Key Management
Create, encrypt and manage private keys using the Othentic CLI
The Othentic Stack provides various methods for managing and using keys. Operators can interact with the CLI using either raw keys or Keystore files; the files offer an additional layer of security.
AVSs are networks that rely on continuous off-chain execution logic, with tasks ultimately settled on-chain. This requires automated signing, where operators submit transactions to AVS contracts while also engaging in peer-to-peer consensus.
Using the same key for both AVS registration and consensus introduces a security vulnerability, as the key must be stored on the task-performing machine in a potentially insecure format—either as raw text or within an encrypted Keystore file.
Depending on security requirements, Operators can either use a single key for all AVS operations or separate them into a Controller Key and a Consensus Key.
When registering as an Operator using the CLI, users are required to provide both keys separately.
Although the same key can be used for both the Controller and Consensus roles, it is strongly recommended to use encrypted Keystore files for enhanced security.
The Controller Key is used as an ECDSA key for the following purposes:
Register as Operator in Eigenlayer contracts.
Interact with the AVS as Operator:
Register as Operator in .
Submit proof-of-tasks to .
Request rewards from .
Submit task aggregation result to .
The othentic-cli simplifies key generation and encryption into Keystore files. If you already have raw keys generated using another tool, these can also be used directly in either raw format or as Keystore files.
To generate a new set of keystore-encrypted keys, use the command:
PRIVATE_KEY: A raw 32-byte private key to encrypt as a Keystore. If not supplied, the CLI auto-generates a new private key and proceeds to encrypt it.
KEYSTORE_PATH: Path to the JSON-formatted Keystore file. If not supplied, a UUID-based filename is auto-generated and the file is saved under the .keystore directory.
To leverage key separation for increased security, follow these steps:
Optionally, name the Controller key controller.json and the Consensus key consensus.json
Store the Controller key securely.
Keys can be provided either at runtime or through environment variables.
KEYSTORE_PATH: Path to the JSON-formatted Keystore file.
DECRYPT_PASSWORD: Password to decrypt the Keystore file. If not supplied, you will be prompted to enter it at runtime.
In your .env file:
Example:
The Consensus Key is used exclusively as a for:
Attesting task validity or invalidity in the .
Generate keys twice using the othentic-cli wallet encrypt command (as detailed )
for the AVS.
Use the Consensus key on the machine(s) software. Configure the environment variables by setting PRIVATE_KEY to the Consensus Key and OPERATOR_ADDRESS to the public address of the Controller Key.
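A pre-flight check for the key separation described above, as an added example that is not part of the Othentic CLI or its documentation: it audits the working directory of a task-performing machine for a Controller keystore left on that machine and for secret-bearing files with loose permissions. It assumes POSIX file modes and that each Keystore JSON carries an `address` field (the page does not specify the Keystore layout); `audit`, `demo` and all sample values are hypothetical and constructed.

```python
import json, os, stat, tempfile
from pathlib import Path

def parse_env(path):
    """Read KEY=VALUE lines from a .env file, skipping comments and blanks."""
    pairs = (l.split("=", 1) for l in Path(path).read_text().splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip().strip("'\"") for k, v in pairs}

def norm(addr):
    """Lower-case an address and drop its 0x prefix so both forms compare equal."""
    return addr.lower()[2:] if addr[:2].lower() == "0x" else addr.lower()

def loose(path):
    """True if group or others have any access to the file (POSIX modes)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def audit(node_dir):
    """Return findings for the working directory of a task-performing machine."""
    node_dir, findings = Path(node_dir), []
    env_file = node_dir / ".env"
    env = parse_env(env_file) if env_file.exists() else {}
    if ({"PRIVATE_KEY", "DECRYPT_PASSWORD"} & env.keys()) and loose(env_file):
        findings.append(".env holds secrets but is readable by group/others")
    operator = norm(env.get("OPERATOR_ADDRESS", ""))
    for ks in sorted(node_dir.rglob("*.json")):
        try:
            address = json.loads(ks.read_text()).get("address")
        except (ValueError, AttributeError):
            continue  # not a JSON object, so not a keystore
        if not isinstance(address, str):
            continue  # assumption: a keystore carries an "address" field
        if loose(ks):
            findings.append(f"{ks.name}: keystore readable by group/others")
        if operator and norm(address) == operator:
            findings.append(f"{ks.name}: Controller key stored on this machine")
    return findings

def demo():
    """Constructed sample: a node directory that wrongly holds both keystores."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".keystore").mkdir()
        files = {".env": "PRIVATE_KEY=<consensus key>\nOPERATOR_ADDRESS=0x" + "AB" * 20,
                 ".keystore/controller.json": json.dumps({"address": "ab" * 20}),
                 ".keystore/consensus.json": json.dumps({"address": "cd" * 20})}
        for name, body in files.items():
            (root / name).write_text(body)
            os.chmod(root / name, 0o644 if name == ".env" else 0o600)
        return audit(root)
```

An empty list from `audit` means no Keystore on the machine matches OPERATOR_ADDRESS and no checked file is accessible to group or others; it does not verify that PRIVATE_KEY itself differs from the Controller Key.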