SEDA Keys
SEDA Chain validators may be asked to generate SEDA Keys and register their public keys to perform various signing duties in the SEDA Protocol.
Starting with v1.0.0 of the SEDA Chain, validators will be expected to generate SEDA Keys and register their public keys to perform signing duties beyond consensus signing. SEDA Keys currently consist of a single secp256k1 key used to sign batches.
If you are not a validator yet, follow the instructions in Validator Onboarding instead.
If you are an existing validator, you may be asked to generate or regenerate SEDA Keys and upload the public keys when we roll out a new proving scheme. Failure to do so may result in getting jailed.
Contents
Generating and Registering SEDA Keys
Key Rotation
Generating and Registering SEDA Keys
First, check the relevant app configurations and modify them as necessary. You may also directly modify the app.toml file.
We recommend that you take the following steps to generate a key file, load it onto the node, and register the public keys on-chain.
Since the SEDA key file is used by the SEDA signer at the application layer of the chain, if you're using Horcrux, you must copy the SEDA key file to all your sentry nodes. It is crucial that you place and load the same key file across your sentry nodes.
Execute the add-seda-keys transaction with the --generate-only flag to generate a SEDA key file without actually sending the transaction for uploading its public keys. Take note of the encryption key.
The encryption key should be set as an environment variable SEDA_KEYS_ENCRYPTION_KEY in the node environment. In a basic setup, this means executing something like the following sequence of commands:
If you are using systemctl to run the node, add the following line to the service file's [Service] section, reload the daemon, and then restart the node service.
Make sure the node has successfully started with the signer. The node will fail to start if the key file is not loaded successfully even though the SEDA signer is enabled in the app configuration. If the signer has been set up correctly, the following message should appear in the log:
Once your validation setup is ready, send the transaction with the --key-file-custom-encryption-key flag and the --key-file flag pointing to the SEDA key file. You will be prompted to enter the encryption key twice.
Key Rotation
SEDA Keys can be rotated at any time. If you still have access to the original key file, make sure to first back it up before following the instructions.
If you use the same encryption key as before, you can rotate your keys without restarting the node because the node already has the encryption key.
If you decide to use a different encryption key for the key file, you have to restart the node(s). We recommend that you turn off all your nodes, follow the same instructions without the --key-file-custom-encryption-key flag, and restart your nodes after you confirm that the transaction you sent to an external RPC provider has been included in a block.
If you use Horcrux signing service with multiple sentry nodes, make sure to follow the instructions for Multiple Node Setup. It is crucial that you place and load the same key file across your sentry nodes.
Using the Same Encryption Key (Single Node Setup)
The rotation process is simplified if you have a single node setup and do not change the encryption key. Directly executing the transaction in the setup will generate a key file in the configured SEDA key file path. The node will then automatically detect the key file change and load it using the original encryption key after signing one additional batch.
Execute the transaction with the --key-file-custom-encryption-key flag and provide the original encryption key.
Using the Same Encryption Key (Multiple Node Setup)
If you run multiple sentry nodes, we recommend that you first generate a key file without sending the transaction and copy the key file across all your nodes. As long as the identical key file is placed in the correct path, the nodes will automatically reload their signers to the updated key file.
1. Generate the key file using the existing encryption key by using the flags --generate-only and --key-file-custom-encryption-key. You will be prompted to provide the encryption key.
2. Copy and place the key file in the correct path across all your nodes.
3. Now actually submit the transaction using the --key-file flag pointing to the key file created in Step 1. You must also add the --key-file-custom-encryption-key flag and provide the encryption key when prompted.
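A pre-flight check for the copy step above, as an added example that is not part of the SEDA documentation or tooling: it confirms that every staged copy of the key file is byte-identical and that SEDA_KEYS_ENCRYPTION_KEY is set before the transaction is submitted. The function names and the file paths you pass in are hypothetical, and the owner-only permission check is an added hardening assumption, not a requirement stated on this page.

```shell
#!/bin/sh
# Added example: verify SEDA key file copies before registering the public keys.
# Paths are supplied by the operator; the key file location is not given on this page.

# SHA-256 of a file, using sha256sum (Linux) or shasum (macOS/BSD).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Octal permission bits: GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_key_copies FILE...
# Returns 0 only if every copy exists, matches the first copy byte for byte,
# and grants no access to group or others (assumed hardening, e.g. mode 600).
check_key_copies() {
    [ "$#" -ge 1 ] || { echo "usage: check_key_copies FILE..." >&2; return 2; }
    ref=""; rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then echo "MISSING   $f"; rc=1; continue; fi
        d=$(file_digest "$f")
        [ -n "$ref" ] || ref=$d
        if [ "$d" != "$ref" ]; then echo "MISMATCH  $f"; rc=1; fi
        m=$(file_mode "$f")
        case "$m" in
            *00|0) ;;
            *) echo "PERMS     $f has mode $m, expected owner-only"; rc=1 ;;
        esac
    done
    return $rc
}

# The node reads the encryption key from this environment variable.
check_encryption_env() {
    [ -n "${SEDA_KEYS_ENCRYPTION_KEY:-}" ]
}
```

To compare copies that already sit on separate sentry nodes, run file_digest on each node and compare the printed values by hand.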