solethus

Summary

This PR implements ECDSA keystore support to address the security concerns raised in issue #16. The current approach of using raw private keys in environment variables exposes sensitive cryptographic material, creating security risks for node operators.

Related Issue

Closes #16

Changes Made

Core Infrastructure

  • Added ECDSA keystore loader utility (src/utils/ecdsa_loader.go)
    • LoadECDSAKey() function with keystore file support and environment variable fallback
    • GetECDSAKeystoreFlags() for consistent flag definitions across commands
    • Backward compatibility with existing environment variables

Updated Commands

  • ARPA commands (bin/avs-cli/arpa/arpa.go)
    • register-node - supports both PRIVATE_KEY env var and keystore files
    • generate-registration-signature - supports both ADMIN_1271_SIGNING_KEY env var and keystore files
  • Update ECDSA signer (bin/avs-cli/update_ecdsa_signer.go)
    • Supports PRIVATE_KEY env var and keystore files
  • Witness chain (bin/avs-cli/witness-chain/prepareRegistration.go)
    • Supports WATCHTOWER_PRIVATE_KEY env var and keystore files

New Command Line Flags

All updated commands now support:

  • --ecdsa-keystore - Path to encrypted keystore file
  • --ecdsa-password - Password for keystore file

Testing

  • Comprehensive ECDSA keystore tests (src/keystore/keystore_test.go)
    • Valid/invalid password testing
    • Nonexistent file error handling
    • Address verification
  • LoadECDSAKey utility tests (src/utils/ecdsa_loader_test.go)
    • Keystore file loading
    • Environment variable fallback
    • Error condition coverage
    • Interface mocking for testability

Documentation

  • Updated README.md with comprehensive ECDSA key management guide
    • Keystore file usage examples
    • Environment variable legacy support
    • Step-by-step migration guide
    • Security benefits explanation
  • Updated sample.env with deprecation notices and new approach examples

Migration Path

For Node Operators (Recommended)

# 1. Create keystore from existing private key
eigenlayer operator keys import --key-type ecdsa [keyname] [private_key_hex]

# 2. Use keystore flags instead of environment variables
./avs-cli arpa register-node \
  --operator-id 1 \
  --dkg-public-key "0x..." \
  --registration-signature input.json \
  --ecdsa-keystore /path/to/keystore.json \
  --ecdsa-password "your_password"

Backward Compatibility (Legacy)

Existing workflows using environment variables continue to work unchanged:

export PRIVATE_KEY="your_private_key_hex"
./avs-cli arpa register-node --operator-id 1 --dkg-public-key "0x..." --registration-signature input.json

Testing

  • All existing tests pass
  • New ECDSA keystore tests pass
  • LoadECDSAKey utility tests pass
  • Build compilation successful
  • Backward compatibility verified
  • Keystore file loading verified
  • Error handling tested

Security Improvements

  • No raw private keys in environment variables - Keystore files are encrypted with password protection
  • Industry standard compatibility - Uses EigenLayer CLI keystore format that operators are already familiar with
  • Better operational security - Reduces risk of key exposure in process environments and logs
  • Gradual migration - Operators can migrate at their own pace while maintaining existing workflows

Breaking Changes

None. This PR maintains full backward compatibility with existing environment variable usage.

solethus added 6 commits June 19, 2025 21:14
Add utility functions for loading ECDSA keys from encrypted keystore files
with backward compatibility fallback to environment variables.

- Add LoadECDSAKey function with keystore file support
- Add GetECDSAKeystoreFlags for consistent flag definitions
- Maintain backward compatibility with existing environment variables
- Follow established BLS keystore pattern for consistency

Relates to etherfi-protocol#16

Update ARPA register-node and generate-registration-signature commands
to support loading ECDSA keys from encrypted keystore files.

- Add --ecdsa-keystore and --ecdsa-password flags to both commands
- Replace direct environment variable access with LoadECDSAKey helper
- Maintain backward compatibility with PRIVATE_KEY and ADMIN_1271_SIGNING_KEY
- Improve security by supporting encrypted keystore files

Relates to etherfi-protocol#16

Update update_ecdsa_signer and witness-chain commands to support
loading ECDSA keys from encrypted keystore files.

- Add --ecdsa-keystore and --ecdsa-password flags to commands
- Replace direct environment variable access with LoadECDSAKey helper
- Support PRIVATE_KEY and WATCHTOWER_PRIVATE_KEY environment variables
- Maintain backward compatibility with existing environment variables

Relates to etherfi-protocol#16

Add thorough test coverage for ECDSA keystore loading functionality
including both direct keystore loading and LoadECDSAKey utility function.

- Add ECDSA keystore loading tests with valid/invalid passwords and files
- Add comprehensive LoadECDSAKey tests for keystore and environment variable paths
- Add tests for error conditions and edge cases
- Create CommandStringGetter interface for better testability
- Ensure backward compatibility testing with environment variables

Relates to etherfi-protocol#16

…ation

Add comprehensive documentation for the new ECDSA keystore support including
usage examples, migration guide, and security recommendations.

- Add ECDSA Key Management section to README with examples
- Document both keystore files and environment variable approaches
- Provide step-by-step migration guide from env vars to keystore files
- Update sample.env with deprecation notices and recommendations
- Explain security benefits of encrypted keystore files

Relates to etherfi-protocol#16
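
The "keystore file with environment variable fallback" selection described in this PR, as an added sketch that is not the PR's own src/utils/ecdsa_loader.go. The names ResolveECDSAKey, Decryptor and ErrNoKeySource are hypothetical, the keystore decryption is injected rather than implemented, and failing closed on a keystore error is this example's assumption, not behaviour confirmed by the PR.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Decryptor is a hypothetical hook for the keystore decryption routine.
type Decryptor func(path, password string) ([]byte, error)

var ErrNoKeySource = errors.New("no keystore path given and env var is empty")

// ResolveECDSAKey uses the keystore when a path is given, else the env var.
func ResolveECDSAKey(path, password, envVar string, decrypt Decryptor) ([]byte, string, error) {
	if path != "" {
		key, err := decrypt(path, password)
		if err != nil {
			// Fail closed: a bad password must not silently fall back to the env key.
			return nil, "", fmt.Errorf("keystore %s: %w", path, err)
		}
		return checkLen(key, "keystore")
	}
	raw := strings.TrimPrefix(strings.TrimSpace(os.Getenv(envVar)), "0x")
	if raw == "" {
		return nil, "", ErrNoKeySource
	}
	key, err := hex.DecodeString(raw)
	if err != nil {
		// Do not wrap err: hex errors quote the offending character of the secret.
		return nil, "", fmt.Errorf("%s is not valid hex", envVar)
	}
	return checkLen(key, "env:"+envVar)
}

func checkLen(key []byte, source string) ([]byte, string, error) {
	if len(key) != 32 {
		return nil, "", fmt.Errorf("%s: key is %d bytes, want 32", source, len(key))
	}
	return key, source, nil
}

func main() {
	// Constructed demo: a fake decryptor that returns 32 zero bytes.
	fake := func(string, string) ([]byte, error) { return make([]byte, 32), nil }
	_, src, err := ResolveECDSAKey("/path/to/keystore.json", "pw", "PRIVATE_KEY", fake)
	fmt.Println(src, err)
}
```

The returned source label lets a caller log which path was taken, for example to warn when the legacy environment variable is still in use, without ever logging key material.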