Keys Management

How Witness Chain's Operator CLI manages Secret Keys

In the world of blockchain and decentralized applications, securing secret keys is paramount. Witness Chainโ€™s Operator Command-Line Interface (CLI) supports several modes for handling secret keys, each catering to different security needs and use cases. This blog explores the available options and their current statuses, including plain text storage, gocryptfs encryption, web3signer utility, and Web3 Secret Storage Format.

We support only ECDSA Keys right now. BN254 keys are not supported yet.

1. No Encryption (Storing in Plain Text)

The simplest method of handling secret keys is storing them in plain text. While this approach is straightforward, it carries significant risks. Plain text storage means that anyone with access to the file can read the keys, posing a substantial security threat, especially in a production environment.


  • Simple and easy to implement.

  • No additional dependencies or setup required.


  • Highly insecure as keys are exposed to anyone with access.

2. Using gocryptfs

Available in the development branch. Details of How-to are available in the README of the development branch

gocryptfs is a user-space encrypted file system, which provides a secure layer for encrypting files. By using gocryptfs, secret keys are stored in an encrypted format, protecting them from unauthorized access. This method is currently being tested on the testnet.


  • Adds a layer of encryption, enhancing security.

  • Transparent encryption and decryption process for the user.


  • Requires additional setup and configuration.

  • Slight performance overhead due to encryption and decryption processes.

3. Using web3signer Utility (Remote Signer)

Undergoing active testing

The web3signer utility allows for the use of a remote signer, offloading the signing operations to a secure remote service. This approach keeps the secret keys off the local system, reducing the risk of local key compromise. It is currently being tested on the testnet.


  • Keeps secret keys off the local system, enhancing security.

  • Centralized management of keys, making it easier to enforce security policies.


  • Requires network connectivity to the remote signer.

  • Potential latency due to network communication.

4. Using Web3 Secret Storage Format (Keystore)

Planned for July 2024

The Web3 Secret Storage Format, is a standardized way to encrypt and store Ethereum private keys. This method ensures that keys are encrypted with a passphrase, providing a secure means of key storage. This feature is currently in development.


  • Standardized and widely adopted format for key storage.

  • Provides strong encryption for securing private keys.


  • Requires users to manage and remember their passphrase.


Witness Chainโ€™s Operator CLI offers multiple modes for handling secret keys, each with its own advantages and trade-offs. From the simplicity of plain text storage to the advanced security of gocryptfs, web3signer, and Keystore, users can choose the method that best suits their needs. While plain text storage may be adequate for non-critical applications, leveraging encryption and remote signing solutions can significantly enhance security for production environments.

As the development of the Web3 Secret Storage Format integration progresses, Witness Chain continues to prioritize the security and integrity of secret keys, ensuring robust protection for its usersโ€™ assets and operations.

Last updated