Open ltfschoen opened 4 years ago
We've some RPCs being developed that should improve this stuff, presumably including hiding session key management from the validator operator.
I only just noticed that subkey supports password-protecting the keys https://substrate.dev/docs/en/next/ecosystem/subkey#password-protected-keys. I don't think that feature was available a few months ago when I created my Edgware keys, so it may be worthwhile highlighting that to users.
Add link to https://github.com/w3f/polkadot-secure-validator
Add link to https://guide.kusama.network/en/latest/try/validate/, which includes a link to https://guide.kusama.network/en/latest/try/secure-validator-setup/ in the first paragraph.
Some security suggestions that come to mind that you may consider including in this repo include:
Storing the stash, controller, and session keys in a file instead of exposing them in the Bash history
Guides on how to use IP failover with a script to protect against double-signing (i.e. say you have two nodes, then IP failover should prevent node 1 and node 2 signing the same block). Credit: @fress
Securely adding or rotating session keys with Edgeware
Storing your Aura pubkey (session key) in a file instead of typing it into the command line
--node-key-file "/root/edgeware/keys/mysessionkeyfile"
(instead of--node-key
). Note that these are flags of thesubstrate
binaryStoring a keystore password in a password file and then loading it with
--password-filename /root/edgeware/keys/mypasswordfile
instead of using--password "mypassword"
. Note that these are flags of thesubstrate
binary.