Search posts...
Secure your Nsec with Amber
Other

Secure your Nsec with Amber

QnA
QnA
7 min read

One of the first things most people learn when getting started with Nostr is the importance of their private key, or ‘nsec’. The nsec is the key to their Nostr world. Whoever controls an nsec, controls that account. Lose access to the nsec and you lose access to that account and its social graph.

So the nsec is very important and should be treated very carefully, but what happens if we want to use or test multiple Nostr clients? Newer clients might be malicious, or have unknown security vulnerabilities, so simply go pasting our nsec everywhere just to see if we like a new app is not the best idea!

Thankfully there are solutions for nsec management that allow us to do exactly that, without having to expose our all important nsec to each and every app we want to interact with. The most commonly used to date are browser extensions like Alby or nos2x. Typically these types of browser extensions do not work on mobile platforms.

Enter Amber…

Amber Hero Amber Event Signer

What is Amber?

Amber is a free and open source Android application that serves as a dedicated ‘Nostr event signer’. Amber allows users to keep their nsec segregated in a single, dedicated app. The goal of Amber is to have your smartphone act as a NIP-46 signing device without any need for servers or additional hardware.

At its core Amber serves two main purposes:

  1. Securing your nsec(s)
  2. Using this nsec to sign events for other Nostr clients on your phone

Got an iPhone? Check out nsec.app

Getting Started

  1. Download Amber to your phone. It is available from Zap Store, Obtanium, GitHub or F-Droid
Download Amber ⬇️ Support Amber ⚡️


  1. When opening Amber for the first time, you’ll have the option to create a new Nostr account (nsec) or import an existing one.

Getting Started Getting Started

  1. If you do not currently have a Nostr account, Amber will help you generate and secure a brand new nsec. Amber allows you to download an encrypted file containing your nsec as well as the option to download a human-readable version of the nsec in the form of 12 English words, similar to a Bitcoin seed.

Amber New Account Creating a new account

Skip this step if you have an existing nsec that you want to import to Amber.

  1. To import an existing nsec, choose ‘Use your private key’. You can then paste the nsec from an existing client, or scan a QR code of it if you have one available to you.

Import nsec Importing an nsec

  1. Once you have created or imported your nsec, Amber will ask for some basic permissions. You can allow the app the approve basic actions, or enable more granular selection for each client you subsequently connect. Once you tap ‘Finish’, you’ll see that the account is now ready.

If you have or require more than one Nostr account, you can repeat these steps for each one. All accounts can be viewed by tapping the profile image in the bottom right corner of the screen.

Account Active Account Active

  1. That’s it, Amber is now ready to sign events. Amber allows multiple ways to connect other clients to it, but most will have a very simple ‘Login with Amber’ button. Let’s demo this in practice with Amethyst, the most popular Android-only client.

The opening screen of Amethyst shows the ‘Login with Amber’ option. Tap that.

Account Created Connecting Amethyst to Amber

  1. Amber will then open automatically and ask you to define the level of autonomy you’d like to have with Amethyst. This setting defines how often Amber will require you to manually authorize each event.

For example, you might want Amber to automatically sign every like or repost you do in Amethyst, but then be asked to manually approve all direct messages sent from your account. These permissions can be customized in the settings at any time.

Seting permissions Setting permissions

  1. Let’s assume that upon setup, we did not grant Amber the ability to automatically sign short text notes for us. Let’s look at how simple the authorization flow is. Type a new short note in Amethyst and press ‘Post’.

Amethyst will instantly send the request to the Amber app on your phone, with no third party server involved. Amber will open and ask you to approve the event. When you do, Amber signs the event with the nsec it stores for you and automatically send the signed event back to Amethyst to be posted. The whole process takes just a few seconds.

Authorizing an event Authorizing an event

Using Amber with a Web Client

  1. Next let’s take a look at how you can use Amber on your phone to sign events on a web app running on your computer. For this example, we’ll be using Coracle. Open Coracle and click ‘Log In’, then choose ‘Use Remote Signer’. Coracle will then display a QR code.
Coracle Log In

Coracle Remote Signer Log In

  1. Open Amber and navigate to the Applications page, tap the + icon, then scan the QR code being displayed by Coracle.

Getting Started Coracle QR log in

  1. Just as it did earlier with Amethyst, Amber will now ask you to grant some basic permissions for the Coracle connection. Once again, these permissions can be customized at any time in the settings. Once granted, you’ll notice that Coracle automatically logs in to your feed.
Coracle Log In

Logged in to Coracle

But wait, how did that happen? The nsec is in Amber on your phone, and Coracle is running on your computer. The two might not even be in the same location or on the same network!? The communication is happening over the Nostr protocol, via relays. Which relays are used for this communication can be configured in the Amber settings.

  1. Let’s test out a short note on Coracle to demonstrate the signing process. Click ‘Post +’ in the top right corner, draft your note and then click send.
Coracle Log In

Logged in to Coracle

  1. Amber will send a push notification to your phone. Tapping the notification will open Amber for you to approve the event.

Getting Started Coracle QR log in

  1. Once the event is approved in Amber, Amber will automatically send the signed event back to Coracle for publishing.
Coracle Log In

Logged in to Coracle

Summary

You can view Amber as a vault for your Nostr private keys (nsec). It allows you to explore the entire ecosystem without exposing your nsec to every new app you try. Amber is an incredibly simple yet powerful tool that belongs on the Android phone of every Nostr user.

At the time of writing, using Amber as a remote event signer is supported by the following popular Nostr clients:

  1. Amethyst (mobile)
  2. Coracle (web)
  3. 0xChat (mobile)
  4. Fountain (mobile)
  5. Zap Store (mobile)
  6. Keychat (mobile)
  7. Freeflow (mobile)
  8. Highlighter (web)
  9. Chachi Chat (web)
  10. Habla (web)
  11. Shopstr (web)
  12. Plebeian Market (web)
  13. Snort (web)
  14. Nostrudel (web)

Private keys should be exposed to as few systems as possible as each system adds to the attack surface

– NIP-46

If you found this post useful, please share it with your peers and consider following and zapping me on Nostr. If you write to me and let me know that you found me via this post, I’ll be sure to Zap you back! ⚡️

Follow Me ✅
Secure your Nsec with Amber
Older post

Your First Steps

Related

What is the 'Other Stuff'?
Other

What is the 'Other Stuff'?

Nostr isn’t just a Twitter replacement. It’s a foundation for whatever ‘other stuff’ you can dream up.

4 min read
Nostr Utilities
Other

Nostr Utilities

A run down of some popular Nostr utility categories.

5 min read