CNTools in production - secure?

I have been playing around with cntools (Guild Operators Documentation) and the offline/hybrid mode, however I am not that happy with the security. Even using offline mode you end up with far too many keys and certs on the block producing node.

Do people use cntools in production on their block node and just delete keys after registering the pool or do they just do everything manually where you can do as much as possible offline?

The only other option I thought about is to have:

  • block pool node
  • hot private node
  • cold offline node

Then you could run cntools on the hot private node and the cold offline node and just copy over the minimum keys/certs to the block node to run the stake pool.

Any thoughts?

I, for myself, try to do as much as possible manually (building from source, key generation on an air-gapped machine, …). Also, I store only the node certificate, KES and VRF signing keys on the BP.

I think that is the direction I am going to aim for then at least I know what is going on.
What do you do when registering the stake address and stake pool? As I understand it, these activities have to be done online and require payment.addr, stake.cert, deleg.cert and pool.cert. Do you do all this on another machine, or on your block node and then delete once finished?

As far as I understand it, to register means make it public to the Ledger, so you basically send a transaction including those certificates and a proof (witness) of you actually holding the corresponding keys (proof of ownership). Anybody correct me if I am wrong… :face_with_monocle:

I think most important is to keep keys as safe as possible (offline). I roughly followed this guide. Here, you build all transactions on your BP but copy them to your cold environment for signing and back to the hot environment for submitting.

Nope, you only end up with vkeys (public keys, many of which anyone can query directly via chain)… If using Hybrid pool mode correctly as documented, you only end up with “hot” private keys online, and public keys.

Please start at what each key is and what it means first.

The wallet and pool cold keys are never required to be on online nodes. If you’re doing so, you’re misunderstanding the usage.

Thanks for all the info. Useful to know. I agree I need to have a good look and understand what each key/cert does. It just gets a bit confusing when different guides/tools name the keys differently, but I think I am getting there. e.g. kes.skey = hot.skey. The more I look at it and play around on testnet the more it makes sense.

I was just a bit alarmed when following the hybrid cntools workflow (wallet restore) that I ended up with ~20 keys/certs/etc on my hot node. This was after reading many guides which say you should only have three keys/certs on your block producing node.

I have now checked through the files that I ended up with using cntools and they do all seem ok to be online as they are hot keys, public keys, certs.
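A small audit script for the check described in this thread, added here as an example (it is not from the thread and not part of CNTools): it walks a block producer's key directory and flags anything that is not a hot signing key (kes.skey/hot.skey, vrf.skey) or public material (.vkey, .cert, .counter, .addr), and warns when a hot key is group- or world-readable. The file names and the `ls -l` permission layout are assumptions; the sample directory in the usage is constructed.

```shell
# Audit a block-producer key directory (assumed naming: kes.skey or hot.skey,
# vrf.skey, *.vkey, *.cert, *.counter, *.addr). Returns 0 when only hot
# signing keys and public material are present, 1 otherwise.
audit_bp_keys() {
    dir="$1"
    findings=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        case "$name" in
            kes.skey|hot.skey|vrf.skey)
                # Hot signing keys belong on the BP, but must be owner-only
                # (columns 5-10 of `ls -l` are the group/other permission bits).
                if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
                    echo "LOOSE PERMISSIONS on hot key: $f"
                    findings=$((findings + 1))
                fi ;;
            *.vkey|*.cert|*.counter|*.addr)
                ;;  # public keys, certificates, counters, addresses: fine online
            *.skey|*.xsk|*.xprv|*.prv|*mnemonic*)
                # Any other private-looking file (cold.skey, stake.skey,
                # payment.skey, wallet seed) should never be on the BP.
                echo "COLD/WALLET PRIVATE MATERIAL FOUND: $f"
                findings=$((findings + 1)) ;;
            *)
                echo "unrecognised file, review manually: $f" ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample run: a directory holding only what the thread says is
# acceptable online passes; adding cold.skey makes the audit fail.
demo=$(mktemp -d)
touch "$demo/kes.skey" "$demo/vrf.skey" "$demo/node.cert" "$demo/pool.vkey" "$demo/payment.addr"
chmod 600 "$demo/kes.skey" "$demo/vrf.skey"
audit_bp_keys "$demo" && echo "clean: only hot keys and public material"
touch "$demo/cold.skey"
audit_bp_keys "$demo" || echo "audit failed: cold key present on BP"
rm -rf "$demo"
```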