🔑 Key Management

Create, encrypt and manage private keys using the Othentic CLI

Intro

The Othentic Stack supports multiple methods for managing and using keys.

Depending on security requirements, Operators can use a single key for all AVS operations or separate them into a Controller Key and a Consensus Key.

For each method, Operators can interact with the CLI using either raw keys or encrypted Keystore Files, offering an additional layer of security.

Key Separation

Operators can use a Controller Key to register on Eigenlayer contracts and secure the AVS with a delegated economic stake, and a separate Consensus Key to participate in peer-to-peer Consensus within an AVS.

When registering as an Operator using the CLI, users supply both keys separately, encrypted in Keystore files or as raw text.

Users can provide the same key for both Controller Key and Consensus Key, but we strongly recommend that Operators register using encrypted Keystore files.

Controller Key

The Controller Key is used only as an ECDSA key:

Consensus Key

The Consensus Key is used only as a BLS key. Operators use it to attest task validity/invalidity in the P2P networking layer.

Generating Keys

The othentic-cli generates new keys and directly encrypts them into keystore files.

If you've previously generated keys using another tool and have them in raw format, you can use either raw private keys or keystore files.

To generate a new set of keystore-encrypted keys, use the command:

othentic-cli wallet encrypt \
	--private-key <PRIVATE_KEY> \
	--keystore-dir <KEYSTORE_PATH>

  • PRIVATE_KEY: raw 32-byte private key to encrypt as a keystore. If not supplied, the CLI auto-generates a new private key and encrypts it.

  • KEYSTORE_PATH: path to the JSON-formatted Keystore file. If not supplied, the CLI auto-generates a UUID for the file and places it under a .keystore directory.

Using Separate Controller and Consensus Keys

To benefit from the separation of the Controller and Consensus keys, follow these steps:

  1. Generate keys twice using the othentic-cli wallet encrypt command; see above.

    1. Optionally, name the Controller key controller.json and the Consensus key consensus.json

  2. Store the Controller key securely.

  3. Use the Consensus key on the machine(s) running the node software.

Key Usage in CLI

You can provide keys either at runtime or through environment variables.

Using Keystore files

At Runtime

othentic-cli [SUB-COMMAND-1] [SUB-COMMAND-2] \
	--keystore <KEYSTORE_PATH> \
	--keystore-password <DECRYPT_PASSWORD>

  • KEYSTORE_PATH: Path to the JSON-formatted Keystore file.

  • DECRYPT_PASSWORD: Password to decrypt the Keystore file. If not provided, you'll be prompted to enter it at runtime.

Using Environment Variables

In your .env file:

# .env
...
WALLET_KEYSTORE_PATH=.keystore/c54b33db-311c-4e32-9ed3-375e5c0b6f0c
WALLET_KEYSTORE_PASSWORD=123
...

Using Raw Keys

At Runtime:

othentic-cli [SUB-COMMAND-1] [SUB-COMMAND-2] \
	--private-key <RAW_PRIVATE_KEY>

Example:

othentic-cli node aggregator \
	--private-key 81da2278784f2d3011513661fe5d7bebf7c6514d64667c4bf33a5b81221c5b37

Using Environment Variables

# .env file
...
PRIVATE_KEY=81da2278784f2d3011513661fe5d7bebf7c6514d64667c4bf33a5b81221c5b37
...
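
A check for the .env settings shown in the two "Using Environment Variables" sections, as an added example that is not part of the Othentic documentation or CLI: it flags a raw PRIVATE_KEY, a short WALLET_KEYSTORE_PASSWORD, and .env or keystore files that group or other users can access. The 12-character minimum, the finding names, and resolving a relative WALLET_KEYSTORE_PATH against the .env directory are assumptions.

```python
import os
import re
import sys

RAW_KEY_RE = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")  # 32-byte key as hex
MIN_PASSWORD_LEN = 12  # assumed local policy, not an Othentic requirement


def parse_env(text):
    """Parse KEY=VALUE lines; comments, blanks and '...' filler are skipped."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            env[key.strip()] = value.strip().strip("'\"")
    return env


def too_open(path):
    """True if group or other has any permission bit set on the file."""
    return bool(os.stat(path).st_mode & 0o077)


def audit_env(env_path):
    """Return a list of finding names (hypothetical labels) for one .env file."""
    with open(env_path, encoding="utf-8") as fh:
        env = parse_env(fh.read())
    findings = []
    if too_open(env_path):
        findings.append("env-file-permissions")
    if RAW_KEY_RE.match(env.get("PRIVATE_KEY", "")):
        findings.append("raw-private-key")
    password = env.get("WALLET_KEYSTORE_PASSWORD")
    if password is not None and len(password) < MIN_PASSWORD_LEN:
        findings.append("weak-keystore-password")
    keystore = env.get("WALLET_KEYSTORE_PATH")
    if keystore:
        # Assumption: a relative path is resolved against the .env directory.
        base = os.path.dirname(os.path.abspath(env_path))
        keystore = os.path.join(base, keystore)
        if not os.path.isfile(keystore):
            findings.append("keystore-missing")
        elif too_open(keystore):
            findings.append("keystore-permissions")
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else ".env"
    print(audit_env(path) if os.path.isfile(path) else f"{path}: not found")
```

Run it against the node's .env before starting the node; an empty list means none of the checks fired.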
