Validator key generation

Important

  • It is highly recommended that you perform this step using an air-gapped machine - i.e. a device that has never connected to the public internet before. We will describe a few methods below.

  • If this is not available, turn off all internet and wireless connection (e.g. Ethernet, WiFi, Bluetooth) before proceeding with the key generation step

  • In both cases above, make sure you are in a safe environment (e.g. home or office) with a trusted WiFi network for building the validator key generation tool from source. Make sure to also physically block all camera devices - e.g. laptop cameras, Webcams, people standing behind you during this process

Creating an air-gapped machine

  1. The least technical way is to buy a cheap single board computer like the Raspberry Pi from official distributors for less than S$100 SGD

  2. "OS-on-a-stick": For more technical workarounds, we can flash a new USB drive with TailsOS and run a completely fresh OS from this USB drive itself. This system will be completely isolated from your host device (e.g. working laptop) and the described method below will not store any files after you remove the USB drive

We will cover Method 2 in this guide.

What you will need

  1. 2 new and empty USB drives

  2. A paper notebook and a pencil (Pens are not recommended)

  3. 100% FOCUS

Download the validator keystore generation file

This is the easiest GUI-based method of generating your validator keystores, deposit data, and recovery seed (mnemonic).

Download the Linux executable file onto your working laptop here: https://wagyu.gg/

Load the Linux executable file of Wagyu Keygen into a new and empty USB drive.

Flash and install OS

1) Download latest TailsOS here and follow the respective instructions to verify the checksums of the downloaded file.

2) Download an ISO flasher (e.g. BalenaEtcher) and flash another new and empty USB drive with your preferred OS. Refer to the section below under steps (1) and (2) if needed.

Install and prepare the OS

3) Once your USB drive is flashed with your preferred OS, plug it into your working device and reboot the device to go into the boot menu. Depending on your system, you might need to hold F2, F10, F12, or ESC during the rebooting process to bring up the boot menu.

For an extensive list of laptop models, refer to the links below:

1) Non-Apple/Mac models:

https://techofide.com/blogs/boot-menu-option-keys-for-all-computers-and-laptops-updated-list-2021-techofide/#:~:text=The%20keys%20that%20are%20generally,of%20the%20computers%20or%20motherboards.

2) Apple/Mac

https://support.apple.com/en-sg/102603

4) Once you see the boot menu, select the option to boot up from your USB drive instead of your usual storage volume and you should see the following screen.

5) Select *Try or Install Tails and then Try Tailswhen you get to the next screen

Generate your validator signing keys

*BEFORE PROCEEDING TO THE NEXT STEP

  1. TURN OFF YOUR ETHERNET, WIFI, AND BLUETOOTH ACCESS

  2. PHYSICALLY COVER ALL CAMERA DEVICES - e.g. PHONES, WEBCAMS, LAPTOP CAMERAS, PEOPLE STANDING BEHIND YOU

Load the USB drive containing the Linux executable file of Wagyu Keygen onto the newly booted "OS-on-a-USB".

Move the Wagyu Keygen file into the Desktop of your "OS-on-a-USB" and run it (double-click).

Follow the instructions on the Wagyu Keygen GUI to:

  1. Create a new secret recovery phrase

  2. Select the network (Mainnet, Hoodi, Sepolia)

  3. Write down your secret recovery phrase

  4. Type in your secret recovery phrase manually to confirm you have written it down correctly

  5. Choose how many validator keys you want to generate

  6. Encrypt your validator keystores with a strong password

  7. [IMPORTANT] Set your withdrawal address according to your setup (see below for options)

    1. Native Solo Staking Setup: Use a secure Ethereum wallet address that you own--e.g., cold wallet address, SAFE multi-sig address

    2. Diva Staking: Skip this section. The validator key shares will be assigned to you by the Diva client.

    3. Lido CSM: Set your withdrawal address to the following.

    4. RocketPool (WIP):

    5. Stader (WIP):

  8. Confirm password for validator keystores

  9. Choose the folder to store the validator keystores and deposit data file that will be generated (choose the Desktop folder here)

There will be 2 files generated.

  1. A keystore-m_<timestamp>.json file: This is your validator signing keystore that your validator node will use to sign attestations. Keep this file extremely secure.

  2. A deposit_data-<timestamp>.json: This is the file that links your ETH deposit to your validator. You will only use this once, during the deposit process.

Store both files on a new USB drive by copying the entire staking-deposit-cli folder into it.

Restart your host device (e.g. working laptop) and remove the OS-on-a-stick. There will not be any persistent memory stored on it.

Add validator key to the Node

Now that we have our validator signing keystore, we will need to place it in our validator node itself so that the node can sign attestations and propose blocks.

Plug in the USB drive with your validator signing keystores into your node device. Once the USB drive is plugged in, we will need to identify it. On the terminal of your node, run:

lsblk

Expected output:

Look for your USB drive in the output list. It will take a name similar to the screenshot above - i.e. sdx.

After you find it, you can proceed to mount your USB drive onto the /media folder.

sudo mount /dev/sda1 /media

Note: Replace sda1 with the actual name of your USB drive.

You will now be able to access your USB drive via the terminal by going into the /media folder.

Go into your USB drive and copy your validator signing keystore into the HOME directory of your node.

cd /media/ethstaker_deposit-cli-b13dcb9-linux-amd64
sudo cp -r validator_keys ~

Unmount and eject your USB drive.

cd
sudo umount /media

Now you need to create a plain text password file for your validator node to decrypt your validator signing keystores.

First let's print and copy the file name of your validator signing keystore.

cd ~/validator_keys
ls

With the validator_signing_keystore_file_name copied, create the password file.

sudo nano .txt

Type in the password you used when generating your validator keys in the earlier step. Then save and exit the file with CTRL + O, enter, CTRL + X.

PreviousPrysm BNNextSet up and configure MEV-boost

Last updated