# SEDA Keys

Starting with `v1.0.0` of the SEDA Chain, validators will be expected to generate SEDA Keys and register their public keys to perform signing duties beyond consensus signing. SEDA Keys currently consist of a single secp256k1 key used to sign batches.

If you are not a validator yet, follow the instructions in [validator-onboarding](https://docs.seda.xyz/home/for-chain-operators/seda-chain-guide-and-requirements/validator-onboarding "mention") instead.

If you are an existing validator, you may be asked to generate SEDA Keys and upload the public keys when we roll out a new proving scheme. Failure to do so may result in jailing. If that happens, you can submit an unjail transaction after generating and registering the required SEDA keys.

**Contents**

[#generating-and-registering-seda-keys](#generating-and-registering-seda-keys "mention")\
[#key-rotation](#key-rotation "mention")

### Generating and Registering SEDA Keys

First, check the relevant app configurations and modify them as necessary. You may also directly modify the `app.toml` file.

```
sedad config get app seda.enable-seda-signer 
sedad config get app seda.allow-unencrypted-seda-keys
sedad config get app seda.seda-key-file # path to key file from node directory

# You must enable SEDA signer.
sedad config set app seda.enable-seda-signer true
# We recommend that you encrypt your SEDA key file.
sedad config set app seda.allow-unencrypted-seda-keys false
```

We recommend that you take the following steps to generate a key file, load it onto the node, and register the public keys on-chain.

{% hint style="warning" %}
Since the SEDA key file is used by the SEDA signer at the application layer of the chain, if you're using Horcrux, you must copy the SEDA key file to all your sentry nodes. It is crucial that you place and load the same key file across your sentry nodes.
{% endhint %}

1. Execute the `add-seda-keys` transaction with the `--generate-only` flag to generate a SEDA key file without actually sending the transaction that uploads its public keys. Take note of the encryption key.

   ```
   sedad tx pubkey add-seda-keys \
       --from <wallet-name> --chain-id <chain-id> \
       --gas-prices 10000000000aseda --gas auto --gas-adjustment 2.0 \
       --generate-only
   ```
2. The encryption key should be set as an environment variable `SEDA_KEYS_ENCRYPTION_KEY` in the node environment. Alternatively, you can put the key in a file and set its file path as the environment variable `FILE__SEDA_KEYS_ENCRYPTION_KEY` (notice the double underscore). Restart the node.
   * In a basic setup, this means executing something like the following sequence of commands:

     ```
     sedad stop
     export SEDA_KEYS_ENCRYPTION_KEY=ajfUfrdnrFRkej9OXTDb1IMdrIWkDN3P7CWKz5It20I=+g9ZQ=
     sedad start
     ```
   * If you are using systemctl to run the node, add the following line to the service file's `[Service]` section, reload the daemon, and then restart the node service.

     ```
     Environment="SEDA_KEYS_ENCRYPTION_KEY=aJr4EJeogSYZ+MBhNMQsSDQd9VxH3t3acXEFXkUIDPE="
     ```
3. If the SEDA signer is enabled in the app configuration but the key file is not loaded successfully, the node will fail to start. Run `sedad query seda-signer-status` to check the detailed status of the signer. If the signer is loaded, it will show the loaded keys without an error.

   ```
   $ sedad query seda-signer-status
   signer_keys:
   - index: 0
     index_name: SEDA_KEY_INDEX_SECP256K1
     is_proving_scheme_active: false
     is_synced: false
     public_key: 0434273e901042258343d030b7dae5a487baefb0427530610632396b4439329a14561febe05edf1c1c8606c31f53a3193634e394667ecc290577cb1d34ac13c3ea
   validator_address: sedavaloper1p9y0y926udegpz3f404kf720t9t998xy27c58a
   ```
4. Once your validation setup is ready, send the transaction with the `--key-file-custom-encryption-key` flag and the `--key-file` flag pointing to the SEDA key file. You will be prompted to enter the encryption key twice.

   ```
   sedad tx pubkey add-seda-keys \
       --from <wallet-name> --chain-id <chain-id> \
       --gas-prices 10000000000aseda --gas auto --gas-adjustment 2.0 \
       --key-file ~/.sedad/config/seda_keys.json \
       --key-file-custom-encryption-key
   ```

   {% hint style="warning" %}
   Note that the auto gas option requires the connecting node to have gRPC enabled.
   {% endhint %}
5. Once the transaction goes through, the signer status should show that the key used by your node is "in sync" with what is registered on chain.

   ```
   $ sedad query seda-signer-status
   signer_keys:
   - index: 0
     index_name: SEDA_KEY_INDEX_SECP256K1
     is_proving_scheme_active: false
     is_synced: true
     public_key: 0434273e901042258343d030b7dae5a487baefb0427530610632396b4439329a14561febe05edf1c1c8606c31f53a3193634e394667ecc290577cb1d34ac13c3ea
   validator_address: sedavaloper1p9y0y926udegpz3f404kf720t9t998xy27c58a
   ```
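
The sync check from Steps 3 and 5 can be scripted so that a deployment or monitoring job fails when a key is not in sync. The following is an added example, not part of the SEDA tooling or the original guide; the function name `check_signer_synced` and the sample values are assumptions, and it relies only on the output format shown above.

```bash
# Added example, not part of the SEDA tooling. Reads the output of
# `sedad query seda-signer-status` on stdin.
# Exit status: 0 = every key synced, 1 = some key not synced, 2 = no keys listed.
check_signer_synced() {
    awk '
        /^- index:/              { n++; idx[n] = $3 }
        n && $1 == "index_name:" { name[n] = $2 }
        n && $1 == "is_synced:"  { synced[n] = $2 }
        END {
            if (n == 0) { print "no signer keys listed"; exit 2 }
            for (i = 1; i <= n; i++)
                if (synced[i] != "true") {
                    printf "key %s (%s): is_synced=%s\n", idx[i], name[i], synced[i]
                    bad = 1
                }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample in the format shown above; key and address are placeholders.
sample_status='signer_keys:
- index: 0
  index_name: SEDA_KEY_INDEX_SECP256K1
  is_proving_scheme_active: false
  is_synced: false
  public_key: 04<constructed-placeholder>
validator_address: sedavaloper1<constructed-placeholder>'

# On a node: sedad query seda-signer-status | check_signer_synced
printf '%s\n' "$sample_status" | check_signer_synced \
    || echo "signer key not in sync with the chain (exit $?)"
```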

### Key Rotation

SEDA Keys can be rotated at any time. If you still have access to the original key file, back it up before following the instructions below.

If you use the same encryption key as before, you can rotate your keys without restarting the node because the node already has the encryption key.

* [#using-the-same-encryption-key-single-node-setup](#using-the-same-encryption-key-single-node-setup "mention")
* [#using-the-same-encryption-key-multiple-node-setup](#using-the-same-encryption-key-multiple-node-setup "mention")

If you decide to use a different encryption key for the key file, you have to restart the node(s). We recommend that you turn off all your nodes, follow the same instructions without the `--key-file-custom-encryption-key` flag, and restart your nodes after you confirm that the transaction you sent to an external RPC provider has been included in a block.

{% hint style="warning" %}
If you use Horcrux signing service with multiple sentry nodes, make sure to follow the instructions for Multiple Node Setup. It is crucial that you place and load the same key file across your sentry nodes.
{% endhint %}

#### Using the Same Encryption Key (Single Node Setup)

The rotation process is simplified if you have a single node setup and do not change the encryption key. Executing the transaction directly in this setup will generate a key file in the configured SEDA key file path. The node will then automatically detect the key file change and load it using the original encryption key after signing one additional batch.

Execute the transaction with the `--key-file-custom-encryption-key` flag and provide the original encryption key.

```
sedad tx pubkey add-seda-keys \
    --from <wallet-name> --chain-id <chain-id> \
    --gas-prices 10000000000aseda --gas auto --gas-adjustment 2.0 \
    --generate-only --key-file-custom-encryption-key
```

#### Using the Same Encryption Key (Multiple Node Setup)

If you run multiple sentry nodes, we recommend that you first generate a key file without sending the transaction and copy the key file across all your nodes. As long as the identical key file is placed in the correct path, the nodes will automatically reload their signers to the updated key file.

1. Generate the key file using the existing encryption key by using the flags `--generate-only` and `--key-file-custom-encryption-key`. You will be prompted to provide the encryption key.

   ```
   sedad tx pubkey add-seda-keys \
       --from <wallet-name> --chain-id <chain-id> \
       --gas-prices 10000000000aseda --gas auto --gas-adjustment 2.0 \
       --generate-only --key-file-custom-encryption-key
   ```
2. Copy and place the key file in the correct path across all your nodes.
3. Now actually submit the transaction using the `--key-file` flag pointing to the key file created in Step 1. You must also add the `--key-file-custom-encryption-key` flag and provide the encryption key when prompted.

   ```
   sedad tx pubkey add-seda-keys \
       --from <wallet-name> --chain-id <chain-id> \
       --gas-prices 10000000000aseda --gas auto --gas-adjustment 2.0 \
       --key-file ~/.sedad/config/seda_keys.json \
       --key-file-custom-encryption-key
   ```
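
Because every node must load the identical key file, it is worth comparing digests of the copies after Step 2 and before submitting in Step 3. The following is an added example, not part of the SEDA tooling or the original guide; the function names, node labels and demo files are assumptions, and it requires `sha256sum`.

```bash
# Added example, not part of the SEDA tooling.
# Print "<label> <sha256>" for one copy of the key file, or "<label> MISSING".
key_digest() {
    # $1 = node label, $2 = path to that node's copy of the key file
    [ -r "$2" ] || { echo "$1 MISSING"; return 0; }
    printf '%s %s\n' "$1" "$(sha256sum "$2" | cut -d' ' -f1)"
}

# Read "<label> <sha256>" lines on stdin.
# Exit status: 0 = all copies identical, 1 = mismatch or missing copy, 2 = no input.
digests_match() {
    awk '
        $2 == "MISSING" { printf "%s: key file missing\n", $1; bad = 1; next }
        ref == ""       { ref = $2; refnode = $1 }
        $2 != ref       { printf "%s: differs from %s\n", $1, refnode; bad = 1 }
                        { n++ }
        END { if (n + bad == 0) exit 2; exit (bad ? 1 : 0) }'
}

# Constructed demo: local files stand in for the copies on three nodes.
# On real nodes, collect each line with something like (hypothetical host name):
#   ssh sentry-1 sha256sum .sedad/config/seda_keys.json
demo_dir=$(mktemp -d)
printf '{"constructed":"new key file"}\n'   > "$demo_dir/node1.json"
cp "$demo_dir/node1.json" "$demo_dir/node2.json"
printf '{"constructed":"stale key file"}\n' > "$demo_dir/node3.json"

for node in node1 node2 node3; do
    key_digest "$node" "$demo_dir/$node.json"
done | digests_match || echo "do not submit yet: key files are not identical"
```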
