Node Security

Understanding Pocket Core's private key management

Pocket Core currently depends on 2 files for private key management. Both files are in the root of any given Pocket Core Data Directory (or datadir for short):

  • priv_val_key.json: This file contains the address, public key and private key of your node.
  • node_key.json: This file contains the private key of your node.

Because of the nature of decentralized networks, where every P2P message has to be signed, and every node has to have a determined identity, these 2 files are required to be in plain text format.

Private key file samples

priv_val_key.json:

{
  "address": "3257F6D9D02D4D9704808AE2905E3297F8C548ED",
  "pub_key": {
    "type": "tendermint/PubKeyEd25519",
    "value": "dYF79MDMofuGQy8DwSEm2qqEXqV6pOpNl+aBvtCxVkw="
  },
  "priv_key": {
    "type": "tendermint/PrivKeyEd25519",
    "value": "nsXAgo3XObAk16y+0mnxa8Wv+RC5D3dYpKkWT5VxOnF1gXv0wMyh+4ZDLwPBISbaqoRepXqk6k2X5oG+0LFWTA=="
  }
}

node_key.json:

{
  "priv_key": {
    "type": "tendermint/PrivKeyEd25519",
    "value": "nsXAgo3XObAk16y+0mnxa8Wv+RC5D3dYpKkWT5VxOnF1gXv0wMyh+4ZDLwPBISbaqoRepXqk6k2X5oG+0LFWTA=="
  }
}

Securing your Private Key files

Depending on your setup, you might have different security configurations. Below are a few generic recommendations to keep your Private Key files safe:

  • Disable or restrict the root user: In most *nix systems deployed to production, root access is restricted or disabled, to prevent an attacker from gaining root access and taking over the server.
  • Create an OS user only to run Pocket Core: By creating a particular user only to run Pocket Core, you can change your Private Key files' permissions so they can be accessed only by that particular user, and as long as you keep that user's credentials safe, your Private Key files will be safe. Remember that if Pocket Core doesn't have permission to read the Private Key files from disk, it can cause issues that won't let you operate your node successfully.
  • Disable or restrict SSH access: Restricting access to your servers is always going to be one of the most effective ways of mitigating infiltrations, and one of the most common routes of attack will always be SSH access, so restricting SSH access to your servers will go a long way toward mitigating a wide range of attacks.
  • Maintain an access log of user actions in your server: Depending on your OS of choice, you can either enable or install a logger that can alert you to unauthorized or suspicious access to your server or files. This can help either prevent or mitigate an attack in time.
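The dedicated-user recommendation above can be checked with a small audit of the datadir. This is an added example, not part of Pocket Core or its tooling; the function name audit_keyfiles is hypothetical and it assumes a stat that supports -c (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: audit the two plain-text key files in a Pocket Core datadir.
# Assumption: stat supports -c (GNU coreutils or BusyBox).
# Usage: audit_keyfiles <datadir> [expected_user]
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_keyfiles() {
    datadir=$1
    # Compare numeric uids; default to the user running the audit
    # (assumed to be the dedicated Pocket Core user).
    if [ -n "${2:-}" ]; then want_uid=$(id -u "$2"); else want_uid=$(id -u); fi
    rc=0
    for name in priv_val_key.json node_key.json; do
        f="$datadir/$name"
        if [ -L "$f" ]; then
            echo "FAIL $name: is a symlink, check where it points"; rc=1; continue
        fi
        if [ ! -f "$f" ]; then
            echo "FAIL $name: missing"; rc=1; continue
        fi
        # Zero-pad so the last two digits are always the group/other bits.
        mode=$(printf '%03d' "$(stat -c '%a' "$f")")
        case "$mode" in
            *00) ;;
            *) echo "FAIL $name: mode $mode grants group/other access"; rc=1 ;;
        esac
        uid=$(stat -c '%u' "$f")
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL $name: owned by uid $uid, expected uid $want_uid"; rc=1
        fi
    done
    # A group- or other-writable datadir lets another user replace the key files.
    dmode=$(stat -c '%a' "$datadir")
    case "$dmode" in
        *[2367]?|*[2367])
            echo "FAIL datadir: mode $dmode is group/other writable"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK key files in $datadir are owner-only"
    return "$rc"
}
```

Run it as the user that starts Pocket Core, or pass that user's name as the second argument, and fix findings with chmod 600 on the key files and chmod 700 on the datadir.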

Importing Private Keys securely

When importing your Private Keys you have 3 main options:

  1. You can use pocket accounts import-raw <raw private key> to import a raw private key.
  2. You can use pocket accounts import-armored </path/to/ppk.json> to import an encrypted private key in the PPK format (which is the same format that pocket accounts export uses).
  3. You can bypass using the keybase altogether and use the flag pocket start --keybase false when launching your node. In this case your node will start by using a valid priv_val_key.json and node_key.json that are in the root of the data directory. If no priv_val_key.json and node_key.json exist, Pocket Core will create new ones for you.

Updated 5 days ago

