
OneKey Transfer Security Mechanism

Updated this week

OneKey Transfer is a feature within the OneKey App that securely moves your software wallet's private keys between your devices. This guide explains the multiple layers of security protecting your data.

Note on Wallets: This feature is currently for software wallets only. Support for hardware wallets is more complex and will be added in a future version.


Core Principles

Our security is built on three key promises:

  • Open-Source & Trustworthy

    The code for our app and server is public. Anyone can review it to verify our security claims.

  • End-to-End Encryption (E2EE)

    Your data is encrypted on your device and only decrypted on the destination device. No one in the middle—not even OneKey—can read it.

  • Server Zero-Knowledge

    Our server only acts as a traffic controller to connect your devices. It has no access to, or knowledge of, the data being transferred.


How the Encryption Key is Constructed

Your data is locked with a key made from multiple, independent parts. An attacker would need to steal all parts from different places simultaneously to even attempt to break the encryption.

1. Dynamic Shared Key (ECDHE)

  • What it is: A temporary, one-time shared key created directly between your two devices at the start of the session.

  • Key Takeaway: This key is never transmitted to or seen by the server. It keeps the connection secure even if your Pairing Code is intercepted (e.g., via screen recording).

2. The Pairing Code

  • First 10 Characters: Sent to the server to identify which devices want to connect.

  • Last 40 Characters: Used as a secret ingredient for the final encryption key. This part is never sent to the server.

3. Additional Secret Ingredients

  • From Your Device (Local): Your device's lock password, a random number for the transfer, a unique ID for your app instance, and a built-in app secret (salt).

  • From the Cloud (Server): A temporary connection ID and another random number generated by the server for the session.

In short, because the key is composed from several independent sources, the barrier to decryption is very high. To have any chance of decrypting your data, an attacker would have to simultaneously breach the server (to hijack data, get the cloud-side key parts, and tamper with the ECDHE key via a man-in-the-middle attack) AND screen-capture your app (to steal the pairing code and other local key parts).
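The composition described above can be sketched as follows. This is an added example, not OneKey's code: the use of X25519 and HKDF-SHA256, the 50-character code length, the field names, and the assumption that both devices already hold the same local and server parts are all illustrative choices the article does not specify.

```javascript
// Added example. HKDF, X25519 and all field names are assumptions, not OneKey's code.
const { generateKeyPairSync, diffieHellman, hkdfSync, randomBytes } = require('node:crypto');

// Assumes a 50-character code: first 10 identify the session, last 40 stay local.
function splitPairingCode(code) {
  if (code.length !== 50) throw new Error('expected 50 characters');
  return { sessionId: code.slice(0, 10), secretPart: code.slice(10) };
}

// Length-prefix every part so ("ab","c") and ("a","bc") encode differently.
function encodeParts(parts) {
  return Buffer.concat(parts.flatMap((p) => {
    const body = Buffer.from(p);
    const len = Buffer.alloc(4);
    len.writeUInt32BE(body.length);
    return [len, body];
  }));
}

// Mix the ECDHE secret, the unsent pairing-code tail, and the local and server parts.
function deriveTransferKey(ecdheSecret, secretPart, local, server) {
  const ikm = encodeParts([ecdheSecret, secretPart, local.password, local.nonce, local.instanceId]);
  const salt = encodeParts([local.appSalt, server.connectionId, server.nonce]);
  return Buffer.from(hkdfSync('sha256', ikm, salt, 'transfer-key-example', 32));
}

function demo() {
  // Constructed sample values.
  const { sessionId, secretPart } = splitPairingCode('ROOM-00001' + 'k7'.repeat(20));
  const local = { password: 'constructed-password', nonce: randomBytes(16),
    instanceId: 'app-instance-1', appSalt: 'constructed-app-salt' };
  const server = { connectionId: 'conn-42', nonce: randomBytes(16) };

  // Each device makes a fresh key pair; only the public halves are exchanged.
  const a = generateKeyPairSync('x25519');
  const b = generateKeyPairSync('x25519');
  const secretA = diffieHellman({ privateKey: a.privateKey, publicKey: b.publicKey });
  const secretB = diffieHellman({ privateKey: b.privateKey, publicKey: a.publicKey });
  const keyA = deriveTransferKey(secretA, secretPart, local, server);
  const keyB = deriveTransferKey(secretB, secretPart, local, server);

  // A party holding every other part but not the ECDHE secret gets a different key,
  // as does one holding the ECDHE secret but the wrong pairing-code tail.
  const noEcdhe = deriveTransferKey(randomBytes(32), secretPart, local, server);
  const wrongTail = deriveTransferKey(secretA, 'x'.repeat(40), local, server);
  return { sessionId, devicesAgree: keyA.equals(keyB),
    noEcdheDiffers: !keyA.equals(noEcdhe), wrongTailDiffers: !keyA.equals(wrongTail) };
}
```

Calling demo() shows both devices arriving at the same 32-byte key, while leaving out either the ECDHE secret or the correct pairing-code tail yields an unrelated key.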


Defenses & Verifications

We use several active measures to block attacks and ensure you are in control.

Server-Side Protection

  • Anti-Brute-Force:

    • Rate Limiting: A single device can only make a request once every 3 seconds, preventing rapid-fire attacks.

    • Attempt Limits: The Pairing Code can only be tried 10 times. After 10 failures, the session is terminated.

User-Controlled Verification

  • Lock Screen Password Check

    • What You Do: You must enter your phone's password to authorize the transfer.

    • Why It Matters: Ensures that someone who picks up your unlocked phone cannot steal your keys.

  • 6-Digit Physical Verification

    • What You Do: After pairing, you must physically confirm that a 6-digit code matches on both of your device screens.

    • Why It Matters: This stops a man-in-the-middle attack. A hacker can't complete the transfer because they can't see the code on your second device.

  • One-Time-Use Pairing Code

    • What it is: The Pairing Code expires after one successful use.

    • Why It Matters: This provides a "preemptive connection" defense. If a hacker steals your code and connects first, your own legitimate connection attempt will forcibly disconnect the hacker, ensuring only you can proceed.

Advanced Options

Thanks to our open-source code, you can further enhance the security and privacy of your data transfers:

  • Self-Host Your Server: Deploy our server code on your own server, then connect to it by selecting the "Custom Server" option in the app. This gives you complete control over your data.

  • LAN Transfer (Coming Soon): In a future version, the OneKey desktop app will be able to act as a Local Area Network (LAN) relay. This will allow your devices to transfer data without ever touching the public internet, achieving true physical isolation.
