This is a preliminary, basic guide. More to come soon.
Blockstream Jade uses a unique security model to protect your device from physical attacks by communicating with a blind oracle to unlock your device, essentially functioning as a virtual secure element. By default, Jade will communicate with Blockstream's blind PIN oracle; however, users also have the choice to run their own. This guide is recommended for more technical users who are comfortable with the command line, though it should be fairly simple to set up for many skill levels.
Note: This guide follows the basic process for setting up a personal PIN server on a Mac; however, the process should be fairly similar for other devices as well. If you follow the instructions below, your Jade can only be unlocked using this device. More advanced users should understand how to set up a blind PIN server for remote access (via Tor to a Raspberry Pi, for example) by adjusting the --set-url argument found in the Python script below.
Blind Oracle Setup
1. Open a terminal window on the device you would like to run your blind oracle on and enter the following:
$ git clone https://github.com/Blockstream/blind_pin_server.git
$ cd blind_pin_server
2. Next we'll need to generate a new key using the commands below:
$ python3 -m venv venv
$ . venv/bin/activate
$ pip install --require-hashes -r requirements.txt
$ PYTHONPATH=.. python -m blind_pin_server.generateserverkey
3. Run the command below to build the docker image:
$ docker build -f Dockerfile . -t dockerized_pinserver
4. Next, prepare a PIN directory:
$ mkdir pinsdir
5. Run the docker image (copy all of the following and paste in one line):
$ docker run -v $PWD/server_private_key.key:/server_private_key.key -v $PWD/pinsdir:/pins -p 8096:8096 dockerized_pinserver
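A pre-flight check for the files that steps 2 and 4 create, followed by a variant of the step 5 command that publishes the port on 127.0.0.1 only, which matches the http://127.0.0.1:8096 URL used later in this guide. This is an added example, not part of the original guide or the blind_pin_server project. The function names and the --check argument are this example's own, and it assumes the container can still read a key file restricted to its owner.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files created in steps 2 and 4,
# plus a loopback-only variant of the step 5 command.

# Succeeds only if $1 is a non-empty regular file with no group/other access.
key_is_private() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    # Characters 5-10 of the `ls -l` mode string are the group/other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeeds only if every file the guide relies on is present in directory $1.
preflight() {
    dir=$1
    rc=0
    if ! key_is_private "$dir/server_private_key.key"; then
        echo "FAIL: server_private_key.key missing, empty, or accessible to group/other (chmod 600)" >&2
        rc=1
    fi
    [ -s "$dir/server_public_key.pub" ] || { echo "FAIL: server_public_key.pub missing" >&2; rc=1; }
    [ -d "$dir/pinsdir" ] || { echo "FAIL: pinsdir missing" >&2; rc=1; }
    return $rc
}

# Prints the step 5 command with the port published on 127.0.0.1 only.
# A bare "-p 8096:8096" publishes the port on all host interfaces.
loopback_run_cmd() {
    printf 'docker run -v "%s/server_private_key.key:/server_private_key.key" -v "%s/pinsdir:/pins" -p 127.0.0.1:8096:8096 dockerized_pinserver\n' "$1" "$1"
}

# From inside blind_pin_server: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    preflight "$PWD" && loopback_run_cmd "$PWD"
fi
```

The loopback binding only suits the same-machine setup described here; a remote setup needs its own address in both the publish option and --set-url.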
Point Jade to Personal Blind Oracle
Jade will need to be uninitialized in order to set a new blind oracle. If your Jade is already set up, you will need to perform a factory reset and restore using your recovery phrase, as your wallet will be deleted. Your funds will be lost if you do not have the correct backup materials.
1. Open a new terminal window and enter the following:
$ git clone https://github.com/Blockstream/Jade.git
$ cd Jade
2. Plug in your uninitialized Blockstream Jade and enter the command below:
$ python3 set_jade_pinserver.py --serialport <ENTERJADESERIALPORT> --set-pubkey ../blind_pin_server/server_public_key.pub --set-url http://127.0.0.1:8096
Tip: You can find the system location to enter for the --serialport argument on the Devices tab of Blockstream Green. For example: --serialport /dev/cu.usbserial-01ETCB87. Make sure to close Green afterwards, otherwise you will be unable to run the command above.
3. Confirm your pubkey and URL on Jade's screen.
4. Your Jade will now communicate with the PIN server running on your device instead of Blockstream's. If you are able to then initialize Jade and enter a PIN, everything is set up properly.
Note: If you experience errors when setting your PIN, you may factory reset your device to return to using the default Blockstream blind PIN server.