Key rotation
Vega key rotation for validators
This is a safety-related feature specifically for validators to manage their Vega keys. To run the Vega network, validators need three keys: Ethereum, Tendermint and Vega. This section is specifically about the Vega key.
In the case that the Vega key is compromised, or the validator decides to switch to a new key, there is a mechanism available in Vega to perform a key rotation.
Rotation to the new key is done in 4 steps:
- Generate new key from the original wallet (with Vega Wallet CLI)
- Isolate newly created key to a standalone wallet (with Vega Wallet CLI)
- Create and submit key rotation transaction to the network (with Vega Wallet CLI)
- Import and reload the isolated wallet to run Vega validator node (with Vega binary)
Prerequisites:
- Installed Vega Wallet CLI
- Running validator node with admin server enabled
- Access to the wallet holding the current Vega key and its master key (usually the original wallet that generated those keys)
WALLET_NAME
- represents the wallet that holds the currently used key and its master key (usually the wallet that generated the key)
WALLET_PATH
- represents the path to the wallet above (WALLET_NAME)
CURRENT_PUB_KEY
- represents the key listed by step 1.A
GENERATED_PUB_KEY
- represents the key generated by step 1.B
ISOLATED_WALLET_PATH
- represents the path to the isolated wallet created in step 2
Step 1. Generate new key from the original wallet
You must have access to the wallet that holds the original key that is to be rotated.
1.A First, validate that the public key to be rotated is visible in the wallet. The printed public key will be referred to as CURRENT_PUB_KEY.
vegawallet --home "WALLET_PATH" key list --wallet "WALLET_NAME"
1.B After confirming that this wallet holds the current key, generate a new key. The printed public key will be referred to as GENERATED_PUB_KEY.
vegawallet --home "WALLET_PATH" key generate --wallet "WALLET_NAME"
Once a new key has been generated in the same wallet, move to step 2.
Step 2. Isolate newly created key to a standalone wallet
This step isolates the key into a standalone wallet so it can be imported to the validator's node wallet.
The following command will isolate the key to a separate wallet. Make a note of the isolated wallet path printed by the command; it is referred to below as ISOLATED_WALLET_PATH.
vegawallet --home "WALLET_PATH" key isolate --wallet "WALLET_NAME" -k "GENERATED_PUB_KEY"
Step 3. Create and submit key rotation transaction to the network
After generating a new key and isolating it to a wallet, create and submit a transaction for the network to request the key rotation.
TX_HEIGHT
- the current block height of the network. It may be up to roughly 50 blocks below the actual height, but it should be as close as possible. Make sure it is chosen correctly, otherwise the transaction will be refused by replay protection.
TARGET_HEIGHT
- the block height at which the key rotation will take place. It must be in the future. Choosing a height at least 30-50 blocks ahead is recommended, to leave enough time to complete step 4 in the meantime.
BASE64_TRANSACTION
- transaction output by step 3.A
VEGA_NETWORK
- the Vega network that the validator node is running on
3.A This step creates a key rotation submission transaction and outputs it as a Base64 string. The output transaction is referred to as BASE64_TRANSACTION.
vegawallet --home "WALLET_PATH" key rotate --current-pubkey "CURRENT_PUB_KEY" --new-pubkey "GENERATED_PUB_KEY" --tx-height "TX_HEIGHT" --target-height "TARGET_HEIGHT" --wallet "WALLET_NAME"
3.B After successfully creating the transaction, submit it to the network. If this step is successful, move to step 4.
vegawallet tx send --network "VEGA_NETWORK" "BASE64_TRANSACTION"
Step 4. Import and reload the isolated wallet to the running Vega validator node
Finally, import the isolated wallet from step 2 into the validator node wallet and reload it in the running node.
HOME
- home folder of the running validator node
4.A Import the isolated wallet into the running instance of the validator node.
vega nodewallet import --home "HOME" --wallet-path "ISOLATED_WALLET_PATH" -c vega --force
4.B After successfully importing the wallet, wait until the network rotates to the new key (the block height reaches TARGET_HEIGHT or later), then reload the validator node wallet so it uses the new key from the isolated wallet.
vega nodewallet reload --home "HOME" -c vega
The command above should report that the node is now using the new public key, GENERATED_PUB_KEY, instead of CURRENT_PUB_KEY.
Validate that the key has been rotated successfully in the network using the data node API endpoint, as described in the data node documentation.
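The two places where this procedure is easiest to get wrong are the heights passed in step 3.A and the timing of the reload in step 4.B. The following shell helpers are an added example, not part of the Vega docs or tooling: they check TX_HEIGHT and TARGET_HEIGHT against the rules above, print the exact step 3.A command line for review, and poll until TARGET_HEIGHT is reached before the node wallet is reloaded. The height getter passed to wait_for_height is assumed to be a command of your own that prints the chain's current block height (for instance a query against your data node); this page does not define one.

```shell
#!/bin/sh
# Added example, not from the Vega docs: pre-flight checks for the heights
# passed to "vegawallet key rotate" (step 3.A) and a wait loop for step 4.B.
# Assumption: the getter given to wait_for_height is your own command that
# prints the current block height (e.g. a data node query); not defined here.

# Rules from the procedure: TX_HEIGHT may lag the current height by up to 50
# blocks (further back and replay protection refuses the transaction),
# TARGET_HEIGHT must be in the future, and 30+ blocks ahead is recommended.
# Returns 0 when fine, 2 for a soft warning, 1 for a hard error; prints why.
check_rotation_heights() {
  cur=$1 tx=$2 target=$3
  if [ "$tx" -gt "$cur" ]; then
    echo "TX_HEIGHT $tx is ahead of the current height $cur"; return 1
  fi
  if [ $((cur - tx)) -gt 50 ]; then
    echo "TX_HEIGHT $tx is more than 50 blocks behind $cur: replay protection will refuse it"; return 1
  fi
  if [ "$target" -le "$cur" ]; then
    echo "TARGET_HEIGHT $target is not in the future (current height $cur)"; return 1
  fi
  if [ $((target - cur)) -lt 30 ]; then
    echo "TARGET_HEIGHT $target is under 30 blocks ahead: little time for step 4"; return 2
  fi
  return 0
}

# Assemble the step 3.A command line (note the double-dash --target-height)
# so it can be reviewed before running. Prints it; does not execute it.
rotate_cmd() {
  printf 'vegawallet --home "%s" key rotate --current-pubkey "%s" --new-pubkey "%s" --tx-height "%s" --target-height "%s" --wallet "%s"\n' \
    "$1" "$2" "$3" "$4" "$5" "$6"
}

# Step 4.B: poll until the chain reaches TARGET_HEIGHT, then it is safe to run
# "vega nodewallet reload". $1 = target height, $2 = height getter command,
# $3 = poll interval in seconds (default 5).
wait_for_height() {
  target=$1 getter=$2 interval=${3:-5}
  while :; do
    h=$($getter) || return 1
    if [ "$h" -ge "$target" ]; then
      echo "height $h has reached $target: safe to reload the node wallet"
      return 0
    fi
    sleep "$interval"
  done
}
```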