KES Key Rotation via CNTools in Hybrid Mode

Hello Fellow SPOs,

Based on our experience rotating KES keys, we had put together this blog post explaining the process of rotating KES keys using CNTools in Hybrid mode (online/offline nodes). We did this twice so far and were successful both the times (we did not miss a block after key rotation). Just want to share the process.

## Airgapped/Offline Node

  1. Navigate to directory “$CNODE_HOME/scripts” and run “./ -o”

  2. Select the option, Pool

  3. Then select Pool Operation, Rotate. You see a message like this,
    [kes key rotation result]

  4. Navigate to your pool directory “$CNODE_HOME/priv/pool/”

  5. The above screenshot says, copy only 2 files, but we believe you must copy all these updated files “op.cert”,“cold.counter”,“hot.skey”,“hot.vkey”,“kes.start” to a secure USB device

## BP/Online Node

  1. Copy files from secure USB drive to BP node directory “$CNODE_HOME/priv/pool/”

  2. Change the permissions for copied files, if different, should be “chmod 700”

  3. Restart the cnode service for changes to take effect

  4. Verify the gLiveView to see the updated KES period (should match the terminal screenshot above). Pay close attention to KES start period and KES expiration.

  5. Check the cbor hex key using the command below. If you have successfully updated your server

Check KES key counter value: - Run command below from any directory path

cardano-cli text-view decode-cbor --in-file /opt/cardano/cnode/priv/pool//op.cert | grep int | head –1

Output:- Key Rotation - incremental int value # int(incremental int value)
Output:- 00 # int(0) (At pool creation)
Output:- 01 # int(1) (Post 1st KES key rotation)
Output:- 02 # int(2) (Post 2nd KES key rotation)

Above information is also available on our website Ada Moon KES key rotation

You should see how wonderfull is to sign transactions with cntools in offline mode :wink:

1 Like