Create key share groups
After creating a vault, you now need to create key share groups. There are 3 types of key share groups: Main Group, Signing Group, and Recovery Group.
| Main Group | Signing Group | Recovery Group | |
|---|---|---|---|
| Primary Purposes |
| Sign transactions |
|
| Required / Optional | Required | Optional | Optional |
| Max Quantity per Vault | 1 | 1 or more | 1 (recommended) or more |
Main Group
Creating a Main Group is mandatory before you can create an MPC Wallet. You may begin to use the MPC Wallet once the Main Group is successfully created. As best security practices and to ensure the utmost safety for your assets, it is a good idea to set up your Signing Group and Recovery Group as soon as you can, and back up all key share groups. You can create multiple Signing Groups to cater to your business requirements, but it is recommended to create only one Recovery Group. (Best security practices for your key share groups available soon on our Developer Hub.)
Create a Main Group
When creating the Main Group for your MPC vault, you have the option to choose either mobile co-signer or API co-signer. Make sure you understand the primary purposes and prerequisites of each co-signer type in the table below before proceeding further.
| Co-Signer Type | Mobile Co-Signer | API Co-Signer |
|---|---|---|
| Primary Purposes | The mobile co-signer is a team member who is assigned to securely sign transactions initiated through the Cobo Portal. Their TSS Node ID is generated by their Cobo Guard app and will be automatically filled. | The API co-signer is a server node which is used to automatically sign transactions initiated through the API. Its TSS Node ID is generated using the provided TSS Node software package and must be done before setting up the wallet. See TSS Node Technical Setup for further instructions. |
| Prerequisite Steps | Your chosen key share holders need to: | Your chosen key share holders need to provide you with their generated TSS Node ID. See TSS Node Technical Setup for further instructions. |
After you’ve chosen a co-signer type and set up the prerequisites, follow the instructions below to create a Main Group. Note: Only the users who have been assigned the Operator user role in the organization can create a Main Group.
- Log in to Cobo Portal.
- Click
> MPC Wallets. - Select your vault and then click Create Main Group under the vault name.
-
On the Create Main Group dialog, navigate to the Key Share Holder 2 section, and then complete the following configurations:
-
To use Mobile Co-Signer, select a Holder (the TSS Node ID will be filled in automatically), then click Confirm.
-
To use API Co-Signer, enter a Holder name, fill in the TSS Node ID generated using the TSS Node software package, then click Confirm. See TSS Node Technical Setup for further instructions.
-
-
Inform the relevant key share holder to confirm on their end.
- Notes:
- If using mobile co-signer, a Confirmation page appears on Cobo Portal. Please remind the selected key share holder to to confirm in their Cobo Guard. On the selected key share holder’s Cobo Guard app, tap the Security Verification message to open the Security Verification page. Review the information, then click Yes, it is me. A Become Key Holder message will soon then be sent to the key share holder’s Cobo Guard, click it to open the Become Key Holder page, review the information, then click Approve. Selected key share holder should now tap the Generate Key Shares banner on their Cobo Guard to enter the My Account page, tap Pending Key Generation under Key Shares to enter the Key Shares page. On the Key Shares page, click Start to enter the Generate Key Shares page. The key generation process will begin. Click OK when the Key Generation Success message is displayed on Cobo Guard.
- If using API co-signer, ensure to bring the TSS Node online within 24 hours. The confirmation process is completed as soon as the TSS Node goes online.
- Notes:
-
Once the key generation process is completed in step 5, the Group Status will show as Active.
You might need to refresh the Cobo Portal page to see the updated result.A default wallet will be automatically created for this vault upon successful key generation.
Signing Group
Signing Groups are created using the Main Group. You can create multiple Signing Groups for different members depending on your business needs.
Create a Signing Group
Similar to creating the Main Group, you have the option to choose either mobile co-signer or API co-signer when creating the Signing Group. Make sure you understand the primary purposes and prerequisites of each co-signer type before proceeding further.
After you’ve chosen a co-signer type and set up the prerequisites, follow the instructions below to create a Signing Group. Note: Only the users who have been assigned the Operator user role in the organization can create a Signing Group.
- Log in to Cobo Portal.
- Click > MPC Wallets.
- Select your vault and then click
on the upper right hand corner. - In the Key Group Management page, click Signing Groups > Create Signing Group.
- The Signing Group creation process is the same as the Main Group creation process. See Create Main Group for detailed instructions.
Manage Signing Group
Convert Signing Group into Main Group
In certain situations, you may want to convert a Signing Group into the Main Group. For example, if the current owner of the Main Group is leaving the organization and you need to assign a new person to own the Main Group, you may choose to convert a specific Signing Group into the new Main Group.
Follow the instructions below to convert a Signing Group into a Main Group.
- Log in to Cobo Portal.
- Click > MPC Wallets.
- Select your vault and then click on the upper right hand corner.
- In the Key Group Management page, click Signing Groups and then select the Signing Group to be converted.
- Click Upgrade to Main Group.
-
Click Confirm to upgrade the Signing Group to the Main Group.
-
The Signing Group is now the Main Group. Note: If there was only one Signing Group before the conversion, the list of Signing Groups will become empty post-conversion.
Delete a Signing Group
Follow the instructions below if you want to delete a Signing Group.
- Log in to Cobo Portal.
- Click > MPC Wallets.
- Select your vault and then click on the upper right hand corner.
- In the Key Group Management page, click Signing Groups and then select the Signing Group to be deleted.
- Click Delete Group.
-
Click Confirm to delete the specified Signing Group.
-
The specified Signing Group is now deleted.
Recovery Group
Recovery Groups serve two main purposes: Recover the whole private key and create a new Main Group if your Main Group and backup copy are lost or compromised. To learn more about backup and recovery, see Back up key share groups and Recover key shares.
Similar to creating the Main Group and Signing Group, you have the option to choose either mobile co-signer or API co-signer when creating the Recovery Group. Make sure you understand the primary purposes and prerequisites of each co-signer type before proceeding further.
After you’ve chosen a co-signer type and set up the prerequisites, follow the instructions below to create a Recovery Group. Note: Only the users who have been assigned the Operator user role in the organization can create a Recovery Group.
Create a Recovery Group
Note: You must first create the Main Group before creating a Recovery group. Follow the instructions below to create a Recovery Group.
- Log in to Cobo Portal.
- Click > MPC Wallets.
- Select your vault and then click on the upper right hand corner.
- In the pop-up window, select a Recovery Group mode and click Confirm.
- With Cobo Participation: A 2-3 signature scheme will be used. Cobo holds one key share, and the remaining two key shares are held either exclusively by your Organization or jointly with a third party.
- Without Cobo Participation: A 2-2 signature scheme will be used. Cobo does not hold any key shares. The two key shares are held either exclusively by your Organization or jointly with a third party.
- If you select With Cobo Participation, follow the instructions below to complete the creation:
- Select either Self Recovery or Third-Party Recovery. Self Recovery requires key shares held by Cobo and your Organization, while Third-Party Recovery requires key shares held by Cobo, your Organization, and your trusted third-party.
- Select your key share holders.
- To use Mobile Co-Signer, select a Holder (the TSS Node ID will be filled in automatically).
- To use API Co-Signer, enter a Holder name, fill in the TSS Node ID generated using the TSS Node software package.
- If you select Without Cobo Participation, follow the instructions below to complete the creation:
- Select either Self Recovery or Third-Party Recovery. Self Recovery requires key shares held by your Organization, while Third-Party Recovery requires key shares held by your Organization and your trusted third-party.
- Select your key share holders.
- To use Mobile Co-Signer, select a Holder (the TSS Node ID will be filled in automatically).
- To use API Co-Signer, enter a Holder name, fill in the TSS Node ID generated using the TSS Node software package.
- Click Confirm.
- The status will show “Pending Key Holder Confirmation”. Inform all key share holders to confirm on their ends. See Generate and back up your key shares for instructions on how key share holders can conduct this confirmation process.
- Once all key share holders have confirmed on their Cobo Guard apps, wait for the key generation process to conclude, then the Recovery Group will be created.
Delete a Recovery Group
Follow the instructions below if you want to delete a Recovery Group.
- Log in to Cobo Portal.
- Click > MPC Wallets.
- Select your vault and then click on the upper right hand corner.
- In the Key Group Management page, click Recovery Groups and then select the Recovery Group to be deleted.
- Click Delete Group.
- Click Confirm to delete the specified Recovery Group.
- The specified Recovery Group is now deleted.