Public Computer Mode: Using CardanoWall on a Shared Device
Public computer mode stops CardanoWall from writing identity data to the browser, so a shared device keeps no trace after you leave. It does not make a compromised machine safe while you are signed in.

You can use CardanoWall on a borrowed or shared computer, and public computer mode makes that safer — but only in one specific way. The mode stops the app from writing anything identity-related to the browser, so nothing about your session is left on the machine after you walk away. What it cannot do is protect you while you are still signed in. If the device is compromised, public computer mode does not change that.
So the rule is simple: treat a shared computer as higher-risk, turn on public computer mode, and never paste a high-value seed into a device you do not control.
What is public computer mode?
It is a session-only, lower-persistence browser mode you can turn on at unlock or when you create an identity.
When you do not own the device, you do not want CardanoWall leaving identity-related state behind for the next person. Public computer mode is the explicit toggle for that. It is built for moments like:
- a library or hotel business-center computer;
- a coworking-space or conference machine;
- a shared newsroom workstation;
- a borrowed laptop;
- a device managed by an organization you do not fully trust.
The toggle itself is deliberately not saved anywhere. Persisting "I am on a public computer" would be a browser-storage write — exactly the thing the mode exists to avoid — and a reload on a shared machine should always return to the safe default of asking again.
What does public computer mode change?
It turns off every identity-related write to browser storage.
On a device you own and trust, CardanoWall caches some non-secret convenience data so future sessions are smoother. It can keep a copy of your encrypted vault in the browser so a reload needs only one passkey tap instead of a network fetch, and it can keep non-secret setup metadata during onboarding so an accidental reload does not break the flow. Importantly, the browser copy of the vault is the same encrypted ciphertext the server holds — age-encrypted and openable only by your passkeys — not a plaintext copy of your seed.
In public computer mode, all of those paths are suppressed: no remembered vault cache, no local-unlock shortcut, no version pin, and no onboarding metadata mirror. The gate sits at each storage choke point, so no part of the app can accidentally write something the mode is meant to withhold.
What remains is the in-memory unlock state. While you are signed in, your seed and the keys derived from it live in session memory only. They survive in-app navigation for the life of the tab; locking or signing out wipes them on a best-effort basis, and closing the tab or reloading tears the page down entirely. The whole point is to leave nothing behind. For a fuller picture of what the browser does and does not keep, see "What CardanoWall stores in the browser".
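The storage gate and the in-memory unlock state described above, sketched as an added example; this is not CardanoWall's code. `MemoryStorage` stands in for the browser's localStorage, `createSession` and the key names are hypothetical, and the sketch assumes the gate suppresses reads of an existing cache as well as writes.

```javascript
// Added illustration, not CardanoWall source. All names and keys are hypothetical.
// MemoryStorage stands in for window.localStorage so this runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  get length() { return this.map.size; }
}

// One session models one page load. publicMode lives only in this closure and is
// never persisted, so every new load has to be told the mode again.
function createSession(backend, publicMode) {
  if (typeof publicMode !== "boolean") {
    throw new Error("mode must be chosen at unlock; it is never read from storage");
  }
  let seed = null; // in-memory unlock state only

  // Single choke point for identity-related persistence.
  const gate = {
    setItem(key, value) {
      if (publicMode) return false; // suppressed: nothing reaches the backend
      backend.setItem(key, value);
      return true;
    },
    // Assumption: reads are gated too, so a cache left by an earlier
    // trusted-mode session offers no local-unlock shortcut here.
    getItem: (key) => (publicMode ? null : backend.getItem(key)),
  };

  return {
    unlock(seedBytes, encryptedVault) {
      seed = Uint8Array.from(seedBytes);
      gate.setItem("vault.cache", encryptedVault); // ciphertext, never the seed
      gate.setItem("vault.versionPin", "1");
    },
    cachedVault: () => gate.getItem("vault.cache"),
    isUnlocked: () => seed !== null,
    lock() {
      if (seed) seed.fill(0); // best-effort wipe; JavaScript gives no guarantee
      seed = null;
    },
  };
}
```

Routing every identity-related write through one object like `gate` is what lets a single flag cover the vault cache and the version pin together, instead of relying on each caller to check the mode.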
What does public computer mode not change?
It does not make an untrusted computer trustworthy.
This is the part that matters most. A malicious script in your active session — from a hostile browser extension, a stored cross-site-scripting bug on the page, a keylogger, or remote-access software — can read what you type and what the app holds in memory while you are unlocked. That includes your Identity Seed if you paste it, and your private keys while the identity is active.
CardanoWall reduces this risk with a strict content-security policy, minimal scripts, and a rule that unlocking and decryption only happen on an explicit action you take — never automatically. Those measures lower the odds, but they cannot eliminate an attacker who is already running code in your session. That is an inherent limit of any browser-delivered cryptography, not a CardanoWall-specific gap. Public computer mode reduces what is left behind; it does not defeat an active compromise.
Should I paste my Identity Seed on a public computer?
Only if the exposure is acceptable, and for a high-value identity the honest answer is no.
The Identity Seed is the root of your Label 309 identity. Anyone who captures it can sign as you and decrypt every sealed record addressed to that identity, past and future. Typing it into a device you do not control is therefore a serious decision, not a routine one.
For a low-value identity or genuine emergency access, you might accept that risk for a short session. For anything that matters, use your own trusted device. Public computer mode is better than normal mode on a shared machine, but it does nothing to remove the core danger of entering a secret into a computer you do not own.
What about passkeys on a shared device?
It depends on whether the passkey is available there — and even then, the device risk does not disappear.
If your synced passkey reaches the device through your own passkey-provider account, you may be able to unlock without pasting the seed at all, which removes the seed-entry exposure. That is a real improvement. But the unlocked session still holds your derived private keys in memory, and the device may still be untrusted. A hostile local environment can simply target the live session instead of the seed you never typed.
Synced passkeys also inherit the security and recovery model of whoever provides them, while a hardware key carries different tradeoffs; "Synced passkeys versus hardware keys" covers that choice. Either way, for sensitive identities, unlock only on a device you control. More on how passkeys protect the vault: "How passkeys guard your identity vault".
When is public computer mode actually useful?
It is most useful for low-stakes work where the goal is simply to leave no leftovers.
Good fits include:
- opening and checking a proof link;
- viewing public, on-chain proof metadata;
- verifying a non-sensitive file's hash locally;
- reading non-sensitive account information;
- a short session with a deliberately low-risk identity;
- emergency access when no trusted device is at hand.
It is a poor fit for anything that exposes secrets or makes lasting changes:
- revealing an Identity Seed;
- decrypting sensitive sealed records;
- signing records that matter;
- managing shared or team identities;
- adding passkeys;
- changing recovery or security settings.
What should I do before leaving a shared computer?
End the session deliberately rather than just closing the lid.
Before you walk away:
- lock the identity;
- sign out;
- close the tab and the browser window;
- avoid downloading decrypted files, and delete any you did create;
- clear the clipboard if you copied a secret into it;
- do not let the browser save passwords or passkeys on the device.
A private or incognito window is a useful extra layer because it discards its own storage when closed, but do not mistake it for a security boundary against malware — it is not one.
What if I already used a risky device?
Decide whether your seed could have been exposed, and respond to that, not to a vague worry.
If you only viewed public records, there is usually little to do. But if you unlocked an identity, pasted or revealed a seed, or decrypted sensitive files on a device you cannot vouch for, take the possibility seriously.
If you cannot rule out seed exposure, treat the identity as compromised. There is no reset for a leaked seed — the response is to move to a fresh one:
- create a new identity;
- publish and share the new public keys out of band;
- deactivate the old identity in CardanoWall;
- stop using the old receive addresses;
- where it helps, publish a superseding record that points to the new identity.
Note the asymmetry: removing a passkey re-encrypts your vault to the remaining factors and deletes the old ciphertext, so a removed passkey can no longer open the current vault — but that helps only if the seed itself was never exposed. A leaked seed is full compromise, and passkey removal does not undo it. The mechanics of retiring an identity are covered in "Active, deactivated, and deleted identities".
The short version
Public computer mode does one job well: it keeps CardanoWall from leaving identity-related state in the browser on a device you do not own. Turn it on for shared computers. Do not mistake it for protection against a machine that is already compromised.
If the identity matters, use a device you trust. And the safest shared-computer session is still the one where you never paste your seed and never unlock a high-value identity. For the broader question of what the service can and cannot observe, see "What CardanoWall can see".
Further reading
- Your identity is a seed
- What CardanoWall stores in the browser
- How passkeys protect your identity vault
- Synced passkeys vs hardware keys
- Why keys never leave the device
- Label 309, the open standard behind CardanoWall identities and proofs.