Key Management

Create, encrypt and manage private keys using the Othentic CLI

Overview

The Othentic Stack provides various methods for managing and using keys. Operators can interact with the CLI using either raw keys or encrypted Keystore files; a Keystore file keeps the key encrypted at rest under a password, so the raw key never sits on disk in the clear.

AVSs are networks that rely on continuous off-chain execution logic, with tasks ultimately settled on-chain. This requires automated signing, where operators submit transactions to AVS contracts while also engaging in peer-to-peer consensus.

Using the same key for both AVS registration and consensus creates a single point of failure: the key used for consensus must live on the task-performing machine, either as raw text or in an encrypted Keystore file whose decryption password must also be available on that machine for automated signing. A compromise of that host then also exposes the key that controls the Operator's registration.

Depending on security requirements, Operators can either use a single key for all AVS operations or separate them into a Controller Key and a Consensus Key.


Key Roles and Separation

When registering as an Operator using the CLI, users are required to provide both keys separately.

Although the same key can be used for both the Controller and Consensus roles, separating them is strongly recommended, and both keys should be stored as encrypted Keystore files rather than as raw keys.

Controller Key

The Controller Key is used as an ECDSA key for the following purposes:

Consensus Key

The Consensus Key is used exclusively as a BLS key for:


Generating Keystore-Encrypted Keys

The othentic-cli simplifies key generation and encryption into Keystore files. If you already have raw keys generated using another tool, these can also be used directly in either raw format or as Keystore files.

To generate a new keystore-encrypted key (run the command once per key you need), use:

othentic-cli wallet encrypt
	--private-key <PRIVATE_KEY>
	--keystore-dir <KEYSTORE_PATH>
  • PRIVATE_KEY: A raw 32-byte private key to encrypt as keystore. If not supplied, CLI will auto-generate a new private key and proceed to encrypt it.

  • KEYSTORE_PATH: Path to the JSON-formatted Keystore file. If not supplied, a UUID-based filename will be auto-generated and saved under the .keystore directory.


Using Separate Controller and Consensus Keys

To leverage key separation for increased security, follow these steps:

  1. Generate keys twice using the othentic-cli wallet encrypt command (as detailed above)

    1. Optionally, name the Controller key controller.json and the Consensus key consensus.json

  2. Store the Controller key securely, off the node host (for example on an admin-only or offline machine); it is not needed on the machine(s) that perform tasks.

  3. Use the Consensus key on the machine(s) running the node software. Configure the environment variables by setting PRIVATE_KEY to the Consensus Key (or, when using a Keystore file, WALLET_KEYSTORE_PATH and WALLET_KEYSTORE_PASSWORD to its path and password) and OPERATOR_ADDRESS to the public address of the Controller Key.
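The three steps above as a script run on the node host, added here as an example that is not part of the Othentic documentation or CLI. It assumes the two Keystore files were produced with `othentic-cli wallet encrypt` and named controller.json and consensus.json as suggested above; it checks that the controller Keystore has not been copied onto the node host and that the consensus Keystore is readable only by its owner, then writes the .env entries the CLI reads (WALLET_KEYSTORE_PATH, WALLET_KEYSTORE_PASSWORD, OPERATOR_ADDRESS). The demo directory, the stand-in Keystore JSON and the password in the demo section are constructed for the example; 0xabc is the placeholder address the page itself uses.

```shell
#!/usr/bin/env sh
# Added example, not part of the Othentic docs or CLI. Assumes two Keystore
# files produced on an admin machine with (run twice, once per key):
#   othentic-cli wallet encrypt --keystore-dir <KEYSTORE_PATH>
# named controller.json (kept off the node host) and consensus.json (copied
# to the node host). The demo directory and stand-in JSON below are constructed.
set -eu

# Returns 0 if the file exists and is readable only by its owner (mode 600 or 400).
keystore_perms_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Returns 0 if no controller Keystore is present in the node's keystore
# directory: the Controller Key must not live on the task-performing host.
controller_absent() {
    [ ! -e "$1/controller.json" ]
}

# Writes the node's .env with the variable names the CLI reads. The file is
# created under umask 077 (mode 600) because the password is stored in plaintext.
# Arguments: env-file path, consensus Keystore path, its password, Controller address.
write_node_env() {
    env_file="$1"; keystore="$2"; password="$3"; operator="$4"
    ( umask 077
      printf 'WALLET_KEYSTORE_PATH=%s\nWALLET_KEYSTORE_PASSWORD=%s\nOPERATOR_ADDRESS=%s\n' \
          "$keystore" "$password" "$operator" > "$env_file" )
}

# --- demo on a constructed node-host directory ------------------------------
NODE_DIR=$(mktemp -d)
# Stand-in for the consensus Keystore; a real one comes from `wallet encrypt`.
printf '{"constructed":"stand-in keystore"}\n' > "$NODE_DIR/consensus.json"
chmod 600 "$NODE_DIR/consensus.json"

# Password for the consensus Keystore (taken from the environment if set, so it
# is never typed on a command line) and the Controller Key's public address.
KEYSTORE_PASSWORD="${KEYSTORE_PASSWORD:-constructed-password}"
OPERATOR_ADDRESS=0xabc

controller_absent "$NODE_DIR" \
    || { echo "controller.json must not be present on the node host"; exit 1; }
keystore_perms_ok "$NODE_DIR/consensus.json" \
    || { echo "consensus.json must be readable only by its owner"; exit 1; }
write_node_env "$NODE_DIR/.env" "$NODE_DIR/consensus.json" "$KEYSTORE_PASSWORD" "$OPERATOR_ADDRESS"
echo "wrote $NODE_DIR/.env"
```

The two checks are the ones worth automating: a controller Keystore that has drifted onto the node host defeats the separation, and a world-readable consensus Keystore plus a world-readable .env hands the key to every local user.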


Key Usage in CLI

Keys can be provided either at runtime or through environment variables.

Using Keystore files

At Runtime:

othentic-cli [SUB-COMMAND-1] [SUB-COMMAND-2]
	--keystore <KEYSTORE_PATH>
	--keystore-password <DECRYPT_PASSWORD>
  • KEYSTORE_PATH: Path to the JSON-formatted Keystore file.

  • DECRYPT_PASSWORD: Password to decrypt the Keystore file. If not supplied, you will be prompted to enter it at runtime.

Using Environment Variables:

Because the password is then stored in plaintext beside the Keystore file on the same host, this protects the key at rest (for example against a copied disk or backup) but not against an attacker with access to the running host; restrict the .env file's permissions and keep it out of version control.

In your .env file:

# .env
...
WALLET_KEYSTORE_PATH=.keystore/c54b33db-311c-4e32-9ed3-375e5c0b6f0c
WALLET_KEYSTORE_PASSWORD=123
OPERATOR_ADDRESS=0xabc
...

Using Raw Keys

A raw key passed on the command line can leak through shell history and the process list (visible to other users on the host), so use this form only for local testing and prefer a Keystore file or an environment variable otherwise.

At Runtime:

othentic-cli [SUB-COMMAND-1] [SUB-COMMAND-2]
	--private-key <RAW_PRIVATE_KEY>

Example:

othentic-cli node aggregator
	--private-key 81da2278784f2d3011513661fe5d7bebf7c6514d64667c4bf33a5b81221c5b37

Using Environment Variables

# .env file
...
PRIVATE_KEY=81da2278784f2d3011513661fe5d7bebf7c6514d64667c4bf33a5b81221c5b37
OPERATOR_ADDRESS=0xabc
...
