What is Vault?

Vault is an app for an air-gapped device. It turns an offline device — usually a smartphone — into a secure hardware wallet. Vault offers you a way to securely generate, store, manage and use your blockchain credentials.

Should I use Vault?

Vault is optimized for the highest security requirements. If you already manage many accounts on multiple networks, Vault is great for you. If you have little experience with blockchain networks but still want good security affordances, you might find the learning curve steep. We strive to make Vault as intuitive as possible; get in touch via signer@parity.io or GitHub Issues if you can help us get there!

How does an offline device communicate with the outside world?

Communication happens through scanning and generating QR codes. Input QRs scanned with Vault interact with keys stored in Vault to generate response QRs on behalf of those keys. Usually, an input QR is a blockchain transaction, and a response QR is a signature for this transaction. There are tried and true cryptographic algorithms that power these QR codes, as well as some smart engineering that makes your dedicated device safe to use.

How do I keep my keys secure?

Vault is a safe way to use your keys. However, that alone won't be enough to keep your keys secure. Devices break and get lost. This is why we always recommend backing up your seed phrases and derivation paths on paper. We are such big fans of paper backups that we even support a special tool, called Banana Split, to power your paper backup game by splitting your backups into shards.

How do I know I am not interacting with malicious apps or actors?

Vault does not interact with a network. The app itself does not have a way to check if an app or an account you're interacting with is malicious. If you use Vault with PolkadotJS Browser Extension, PolkadotJS Apps, or Signer Component Browser Extension, they will rely on a community-driven curated list of potentially less-than-honest operators, https://polkadot.js.org/phishing/#, to prevent you from interacting with certain sites and addresses. However, there are no limitations on the use of Vault with other tools.

I want to play with Vault to get a better feeling of how it works. Is there a way to do it without spending valuable tokens?

Yes. In Vault, you should add a key for an address on the Westend network and request test tokens for that address; see the step-by-step guide on Polkadot Network Wiki.

You can use test tokens in the same way you would use value-bearing tokens.

For example, with PolkadotJS Apps you can create a transaction on behalf of your account, generate a signature with Vault and submit it to the network. All of this happens without keys ever leaving your offline device.


What networks does Vault support?

Off-the-shelf Polkadot Vault supports Polkadot, Kusama, and Westend networks. But it's not limited to these networks. More experienced users can generate metadata for any network to expand the capability of Polkadot Vault.

How can I update the metadata version for a network?

Parity verifies and publishes recent metadata versions on Metadata Update Portal. With off-the-shelf Vault you can scan one of the multipart QR "movies" the same way you scan a transaction QR: in Vault, open the scanner, scan the QR for the respective network and accept the new metadata.

Currently, Metadata Update Portal follows Polkadot, Kusama, and Westend network metadata updates. Parity is open to collaboration with participants of other networks and is currently exploring safe and more decentralized ways of publishing verified metadata.

If you want to update networks that you've added manually, please follow the Add Metadata steps in the Add New Network guide.

Why do I need to update network metadata versions at all?

It's a safety feature. Substrate-based blockchain networks can be updated and otherwise changed; without a recent metadata version for a network, Vault won't be able to parse a transaction correctly, and you won't be able to read it and verify what you sign. Given that Vault is an app for an air-gapped device, you have to update the network version by using the camera.

How can I add a new network to Vault?

Parity verifies and publishes network specs on Metadata Update Portal. To add one of the listed networks, click "Chain Specs" in Metadata Update Portal and scan the network specs QR the same way you scan a transaction QR: in Vault, open the scanner, scan the QR and accept the new network spec. Then scan the multipart QR "movie" containing recent metadata for this network.

Can I add a network that does not have network specs and metadata QR published anywhere?

Yes. Follow the Add New Network step-by-step guide.

Currently, the process requires you to have Rust, subkey and the parity-signer repository on your machine.

Seeds and keys

Can I import my keys from polkadot{.js} apps or extension to Polkadot Vault?

Yes. Keys are compatible between polkadot{.js} and Polkadot Vault, except for the keys generated with Ledger (BIP39). To import seed keys into Polkadot Vault, you need to know:

  1. Seed phrase
    It should always be backed up on paper!
  2. The network you are adding the address to, and whether the Polkadot Vault installed on your device has metadata for the respective network.
    If (2) is not one of the default built-in networks, you will need to add the network yourself or find a distribution center for adding networks.
  3. Derivation path
    Only if you are importing a derived key; keys generated with polkadot{.js} are usually seed keys.

In Polkadot Vault, go to Keys, then press the "Plus" icon in the top right of the screen, select "Recover seed", enter a display name to identify your seed, press "Next", and enter the seed phrase. Done, you've got your seed key imported!
If you are importing a derived key, select the seed from which your key is derived, select the account's network, press the "Plus" icon next to "Derived keys", and enter your derivation path.

What is the difference between a seed key and a derived key? Why should I use derived keys?

A seed key is a single key pair generated from a seed phrase. You can “grow” as many derived keys as you need from a single seed by adding derivation paths to your seed phrase.

Learn more about types of derivation paths on substrate.io.

A derivation path is sensitive information, but knowing the derivation path is not enough to recover a key. Derived keys cannot be backed up without both of the ingredients: a seed phrase (can be shared between multiple keys) and a derivation path (unique for each of the keys “grown” from that seed).

The main reason to use derived keys is how easy it is to back up (and restore from a backup) a derivation path compared to a seed phrase.
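
Because a derivation path is a structured string, a written backup of one can be checked for well-formedness before you rely on it. The following is an added example, not code from Vault or Parity: it parses the Substrate-style path syntax ("/soft", "//hard", "///password"), which is assumed from Substrate's key derivation convention rather than stated on this page, and the sample paths are constructed.

```rust
// Added example: parse a Substrate-style derivation path before trusting a backup of it.
// Assumed syntax (Substrate convention, not from this page): /soft, //hard, ///password.

#[derive(Debug, PartialEq)]
enum Junction {
    Soft(String),
    Hard(String),
}

#[derive(Debug, PartialEq)]
struct DerivationPath {
    junctions: Vec<Junction>,
    password: Option<String>,
}

fn parse_derivation_path(input: &str) -> Result<DerivationPath, String> {
    // A valid junction list never contains "///", so its first occurrence starts the password.
    let (path, password) = match input.find("///") {
        Some(i) => (&input[..i], Some(input[i + 3..].to_string())),
        None => (input, None),
    };
    let mut junctions = Vec::new();
    let mut rest = path;
    while !rest.is_empty() {
        let hard = rest.starts_with("//");
        let body = rest
            .strip_prefix("//")
            .or_else(|| rest.strip_prefix('/'))
            .ok_or_else(|| format!("expected '/' before {:?}", rest))?;
        let end = body.find('/').unwrap_or(body.len());
        if end == 0 {
            return Err("empty junction name".to_string());
        }
        let name = body[..end].to_string();
        junctions.push(if hard { Junction::Hard(name) } else { Junction::Soft(name) });
        rest = &body[end..];
    }
    Ok(DerivationPath { junctions, password })
}

fn main() {
    // Constructed sample paths; the empty string is a seed key with no derivation.
    for p in ["", "//polkadot//staking/0", "//kusama///example-pw", "kusama", "//"] {
        println!("{:?} -> {:?}", p, parse_derivation_path(p));
    }
}
```

If a path carries a password part, that password is a third item that has to be recorded alongside the seed phrase and the path.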

What is an identicon, the image next to my keys?

An identicon is a visual hash of a public key — a unique picture generated from your public key. The same public key should have the same identicon regardless of the application. It is a good tool to distinguish quickly between keys. However, when interacting with keys, e.g. verifying a recipient of a transaction, do not rely only on identicons; it is better to check the full public address.

How can I rename one of my seeds?

Due to security considerations, you cannot rename a seed. Please back up the seed and derived keys, remove it and add the seed again with a new name instead.