Polkadot Vault (previously: Parity Signer) is a mobile app available for both iOS and Android which can turn any unused phone into a secure hardware cold wallet for Polkadot, Kusama, and other Substrate-based chains.

Parity provide some good tips for ensuring your Polkadot Vault device is securely airgapped here. HydraDX also provide some good tips regarding SIMs, passwords, and other security best practices here.

What follows is a guide on how to use Polkadot Vault with Talisman to safely secure your accounts, without compromising on your experience in the multi-chain Paraverse.

Step 1: Select your trust model

To sign transactions on a substrate blockchain like Polkadot, the signing device needs access to some information about the chain. We'll refer to this information as the metadata.

Without the metadata, the device would be limited to only signing a few specific transaction types on a few specific chains (as was the case with Ledger cold wallets circa 2023 - no crowdloans and no staking!).

With Polkadot Vault, the chain metadata can be transmitted to the device by scanning a QR code.

But we want to be sure that the metadata hasn't been tampered with.

To verify that it is genuine, the metadata is signed by a trusted individual. Generally this is someone who works at Parity (for metadata.parity.io) or Nova Wallet (for metadata.novasama.io).

As a Polkadot Vault and Talisman user, you have the choice to place your trust in either the metadata portals above, or alternatively in the security of your Talisman wallet itself.

The pros and cons of each approach are as follows:

Option 1: Trust the Metadata Portals

• Pro: At the time of writing, this is the ecosystem default

• Pro: For existing Polkadot Vault users, this doesn't require you to change your Vault at all

• Con: Doesn't support some parachains

• Con: Each metadata update must be signed by a human, which can mean after each chain runtime upgrade you will be unable to sign transactions for a short while

If you would prefer to use the metadata portals (or if you're already using Polkadot Vault with other wallets and you're just looking to use it with Talisman too), you can skip straight to Step 2 to continue setting up Polkadot Vault for use with Talisman.

Option 2: Trust the Talisman

• Pro: Works for every parachain, all the time

• Pro: Once set up, is very easy to use (the core Talisman team uses this approach as they prefer its superior UX)

• Con: You can only use Talisman to update your metadata, unless you reset your Polkadot Vault (so there is some wallet lock-in)

• Con: Requires some initial set-up (which is detailed below)

If you would like to try our preferred approach, you must first remove the pre-installed Verifier Certificate which ships with Polkadot Vault.

This certificate ensures that you can only update metadata for the Polkadot, Kusama and Westend chains when it has been signed by someone from Parity (and added to metadata.parity.io).

Instead, you will be signing your own metadata updates via some open source code in the Talisman wallet.

To remove the default verifier certificate, first BACK UP ANY ACCOUNTS YOU HAVE CREATED ON THE DEVICE. Removing the certificate will reset your Vault (and remove your accounts).

This bears repeating, so:

🚨 BACK UP ANY ACCOUNTS YOU HAVE CREATED ON THE DEVICE BEFORE PROCEEDING 🚨

Next, follow along with these steps:

The app will reset, and the default viewer certificate will be removed. You will now need to recover your keysets using your recovery phrase.

That's all that you need to do on your Polkadot Vault device.

Now that the default verifier certificate is removed, a new one will be automatically installed when you add your first chainspec in Step 4.

The signer for your chainspecs and chain metadata QR codes will by default be the first account created when you set up your Talisman wallet.

You can change the signer for chainspecs and chain metadata QR codes by going to your Talisman Wallet settings -> Recovery Phrases -> Open the ··· menu next to the intended recovery phrase and select Set as Polkadot Vault Verifier Certificate.

Continue to Step 2 to create or import your account(s) into your Polkadot Vault.

Step 2: Create or import your account(s) into your vault

Tap Add Key Set on the app and then:

• tap Add new Key Set if you would like to set up a new account with a new recovery phrase, or

• tap Recover Key Set if you already have a recovery phrase you would like use.

Follow the prompts to set up your account.

On the final page, Create Keys, we recommend that you deselect the default networks. If you leave them selected then three accounts will be created, one for each network. Each account will have its own derivation path i.e. //polkadot, //kusama and //westend.

Unless you specifically want a separate account for each network, we recommend that you instead create one single multi-network account.

You can do this by following along here, note that the derivation path is intentionally set to be empty:

Step 3: Connect your Polkadot Vault account(s) to Talisman

Open your Talisman and go to the Add Account section. Select Import Polkadot Vault and then Turn on Camera.

Next, scan the QR code on the Polkadot Vault app which is shown when you select your key set and then the Polkadot network account:

You will then be presented with a screen in your Talisman to enter a name for your account, and you will be given the option whether or not to restrict the account to a single network.

You should turn this option on if you use a different derivation path for each network. If you don't, or if you don't know what a derivation path is, it is best to leave this option turned off. More information on the difference between these options can be found in the appendix.

Step 4: Sign a transaction

This next step begins with the sign transaction prompt, so you will need to create a transaction to continue!

Pick your favourite dapp, or if you don't have one then you can use the send funds feature of your Talisman wallet. In this example we're going to send 1 DOT from one account to another.

FAQ / Troubleshooting

Errors in the Talisman UI

1010: Invalid Transaction: Transaction has a bad signature

We've seen this error intermittently on the Send Funds confirm screen, but have been unable to determine its cause yet. Our recommendation for now is to try and send the tokens again, it's likely to work on the second attempt.

If you are unable to send the tokens after a second attempt, please hop into our Discord and create a post in the #help-and-bugs channel so our team can be made aware of the issue.

Errors on the signer device

Please Download polkadot Network Metadata

Your device has no metadata for the network you're trying to sign a transaction on. This metadata is required in order for the device to add your signature into the transaction payload, which will be submitted to the chain.

To fix this, follow the instructions to update your network metadata in the Step 4: Sign a transaction section of this guide.

Something has gone wrong. (General verifier)

If you see an error titled Something has gone wrong and the description includes a message like so:

Network polkadot is verified by the general verifier which currently is public key: c46a22b9da19540a77cbde231975fd90485c72b4ecf3c599ecca6998f39bd57, encryption: sr25519. Received load_metadata message is verified by public key: <key-here>, encryption: sr25519. Changing the general verifier or changing the network verifier to custom would require wipe and reset of Vault.

This error occurs when you try to update the metadata for a chain using a different method to the one you used to set that chain up.

If you tried to update the metadata via a QR code with a Talisman logo in the middle, try using the Parity metadata portal (metadata.parity.io) or the Nova Wallet metadata portal (metadata.novasama.io) instead.

Vice versa, if you tried using a QR code from a metadata portal or one with a Parity/Nova Wallet logo in the middle, try switching to the Talisman option by using the dropdown:

Appendix: One Multi-Chain Account vs Many Single-Chain Accounts

When using Parity Signer or Polkadot Vault, there are two approaches you can take to organising your accounts on the signing device.

Talisman supports both approaches, but there are some caveats to consider, so we recommend a quick read through this guide to ensure a smooth and confusion-free experience.

Method 1 - One Account per Chain

The first method is to use a different account derivation path for each chain.

For example, your Kusama account might use the derivation path //kusama, while your Basilisk account might use //basilisk.

When using this method, it's best to import each account with the 'Restrict account to Network Name network' option switched on to prevent confusion and errors.

This will tell your Talisman wallet to only show each account when interacting with the chain it is configured for, which will help you avoid two possible error scenarios:

1. You won't be able to create invalid transactions (i.e. transactions on the wrong chain) with this account. These are transactions which if scanned by the signing device it will refuse to sign them.

2. Because the Receive funds view will only show this account for the one chain, you won't accidentally send tokens to this account on the wrong chain. You would want to avoid this, because as you cannot sign transactions on other chains with this account, if you send it some tokens on the wrong chain you won't be able to access them.

Method 2 - One Account for Every Chain

Alternatively, a single derivation path can be used for all networks with the 'Restrict account to Network Name network' option switched off.