Backup and recover your Cryptnox Wallet Smart card seed on AWS: PART 1
A secure cloud based seed backup and recovery solution
Cryptnox is a Swiss company developing and producing hardware wallets (cold storage) in smart card format.
In this article, we will explain how to back up and recover a random 32-byte seed securely on Amazon Web Services.
You can purchase a Cryptnox Hardware Wallet SmartCard on Amazon or on the Cryptnox Shop.
You should N-E-V-E-R store your seed on your cloud drive (repeat this twice), and this guide is exactly NOT about that, as it does not use any cloud drive solution. Instead, though it is cloud based, it takes full advantage of the enterprise-grade security controls of Amazon Web Services by combining two of its services: AWS Key Management Service (KMS) and AWS Secrets Manager.
We will perform a full Cryptnox Hardware Wallet Card initialization and backup.
We will also reset the card and perform a full recovery from AWS (to confirm that the recovery works).
Part 1: Setting up your AWS access and credential
For this implementation, we will apply best practice and create a dedicated user in AWS Identity and Access Management (IAM) for this access only:
Log in to your root AWS account, then go to Console Home -> IAM (Identity and Access Management) -> Users -> Add User
You should be on this screen:
In our case, we will name it CryptnoxBackup, and check "Access key - Programmatic access"
Then -> Next:Permissions
Then: Attach existing policies directly -> Create Policy -> Json
Copy and replace existing text with:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "iam:GetUser"
      ],
      "Resource": "*"
    }
  ]
}
```
Your screen should look like:
Then -> Next: Tags -> Next: Review
Name it "GenerateDataKey" and then -> Create Policy
Same process for:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:Sign"
      ],
      "Resource": "*"
    }
  ]
}
```
And name it "kms_encrypt_decrypt".
Then back to the Add User / Set Permission page and we will have to add FOUR policies. The two we created:
GenerateDataKey
kms_encrypt_decrypt
And two more AWS pre-defined:
SecretsManagerReadWrite
AWSKeyManagementServicePowerUser
Then finish creating the new user. The permissions should look like:
Then go to: Security Credentials -> Create access key -> Download .csv file, and save it to your iCloud Drive. We will need it on your iOS phone for the AWS credentials.
Note: you need to create a second access key, because the .csv file for the default key has a format bug and cannot be imported.
Then go to PART 2!
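The same user, policies and access key can be provisioned from a script instead of the console. The block below is an added example, not Cryptnox's code: it builds the two custom policy documents exactly as defined above, checks that they grant nothing beyond the five expected actions before creating them, attaches the two AWS managed policies, and creates the access key. It assumes boto3 is installed and admin credentials are configured when run with `--apply`; without that flag it uses a dry-run client (`DryRunIam`, a stand-in defined here) so it can be run offline. The optional `kms_key_arn` parameter, also an addition, scopes the KMS actions to one key ARN instead of the article's `"Resource": "*"`; `iam:GetUser` stays on `"*"` because it is not a KMS resource. The CSV header is assumed to match the console's "Download .csv" file.

```python
"""Provision the CryptnoxBackup IAM user with boto3 (added example, not Cryptnox's code)."""
import json
import sys

# The two AWS managed policies the article attaches in addition to the custom ones.
AWS_MANAGED_POLICY_ARNS = [
    "arn:aws:iam::aws:policy/SecretsManagerReadWrite",
    "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser",
]

# Every action the two custom policies are allowed to grant.
EXPECTED_ACTIONS = {"kms:GenerateDataKey", "iam:GetUser",
                    "kms:Decrypt", "kms:Encrypt", "kms:Sign"}


def build_policies(kms_key_arn="*"):
    """Return {policy_name: policy_document} for the two custom policies.

    With the default "*" the KMS actions are unscoped, as in the article;
    passing a KMS key ARN restricts them to that key only.
    """
    generate_data_key = {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "GenerateDataKey", "Effect": "Allow",
             "Action": ["kms:GenerateDataKey"], "Resource": kms_key_arn},
            {"Sid": "GetUser", "Effect": "Allow",
             "Action": ["iam:GetUser"], "Resource": "*"},
        ],
    }
    encrypt_decrypt = {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "VisualEditor0", "Effect": "Allow",
             "Action": ["kms:Decrypt", "kms:Encrypt", "kms:Sign"],
             "Resource": kms_key_arn},
        ],
    }
    return {"GenerateDataKey": generate_data_key,
            "kms_encrypt_decrypt": encrypt_decrypt}


def unexpected_actions(policy_doc, allowed=EXPECTED_ACTIONS):
    """Return the Allow actions in policy_doc that are not in `allowed`.

    Catches a typo such as "kms:*" before the policy is ever created.
    """
    found = set()
    for stmt in policy_doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        found.update([actions] if isinstance(actions, str) else actions)
    return found - set(allowed)


class DryRunIam:
    """Stand-in for a boto3 IAM client: records calls instead of making them."""

    def __init__(self, account_id="123456789012"):  # constructed account id
        self.account_id = account_id
        self.calls = []

    def create_user(self, UserName):
        self.calls.append(("create_user", UserName))
        return {"User": {"UserName": UserName}}

    def create_policy(self, PolicyName, PolicyDocument):
        json.loads(PolicyDocument)  # the real API rejects invalid JSON too
        self.calls.append(("create_policy", PolicyName))
        return {"Policy": {"Arn": f"arn:aws:iam::{self.account_id}:policy/{PolicyName}"}}

    def attach_user_policy(self, UserName, PolicyArn):
        self.calls.append(("attach_user_policy", UserName, PolicyArn))
        return {}

    def create_access_key(self, UserName):
        self.calls.append(("create_access_key", UserName))
        return {"AccessKey": {"AccessKeyId": "AKIADRYRUNEXAMPLE000",  # constructed
                              "SecretAccessKey": "dry-run-secret"}}


def provision_backup_user(iam, user_name="CryptnoxBackup", kms_key_arn="*"):
    """Create the user and custom policies, attach all four policies, create the key."""
    iam.create_user(UserName=user_name)
    attached = []
    for name, doc in build_policies(kms_key_arn).items():
        extra = unexpected_actions(doc)
        if extra:
            raise ValueError(f"{name} grants unexpected actions: {sorted(extra)}")
        resp = iam.create_policy(PolicyName=name, PolicyDocument=json.dumps(doc))
        iam.attach_user_policy(UserName=user_name, PolicyArn=resp["Policy"]["Arn"])
        attached.append(resp["Policy"]["Arn"])
    for arn in AWS_MANAGED_POLICY_ARNS:
        iam.attach_user_policy(UserName=user_name, PolicyArn=arn)
        attached.append(arn)
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    return {"AttachedPolicyArns": attached,
            "AccessKeyId": key["AccessKeyId"],
            "SecretAccessKey": key["SecretAccessKey"]}


def credentials_csv(access_key_id, secret_access_key):
    """Render the two-line CSV the console's "Download .csv" produces (header assumed)."""
    return f"Access key ID,Secret access key\n{access_key_id},{secret_access_key}\n"


if __name__ == "__main__":
    if "--apply" in sys.argv:
        import boto3  # only needed for a real run against AWS
        client = boto3.client("iam")
    else:
        client = DryRunIam()
    result = provision_backup_user(client)
    sys.stdout.write(credentials_csv(result["AccessKeyId"], result["SecretAccessKey"]))
```

Run it with no arguments first to see the dry-run sequence; `python provision.py --apply > accessKeys.csv` performs the real calls and writes the same CSV the console would download.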