Security of your wallet on LOBSTR

Modified on Fri, 28 Jun at 5:39 PM

The LOBSTR team cares about the security of our users and is committed to delivering the best possible experiences and protection for Stellar wallets when using the LOBSTR web and mobile apps. The security of the wallet's private keys is one of the most important things when it comes to crypto.

Secret key and Recovery phrase encryption

In order to be able to use LOBSTR, a user needs to create an account linked to their email address. They then create a Stellar wallet on that LOBSTR account that is both securely stored locally on-device, and uploaded to our server in an encrypted form.

We store the encrypted version of the Recovery phrase/Secret key on our server. Your Stellar Secret key is generated on the device, is encrypted client-side, and is never sent unencrypted to our server. We encrypt your Secret key and Recovery phrase using keys derived from your password via script and a per-key salt. This makes cracking your password computationally difficult, even in the case of a data breach.

Having an account allows us to sync the info and the wallet attached to the account across the platforms we support: website, iOS and Android app.

When a user logs into their account on another platform, the app downloads the encrypted version of the key from the server and stores it locally for further usage.

The keys themselves can only be decrypted and accessed by users on-device since that requires password (and 2FA) authentication. The transaction signing also happens locally on-device.

The main benefit for this approach is the huge UX improvement users get. Users are able to move freely between platforms and devices without the need to transfer their keys and info over.

No one else (including us) has the ability to administer your account and funds on your behalf, access your Recovery phrase, Secret key, Password, or the funds in your account. Also, we’re unable to check the correctness of your Security information such as Recovery Phrase, Secret Key, Password on our end.

Your Secret key and Recovery phrase are encrypted using tweetnacl.secretbox (xsalsa20-poly1305) to avoid timing channel attacks and guarantee that if your seed decrypts properly, it has not been tampered with. The encrypted Stellar Secret key and Recovery phrase may only be downloaded with proper user authentication, so you must have entered the correct password and 2FA code (if you enabled it) to even have the opportunity to decrypt your Secret key and Recovery phrase.

We don’t store passwords in raw format on our end. The passwords are using PBKDF2 with random salt and sufficiently high number of iterations.


We built LOBSTR Vault for those looking for additional security.

Vault further protects the wallets by using the Stellar network multisig. With Vault every transaction needs to be authorized and signed with additional keys. Vault keys are stored on the device only and not backed up anywhere. Vault is open-source, so anyone can verify how this solution works.

Learn more:

Multisig and LOBSTR Vault

Keeping your wallet secure

LOBSTR provides an adequate level of security for your account by default. However, we provide several options which can be enabled to further increase the level of security.

As a user, you are responsible for making sure your account has a strong password and enabling PIN or biometric protection to keep your app on-device secure.

Your password should satisfy the following requirements:

— Unique. Do not reuse passwords, this creates major security risks. If the same password is used across multiple services, an attacker who gains access to one account, can also log into every other account that uses the same password.

— Long and complex. We recommend passwords consisting of at least 10 symbols, including numbers, symbols, lowercase and uppercase letters.

— Stored securely. Make sure you don't store your password in plain sight, or accessible online (like in your email inbox).

The IP address confirmation is an extra security layer that protects LOBSTR accounts by requiring email confirmation when logging in from new IP addresses. The IP confirmation is enabled for all LOBSTR users by default and cannot be disabled.

We also recommend enabling the 2FA protection to increase the protection of your wallet.

LOBSTR has a built-in protection to limit access requests to users accounts and temporarily restricts access to accounts after a number of unauthorized attempts.

Learn more:

What is a Recovery Phrase on LOBSTR?

Switching to on-device key storage: Migration process overview

How to restore my secret key?

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article