Open in app

Sign in

Write

Sign in

Creating Ethereum 2 withdrawal keys using ethdo

Dr Steve Berryman
8 min readDec 8, 2020

Introduction

This document walks you through the processes of creating, testing, backing up and restoring withdrawal keys for an Ethereum validator node using the ethdo wallet. The final section describes the process of transferring between the foundation's Launchpad wallet and ethdo. The Ethereum 2 ecosystem is still very new and as such there are only minimal tools available for working with it.

By the end of the tutorial you will have much greater confidence working with Ethereum 2 wallets and public keys.

Note: Each new command line starts with a $ and each line needs to be run separately with a return. The $ is command prompt and should not be copied.

Install ethdo

The ethdo application handles the creation of Ethereum 2 wallets and accounts. It is a command line application so you will need to be comfortable working with a terminal. The wallet can be installed on Windows, OS X and Linux but the examples in this document are based on an Linux install. The command will work on all platforms but you will need to change the path details as appropriate.

You can find the latest version of ethdo by getting the appropriate archive from GitHub. You should identify the tagged release (e.g. 1.7.2) and then copy the link for your platform (use AMD64 for OS X) before doing the following:

$ wget https://github.com/wealdtech/ethdo/releases/download/v1.7.2/ethdo-1.7.2-linux-amd64.tar.gz
$ tar xvf ethdo-1.7.2-linux-amd64.tar.gz
$ ./ethdo version

If you don’t have a suitable installation archive then you generate the binaries from source:

$ sudo apt install -y gcc g++ make
$ sudo snap install go --classic
$ GO111MODULE=on go get github.com/wealdtech/ethdo

Create an Ethereum 2 wallet from scratch

This section will give you all the information you need to create an Ethereum 2 wallet with a single account from scratch. In this context we define a wallet to be a collection of Ethereum 2 keys, grouped under a single name, and an account to be a single Ethereum 2 key.

Set up a passphrase and wallet name

It is good security practice to have a complex passphrase generated randomly. Use a password generator, for example pwgen, to create a 24+ mixed case alphanumeric passphrase (pwgen -B 24 -c 1). Store this passphrase somewhere safe and secure such as a password manager. To install, run and store the result in an environment variable PASSPHRASE.

$ sudo apt install pwgen
$ PASSPHRASE=$(pwgen -B 24 -c 1)

Next step is to create a environment variable for the wallet name:

$ WALLET=myTestWallet

Create an encrypted wallet

The next step is to create an encrypted wallet, backed up with a mnemonic phrase, and remember to put the mnemonic phrase somewhere safe:

$ ./ethdo wallet create --wallet="${WALLET}" --type=hd --wallet-passphrase=$PASSPHRASE

Note that — wallet has quotes around it. This is to ensure that wallets with spaces in their names are handled correctly.

The wallet creation process will show a collection of 24 random words called a seed mnemonic. These can be used to rebuild your wallet if you lose the digital copy. You must write these down and store them safe and secure such as a fire safe. You will need these words shortly to test whether your wallet can be restored. They will all be in lower case.

List the wallets on this machine and should see the new one created:

$ ./ethdo wallet list

Ethereum 2 uses accounts within wallets, so you need to create an account in MyTestWallet called 1, this can have a different passphrase to the main wallet if you wish.

$ ./ethdo account create --passphrase=$PASSPHRASE --wallet-passphrase=$PASSPHRASE --account “${WALLET}/1”

You can test that the account has been created correctly by asking for its public key and withdrawal credentials. The withdrawal credential’s address is the hash of the public key and is one of the parameters supplied to the Ethereum 1 deposit contract.

$ ./ethdo account info --account “${WALLET}/1” --verbose

Note that you don’t require the passphrase for this step as this information is public in nature.

Sign and verify some data using the account

The next step can be skipped but it's useful for testing the signing of a newly created key. All blockchains, including Ethereum 2, use digital signatures to protect transactions. These steps will demonstrate how this is done:

To digitally sign some random data using your private key:

$ ./ethdo signature sign --passphrase=$PASSPHRASE --account “${WALLET}/1” --data=0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f --domain=0xf000000000000000000000000000000000000000000000000000000000000000

The act of digitally signing some data is a secure activity and so requires your passphrase. The output is a long string of random characters representing a digital signature.

Now you need to verify that the signature was created from your private key. The output from the previous step is placed into “signature” below:

$ ./ethdo signature verify --passphrase=$PASSPHRASE --account “${WALLET}/1” --data=0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f --domain=0xf000000000000000000000000000000000000000000000000000000000000000 --verbose --signature=”signature”

If the output is “Verified” then the signature is correct.

Backup and restore your wallet (seed words and file)

In addition to the seed mnemonic you can create an encrypted backup of the wallet files for safe keeping:

$ ./ethdo wallet export --passphrase=$PASSPHRASE --wallet=”${WALLET}” > “${WALLET}”-backup.dat

You should see the backup file in your current directory. You can verify that it is a good copy of the original as follows:

./ethdo wallet import --verify --passphrase=$PASSPHRASE --data=”${WALLET}-backup.dat”

The backup will not be imported and the output will simply show a summary of the contents, assuming a good decryption has taken place.

Now it is time to practice restoring your wallet in case of disaster. You should always do a practice restore to completely make sure you have written down all the correct information to recreate the same keys. You are not going to use this withdrawal key for 1-2 years so it’s vital the seed information is legible before you send the key to the Ethereum 1 deposit contract.

The following lines will show the account public key, then delete the wallet and finally list the wallets:

$ ./ethdo account info --account “${WALLET}/1”
$ ./ethdo wallet delete --wallet=”${WALLET}”
$ ./ethdo wallet list

There should be no entry for myTestWallet in the output. Note that there was no need to use your passphrase to delete the wallet. This makes your backups all the more important.

First try restoring from the seed mnemonic (“seedwords”) you copied earlier:

$ ./ethdo wallet create --wallet=”${WALLET}” --wallet-passphrase=$PASSPHRASE --type=hd --mnemonic=”seedwords”
$ ./ethdo account info --account=”${WALLET}/1" --verbose

It didn’t work! That’s because restoring from the seed mnemonic on its own does not restore accounts. However, manually adding the account will restore it:

$ ./ethdo account create --passphrase=$PASSPHRASE --wallet-passphrase=$PASSPHRASE --account=”${WALLET}/1"
$ ./ethdo account info --account=”${WALLET}/1" --verbose

Now the same public key has been restored, but note that the UUID associated with the wallet is different as it is simply a local identifier and not used externally.

A more convenient method for restoring is clearly to use the backup file so let’s delete the wallet and restore from that:

$ ./ethdo account info --account=”${WALLET}/1" --verbose 
$ ./ethdo wallet delete --wallet=”${WALLET}”
$ ./ethdo wallet list
$ ./ethdo wallet import --passphrase=$PASSPHRASE --data=”${WALLET}-backup.dat”

Now you should examine the wallet list as before:

$ ./ethdo wallet list

And check to see if the account has been restored as well:

$ ./ethdo account info --account=”${WALLET}/1" --verbose

You should see the same public key as before. Congratulations you have successfully restored your wallet.

Clear out your PASSPHRASE and WALLET entries for security

It is good security practice to clear out any confidential information from your history before closing your session. If you want to use the wallet you have installed remember to make a note of the passphrase. If you don’t remember the passphrase then it’s no problem as you can re-create the wallet from your seed with a new passphrase. To create a file of the passphrase before you delete the environment variables, run the following:

$ echo $PASSPHRASE > password.txt

To clear out the PASSPHRASE and WALLET entries use this:

$ unset PASSPHRASE
$ unset WALLET

Final steps

If this is your first run through this process you should now be ready to make a real Ethereum 2 wallet. Now it is time to do the above for real. You should delete myTestWallet and then repeat the above steps using a suitable naming convention for your own records.

Use a seed phrase to create a withdrawal key

An alternative, and faster, method to create an Ethereum 2 withdrawal key using ethdo is to provide a seed phrase that you have used in another wallet — perhaps a Trezor or Ledger hardware wallet. This will then be used as the basis for the calculation of the withdrawal key and the same seed phrase will generate the same withdrawal key so you can be sure it is safely backed up.

Enter the following command to get the first withdrawal key:

$ ./ethdo account derive --mnemonic=”<seed words>” --path=m/12381/3600/0/0

The derive option is useful for quickly creating a withdrawal key from your seed, which is generated in memory and the wallet is not saved to disk.

The ethdo default uses the withdrawal key derivative path as defined by EIP-2334 but you can explicitly add the parameter rather than using the wallet/account name. For a given index i the keys will be at the following paths:

  • withdrawal key: m/12381/3600/i/0
  • validator key: m/12381/3600/i/0/0

If you are intending to use many withdrawal keys, it may be worth exploring the earlier section about creating an Ethereum 2 wallet and account.

Recreate Launchpad accounts and wallets in ethdo

If you created your withdrawal account using the Launchpad wallet you can recreate the account in ethdo. More detailed instructions can be found here.

$ WALLET=Launchpad
$ ./ethdo wallet create --wallet="${WALLET}" --type=hd --wallet-passphrase=$PASSPHRASE --mnemonic="<seed phrase>"

To create the first withdrawal account then use the path m/12381/3600/i/0 (ethdo default).

$ ./ethdo account create --account="${WALLET}/Withdrawal 1" --wallet-passphrase=$PASSPHRASE --passphrase=secret --path=m/12381/3600/1/0

To create the first validator account then use the path m/12381/3600/1/0. Note that is you are using a staking service, such as Attestant, you only need the withdrawal key as we provide the validation key.

$ ./ethdo account create --account="${WALLET}/Validator 1" --wallet-passphrase=$PASSPHRASE --passphrase=secret --path=m/12381/3600/1/0/0

Recreate ethdo accounts in Launchpad

Just for completeness the seed phrase from ethdo can be imported into the Launchpad by running the following:

./deposit existing-mnemonic

Useful References

Ethereum 2 Staking Attestant

ethdo is an Ethereum 2 wallet built by WealdTech

Exploring staking keys

BY Jim McDonald ON Dec 19, 2019 When creating a staking deposit for Ethereum 2 two keys are used to generate the…

www.attestant.io

Contact

If you wish to know more about Attestant, you can contact us by email info@attestant.io or Telegram https://t.me/attestant

Also, Read

Get Best Software Deals Directly In Your Inbox

Ethereum
Eth2 Staking
Attestant
Staking As A Service
Crytowallet

--

--

Dr Steve Berryman

Written by Dr Steve Berryman

26 Followers

Attestant.io — An Ethereum 2 Staking Company

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams