Reconsider allowing keystore export #75

Open
michaelsproul opened this issue Mar 17, 2024 · 4 comments

Comments

@michaelsproul (Collaborator)

Currently the key manager API intentionally provides no way to extract keystores. This decision was made for security, as exfiltrating keystores via an API is potentially dangerous.

However, this functionality is also very useful, and when guarded by appropriate safeguards (authentication, HTTPS, private networking), it can be safe. Further, the greatest risk from keystore theft is not theft of funds, but slashing. Given the difficulty of stealing 1/3+ of signing keys to make slashing impactful and worthwhile for the attacker, I believe this makes signing keys relatively less appealing to hackers than other keys like wallets & withdrawal keys. And this is the absolute worst worst worst case scenario if a VC API is compromised.

In Lighthouse we have extended the DELETE API with non-standard fields in order to support moving keys. The CLI frontend which uses this non-standard API to relocate validators atomically has proved popular with our devops engineers and with users. See: https://lighthouse-book.sigmaprime.io/validator-manager-move.html

The fields added to the DELETE response in Lighthouse are:

  • validating_keystore: a string of the JSON keystore in its entirety
  • validating_keystore_password: the password for decrypting validating_keystore

Presently these fields are only added if the user runs the VC with the flag --http-allow-keystore-export. If we standardise this, we could require all implementations to disable keystore export by default, and only turn it on when a flag is supplied. This should reduce the likelihood of an accident.
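As an added illustration (it is neither Lighthouse's code nor part of the keymanager specification), here is a sketch of how a DELETE handler can attach the two fields named above only when the operator has opted in with an export flag, while still requiring the API token on every call. The `KeyStore` class, the function names, the bearer-token handling and the sample keystore JSON are assumptions constructed for this example; the standard response's `slashing_protection` field is omitted to keep the focus on the export gate.

```python
import json
import secrets

# Constructed placeholder in the general shape of an EIP-2335 keystore; the
# "crypto" section is a stub, not real encrypted key material.
SAMPLE_KEYSTORE_JSON = json.dumps({
    "version": 4,
    "pubkey": "ab" * 48,
    "uuid": "00000000-0000-0000-0000-000000000000",
    "crypto": {"note": "placeholder, not an encrypted key"},
})
SAMPLE_PASSWORD = "constructed-password"


class KeyStore:
    """In-memory stand-in for a validator client's key storage (assumed)."""

    def __init__(self):
        self._keys = {}  # pubkey -> (keystore_json, password)

    def add(self, pubkey, keystore_json, password):
        self._keys[pubkey] = (keystore_json, password)

    def remove(self, pubkey):
        """Remove and return (keystore_json, password), or None if absent."""
        return self._keys.pop(pubkey, None)

    def __contains__(self, pubkey):
        return pubkey in self._keys


def authorised(presented_token, api_token):
    """Constant-time bearer-token check; enabling export never bypasses auth."""
    if not presented_token or not api_token:
        return False
    return secrets.compare_digest(presented_token, api_token)


def delete_keystores(pubkeys, store, *, presented_token, api_token,
                     allow_keystore_export=False):
    """Handle a DELETE for the given pubkeys.

    Returns a response dict with a per-pubkey "data" list. The keystore and
    its password are attached to a "deleted" entry only when the VC was
    started with export enabled (modelled on --http-allow-keystore-export).
    """
    if not authorised(presented_token, api_token):
        raise PermissionError("missing or invalid API token")

    data = []
    for pubkey in pubkeys:
        removed = store.remove(pubkey)
        if removed is None:
            data.append({"status": "not_found"})
            continue
        keystore_json, password = removed
        entry = {"status": "deleted"}
        if allow_keystore_export:
            # Export happens in the same step as deletion, so the key is
            # handed out once and does not remain live here as well.
            entry["validating_keystore"] = keystore_json
            entry["validating_keystore_password"] = password
        # Default path (flag off): the key is deleted and nothing is returned.
        data.append(entry)
    return {"data": data}


if __name__ == "__main__":
    pubkey = "0x" + "ab" * 48
    for flag in (False, True):
        store = KeyStore()
        store.add(pubkey, SAMPLE_KEYSTORE_JSON, SAMPLE_PASSWORD)
        resp = delete_keystores([pubkey], store, presented_token="t",
                                api_token="t", allow_keystore_export=flag)
        print(f"export flag={flag}: fields={sorted(resp['data'][0])}")
```

With the flag off the response carries only the status, so a client that can reach the API still cannot obtain key material; with the flag on the keystore and password travel in the same response that removes the key, which is the atomic "move" behaviour the post describes.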

@dapplion (Collaborator)

I would be in support of adding exfiltration capabilities under some conditions (flag present / auth not disabled). Wondering what other teams think.

@james-prysm (Collaborator)

We don't have any special flag right now to enable keystore export, but APIs in general for the validator are not turned on unless there is a --web or --rpc flag for us. I'm for improving the security or user experience on this.

@rolfyone (Collaborator)

I'm ok with having this as an opt-in... more accurately it's not the hill i'd die on i guess... I can see the value in it.

@nflaig (Collaborator) commented Mar 19, 2024

Makes sense to standardize this as it could simplify switching clients, and reduce the downtime to a minimum.
