Eth 2.0 Key Generation: Tails Live USB

This guide demonstrates how to generate Eth 2.0 validator keys using Tails to boot from USB.

The Eth 2.0 Beacon Chain launched on Dec 1, 2020 with around ~21k validators.

New users are encouraged to join the EthStaker Discord and practice running validators on the Pyrmont testnet before using mainnet. You can find additional Eth2 resources here.

Eth 2.0 Prymont Staking Guides:

Prymont is the current Eth2 testnet. See here for my Lighthouse guide, or follow one of Somer Esat's:

Somer Esat Pyrmont Guides: Lighthouse || Nimbus || Prysm || Teku

DISCLAIMER - FOR EDUCATIONAL PURPOSES ONLY

USE AT YOUR OWN RISK

There is no guarantee this guide will function for mainnet deposits.

Ethereum 2.0 is experimental software. Staking is inherently risky. Generating keys is risky. I am not an expert. This guide should not be relied upon for any mainnet transactions.

Practice on testnet before attempting any mainnet transactions.

Guide Summary:

1. Why Tails || Security Concerns
2. Download eth2.0-deposit-cli Key Generator
3. Download Tails for USB
4. Burn Tails ISO Image to USB
5. Disconnect Internet || Create Air-gap
6. Boot into Tails USB
7. Generate Eth 2.0 Keys
8. Safely store mnemonic seed (24 words)
9. Save deposit_date and validator_keystore
10. Pyrmont Guides || Eth2 Launchpad

You'll need a PC or server running Ubuntu and 2 USB memory sticks.

Why Tails?

Tails, or The Amnesic Incognito Live System, is a security focuses OS aimed at preserving privacy and anonymity. Tails has a few characteristics that make it ideal for Eth 2.0 key generation:

• Designed to be booted as a live USB (secure boot from any computer)

• Leaves no digital footprint on the machine unless explicitly told to do so.

• Ability to disable all networking capabilities on boot screen

• All its incoming and outgoing connections are forced to go through Tor

Security Concerns

Please ensure you understand basic security precautions. If you are unfamiliar with certain topics, you should learn, practice, and come back when you're ready.

This guide focuses creating a secure desktop environment for key generation. There are thousands of different aspects of security that this guide will not address.

Remember that a $5 wrench attack is probably be your biggest security threat.

This guide uses the following mnemonic seed to generate keys:

text patch phone badge special hurry apart teach control smoke frost cherry urban quote segment polar depend camera inherit this limit damp soccer cement

NEVER USE THIS SEED TO GENERATE MAINNET KEYS

Step 1 - Download eth2.0-deposit-cli Key Generator

Please be sure you are using the official Ethereum Foundation GitHub account.

Visit https://github.com/ethereum/eth2.0-deposit-cli/releases/

EF Github: Release page for eth2.0-deposit-cli as of Dec 2, 2020

Choose the file ending in linux-amd64.tar.gz and complete the download.

SHA256 Checksum - OPTIONAL

You can use SHA256 to ensure that your download is correct and intact. Follow these steps to run a checksum on the eth2.0-deposit-cli tarball:

cd ~
cd Downloads
ls

The ls command should show the name of the eth2.0-deposit-cli tarball. You can highlight and copy using CTRL + SHIFT + C within the terminal window.

Run sha256sum - OPTIONAL

sha256sum eth2deposit-cli-ed5a6d3-linux-amd64.tar.gz

Confirm that the checksum matches the one found on the EF GIthub release page

If the checksums match, you can be certain your file has not been altered.

Move the tarball to the 2nd USB:

Step 2 - Download Tails

Tails 4.13 USB image comes with everything needed for Eth 2.0 key generation.

Tails 4.13 USB Image Download

Step 3 - Burn Tails ISO image to USB

You can open "Show Applications" by clicking the bottom left icon:

Search startup disk creator and click the icon:

Choose ISO and Make Startup Disk:

The USB will be completely wiped, be sure to back up any important data!

Installation Complete:

Congratulations, You have successfully created a Tails secure boot USB!

Step 4 - Disconnect Internet

DISCONNECT INTERNET || aka AIR-GAP

Physically unplug all modems, routers, and Ethernet cables. Make sure you never turn on WIFI or any networking capabilities. It should be IMPOSSIBLE to connect to the internet.

Step 5 - Tails Live USB: Boot Process

F-10at computer startup is the standard method to enter the one-time boot menu. If that doesn't work, search online for your machine ( e.g. "Dell XPS 15 one time boot menu")

Ideally you would use a new computer that has never connected to the internet, but it is generally safe to use a personal computer that is virus free and air-gapped

Tails Live USB - Boot Process

1. Begin with the computer powered down

2. Plug the Tails live USB into the computer

3. Start the computer and continually press F-10 until you enter one-time boot menu

4. Choose the Tails USB in the boot menu

Step 6 - Tails Startup Screen

Tails should boot into the GRUB screen, with Tails OS being the first option.

This screen is GRUB for Ubuntu, but tails should look similar:

Tails OS will be the first option. Hit ENTER to continue on to startup settings.

Startup Options:

Click the + sign in the bottom left corner

Click Network Connection and change to DISABLE ALL NETWORKING

Step 7 - Extract eth2.0-deposit-cli

Move your mouse to the upper left corner to open the application viewer, and search "files".

Click on the icon or press ENTER to open the file viewer.

File Viewer

Plug in the second USB stick

The USB drive should automatically appear in the bottom left when you insert the USB.

Click on the USB drive

Double-click on the eth2deposit-cli tarball to extract the binaries

Click Home in the top left, then click Extract

Extraction Completed Successfully

Click Show the Files

Clicking on "show the files" won't actually bring you to the extracted files. It brings you to the following home screen. You can then click the "amnesia" folder.

Note: amnesia is the default username within Tails OS.

Enter the /home/amnesia folder

Note: In Linux systems $HOME/amnesia is the same as /home/amnesia

You should see a folder with the same name as the tarball file.

Rename the extracted Eth2 deposit folder eth2.0-deposit-cli

Updated Home Folder

Step 8 - Generate Eth 2.0 Keys

Open a new terminal window

Move your mouse to the upper left, then search "terminal"

Tails Terminal Window

Change directory to eth2.0-deposit-cli

cd eth2.0-deposit-cli

Run ls to check folder contents

ls

You should see a single green file called deposit

Run ./deposit new-mnemonic

./deposit new-mnemonic

Deposit script parameters

You will be asked to provide the following responses:

1. Mnemonic language: [default english]

2. How many validators you wish to run

3. Choose network: [default mainnet]

4. Type a password to secure your validator

5. Repeat password for confirmation

Step 9 - Mnemonic Seed

The 24 word mnemonic seed is necessary to withdraw your staked Eth. Without the seed, you will be unable to transfer/withdraw and your Eth will be lost forever.

You need enough copies in case of disaster (fire, flood, theft), but additional copies increases chances of falling into the wrong hands. If someone finds your mnemonic, they get your Eth.

After confirming the password, you'll be given a mnemonic seed phrase:

Write down the mnemonic, then reenter to ensure it's correct:

A few things to keep in mind regarding the 24-word mnemonic phrase:

• Make sure you use durable paper and permanent pen

• Store in a waterproof, fireproof bag inside a safe

• A bank security box is useful in preventing the $5 wrench attack
• Minimum of 2 copies in case of loss

After reentering the mnemonic, the validator_keys and deposit_data will be created.

Run clear to clear the terminal window:

clear

Navigate to the /home/eth2.0-deposit-cli directory:

You should see a new folder called validator_keys, enter the folder.

THESE FILES ARE VERY IMPORTANT

Files can be found at:/home/amnesia/eth2.0-deposit-cli/validator_keys

• deposit_data-[timestamp].json

  • contains data used to register your validator on the Eth2 launchpad

• keystore -[timestamp].json

  • validator keystore file protected by password (aka validator signing key)

The mnemonic seed (24 words) is used to create the keystore file and withdrawal signatures.

If you lose the mnemonic seed, your stake is lost forever.

Open the deposit_data json file

The above deposit_data is for the following mnemonic seed:

text patch phone badge special hurry apart teach control smoke frost cherry urban quote segment polar depend camera inherit this limit damp soccer cement

If you use that seed for ./deposit existing-mnemonic, you'll get the same deposit_data

Open keystore file

Unlike the deposit_data file, the keystores will vary slightly every time it's generated.

Although some info will change, you'll always generate the same PUBKEY address if you use the same mnemonic (Note: A single mnemonic can generate an unlimited # of keystores)

Practice below with ./deposit existing-mnemonic to fully understand the concept.

Step 10 - Save deposit_data and keystore

Open a new file viewer window

You can right click on the USB and choose "Open in New Window"

Copy validator keys to external USB

Confirm that the validator_keys folder is saved on the USB:

The keystore file is used to create validator signatures. You should keep an extra copy, but you can always use your mnemonic seed to generate a new keystore if necessary.

Shut down the Tails OS

Step 11 - Prymont Testnet

You can test your newly generated keys using the Launchpad and following one of these Eth2 guides:

AGSC Prymont Guide: Lighthouse

Somer Esat: Lighthouse || Nimbus || Prysm || Teku

Be sure to join the EthStaker Discord if you run in to any issues when trying to stake!