Security best practices
Overview
- List of security best practices on how to securely use the Ledger Vault platform and Ledger devices.
Authorized user's systems
Secure and effective transaction
The Vault Services authorized users bear sole responsibility for entering the required information to perform Transactions.
Ledger is not responsible for any security problems, misuse, or malicious attacks that are due to the Authorized User's insecure systems or any other action from the user, inappropriate browsing practices, or any other breach of security.
Before sending large amounts, you should always send a small amount first to verify the transaction was properly received by the recipient.
Always verify that the address of your account displayed in the Ledger Vault interface is similar to the address displayed on your Ledger Hardware Device screen.
Internet access
The Customer should troubleshoot problems related to the Internet connection, or problems with the setup of the Internet on the Customer’s side.
Ledger hardware devices and PINs
The Shared Owners, Wrapping Key Custodians, Administrators and Operators are fully responsible for the security and the use of its Ledger Hardware Devices. In particular, it is the sole responsibility of these users to prevent an unauthorized party from using its Ledger Hardware Device and PIN to initiate a transaction.
Therefore, the Vault Platform users must take the utmost care to protect their Ledger Hardware Devices physically from unauthorized borrowing, loss, and theft. They must also take all necessary measures to prevent any unauthorized disclosure of the Ledger Hardware Devices’ PIN.
What the user must do
The Vault Platform users must ensure that they abide by the following non-limitative safeguards:
- Ensure that the Ledger Hardware Devices are not shared among users.
- Store the Ledger Hardware Devices in a locked safe or with the user when it is not in use.
- Revoke any unused or lost Ledger Hardware Devices.
- Store the Ledger Hardware Devices seed in a locked safe.
- Use a strong PIN (8 digits)
What the user must not do
The authorized user must never:
- Lend the Ledger Hardware Devices to others.
- Leave the Ledger Hardware Devices inserted in the PC when the Platform is not being accessed and the Vault Services are not being used by an authorized person.
- Write down any PIN or communicate a PIN to any other party
- Use a weak PIN (avoid 00000000, 12345678, birthday date, etc.)
- Allow anybody to watch over its shoulder when it types in its PIN. In case of any doubt, change the PIN.
- Leave the seed unchecked.
User roles
What the user must do
The authorized user must:
- Define three different people to hold the Shared-Owner and Wrapping Key Custodian roles.
- Notify Ledger in cases of dismissal, death etc. of any user of the Ledger Vault platform.
What the user must not do
The authorized user must never:
- Allow one person to hold multiple roles.
Recovery sheets
The following guidelines apply for the security of Recovery Sheets:
| Roles | Shared Owners | Wrapping Key Custodians | Administrators | Operators |
|---|---|---|---|---|
| Tasks | Create seeds during the key ceremony Disaster Recovery |
Create the Wrapping Key Perform HSM firmware updates |
Create users and accounts Confirm account and user creation Define transactions and admin rules |
Create transactions Confirm transactions View transactions |
| Frequency | Once normally or twice in case of disaster recovery | Quarterly | Ad-hoc / weekly | Daily |
| Criticality | High | High | High | Normal |
| Ledger Hardware Device Security | Physical safes geographically distributed | Physical safes geographically distributed | With the authorized user at home or the office | With the authorized user at home or the office |
| Recovery Sheet | Physical safes, geographically distributed and reachable to the Shared Owner only. The safe should be accessible by another trusted person in case of events such as dismissal or death of the Shared Owner. | Physical safes, geographically distributed and reachable to the Wrapping key custodian only. The safe should be accessible by another trusted person in case of events such as dismissal or death of the Wrapping key custodian. | Physical safes reachable within hours by administrators only. The safe should be accessible by another trusted person in case of events such as dismissal or death of the Administrator. | No recovery seed created. |
| Governance | To generate the Master Seed you must combine the seeds of the three Shared-Owners | To generate the Wrapping Key you must combine the seeds of the three Wrapping Key Custodians. | To create accounts in the Ledger Vault platform, the defined quorum of Administrators must be met to authorize the creation (e.g. 2 out of 4 Administrators) | To create transactions in the Ledger Vault platform, the defined quorum of Operators must be met create the transaction (e.g. 2 out of 4 Operators) |
General security safeguards
What you must do
The Customer must protect the systems used for Ledger Vault in line with industry security practices, such as:
- The firewall must be both a physical one to protect incoming traffic, and a PC-local one to ensure that only authorized programs communicate with the outside world.
- Ensure that all software applications that run on the PC are regularly updated and patched. This includes the operating system, the Internet browser, and additional plugins such as Shockwave, QuickTime, Real Player, etc.
- Restrict outgoing traffic from the PC to business-critical websites, as well as to legitimate websites required for software updates.
- Use up-to-date virus scanners and malware scanners to protect the PC on which the Vault Services are used and the Platform accessed from malware such as viruses, worms, keyboard loggers, trojans, and rootkits.
- Use a strong password to lock the session.
- Always lock the computer
- Do not share the environment is physically secure. Keep doors and windows closed/locked; don't leave devices lying around.
- Remove all services/software from the computer that you do not need.
- The user must ensure the computer it uses to access the Ledger Vault Platform is secure.
The Customer must ensure that all users are following secure browsing practices, such as:
- IMPORTANT: Be suspicious of emails that appear to come from Ledger, and NEVER provide the Ledger Hardware Device’ PIN or recovery words if asked. Ledger NEVER asks for a Ledger Hardware Device’ PIN or recovery words in an email.
- Reserve certain PCs to access websites of the same criticality as the Platform and only access those sites from those PCs.
- Always restart the browser instance before and after accessing the Vault platform.
- Verify the Vault Services server's SSL certificate authenticity at each log on to the Vault platform, as described in the Ledger Vault User Guide.
- Use up-to-date computers.
- Install the latest security updates and antivirus.
- Use a strong password to lock your session.
The user must implement the following management principles to alleviate the risks to its system:
- Establish user management practices to ensure that only authorized users are created and remain on the system.
- Because users change roles or leave the company, the customer must maintain an accurate and up-to-date list of users and related permissions.
- Reconcile daily traffic to detect mismatches between authorized and actual traffic, both sent or received.
What you should not do
- The user must not click links in emails that appear to come from Ledger or anyone else, even if the link seems perfectly valid from a business perspective. Such phishing attacks may lead to a rogue site that can steal information or infect the PC. If the user can confirm a business need for visiting the site, then the user should type the link within the browser as it was visible in the email.
- The user must not browse any other website at the same time as it accesses the Platform.
- The user must not accept a pop-up that asks to download and install executable software.
- The customer must not delegate all the critical roles (Shared Owner, Wrapping Key Custodian, Administrator) to a single person who can then use multiple Ledger Hardware Device.
Support
The Support team assists the Customer whenever there is an issue on the Ledger Vault Platform.
The Support team of Ledger will never ask the Customer to provide the private keys or to create transactions.
What the user must do
The authorized user must:
-
Contact Ledger’s Support team either:
- By creating a ticket on https://support.vault.ledger.com , or
- By calling the Support
- Use the account created for them by the Support team.
What the user must not do
The authorized user must never:
- Provide their private key.