-
Notifications
You must be signed in to change notification settings - Fork 9
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* add explanation docs * add readme for keyinject * rm from header
- Loading branch information
1 parent
a7e18ac
commit 6e1e265
Showing
1 changed file
with
93 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,95 @@ | ||
# key_inject ansible role | ||
|
||
This Ansible role is designed to facilitate the injection of cryptographic keys | ||
into Polkadot nodes, a crucial step for setting up a node for active | ||
participation in network operations like consensus and block authoring. This is | ||
meant only for development and testing purposes and use is not recommended in | ||
production. | ||
|
||
## Key Role Functionality | ||
The `key_inject` role consists of several tasks organized into specific YAML | ||
files to streamline the process of key management on a Polkadot node: | ||
|
||
### Key Tasks and Files | ||
- **check_session_key.yml**: Checks whether session keys are present in the | ||
node’s keystore. | ||
- **inject.yml**: Manages the injection of keys that are not found in the | ||
keystore. | ||
- **main.yml**: Coordinates the flow between checking and injecting keys. | ||
|
||
### Detailed Process | ||
1. **Key Generation**: | ||
- Generates session keys from specified private keys using | ||
`paritytech.chain.subkey_inspect`, defaulting to the `sr25519` cryptographic | ||
scheme. | ||
|
||
2. **Key Verification**: | ||
- An RPC call checks for the presence of keys in the keystore. If absent, | ||
the process retries up to 12 times, with a 10-second pause between each try. | ||
|
||
3. **Key Injection**: | ||
- If keys are missing in the keystore, they are injected via an RPC call. | ||
This includes handling for errors and notifications for service restarts | ||
after successful injections. | ||
|
||
4. **Results Reporting**: | ||
- Outcomes of the injection process are logged, indicating the success or | ||
failure of the key injections. | ||
|
||
### Security and Risk Considerations | ||
Using Ansible for key management is feasible but must be approached with caution, | ||
particularly on networks with real economic value: | ||
- **Secure Storage**: Keys should be encrypted and securely stored within | ||
Ansible variables. Use `ansible-vault encrypt` for sensitive data. | ||
- **Unique Keys**: Ensure no key sharing across nodes to avoid risks like | ||
slashing. | ||
|
||
**Risk of Slashing**: There's a high risk of slashing in production if keys are | ||
mismanaged, particularly from issues like double-signing due to key reuse. | ||
|
||
**Best Practice**: In production environments, the use of `author_rotateKeys` | ||
RPC method is strongly recommended over manual methods to mitigate risks. | ||
This method ensures keys are managed securely, preventing equivocation. | ||
If `author_rotateKeys` is not utilized, consider implementing robust key | ||
management server software that provides safeguards against key misuse and | ||
equivocation. | ||
|
||
## Usage Instructions | ||
```bash | ||
# playbooks/inject_keys.yaml | ||
--- | ||
- name: Inject keys into Polkadot nodes | ||
hosts: polkadot | ||
gather_facts: false | ||
tasks: | ||
- name: Inject keys | ||
ansible.builtin.include_role: | ||
name: paritytech.chain.key_inject | ||
``` | ||
```bash | ||
# group_vars/polkadot.yaml | ||
subkey_path: "https://releases.parity.io/substrate/x86_64-debian:stretch/v3.0.0/subkey/subkey" | ||
key_inject_relay_chain_rpc_port: 9944 | ||
key_inject_relay_chain_key_list: | ||
- scheme: "sr25519" | ||
type: "gran" | ||
priv_key: "0xcc...9123//1//grandpa" | ||
- type: "babe" | ||
priv_key: "SECRET SEED" | ||
- type: "imon" | ||
priv_key: "SECRET SEED" | ||
- type: "para" | ||
priv_key: "SECRET SEED" | ||
- type: "asgn" | ||
priv_key: "SECRET SEED" | ||
- type: "audi" | ||
priv_key: "SECRET SEED" | ||
key_inject_check_session_key: true | ||
``` | ||
|
||
## Additional Resources | ||
This role supports a structured approach to key management but should only be | ||
used with a clear understanding of the security requirements and potential | ||
consequences like [slashing for equivocation](https://wiki.polkadot.network/docs/maintain-guides-avoid-slashing#equivocation). | ||
For further details on cryptographic practices in Polkadot, visit | ||
[Cryptography on Polkadot](https://wiki.polkadot.network/docs/learn-cryptography). |