Should I import my XRP Ledger account into Xumm?
Importing your account secret might not make sense
Xumm is an excellent application for making payments on the XRP Ledger (XRPL), interacting with the XRPL ecosystem and for safely storing your private keys. For many people, moving their existing XRPL accounts over to Xumm seems like a good idea. Xumm is convenient, easy to use, and very secure, so why not import your account into Xumm to take advantage of all its features...?
Hardware wallets are largely about long term storage of your assets.
A hardware wallet stores the private keys for an XRP Ledger account on a device that is not connected to the internet. Transactions can only be signed on the XRPL account if the signer is in possession of the hardware device. Storing private keys 'offline' limits some potential attack vectors on an account.
Xumm is largely about enabling interaction with the XRP Ledger ecosystem.
Xumm stores the private keys for an XRP Ledger account on a mobile device, which is presumably connected to the internet at various times. It allows a user to sign transactions on their XRPL account via their phone. Storing private keys on a device that is 'online' exposes an account to other types of potential attack vectors.
Any time private keys are entered into any software there are potential risks. Spyware, malware, key-loggers, screen capture software, viruses, and many more attack vectors can come into play when entering your private keys.
If you are planning on importing an existing XRPL account into Xumm, please take the time to consider some of the risks associated with doing this.
This section asks questions which are intended to make you think about the nature of your XRPL account, how it was created and how its private keys are stored. If you are not sure what the answers are to some of them, contact your current wallet provider and ask them. You should have a general understanding of these concepts before you import your account into any software application (or hardware device).
- Do you trust the company/service that generated the keys?
- What was the source of entropy that was used to generate your keys?
- Has that source been audited?
- Can your keys be viewed using your current wallet?
- Was your account managed by a previous wallet?
- Are your private keys stored online (i.e. in a "cloud backup")?
- Which encryption method was used to store your keys?
- Are you planning to participate in the XRP Ledger community?
- Do you want to be able to access your hardware wallet account using Xumm?
While importing private keys into Xumm is certainly easy to do, you should consider why you are taking the risk of importing them into Xumm when there is a much safer option...🤔
The safest way to protect your funds is to create a new XRPL account using Xumm, then move your assets to your new account. There are a number of benefits to doing this:
- Accounts generated by Xumm use a world-class algorithm to generate a set of eight six-digit Secret Numbers used to access the account. Our algorithm has been audited and tested hundreds of thousands of times. You can trust that your Secret Numbers will not be duplicated by any other software or service.
- Xumm only displays the account secret once, when an account is generated. There is no way to access or view it after it is initially displayed. No one other than you will ever see the account secret after the account is created.
- After a new account is generated, the account secret is encrypted and immediately stored in Xumm. The algorithm we use to encrypt it is exceptionally secure.
- If something were to ever go wrong, it is much easier to narrow down the source of the issue if the account was generated in Xumm.
Consider the reason why you want to do this. For most hardware wallets, the main selling feature is that they generate and store the private keys for an account 'offline'. This means that an XRPL account managed by a hardware wallet is protected from some potential attack vectors.
By importing your hardware wallet account into Xumm, you are bringing your private keys into a software wallet (Xumm) which is 'online' (i.e. Xumm is installed on a mobile device which is most likely connected to the internet at various times throughout the day). Doing this will negate the main selling feature of your hardware wallet. Are you sure this is what you want to do?
If so, this article explains how to do this:
Rather than importing the private key for your hardware wallet account directly into Xumm, it is possible to create a second XRPL account, configure it as a regular key, then import your hardware wallet account into Xumm in 'read only' mode. Doing this keeps your secret keys 'offline' but still allows signing access to your account.
As long as you understand that doing this will allow you to access your hardware wallet account directly using Xumm, this is a better option than entering your private key into Xumm.
A regular key will "link" your hardware wallet account to a second XRPL account that will be managed by Xumm. This second XRPL account will not contain any funds and does not need to be activated with 10 XRP, but it will allow you to sign transactions on your hardware wallet account using Xumm.
This means you will have full and direct access to your hardware wallet account with Xumm and you will not need your physical hardware wallet to access the account.
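As an added illustration (not Xumm's code and not part of the original article), the XRPL transaction behind this setup is `SetRegularKey`. The sketch below builds it unsigned, then reads the `account_data` object of an `account_info` response to list which keys can sign; the addresses, fee and sequence are constructed placeholders and the function names are hypothetical.

```javascript
// Added example. Addresses are constructed placeholders, not real accounts.
const HW_ACCOUNT = "rHARDWARE_WALLET_ACCOUNT_PLACEHOLDER";
const PHONE_KEY = "rSECOND_ACCOUNT_IN_XUMM_PLACEHOLDER";
const LSF_DISABLE_MASTER = 0x00100000; // AccountRoot flag: master key pair disabled

// Unsigned SetRegularKey transaction, to be signed by the hardware wallet.
// Leaving regularKey undefined produces the transaction that removes the key.
function buildSetRegularKey(account, regularKey, sequence, feeDrops = "12") {
  if (regularKey === account) {
    throw new Error("regular key must not be the account's own master address");
  }
  const tx = { TransactionType: "SetRegularKey", Account: account,
               Fee: feeDrops, Sequence: sequence };
  if (regularKey) tx.RegularKey = regularKey;
  return tx;
}

// List the single-signature keys that can authorize transactions, given the
// account_data object of an account_info response. Multi-signing signer
// lists are separate ledger objects and are not covered here.
function signingAuthorities(accountData) {
  const masterEnabled = (accountData.Flags & LSF_DISABLE_MASTER) === 0;
  const signers = [];
  if (masterEnabled) signers.push({ role: "master", address: accountData.Account });
  if (accountData.RegularKey) {
    signers.push({ role: "regular", address: accountData.RegularKey });
  }
  return signers;
}

// True when the key pair behind `address` can sign for the account.
function canSign(accountData, address) {
  return signingAuthorities(accountData).some((s) => s.address === address);
}

// Constructed account_data before and after the SetRegularKey is validated.
const before = { Account: HW_ACCOUNT, Flags: 0 };
const after = { Account: HW_ACCOUNT, Flags: 0, RegularKey: PHONE_KEY };
console.log(buildSetRegularKey(HW_ACCOUNT, PHONE_KEY, 7));
console.log("phone can sign before:", canSign(before, PHONE_KEY));
console.log("phone can sign after: ", canSign(after, PHONE_KEY));
console.log(signingAuthorities(after));
```

After the change the account has two independent signing keys, so any review of the account should count the phone as holding full authority until a `SetRegularKey` without the `RegularKey` field removes it.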
If this is what you would like to do, here are the instructions:
The XRPL accounts that were created during the CasinoCoin swap used a process that some people might find a little difficult to understand. If you ever need to import one of those accounts, there is a special set of instructions to assist you: