SEDA Keys

SEDA Chain validators may be asked to generate SEDA Keys and register their public keys to perform various signing duties in the SEDA Protocol.

Starting with v1.0.0 of the SEDA Chain, validators will be expected to generate SEDA Keys and register their public keys to perform signing duties beyond consensus signing. SEDA Keys currently consist of a single secp256k1 key used to sign batches.

If you are not a validator yet, follow the instructions in Validator Onboarding instead.

If you are an existing validator, you may be asked to generate SEDA Keys and upload the public keys when we roll out a new proving scheme. Failure to do so may result in jailing. If that happens, you can submit an unjail transaction after generating and registering the required SEDA keys.

Contents

Generating and Registering SEDA Keys Key Rotation

Generating and Registering SEDA Keys

First, check the relevant app configurations and modify them as necessary. You may also directly modify the app.toml file.

sedad config get app seda.enable-seda-signer 
sedad config get app seda.allow-unencrypted-seda-keys
sedad config get app seda.seda-key-file # path to key file from node directory

# You must enable SEDA signer.
sedad config set app seda.enable-seda-signer true
# We recommend that you encrypt your SEDA key file.
sedad config set app seda.allow-unencrypted-seda-keys false

We recommend that you take the following steps to generate a key file, load it onto the node, and register the public keys on-chain.

Since the SEDA key file is used by the SEDA signer at the application layer of the chain, if you're using Horcrux, you must copy the SEDA key file to all your sentry nodes. It is crucial that you place and load the same key file across your sentry nodes.

Execute add-seda-keys transaction with the --generate-only flag to generate a SEDA key file without actually sending the transaction for uploading its public keys. Take note of the encryption key.
```
sedad tx pubkey add-seda-keys \
    --from <wallet-name> --chain-id <chain-id> \
    --gas-prices 10000000000aseda --gas auto --gas-adjustment 2.0 \
    --generate-only
```
The encryption key should be set as an environment variable SEDA_KEYS_ENCRYPTION_KEY in the node environment. Alternatively, you can put the key in a file and set its file path as the environment variable FILE__SEDA_KEYS_ENCRYPTION_KEY (notice the double underscore). Restart the node.
- In a basic setup, this means executing something like the following sequence of commands:
  sedad stop export SEDA_KEYS_ENCRYPTION_KEY=ajfUfrdnrFRkej9OXTDb1IMdrIWkDN3P7CWKz5It20I=+g9ZQ= sedad start
- If you are using systemctl to run the node, add the following line to the service file's [service] section, reload the daemon, and then restart the node service.
  Environment="SEDA_KEYS_ENCRYPTION_KEY=aJr4EJeogSYZ+MBhNMQsSDQd9VxH3t3acXEFXkUIDPE="

The node will fail to start if the key file is not loaded successfully even though the SEDA signer is enabled in the app configuration. Run sedad query seda-signer-status to check the detailed status of the signer. If the signer is loaded, it will show the loaded keys without an error.

$ sedad query seda-signer-status
signer_keys:
- index: 0
  index_name: SEDA_KEY_INDEX_SECP256K1
  is_proving_scheme_active: false
  is_synced: false
  public_key: 0434273e901042258343d030b7dae5a487baefb0427530610632396b4439329a14561febe05edf1c1c8606c31f53a3193634e394667ecc290577cb1d34ac13c3ea
validator_address: sedavaloper1p9y0y926udegpz3f404kf720t9t998xy27c58a

Once your validation setup is ready, send the transaction transaction with the --key-file-custom-encryption-key flag and the --key-file flag pointing to the SEDA key file. You will be prompted to enter the encryption key twice.
```
sedad tx pubkey add-seda-keys \
    --from <wallet-name> --chain-id <chain-id> \
    --gas-prices 10000000000aseda --gas auto --gas-adjustment 2.0 \
    --key-file ~/.sedad/config/seda_keys.json \
    --key-file-custom-encryption-key
```
Note that the auto gas option requires the connecting node to have gRPC enabled.

Once the transaction goes through, the signer status should show that the key used by your node is "in sync" with what is registered on chain.

$ sedad query seda-signer-status
signer_keys:
- index: 0
  index_name: SEDA_KEY_INDEX_SECP256K1
  is_proving_scheme_active: false
  is_synced: true
  public_key: 0434273e901042258343d030b7dae5a487baefb0427530610632396b4439329a14561febe05edf1c1c8606c31f53a3193634e394667ecc290577cb1d34ac13c3ea
validator_address: sedavaloper1p9y0y926udegpz3f404kf720t9t998xy27c58a

Key Rotation

SEDA Keys can be rotated at any time. If you still have access to the original key file, make sure to first back it up before following the instructions.

If you use the same encryption key as before, you can rotate your keys without restarting the node because the node already has the encryption key.

If you decide to use a different encryption key for the key file, you have to restart the node(s). We recommend that you turn off all your nodes, follow the same instructions without the --key-file-custom-encryption-key flag, and restart your nodes after you confirm that the transaction you sent to an external RPC porvider has been included in a block.

If you use Horcrux signing service with multiple sentry nodes, make sure to follow the instructions for Multiple Node Setup. It is crucial that you place and load the same key file across your sentry nodes.

Using the Same Encryption Key (Single Node Setup)

The rotation process is simplified if you have a single node setup and do not change the encryption key. Directly executing the transaction in the setup will generate a key file in the configured SEDA key file path. The node will then automatically detect the key file change and load it using the original encryption key after signing one additional batch.

Execute the transaction with the --key-file-custom-encryption-key flag and provide the original encryption key.

sedad tx pubkey add-seda-keys \
    --from <wallet-name> --chain-id <chain-id> \
    --gas-prices 10000000000aseda --gas auto --gas-adjustment 2.0 \
    --generate-only --key-file-custom-encryption-key

Using the Same Encryption Key (Multiple Node Setup)

If you run multiple sentry nodes, we recommend that you first generate a key file without sending the transaction and copying the key file across all your nodes. As long as the identical key file is placed in the correct path, the nodes will automatically reload their signers to the updated key file.

Generate the key file using the existing encryption key by using the flags --generate-only and --key-file-custom-encryption-key. You will be prompted to provide the encryption key.

sedad tx pubkey add-seda-keys \
    --from <wallet-name> --chain-id <chain-id> \
    --gas-prices 10000000000aseda --gas auto --gas-adjustment 2.0 \
    --generate-only --key-file-custom-encryption-key

Copy and place the key file in the correct path across all your nodes.

Now actually submit the transaction using the --key-file flag pointing to the key file created in Step 1. You must also add the --key-file-custom-encryption-key flag and provide the encryption key when prompted.

sedad tx pubkey add-seda-keys \
    --from <wallet-name> --chain-id <chain-id> \
    --gas-prices 10000000000aseda --gas auto --gas-adjustment 2.0 \
    --key-file ~/.sedad/config/seda_keys.json \
    --key-file-custom-encryption-key

PreviousValidator Onboarding NextJoining Network Using State Sync

Last updated 7 months ago

Was this helpful?

hashtagGenerating and Registering SEDA Keys

hashtagKey Rotation

hashtagUsing the Same Encryption Key (Single Node Setup)

hashtagUsing the Same Encryption Key (Multiple Node Setup)

Generating and Registering SEDA Keys

Key Rotation

Using the Same Encryption Key (Single Node Setup)

Using the Same Encryption Key (Multiple Node Setup)