Change the FT4 key
In the Chromia network, the system uses the provider key by default for both controlling the financial FT4 account and operating the node. Chromia offers flexible options for users and providers who want to customize their account structure or security measures.
- Change the FT4 auth descriptor to multisig: Set up a Chromia-native multisig configuration to distribute control across multiple signers, increasing security and flexibility. Multisig mitigates risks like the loss or compromise of a single key by requiring multiple signers for account operations. For detailed steps, refer to the Multisig guide.
- Change the FT4 auth descriptor to an EVM key: Replace the provider key with an EVM MetaMask key, offering compatibility with Ethereum-based tools and the option of using a hardware wallet or MPC-based distributed key management solutions for enhanced security.
- Create a separate staking FT4 account: Establish a dedicated account with its own key for staking, while the original provider FT4 account manages rewards and other operations.
The separate staking account method can be combined with either auth descriptor option for greater flexibility. For more information on FT4 auth descriptors, refer to the auth descriptors documentation.
Requirements
Before you start, make sure you have these tools ready:
- Chromia CLI
- Postchain Management Console (PMC)
- MetaMask extension and account (if you're opting for the EVM key method)
The mainnet's economy chain brid is: 15C0CA99BEE60A3B23829968771C50E491BD00D2E3AE448580CD48A8D71E7BBA
Switch FT4 key to an EVM key
Switching your FT4 key to a MetaMask key allows you to access your FT4 account via the Chromia Vault website and sign transactions with MetaMask.
- Use chr and pmc to configure your provider key for the mainnet.
- Use chr to fetch your provider account ID from the economy chain:
  chr query -brid 15C0CA99BEE60A3B23829968771C50E491BD00D2E3AE448580CD48A8D71E7BBA get_provider_account_id provider_pubkey=<provider pubkey>
- Use pmc to replace the FT4 auth descriptor. The --account-id option is now optional. The account ID will be automatically fetched using the provider's public key if not provided.
  Without specifying the --account-id:
  pmc economy auth-descriptor-evm-swap --evm-address=<your ethereum address>
  If you prefer to explicitly specify the account ID:
  pmc economy auth-descriptor-evm-swap --account-id <account id from previous step> --evm-address=<your ethereum address>
- Test the key change by attempting a small transfer (e.g., 0.000001 CHR) from the old FT4 account to another account.
  This step is specifically designed to confirm that the old FT4 account no longer has access and to validate that the key swap was successful. The transaction should fail if the setup has been updated correctly, as the old account should no longer have the necessary permissions.
  chr tx --ft-auth -brid 15C0CA99BEE60A3B23829968771C50E491BD00D2E3AE448580CD48A8D71E7BBA ft4.transfer 'x"<from>"' 'x"<to>"' "1L"
- After confirming the transfer, delete the file containing the MetaMask private key if it's no longer necessary.
- Check if the UI on the Chromia Vault now displays the balance previously associated with the provider identity.
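The following shell helpers are an added example, not part of the Chromia tooling or documentation. They validate the inputs to the swap command before it is run and treat the old-key test transfer as passed only when it fails. The function names are hypothetical, and the 64-hex-digit account ID format and the non-zero exit status of chr on a rejected transaction are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for the EVM key swap procedure above.
# Function names are hypothetical; only commands shown on this page are used.

# True when $1 consists of exactly $2 hexadecimal digits.
is_hex_of_len() {
  [ "${#1}" -eq "$2" ] || return 1
  case "$1" in
    *[!0-9a-fA-F]*) return 1 ;;
  esac
  return 0
}

# An EVM address is "0x" followed by exactly 40 hex digits.
is_evm_address() {
  case "$1" in
    0x*) is_hex_of_len "${1#0x}" 40 ;;
    *) return 1 ;;
  esac
}

# Print the swap command for review instead of running it.
# $1 = EVM address, $2 = optional account ID.
# Assumption: an account ID is 32 bytes written as 64 hex digits.
build_swap_cmd() {
  is_evm_address "$1" || { echo "bad EVM address: $1" >&2; return 1; }
  if [ -n "${2:-}" ]; then
    is_hex_of_len "$2" 64 || { echo "bad account ID: $2" >&2; return 1; }
    echo "pmc economy auth-descriptor-evm-swap --account-id $2 --evm-address=$1"
  else
    echo "pmc economy auth-descriptor-evm-swap --evm-address=$1"
  fi
}

# Run the test transfer (passed as arguments) with the OLD key.
# Returns 0 when the command fails, meaning the old key was rejected,
# and 1 when it succeeds, meaning the old key still controls the account.
# Assumption: chr exits non-zero when the transaction is rejected.
old_key_rejected() {
  if "$@"; then
    echo "transfer succeeded: old key still has access" >&2
    return 1
  fi
  return 0
}
```

A connectivity or configuration error also makes the transfer fail, so read the error output of chr to confirm the failure is an authorization rejection before treating the swap as verified.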