Node Security

Understanding Pocket Core's private key management

Pocket Core currently depends on 2 files for Private Key management. Both are in the root of any given Pocket Core Data Directory (or datadir for short):

  • priv_val_key.json: This file contains the address, public key, and private key of your node.
  • node_key.json: This file contains the private key of your node.

Because of the nature of decentralized networks, where every P2P message has to be signed, and every node has to have a determined identity, these 2 files are required to be in plain text format.

Private key file samples

priv_val_key.json:

{
  "address": "3257F6D9D02D4D9704808AE2905E3297F8C548ED",
  "pub_key": {
    "type": "tendermint/PubKeyEd25519",
    "value": "dYF79MDMofuGQy8DwSEm2qqEXqV6pOpNl+aBvtCxVkw="
  },
  "priv_key": {
    "type": "tendermint/PrivKeyEd25519",
    "value": "nsXAgo3XObAk16y+0mnxa8Wv+RC5D3dYpKkWT5VxOnF1gXv0wMyh+4ZDLwPBISbaqoRepXqk6k2X5oG+0LFWTA=="
  }
}

node_key.json:

{
  "priv_key": {
    "type": "tendermint/PrivKeyEd25519",
    "value": "nsXAgo3XObAk16y+0mnxa8Wv+RC5D3dYpKkWT5VxOnF1gXv0wMyh+4ZDLwPBISbaqoRepXqk6k2X5oG+0LFWTA=="
  }
}

Securing your Private Key files

Security configurations differ depending on your setup. Below are a few generic recommendations to keep your Private Key files safe:

  • Disable or restrict the root user: In most *nix systems deployed to production, root access is restricted or disabled so that an attacker cannot gain root access and take control of the server.
  • Create an OS user only to run Pocket Core: With a dedicated user that only runs Pocket Core, you can set the permissions on your Private Key files so that only that user can access them. As long as you keep that user's credentials safe, your Private Key files will be safe. Remember that if Pocket Core doesn't have permission to read the Private Key files from disk, it can cause issues that prevent you from operating your node successfully.
  • Disable or restrict SSH access: Restricting access to your servers is always one of the most effective ways of mitigating infiltrations, and SSH access will always be one of the most common routes of attack, so restricting SSH access to your servers goes a long way toward mitigating a wide range of attacks.
  • Maintain an access log of user actions on your server: Depending on your OS of choice, you can either enable or install a logger that can alert you to unauthorized or suspicious access to your server or files. This can help you prevent or promptly mitigate an attack.
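
One way to check the dedicated-user recommendation above is to audit the two key files for owner and mode. This is an added example, not part of Pocket Core or its documentation; it assumes Linux with GNU coreutils stat, and the function name audit_key_files, the datadir path and the service user name are hypothetical.

```shell
#!/bin/sh
# Added example: audit the two plaintext key files in a Pocket Core datadir.
# Assumes GNU coreutils `stat`; audit_key_files is a hypothetical helper.
# usage: audit_key_files <datadir> <service user name or numeric uid>
#   e.g. audit_key_files /path/to/datadir pocket   (placeholder path and user)
# Prints one line per finding; returns 0 if clean, 1 if anything was found.
audit_key_files() {
    datadir=$1
    case $2 in
        *[!0-9]*|'') want_uid=$(id -u "$2") || return 2 ;;  # resolve a user name
        *)           want_uid=$2 ;;                         # already a numeric uid
    esac
    findings=0
    for name in priv_val_key.json node_key.json; do
        f="$datadir/$name"
        if [ -L "$f" ]; then
            echo "FAIL $f: is a symlink, key may live outside the datadir"
            findings=$((findings + 1)); continue
        fi
        if [ ! -f "$f" ]; then
            echo "FAIL $f: missing or not a regular file"
            findings=$((findings + 1)); continue
        fi
        mode=$(stat -c '%a' "$f")   # octal permission bits, e.g. 600
        uid=$(stat -c '%u' "$f")    # numeric owner
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL $f: owned by uid $uid, expected $want_uid"
            findings=$((findings + 1))
        fi
        # Any group/other bit exposes the plaintext key to other local users.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "FAIL $f: mode $mode grants group/other access (want 600 or 400)"
            findings=$((findings + 1))
        fi
        # The node must still be able to read its own keys.
        if [ $(( 0$mode & 0400 )) -eq 0 ]; then
            echo "FAIL $f: mode $mode is not readable by its owner"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}
```

Run it as root or as the service user so the files can be inspected; a non-zero return means at least one finding was printed.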

Importing Private Keys Securely

When importing your Private Keys you have 3 main options:

  1. You can use pocket accounts import-raw <raw private key> to import a raw private key.
  2. You can use pocket accounts import-armored </path/to/ppk.json> to import an encrypted private key in the PPK format (which is the same format that pocket accounts export uses).
  3. You can bypass the keybase altogether by using the flag pocket start --keybase false when launching your node. In this case your node will start using the valid priv_val_key.json and node_key.json in the root of the data directory. If no priv_val_key.json and node_key.json exist, Pocket Core will create new ones for you.

Export Private Key File

To export your Private Key to a json file, enter: pocket accounts export <address> --path <path>

This exports the account with <address> to a file, encrypted and ASCII armored, in the location specified with --path. If you don't provide a path, it stores the file in the folder where the command is running.

After you hit enter, it prompts for the decrypt passphrase and for an encryption passphrase for the exported account. It also prompts for an optional password hint, which you can use to help remember your passphrase.

pocket accounts export 59f08710afbad0e20352340780fdbf4e47622a7c --path $HOME/super-secret-dir
