How to host your own Vault12 Guard ZAX relay node on Digital Ocean

An in-depth guide to running your own relay node to handle messaging among your network of Digital Vault Guardians

This two-part article explains how to run your own Zax relay node on the Digital Ocean platform to achieve completely private and dedicated communications among your Vault Guardians. Custom URL Relay hosting is an optional, advanced Guard feature.

If you're just learning what Zax secure messaging is, we have another article explaining that.

PART 1: Installing and verifying a test Relay Node

1. Start a new Droplet with the pre-installed Ruby

  • Navigate to the Digital Ocean Control Panel Dashboard and choose the appropriate project from the left menu.
  • Click on Create > Droplets to initiate the setup process.
  • Choose region and/or datacenter according to Droplet recommendations (closest region), or according to your preferences.
  • Under Choose an Image, select Marketplace and then opt for the Ruby On Rails image.
  • Ensure that it's the appropriate version (e.g., Version 7.0.4.2 or newer, OS Ubuntu 22.04).
  • The minimal options are fine for individual use.
  • For authentication, choose the SSH Key option and select your preferred SSH key. You can backup your SSH keys to the Vault12 Guard app.
  • Click Create Droplet, and wait for the Droplet to be provisioned and started.

2. SSH into the Droplet

Once the Droplet is ready:

  • Check the Droplet's public IPv4 address.
  • Access it via SSH by launching the Droplet Console, or by using any other SSH client with the following command:
ssh root@your_droplet_ipv4

3. Install Redis

Install Redis on the Droplet by following the steps below, or the original guide by Digital Ocean:

  • To install the Redis package, run:
apt install redis-server
  • To update the Redis configuration, edit /etc/redis/redis.conf and set the supervised directive (approximate line number 236) to supervised systemd. For example, with the nano editor:
nano -l /etc/redis/redis.conf
  • Restart the Redis service to apply the changes:
systemctl restart redis.service

4. Install and configure Zax

  • In the SSH console, sign in as the predefined rails user:
su - rails
  • Clone the Zax repository, navigate into the directory, and run the script to install dependencies:
git clone https://github.com/vault12/zax.git
cd zax
./install_dependencies.sh
  • Whitelist your hostname for production use

By default, Rails 6 applications reject all requests that are not made to the configured host. So you need to uncomment and modify the production configuration file config/environments/production.rb.

Uncomment the line (approximate line number 11) containing the following text:

11 | # config.hosts << "zax.example.com"

and insert your own IP address (IPv4) or hostname, so that it looks similar to this:

11 | config.hosts << "64.1.1.255" # use your Droplet's IP address (ipv4) or hostname.

Exit from the rails user session by entering exit.

5. Modify Rails service to serve Zax

Open the Rails service configuration file:

/etc/systemd/system/rails.service

and update the WorkingDirectory and ExecStart directives as follows:

WorkingDirectory=/home/rails/zax/
ExecStart=/bin/bash -lc 'rails s --binding=localhost --environment production'

Save the changes and exit the editor.

6. Configure Nginx

  • Edit the following Nginx configuration file:
/etc/nginx/sites-available/rails

and replace server_name _; with the correct address (IPv4) or host name (e.g., server_name 64.1.1.255;).

  • Allow Nginx Full through the firewall (the rule for Nginx HTTP is deleted in Part 2, once HTTPS is configured):
ufw allow 'Nginx Full'
  • Reload the systemd daemon and restart the Rails service to apply the changes:
systemctl daemon-reload
systemctl restart rails.service

7. Verify the installation

In a browser, open the IPv4 address you used above, for example http://64.1.1.255. (At this step you use http rather than https, because Nginx and your DNS domain name are not yet configured with an SSL certificate for secure HTTPS connections.)

You should be able to see the dashboard of your own Zax relay, similar to this dashboard:

https://vault12.github.io/zax-dashboard/

8. Add the URL of your relay to the Vault12 Guard app

Now you are ready to verify that your newly created Zax relay can connect to your Vault12 Guard app:

  • In Guard, go to Settings / Advanced / Relay hosting.
  • Select Custom URL and enter the Droplet's IPv4 address URL (like http://64.1.1.255). Again, remember to choose http instead of https at this step until you have secured your Nginx and DNS domain name with an SSL certificate.

The green indicator should indicate that the app is connected to your relay. Note that when you leave this screen, the app might request to restart.


At this point, the Zax relay is functional. However, for security purposes it is necessary to add some standard layers of network defense to your Droplet. Please continue on to Part 2, below, for important additional steps needed to secure your Zax relay and run it in a production environment.

-------------

PART 2: Running Zax securely (Production Use)

1. Disable the Zax Dashboard frontend

For safety and privacy reasons, you may prefer to disable access to the Zax Dashboard of your private relay. To do this:

  • Sign in as the predefined rails user:
su - rails
  • Set the public_file_server variable to false on line 64 in the production configuration file:
config/environments/production.rb

This action will prevent the Ruby server from serving files from the public/ directory.

  • Exit from the rails user session by entering exit.

2. Add a DNS record for your domain with your registrar

To configure DNS for your domain, log in to your domain registrar's website and access the DNS management section. Add a DNS A record by specifying your domain name and your Droplet's IP address. Save the changes and wait for DNS propagation, which may take some time.

3. Secure Nginx with Let's Encrypt

1. Obtain an SSL certificate using Certbot with the Nginx plugin:

certbot --nginx -d zax.example.com

2. Delete the rule for Nginx HTTP:

ufw delete allow 'Nginx HTTP'

3. Reload the systemd daemon and restart the Rails service to apply the changes:

systemctl daemon-reload
systemctl restart rails.service

4. Add the URL of your secure relay to the Vault12 Guard app

Now you are all set to switch your Vault12 Guard app to work with your secure Zax relay:

  • In Guard, go to Settings / Advanced / Relay hosting

The previous custom URL (using http) should now be red, since you have disabled unencrypted HTTP access to Nginx.

  • Update Custom URL to use your Droplet's new HTTPS URL.

The green indicator should now indicate that Guard is connected to your secure custom relay. Note that when you leave this screen, the app might request to restart.

  • You may also need to delete any default public relay URLs shown in order to keep your network of Guardians running fully privately.
  • Now that your custom relay is working, all of your Guardians should configure the Guard app on their devices to connect only to your custom relay to keep all communications within your private Guardianship circle. (They would make this change in Settings / Advanced / Relay hosting in the same way that you did.)
Congratulations!
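
To confirm that the Droplet ended up in the state Parts 1 and 2 describe, the script below checks each setting the guide changes. It is an added example, not part of the Vault12 guide or the Zax repository; the function names, the ROOT prefix, the saved `ufw status` file, and the spelling config.public_file_server.enabled for the line-64 setting are assumptions of this example.

```bash
#!/bin/sh
# Added example (not from Zax or the Vault12 guide): audit the settings that
# Parts 1 and 2 change. ROOT is "" on the Droplet, or a directory holding
# copies of the files; UFW is a file with the saved output of `ufw status`.

# has_line FILE REGEX: an uncommented line in FILE matches REGEX.
has_line() { [ -r "$1" ] && grep -Eq "^[[:space:]]*$2" "$1"; }
# no_line FILE REGEX: FILE is readable and no uncommented line matches REGEX.
no_line()  { [ -r "$1" ] && ! grep -Eq "^[[:space:]]*$2" "$1"; }

check() {  # check DESCRIPTION COMMAND ARGS...
  desc=$1; shift
  if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
}

audit_relay() {  # audit_relay ROOT UFW -> returns the number of failed checks
  svc="$1/etc/systemd/system/rails.service"
  prod="$1/home/rails/zax/config/environments/production.rb"
  fails=0
  check "Redis supervised by systemd" \
    has_line "$1/etc/redis/redis.conf" 'supervised[[:space:]]+systemd'
  check "Rails listens on localhost only" \
    has_line "$svc" 'ExecStart=.*--binding=localhost'
  check "Rails runs in production" \
    has_line "$svc" 'ExecStart=.*--environment production'
  check "config.hosts names this relay" \
    has_line "$prod" 'config\.hosts[[:space:]]*<<'
  # Assumption: line 64 is spelled config.public_file_server.enabled = false
  check "Dashboard files not served" \
    has_line "$prod" 'config\.public_file_server.*=[[:space:]]*false'
  check "Nginx server_name is not the catch-all" \
    no_line "$1/etc/nginx/sites-available/rails" 'server_name[[:space:]]+_;'
  # 'Nginx Full' covers ports 80 and 443; the HTTP-only rule should be gone.
  check "ufw allows Nginx Full" has_line "$2" 'Nginx Full[[:space:]]+ALLOW'
  check "ufw rule Nginx HTTP deleted" no_line "$2" 'Nginx HTTP[[:space:]]+ALLOW'
  return "$fails"
}

# Run against real files when called with two arguments (ROOT and UFW).
if [ "$#" -eq 2 ]; then audit_relay "$1" "$2"; fi
```

On the Droplet, save the firewall state as root with `ufw status > /tmp/ufw-status.txt`, then run the script with `""` and that file as its two arguments. The exit status is the number of failed checks, so 0 means every setting matches the guide.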


Vault12

Vault12 is the pioneer in crypto inheritance and backup. The company was founded in 2015 to provide a way to enable everyday crypto customers to add a legacy contact to their crypto wallets. The Vault12 Guard solution is blockchain-independent, runs on any mobile device with biometric security, and is available in Apple and Google app stores.


Art Krotou

Art is a crypto-security expert and researcher with a serial entrepreneurship background. A degree in physics and experience in multiple cutting-edge industries, such as fintech, secure hardware and semiconductors, and identity, gave him a unique multi-faceted perspective on the problem of key management for individuals in the crypto networks and the evolution of the internet in general.

In his current work, he is specifically researching how cryptographic keys can be inherited without posing a threat to 3rd parties in edge cases. In addition, he advocates for "fault-tolerance via secrets automation". He discusses the quantitative impact of user experience factors on the uptake of non-custodial solutions.

As one of his most notable accomplishments, he co-founded, and led through its early years, the company that contributed to the complex technology behind Apple's recent M-series CPUs. He is also the creator of the most friendly and aesthetically pleasing, but nonetheless super secure and fault-tolerant hardware wallet - U•HODL.

