teleport lets you securely transfer confidential data between 2 ColdCardQs. The transmission channel doesn't even need to be encrypted, and can be public.
This can be used to transfer:
- gW-0 phrases (ColdCard Q's seed master or the secrets stored in ColdCardQ's seed Vault.
- confidential notes and passwords: this can be any secret or the entire [Secure Notes & Passwords] directory (https://coldcard.com/docs/secure_notes/) on your ColdCardQ.
- a backup of your entire ColdCardQ: the ColdCardQ receiving this backup must not have a seed Master for this to work.
- gW-3 (Partially Signed Bitcoin Transactions) as part of a multi-signature scheme.
This requires you to have upgraded your device firmware to version v1.3.2Q or higher.
How do I use Key Teleport?
1- To transfer any type of data
Here, we'll look at the transfer of seed sentences, notes, passwords, or an entire transfer of a ColdCardQ backup. The case of PSBT transfers for multi-signature transactions will be dealt with later.
Prepare the device to receive the secrets
In the "Advanced / Tools" menu on your ColdCardQ, select "Key Teleport (start) ".
On the next screen, an 8-digit password is proposed, here "20420219". You will need to communicate this password to the sender. Use sms, for example, to send this password, or your favorite secure messaging system, or even a voice call.
Then click on the "Enter" button on your ColdCardQ to move on to the next step.
A QR code is generated on the screen. Once again, you'll need to communicate this QR code to the ColdCardQ "sender". The easiest way to do this is via a video call.
DO NOT SEND THIS QR CODE VIA THE SAME TRANSMISSION CHANNEL USED TO SEND THE PREVIOUS 8-DIGIT PASSWORD.
For those of you who are interested, let's try to understand the underlying mechanism that allows secrets to be transferred over unsecured channels
What we're actually doing here is initiating a transfer of secrets via the Diffie-Hellman method, covered in the BTC204 course I've included below
We currently have:
- generated an ephemeral key pair (public/private respectively Ka and ka with Ka=G.ka, G being the ECDH generator point), and an 8-digit password.
- used this password to encrypt the public key (Ka) via AES-256-CTR, then transmitted this password via a communication channel A to the "sending" ColdCardQ.
- finally, we transmitted the encrypted packet to the sender via the QR code above, using a second communication channel B different from the 1st.
Prepare the device that will send the secrets
From the sending device, click on the "QR " button to scan the QR code sent to you by the receiving device, then enter the 8-digit password communicated to you in the previous step via a separate channel. We are now ready to start sending data from the "sending" device.
Please do not enter the 8-digit password incorrectly, as no error message will be displayed and the process will continue. However, the final data transfer will fail and you will have to start again.
For the more curious among you, let's take another look at what we're up to in terms of cryptography and secret transfer:
- we imported the encrypted data by scanning the QR code on the receiving device.
- then we decrypted them using the 8-digit password transmitted to us via a secondary channel.
- we are therefore in possession of the public key (Ka) generated by the receiver initially.
- We then generate a new ephemeral key pair (Kb/kb, with Kb=G.kb) on the sending device, which we use to apply ECDH to Ka. We therefore perform the operation kb.Ka=Ks , where Ks is called "Session Key".
You are now asked to choose the nature of the secrets to be transmitted between the 2 ColdCardQs (confidential notes, password, full backup, seeds contained in your vault, seed device master).
Here our secret will be a short message by choosing "Quick Text Message ". Type your message (for us "Plan ₿ Academy rocks") then press "ENTER ".
The device then generates a new random password called "Teleport Password " , in the example "NE XG BT SK".
Press "ENTER " and you'll be presented with a new QR code. Have it scanned by the receiving device. And on a different communication channel, transmit the "Teleport Password " to the receiver.
Here again, for the curious, during this stage:
- after selecting the secrets to be transmitted, we generate a new random password called "Teleport Password".
- we then encrypt the secrets via AES-256-CTR using the "Session Key", "Ks", generated in the previous step.
- we prefix the packet already encrypted with the "Session Key " with our Kb public key, then add a further layer of AES-256-CTR encryption with the "Teleport Password ". The whole thing is then encoded as a QR code
Finalize the transfer of secrets to the receiving device
Press the "QR " button to scan the QR code presented by the sending device through the visio channel. You will be asked to enter your "Teleport Password " for us "NE XG BT SK".
The data is then decrypted and made intelligible to the receiving device. The message received is indeed "Plan ₿ Academy rocks". That's all.
What actually happened during this last stage :?
- we have decrypted the data transmitted by the sender using the "Teleport Password".
- we therefore have the public key Kb and our secret message encrypted by the "Session Key ", "Ks". But how can we do this since, as the receiver, we don't know Ks, which was created by the sender?
- We need to apply our private key "ka" from the initial step "Prepare the device that will receive the data" to the public key Kb.
- In fact, by calculating ka.Kb = ka.kb.G=kb.ka.G=kb.Ka=Ks, we find Ks. Which is finally used to decipher the secret message.
2- To transfer PSBT to Multisig (advanced)
This presupposes that your Wallet Multisig has already been created and that your ColdCardQ device has already been preset to be able to perform multi-signature transactions. If this is not the case, explanations are available here on the Coinkite website.
A quick reminder of what a multi-signature Wallet (Multisig) is.
Usually, to spend your Wallet funds, only one private key is needed to unlock the UTXOs associated with your addresses.
In the case of a Wallet Multisig, up to 15 private keys and therefore 15 signatures may be needed to spend the funds. This is known as an "M out of N" wallet, with N between 1 and 15 and M the number of signatures required for the funds to be spendable. For example, a Wallet Multisig 3 out of 5 will require at least 3 signatures out of a possible 5.
The challenge is then to coordinate between signatories to sign a "PSBT" for "Partially Signed Bitcoin Transaction" in turn. In this context, "Key Teleport" can be used to transmit the PSBT between co-signers in a simple and confidential way. A simple video call between co-signers will do the trick.
Here's how it's done on a Multisig 3 of 4.
Signatory 1:
Signatory 1 imports and signs the PSBT. Finally, he clicks on "T " to use "Key Teleport " to transmit the PSBT to signatory 2.
After selecting signatory 2 by clicking on "ENTER ", a "TELEPORT PASSWORD" (here JJ YC AB 6A) is provided, which must be transmitted to signatory 2 via another communication channel. For example, an SMS or a voice call, but not a video call.
Press "ENTER " again and a QR code representing the PSBT signed by 1 then encrypted by the "TELEPORT PASSWORD" appears.
Signatory 2:
Signatory 2 scans the QR code presented to him by signatory 1. Then enters the "TELEPORT PASSWORD" transmitted over the secondary communication channel to decrypt the transmitted data.
Signatory 2 signs the transaction and then clicks on "T " to transmit the PSBT to signatory 3 via "Key Teleport".
Clearly, 2 signatures have already been applied. All that's missing is that of signatory 3 for the transaction to be valid. Select signatory 3 by clicking on "ENTER ".
And a new "TELEPORT PASSWORD" is created, followed again by a QR code encoding the PSBT signed by 1 and 2 and then encrypted by this new "TELEPORT PASSWORD" (GW YQ K3 LL).
Signatory 3:
Repeat the same step as above.
Signatory 3 scans the QR code presented to him by signatory 2. Then enters the "TELEPORT PASSWORD" transmitted by the secondary communication channel.
Signatory 3 signs the transaction and this time, since 3 out of 4 signatures have been applied, the transaction is indicated as finalized, and is ready for distribution via various media (SD Card, NFC, QR etc.).
If your ColdCardQ's "Push Tx" feature is activated, simply affix your ColdCardQ to the back of any NFC-enabled Internet-connected device (smartphone/tablet) to broadcast the transaction over the Bitcoin network.
For PSBT transfers from one signatory to another, "Key Teleport" is simply used via a "Teleport Password" at each stage, which encrypts the PSBT as it is transferred from one signatory to another. As the transmitted data cannot be used to steal funds, there's no need for a Diffie-Hellman as is the case when sending highly confidential secrets (seed, password etc...).
Source: ColdCard official website
Did this work well for you?
0
0
Author
This tutorial has been written by Louferlou
You can say thanks by tipping the professor.
Fascinated by the new prospects offered by Bitcoin in terms of freedom and individual sovereignty, I devote my time to exploring and testing innovations that enable everyone to appropriate this technology without any prior technical expertise. If I can do it, anyone can.
miningdiyguides
Credits
This tutorial has not been proofread yet
0/3Proofreading status
The original content has been translated by AI, but human review is necessary to ensure its accuracy.
2 312 sats1 156 sats578 satsEvery content on the platform is the result of a collaborative effort: each lesson, translation, and revision is made possible by the work of contributors. For this reason, we are always looking for proofreaders who can review our content in many languages. If you want to participate in the proofreading process, please reach out in our Telegram group and read our tutorial. We remind you that this content is open-source - licensed under CC BY-SA - so it can be freely shared and used, as long as the original source is credited.