Jul 18, 2019

Account and Key Security at Algorand Part II: Single-Key Accounts

By: Sharon Halevi

Part II: Single-Key Account Tutorial

How do I securely create a single-key account?

In Part I, we described ways to manage keys securely, explained how run a node on an offline machine, and outlined how to recover accounts on different machines. In Part II, we will describe how to use this information to create and transact with a single-key account.

Single-key account creation should always be done on an offline machine.

For step 1, the first thing you need to do is create a wallet. The command to create a wallet is

./goal wallet new <wallet name> -d <path to data directory>

After you come up with a password for the wallet to protect local kmd operations, the system will generate a wallet mnemonic that encodes the secret key for the wallet. This mnemonic should remain a secret, as it allows the recovery of the wallet and all associated accounts on another device. Wallet mnemonics are useful if you want to recover multiple single-key accounts without having to import them individually with account mnemonics. In cases like this, save the wallet mnemonic and guard it securely like an account key.

The command to set up a single-key account is

./goal account new -d <path to data directory>

This command can be modified to specify a wallet as follows:

./goal account new -w <wallet name> -d <path to data directory>

In order to import this account for future use, you must have the secret key mnemonic associated with the account. To see the secret key mnemonic, type the command

./goal account export -a <account address> -d <path to data directory>

Enter the password for the wallet, and make sure to save the account mnemonic, as it will allow you to recover the account by importing it into another wallet.

Recovering an account allows for its mnemonic to be exposed, so this should only be done offline.

For step 2, refer back to Part I for information on how to store keys.

How do I securely generate transactions?

For step 3, transaction generation, The network does not check for sufficient funds until the transaction is submitted at the very end. While the steps in the visual do not show this step at any given point, you must add funds sometime before submitting the transaction.


Transactions can be generated with or without importing the sending account in a wallet.

To generate the transaction offline use the command

./goal clerk send -o <name-of-transaction-file.tx> -a <amount> -f
<sending account public key> -t <receiving account public key> --
firstvalid <round number> --lastvalid <round number> --fee <fee> -d
<path to data directory>

During normal operation, while the transaction rate is not higher than the blockchain’s capacity, the minimum fee of 0.001 Algos should be sufficient. Otherwise, you must compete with the market and offer a high enough fee for the transaction to be included in a block.

To check what the current round number is for the firstvalid flag, visit Then, use the average seconds per round to estimate a lastvalid round for a transaction.


You should never import a single-key account onto an online node. As discussed in Part I, this exposes the secret key to potential attackers.

The command to generate a transaction on an online machine that does not contain the sending account

./goal clerk send -o <name-of-transaction-file.tx> -a <amount> -f 
<sending account public key> -t <receiving account public key> -d
<path to data directory>

One advantage to online generation has to do with ease of use, since you do not manually have to input the valid rounds and fee. Instead, the node can get that information from the network.

How do I sign a transaction?

For step 4, signing should always be done on an offline machine. After generating the transaction, the .tx file created is what you will sign.

If you generated the transaction online, save the .tx file created to the same USB with the installer file on it. Then, on your offline machine, move that .tx file into your node.

If you generated the transaction offline, you do not have to move the .tx file anywhere.

If the signing account is not already on the offline machine, you must import it to sign. To sign a transaction, type the command

./goal clerk sign -i <transaction-filename.tx> -o <signed-
transaction-name.tx> -d <path to data directory>

The signed transaction name can be whatever you want. For step 6, save that new file to the storage USB for recovery on an online machine.

How do I validate my transaction details before submitting?

Step 5, or verification that the transaction details are correct, should be done on an offline machine, as it is much less likely that the machine itself is compromised.

To check that the transaction has not been compromised before submitting the transaction, use the command

./goal clerk inspect <.tx filename> -d <path to data directory>

You should see the details of the .tx file. If any details are changed, like the amount number or receiving account, do not submit the transaction.

How do I submit a transaction?

For step 7, Once you have the signed transaction file, go back onto the online machine. For step 8, the command to submit a transaction is

./goal clerk rawsend -f <.tx filename> -d <path to data directory>

Now that you know how to create and transact from a single-key account, be sure to read Part III to learn how to perform the same operations from a multisignature account.