Cryptographic Key Management

Proper cryptographic key management is fundamental to the security and operational integrity of validators in the XOS Testnet ecosystem. This guide outlines the various key types utilized by validators and provides detailed procedures for their secure management through the xosd command-line interface.

Validator Cryptographic Framework

XOS Testnet validators employ two distinct categories of cryptographic keys, each with specific operational functions. Ensuring robust protection and redundant backups of these keys is paramount for maintaining validator reliability and security. Key compromise or loss may result in unauthorized control, service disruption, or consensus participation failure. Industry best practices include secure storage mechanisms, regular backup procedures, and utilization of hardware security modules or encrypted storage solutions.

Consensus Signature Key

• Functional Role: Facilitates participation in consensus operations and block signature generation.
• Storage Path: Located at config/priv_val_key.json.
• Security Significance: This key represents a critical validator component. Its compromise could enable adversaries to interfere with block validation and signing procedures, potentially undermining chain security.

Administrative Control Key

• Functional Role: Enables validator management operations, including governance participation and configuration adjustments.
• Storage Options: Offers flexibility with support for external custody or internal xosd keyring storage.
• Security Implications: Proper safeguarding of this key is essential, as it provides administrative privileges over validator operations.

Administrative Key Management Approaches

Two principal methodologies exist for Administrative Key management:

Third-party Wallet Integration

• Implementation Example: Wallet applications such as Keplr offer secure Administrative Key storage capabilities.
• Key Benefits:
  • Enhanced security through physical separation from the validator infrastructure.
  • Intuitive graphical interfaces for key operations and governance interaction.
• Usage Scenario: Particularly suitable for operators prioritizing security isolation and simplified management interfaces.

Integrated Key Storage

The xosd binary includes support for multiple secure storage mechanisms:

• Operating System Integration: Utilizes native OS security features such as macOS Keychain or Windows Credential Manager, providing robust protection against unauthorized access attempts.
• Encrypted File Storage: Maintains keys within an encrypted file structure, facilitating straightforward backup and migration procedures. Always maintain strict access controls for the storage location.
• Development Environment: Provides a simplified storage option for testing environments, with keys stored in unencrypted format.

Test keyring

The development environment keyring is strictly for testing environments and should never be deployed in production validator configurations.

Administrative Key Operations

The xosd command-line interface provides comprehensive key management capabilities. The following procedures outline essential operations:

Key Generation Procedure

Execute this command to create a new cryptographic key:

xosd keys add <key_identifier> --keyring-backend <os|file|test>

During key creation, the system generates a mnemonic recovery phrase that is displayed only once. Securely documenting this phrase is critical as it serves as the recovery mechanism for the key. Implement strong security measures for mnemonic storage, such as hardware security modules or encrypted digital vaults.

Key Inventory

To display all keys in the current keyring:

xosd keys list --keyring-backend <os|file|test>

This command outputs key identifiers and their corresponding addresses. Regular inventory verification helps detect unauthorized key additions.

Key Backup Protocol

Implement regular key backup procedures to prevent permanent loss. Export keys using:

xosd keys export <key_identifier> --keyring-backend <os|file|test>

• Critical Security Note: Store the resulting mnemonic phrase using robust security measures, preferably in hardware security modules or encrypted storage systems.

Key Recovery Implementation

To restore previously exported keys:

xosd keys import <key_identifier> <keyfile_path> --keyring-backend <os|file|test>