Key Management

Overview

The Othentic Stack supports multiple key management strategies for Operator authentication and signing:

  • Raw Private Keys: 32-byte hex-encoded values

  • Keystore Files: Password-encrypted JSON (Web3 standard)

  • Hardware Wallets: Via browser extensions like MetaMask or Rabby

AVSs are networks that rely on continuous off-chain execution logic, with tasks ultimately settled on-chain. This requires automated signing: Operators submit transactions on-chain and also sign messages as part of off-chain peer-to-peer consensus.

Security Consideration:

Using the same key for both onchain and offchain operations introduces a security vulnerability, as the offchain key must be stored on the task-performing machine in a potentially insecure format—either as raw text or within an encrypted Keystore file.

To mitigate this, the Othentic Stack supports key separation:

  • Controller Key: For on-chain transactions

    • Has access to onchain assets.

  • Consensus Key: For off-chain messaging and peer coordination

    • Does not have access to onchain assets.

Key Roles

When registering as an Operator, users are required to provide both keys separately.

Although raw keys can be used for both the Controller and Consensus keys, it is strongly recommended to use encrypted Keystore files for enhanced security.

Controller Key

The Controller Key is used as an ECDSA key for the following purposes:

  • Register as Operator in EigenLayer contracts.

  • Interact with the AVS as Operator:

    • Register as Operator in AVSGovernance contract.

    • Submit proof-of-tasks to AttestationCenter contract.

    • Request rewards from AttestationCenter contract.

    • Submit task aggregation result to AttestationCenter contract.

Consensus Key

The Consensus Key is used exclusively as a BLS key for attesting task validity or invalidity in the P2P networking layer.

Testnet Environment

Generate a single keystore file and use it for all operator actions.

Production Environment

Generate two separate keystore files, one to serve as Controller and the other as Consensus key.

  • The Controller key should be kept on a highly secure, preferably air-gapped machine.

  • The Consensus key should be kept on the machine where the operator node is running. It is OK to keep backups of the key in secure locations.
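A pre-deployment check for the key-separation guidance above, as an added example that is not part of the Othentic Stack or its CLI. It flags raw keys stored in plaintext, key files accessible to other users, and one key serving both roles. The function names are hypothetical, and it assumes POSIX file modes and that both files use the Web3 Secret Storage v3 field names (`crypto`, `ciphertext`, `kdf`, `mac`, optional `address`).

```python
import json, os, re, stat, tempfile

RAW_KEY = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")    # raw 32-byte hex private key
REQUIRED = ("cipher", "ciphertext", "kdf", "mac")  # assumed v3 "crypto" fields

def audit_key_file(path):
    """Return (findings, identity); identity is None if not a keystore."""
    findings = []
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("file is accessible to group/other")
    with open(path, encoding="utf-8") as fh:
        text = fh.read().strip()
    if RAW_KEY.match(text):
        return findings + ["raw private key stored in plaintext"], None
    try:
        doc = json.loads(text)
        crypto = doc.get("crypto") or doc.get("Crypto") or {}
    except (ValueError, AttributeError):
        return findings + ["not a keystore JSON file"], None
    missing = [f for f in REQUIRED if f not in crypto]
    if missing:
        findings.append("keystore missing fields: " + ", ".join(missing))
    # Same ciphertext = copied file; same address = same key re-encrypted.
    return findings, (str(doc.get("address", "")).lower(), crypto.get("ciphertext"))

def audit_pair(controller_path, consensus_path):
    """Audit both role files and flag reuse of one key for both roles."""
    c_find, c_id = audit_key_file(controller_path)
    k_find, k_id = audit_key_file(consensus_path)
    reused = os.path.samefile(controller_path, consensus_path) or (
        c_id and k_id and (c_id[1] == k_id[1] or (c_id[0] and c_id[0] == k_id[0])))
    return {"controller": c_find, "consensus": k_find, "reused": bool(reused)}

def demo():  # audits constructed sample files (filler values, not real keys)
    def ks(addr, ct):
        return json.dumps({"version": 3, "address": addr, "crypto": {
            "cipher": "aes-128-ctr", "ciphertext": ct, "kdf": "scrypt", "mac": "00" * 32}})
    samples = {"controller.json": (ks("aa" * 20, "11" * 32), 0o600),
               "consensus.json": (ks("bb" * 20, "22" * 32), 0o600),
               "raw.txt": ("0x" + "ab" * 32, 0o644)}
    with tempfile.TemporaryDirectory() as d:
        p = {n: os.path.join(d, n) for n in samples}
        for name, (body, mode) in samples.items():
            with open(p[name], "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(p[name], mode)
        return (audit_pair(p["controller.json"], p["consensus.json"]),
                audit_pair(p["controller.json"], p["controller.json"]),
                audit_key_file(p["raw.txt"])[0])
```

A `reused` result is expected on testnet, where a single keystore serves all Operator actions, and is a finding in production.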
