Disable Master Key Pair
This page describes how to disable the master key pair that is mathematically associated with an account's address. You should do this if your account's master key pair may have been compromised, or if you want to make multi-signing the only way to submit transactions from your account.
To disable the master key pair, you must use the master key pair. However, you can re-enable the master key pair using any other method of authorizing transactions.
Prerequisites
To disable the master key pair for an account, you must meet the following prerequisites:
- You must have an XRP Ledger account and you must be able to sign and submit transactions from that account using the master key pair. See also: Set Up Secure Signing. Two common ways this can work are:
- You know the account's master seed value. A seed value is commonly represented as a base58 value starting with "s", such as
sn3nxiW7v8KXzPzAqzyHXbSSKNuN9
. - Or, you use a dedicated signing device that stores the seed value securely, so you don't need to know it.
- You know the account's master seed value. A seed value is commonly represented as a base58 value starting with "s", such as
- Your account must have at least one method of authorizing transactions other than the master key pair. In other words, you must do one or both of the following:
Steps
1. Construct Transaction JSON
Prepare an AccountSet transaction from your account with the field "SetValue": 4
. This is the value for the AccountSet flag "Disable Master" (asfDisableMaster
). The only other required fields for this transaction are the required common fields. For example, if you leave off the auto-fillable fields, the following transaction instructions are enough:
{ "TransactionType": "AccountSet", "Account": "rf1BiGeXwwQoi8Z2ueFYTEXSwuJYfV2Jpn", "SetFlag": 4 }
LastLedgerSequence
field so that you can reliably get the outcome of the transaction in a predictable amount of time.2. Sign Transaction
You must use the master key pair to sign the transaction.
rippled
server. You should adapt these instructions if you are using another secure signing configuration.Example Request
{ "command": "sign", "tx_json": { "TransactionType": "AccountSet", "Account": "rf1BiGeXwwQoi8Z2ueFYTEXSwuJYfV2Jpn", "SetFlag": 4 }, "secret": "s████████████████████████████" }
Example Response
{ "result": { "deprecated": "This command has been deprecated and will be removed in a future version of the server. Please migrate to a standalone signing tool.", "tx_blob": "1200032280000000240000017C20210000000468400000000000000A732103AB40A0490F9B7ED8DF29D246BF2D6269820A0EE7742ACDD457BEA7C7D0931EDB7446304402204457A890BC06F48061F8D61042975702B57EBEF3EA2C7C484DFE38CFD42EA11102202505A7C62FF41E68FDE10271BADD75BD66D54B2F96A326BE487A2728A352442D81144B4E9C06F24296074F7BC48F92A97916C6DC5EA9", "tx_json": { "Account": "rf1BiGeXwwQoi8Z2ueFYTEXSwuJYfV2Jpn", "Fee": "10", "Flags": 2147483648, "Sequence": 380, "SetFlag": 4, "SigningPubKey": "03AB40A0490F9B7ED8DF29D246BF2D6269820A0EE7742ACDD457BEA7C7D0931EDB", "TransactionType": "AccountSet", "TxnSignature": "304402204457A890BC06F48061F8D61042975702B57EBEF3EA2C7C484DFE38CFD42EA11102202505A7C62FF41E68FDE10271BADD75BD66D54B2F96A326BE487A2728A352442D", "hash": "327FD263132A4D08170E1B01FE1BB2E21D0126CE58165C97A9173CA9551BCD70" } }, "status": "success", "type": "response" }
Look for "status": "success"
to indicate that the server successfully signed the transaction. If you get "status": "error"
instead, check the error
and error_message
fields for more information. Some common possibilities include:
"error": "badSecret"
usually means you made a typo in thesecret
of the request."error": "masterDisabled"
means this address's master key pair is already disabled.
Take note of the tx_blob
value from the response. This is a signed transaction binary you can submit to the network.
3. Submit Transaction
Submit the signed transaction blob from the previous step to the XRP Ledger.
Example Request
{ "command": "submit", "tx_blob": "1200032280000000240000017C20210000000468400000000000000A732103AB40A0490F9B7ED8DF29D246BF2D6269820A0EE7742ACDD457BEA7C7D0931EDB7446304402204457A890BC06F48061F8D61042975702B57EBEF3EA2C7C484DFE38CFD42EA11102202505A7C62FF41E68FDE10271BADD75BD66D54B2F96A326BE487A2728A352442D81144B4E9C06F24296074F7BC48F92A97916C6DC5EA9" }
Example Response
{ "result": { "engine_result" : "tesSUCCESS", "engine_result_code" : 0, "engine_result_message" : "The transaction was applied. Only final in a validated ledger.", "tx_blob" : "1200032280000000240000017C20210000000468400000000000000A732103AB40A0490F9B7ED8DF29D246BF2D6269820A0EE7742ACDD457BEA7C7D0931EDB7446304402204457A890BC06F48061F8D61042975702B57EBEF3EA2C7C484DFE38CFD42EA11102202505A7C62FF41E68FDE10271BADD75BD66D54B2F96A326BE487A2728A352442D81144B4E9C06F24296074F7BC48F92A97916C6DC5EA9", "tx_json" : { "Account" : "rf1BiGeXwwQoi8Z2ueFYTEXSwuJYfV2Jpn", "Fee" : "10", "Flags" : 2147483648, "Sequence" : 380, "SetFlag" : 4, "SigningPubKey" : "03AB40A0490F9B7ED8DF29D246BF2D6269820A0EE7742ACDD457BEA7C7D0931EDB", "TransactionType" : "AccountSet", "TxnSignature" : "304402204457A890BC06F48061F8D61042975702B57EBEF3EA2C7C484DFE38CFD42EA11102202505A7C62FF41E68FDE10271BADD75BD66D54B2F96A326BE487A2728A352442D", "hash" : "327FD263132A4D08170E1B01FE1BB2E21D0126CE58165C97A9173CA9551BCD70" } }, "status": "success", "type": "response" }
If the transaction fails with the result tecNO_ALTERNATIVE_KEY
, your account does not have another method of authorizing transactions currently enabled. You must assign a regular key pair or set up multi-signing, then try again to disable the master key pair.
4. Wait for validation
On a live network (including Mainnet, Testnet, or Devnet), you can wait 4-7 seconds for the ledger to close automatically.
If you're running rippled
in stand-alone mode, use the [ledger_accept method][] to manually close the ledger.
5. Confirm Account Flags
Confirm that your account's master key is disabled using the account_info method. Be sure to specify the following parameters:
Field | Value |
---|---|
account | The address of your account. |
ledger_index | "validated" to get results from the latest validated ledger version. |
Example Request
{ "command": "account_info", "account": "rf1BiGeXwwQoi8Z2ueFYTEXSwuJYfV2Jpn", "ledger_index": "validated" }
Example Response
{ "result": { "account_data": { "Account": "rf1BiGeXwwQoi8Z2ueFYTEXSwuJYfV2Jpn", "AccountTxnID": "327FD263132A4D08170E1B01FE1BB2E21D0126CE58165C97A9173CA9551BCD70", "Balance": "423013688", "Domain": "6D64756F31332E636F6D", "EmailHash": "98B4375E1D753E5B91627516F6D70977", "Flags": 9633792, "LedgerEntryType": "AccountRoot", "MessageKey": "0000000000000000000000070000000300", "OwnerCount": 9, "PreviousTxnID": "327FD263132A4D08170E1B01FE1BB2E21D0126CE58165C97A9173CA9551BCD70", "PreviousTxnLgrSeq": 53391321, "RegularKey": "rD9iJmieYHn8jTtPjwwkW2Wm9sVDvPXLoJ", "Sequence": 381, "TransferRate": 4294967295, "index": "13F1A95D7AAB7108D5CE7EEAF504B2894B8C674E6D68499076441C4837282BF8", "urlgravatar": "http://www.gravatar.com/avatar/98b4375e1d753e5b91627516f6d70977" }, "ledger_hash": "A90CEBD4AEDA24470AAC5CD307B6D26267ACE79C03669A0A0B8C41ACAEDAA6F0", "ledger_index": 53391576, "validated": true }, "status": "success", "type": "response" }
In the response's account_data
object, compare the Flags
field with the lsfDisableMaster
flag value (0x00100000
in hex, or 1048576
in decimal) using bitwise-AND (the &
operator in most common programming languages).
Example code:
// Assuming the JSON-RPC response above is saved as account_info_response const lsfDisableMaster = 0x00100000; let acct_flags = account_info_response.result.account_data.Flags; if ((lsfDisableMaster & acct_flags) === lsfDisableMaster) { console.log("Master key pair is DISABLED"); } else { console.log("Master key pair is available for use"); }
This operation has only two possible outcomes:
- A nonzero result, equal to the
lsfDisableMaster
value, indicates the master key has been successfully disabled. - A zero result indicates the account's master key is not disabled.
If the result does not match your expectations, check whether the transaction you sent in the previous steps has executed successfully. It should be the most recent entry in the account's transaction history (account_tx method) and it should have the result code tesSUCCESS
. If you see any other result code, the transaction was not executed successfully. Depending on the cause of the error, you may want to restart these steps from the beginning.