Software Release: Advanced Security Improvements with gocryptfs for Operator-CLI & Watchtower client
Status: Beta release
We are excited to unveil our latest software release for the operator-cli and the watchtower client , designed to significantly enhance the security of your operations with the integration of gocryptfs.
This update brings robust encryption capabilities to the Operator-CLI and Diligence Watchtower Client, providing tighter protection for your keys.
gocryptfs Integration
At the core of this release is the integration of gocryptfs, a user-friendly, high-performance encrypted file system. gocryptfs ensures that your sensitive data is encrypted on-the-fly, offering seamless encryption and decryption without compromising on performance. This feature is now embedded within both the Operator-CLI and Watchtower Client, providing end-to-end encryption for your WitnessChain AVS operations.
Enhanced Key Management
Key management is simplified with our new release. The integration of gocryptfs allows for easy watchtower key generation, storage and usage. You can now manage your encryption keys directly from the Operator-CLI, ensuring that your keys are securely handled and updated as needed.
How to setup encrypted keys for the watchtower-operator cli ?
This is a reference setup guide for the watchtower-operator CLI. You can follow similar steps for the watchtower client also
1. Install gocryptfs
gocryptfs is a user-friendly, high-performance encrypted file system that provides transparent encryption for your files. This guide will walk you through the basic setup process to get gocryptfs up and running on your system.
Linux is gocryptfs’ native platform. If you are running it on any other platform, it is not production grade yet. You can read more about it here
2. Install watchtower-operator cli
watchtower-operator is a command-line interface (CLI) tool for interacting with the Witness Chain watchtower AVS (An EigenLayer AVS) smart contracts.
You can get the watchtower-operator cli prebuilt, or build it from source.
a. Prebuilt
You can run the following command in your terminal and follow instructions provided by the script to use the cli
curl -sSfL witnesschain.com/install-operator-cli | bashb. Building from source
git clone https://github.com/witnesschain-com/operator-cli.git
cd operator-cli/watchtower-operator-cli
./build
When you run ./watchtower-operator, you should be able to see something like this
3. Setting up the config file
The structure and details in the config file might differ based on the functionality you are using. Config files related to operator have been explained below.
Don’t change the key names in the config file. Changing the key names in the json file will lead to incorrect working
Before gocryptfs feature (without security)
{
"watchtower_private_keys": [
"<watchtower private key>"
],
"operator_private_key": "",
"operator_registry_address": "",
"witnesshub_address": "",
"avs_directory_address": "",
"eth_rpc_url": "",
"chain_id": <holesky or mainnet chain id>,
"gas_limit": 1000000,
"tx_receipt_timeout": 300 ,
"expiry" : 10000000
}After gocryptfs feature installed/setup in your client
{
"watchtower_private_keys": [
"my_watchtower"
],
"operator_private_key": "my_operator",
"operator_registry_address": "",
"witnesshub_address": "",
"avs_directory_address": "",
"eth_rpc_url": "",
"chain_id": <holesky or mainnet chain id>,
"gas_limit": 1000000,
"tx_receipt_timeout": 300,
"expiry" : 10000000,
"use_encrypted_keys" : true
}Two Changes between “before” to “after”
- Usage of gocryptfs Key Names pointing to the encrypted watchtower/operator keys
watchtower_private_keys: [] will now point to the gocryptfs keys, internally pointing to the encrypted watchtower private keys. Let’s say we call it my_watchtower
operator_private_key: “” will now point to the gocryptfs keys, internally pointing to the encrypted operator private key. Let’s say we call it my_operator
The steps to create the my_operator and my_watchtower keys are explained in the next sections…
2. Also, note the additional parameter to toggle the usage of the encrypted keys
use_encrypted_keys: true -> Should be set to true to use the encrypted keys.
If use_encrypted_keys: false, then the private keys would be entered in plain text
Now, the question is how to generate and use the gocryptfs keys ?
How to generate the gocryptfs keys?
Simple, use the keys command
The keys command has 4 sub-commands.
Using these commands are painful in Mac. You have to enable System Extensions
init- This command is used to initiate a new gocryptfs file system. This will ask you to input a password which will be required whenever we need to access these file. It also performs password validations for stronger passwords. To bypass this validation in the test environment, there is a flag--insecure(-i). Once the command is successfully run, all other actions will need this password.
Try setting a weaker password, and the CLI will reject.
Once you set a strong password, you should be able to proceed and you will see 2 directories : .encrypted_keys and .decrypted_keys. The names indicate their functions. Once this is done, we don’t need to do it again, unless the .encrypted_keys or .decrypted_keys are tampered with.
$ watchtower-operator keys init
Creating directory: .encrypted_keys
Creating directory: .decrypted_keys
Enter password to init: **********Don’t forget the password.
The CLI tool will use the keys stored in the encrypted format in the location, ~/.witnesschain/cli/encrypted_keys
2. create - This command will create a new key. This command will need a flag --key-name(-k). This will be the name of the key which will be referred in the future by the CLI (in the config). This name should be mentioned in the config file to extract the corresponding private key. When you run this command, it will ask for password to mount and then ask you to enter the private key.
$ watchtower-operator keys create -k my_operator
Enter password to mount: **********
Enter private key: ****************************************************************
Created key: my_operatorRepeat it for the my_watchtower private key also. This needs to be repeated for as many watchtower private keys you would want to encrypt
3.list - This command will list all the keys currently present (only by file name and created date)
$ watchtower-operator keys list
Enter password to mount: **********
-------------------------------------------------------
Name Created
-------------------------------------------------------
my_operator 28-06-2024 7:36:16
-------------------------------------------------------
my_watchtower 28-06-2024 7:40:16
-------------------------------------------------------4. delete - This command will delete a key. This command will need a flag --key-name(-k). The name given will be searched in the decrypted_keys and deleted
$ watchtower-operator keys delete -k my_operatorEnter password to mount: **********
Deleted key: my_operator$ watchtower-operator keys listEnter password to mount: **********
-------------------------------------------------------
Name Created
-------------------------------------------------------
-------------------------------------------------------
So now, what happens ?
Moving forward, the CLI will prompt for the mount password to decrypt and utilize these keys. Here is an example of how the watchtower-operator cli configuration will appear when using the encrypted keys.
{
"watchtower_private_keys": [
"my_watchtower"
],
"operator_private_key": "my_operator",
"operator_registry_address": "",
"witnesshub_address": "",
"avs_directory_address": "",
"eth_rpc_url": "",
"chain_id": <holesky or mainnet chain id>,
"gas_limit": 1000000,
"tx_receipt_timeout": 300,
"expiry" : 10000000,
"use_encrypted_keys" : true
}GitHub Repositories
You can take a look at our code base on
Operator CLI: https://github.com/witnesschain-com/operator-cli/releases/tag/v0.3.0-rc1
Watchtower Client: https://github.com/witnesschain-com/diligencewatchtower-client/releases/tag/1.1.0-rc1
Connect with us
Stay up-to-date with the latest news and updates by following us on Discord and X.
