Bulk load ETH1 signing keys (#207)

* Bulk load ETH1 signing keys. Signed-off-by: bgravenorst <[email protected]> * Fix typo. Signed-off-by: bgravenorst <[email protected]> * Fix typo. Signed-off-by: bgravenorst <[email protected]> * Update sentence. Signed-off-by: bgravenorst <[email protected]> --------- Signed-off-by: bgravenorst <[email protected]>
Consensys · Oct 10, 2023 · 5aaa80e · 5aaa80e · vercel · Oct 10, 2023
1 parent c15ff9b
commit 5aaa80e
Show file tree

Hide file tree

Showing 2 changed files with 135 additions and 4 deletions.
diff --git a/docs/how-to/use-signing-keys.md b/docs/how-to/use-signing-keys.md
@@ -25,7 +25,7 @@ You can configure access to the signing key by:
   layer signing keys stored in [Azure Key Vault](#azure-key-vault), [AWS Secrets Manager](#aws-secrets-manager),
   or [keystore files](#keystore-files).
 - Using the [`eth1` subcommand options](../reference/cli/subcommands.md#eth1) to bulk load execution
-    layer signing keys stored in [Azure Key Vault](#azure-key-vault).
+    layer signing keys stored in [Azure Key Vault](#azure-key-vault) or [keystore files](#keystore-files).
 
 :::note
 Bulk loading is only available when using keys stored in Azure Key Vault, AWS Secrets Manager,
@@ -96,16 +96,29 @@ web3signer eth2 --aws-secrets-enabled=true --aws-secrets-access-key-id=AKIA...EX
 
 ### Keystore files
 
-You can bulk load consensus layer keys that are stored as keystore files using the Web3Signer
+You can bulk load consensus layer or execution layer keys that are stored as keystore files using the Web3Signer
+[`eth1` subcommand options](../reference/cli/subcommands.md#eth1) or
 [`eth2` subcommand options](../reference/cli/subcommands.md#eth2).
 
+<!--tabs-->
+
+# Consensus layer client
+
 ```bash
 web3signer eth2 --keystores-path=/Users/me/keystores \
 --keystores-passwords-path=/Users/me/passwds
 ```
 
-Use [`--keystores-password-file`](../reference/cli/subcommands.md#keystores-password-file) or
-[`--keystores-passwords-path`](../reference/cli/subcommands.md#keystores-passwords-path) to specify
+# Execution layer client
+
+```bash
+web3signer eth1 --keystores-path=/Users/me/keystores \
+--keystores-passwords-path=/Users/me/passwds
+```
+
+<!--/tabs-->
+
+Use the `eth1` or `eth2` `--keystores-password-file` or `--keystores-passwords-path` command line option to specify
 keystore passwords.
 
 ## Reload new keys

diff --git a/docs/reference/cli/subcommands.md b/docs/reference/cli/subcommands.md
@@ -662,6 +662,124 @@ eth1.downstream-http-tls-ca-auth-enabled: false
 Enables or disables connections to servers with trusted CAs.
 The default is `true`.
 
+#### `keystores-password-file`
+
+<!--tabs-->
+
+# Syntax
+
+```bash
+--keystores-password-file=<FILE>
+```
+
+# Example
+
+```bash
+--keystores-password-file=/Users/me/passwds/keystore_passwords.txt
+```
+
+# Environment variable
+
+```bash
+WEB3SIGNER_ETH1_KEYSTORES_PASSWORD_FILE=/Users/me/passwds/keystore_passwords.txt
+```
+
+# Configuration file
+
+```bash
+eth1.keystores-password-file: "/Users/me/passwds/keystore_passwords.txt"
+```
+
+<!--/tabs-->
+
+File that contains the password used by all keystores.
+Cannot be set if [`--keystores-passwords-path`](#keystores-passwords-path) is also specified.
+
+:::note
+Alternatively, use [`--keystores-passwords-path`](#keystores-passwords-path) to specify a directory
+containing a separate password file for each keystore.
+:::
+
+#### `keystores-passwords-path`
+
+<!--tabs-->
+
+# Syntax
+
+```bash
+--keystores-passwords-path=<PATH>
+```
+
+# Example
+
+```bash
+--keystores-passwords-path=/Users/me/passwds
+```
+
+# Environment variable
+
+```bash
+WEB3SIGNER_ETH1_KEYSTORES_PASSWORDS_PATH=/Users/me/passwds
+```
+
+# Configuration file
+
+```bash
+eth1.keystores-passwords-path: "/Users/me/passwds"
+```
+
+<!--/tabs-->
+
+Directory containing password files for corresponding keystores.
+Each password file name must match the corresponding keystore filename, but with a `.txt` extension.
+
+Cannot be set if [`--keystores-password-file`](#keystores-password-file) is also specified.
+
+:::note
+Alternatively, use [`--keystores-password-file`](#keystores-password-file) to specify a single
+password file that contains the password used by all keystores.
+:::
+
+#### `keystores-path`
+
+<!--tabs-->
+
+# Syntax
+
+```bash
+--keystores-path=<PATH>
+```
+
+# Example
+
+```bash
+--keystores-path=/Users/me/keystores
+```
+
+# Environment variable
+
+```bash
+WEB3SIGNER_ETH1_KEYSTORES_PATH=/Users/me/keystores
+```
+
+# Configuration file
+
+```bash
+eth1.keystores-path: "/Users/me/keystores"
+```
+
+<!--/tabs-->
+
+Directory that stores the keystore files.
+Keystore files must use a `.json` file extension.
+
+Use [`--keystores-password-file`](#keystores-password-file) or
+[`--keystores-passwords-path`](#keystores-passwords-path) to specify keystore passwords.
+
+:::caution Important
+Restart Web3Signer if you want to pick up new keystores added to the directory since Web3Signer started.
+:::
+
 ### `eth2`
 
 #### `aws-connection-cache-size`