Security suggestions

[ltfschoen]

Some security suggestions that come to mind that you may consider including in this repo include:

• Storing the stash, controller, and session keys in a file instead of exposing them in the Bash history

  • https://github.com/luboremo/Edgeware-seed-generating-script-SSSS

• Guides on how to use IP failover with a script to protect against double-signing (i.e. say you have two nodes, then IP failover should prevent node 1 and node 2 signing the same block). Credit: @fress

  • https://www.linode.com/docs/platform/manager/remote-access/#configuring-ip-sharing
  • https://medium.com/hackernoon/a-serverless-failover-solution-for-web-3-0-validator-nodes-e26b9d24c71d

• Securely adding or rotating session keys with Edgeware

  • https://github.com/hicommonwealth/edgeware-node#session-key-setup

• Storing your Aura pubkey (session key) in a file instead of typing it into the command line --node-key-file "/root/edgeware/keys/mysessionkeyfile" (instead of --node-key). Note that these are flags of the substrate binary

• Storing a keystore password in a password file and then loading it with --password-filename /root/edgeware/keys/mypasswordfile instead of using --password "mypassword". Note that these are flags of the substrate binary.

[burdges]

We've some RPCs being developed that should improve this stuff, presumably including hiding session key management from the validator operator.

[ltfschoen]

I only just noticed that subkey supports password-protecting the keys https://substrate.dev/docs/en/next/ecosystem/subkey#password-protected-keys. I don't think that feature was available a few months ago when I created my Edgware keys, so it may be worthwhile highlighting that to users.

[ltfschoen]

Add link to https://github.com/w3f/polkadot-secure-validator

[ltfschoen]

Add link to https://guide.kusama.network/en/latest/try/validate/, which includes a link to https://guide.kusama.network/en/latest/try/secure-validator-setup/ in the first paragraph.