Hi There,
Would a block producer generate blocks successfully if pool files are encrypted and protected using cntools command line interface?
When the pool shows as encrypted on cntools, all files are read-only (400) and cold.skey file is encrypted. Would this be Ok to produce blocks?
Thanks,
Mil
I am not using cntools, but you don’t need the cold key on the block producer, so I assume it is fine. But I still don’t understand why cold.skey is there, it should only be on the cold machine, it should never be on a server. I assume it is there for commodity when rotating the kes keys and the operational certificate.
The read-only files are ok (400) if they belong to the user running the cnode service. It is even better to be read-only and only readable by that user.
As far I understand you do need the cold key to rotate the kes keys, so it makes sense your explanation.
What about the counter file? Read-only wont allow cntools to change the counter. I assume that it should not be read-only.
Thanks for the response
Before to renew u will need to decrypt the files
Make a copy before to encrypt the files because if u will forget the password …
Thanks. Makes sense.
@Alexd1985 Does cntools software encrypt the cold keys and store them on the block producer? In a LUKS encrypted container?
It deletes the cold.skey pool file and generates cold.skey.gpg encrypted file in the block producer.
OK, I see the encryptFile function in the cntools.library that provides this “feature”:
# Command : encryptFile [file] [password]
# Description : Encrypt file with GPG
# Parameters : file > Path for file to encrypt, will get a new .gpg file extention added to filename
# : password > Password to encrypt file with
encryptFile() {
exec >&6 2>&7 # normal stdout/stderr
sleep 0.1
echo "${2}" | gpg --symmetric --yes --batch --cipher-algo AES256 --passphrase-fd 0 --output "${1}.gpg" "${1}" &>/dev/null && \
safeDel "${1}" >/dev/null || {
exec >&8 2>&9 # custom stdout/stderr
println ERROR "${FG_RED}ERROR${NC}: failed to encrypt ${1}"
return 1
}
exec >&8 2>&9 # custom stdout/stderr
println DEBUG "${1} successfully encrypted"
}
So cntools encourages cold keys to be actually hot and on the same machine!
Yes, the counter file needs to be read-write before the kes rotation, I assume cntools are making it read-write before generating the operational certificate, then read-only again.
However, since the Vasil Hard Fork, the counter needs to be exactly 1 more than the counter used when minting the last block (or 0 if the pool never minted a block), and I understand from people using cntools that the counter for the next operational certificate can be given by them when generating it. The counter file can be generated with carano-cli, there is a subcommand for that.
Can you provide the cardano-cli command to generate a new counter for reference and those not using cntools? Thanks!
cardano-cli node new-counter --cold-verification-key-file cold.vkey --counter-value 0 --operational-certificate-issue-counter-file cold.counter
–counter-value 0 means current counter?
No, it means next.
Just because cntools has a function to encrypt/decrypt does not mean the tools are encouraging cold keys to be on the block producer. For example, the cold keys could be encrypted on an air-gapped machine; unencrypted when KES rotation is required; KES, etc. sneakernet’d back to the block producer.
This is actually described along with a diagram in the guild operators documentation, review the offline workflow for clarification: Overview - Guild Operators