Add a private key and account

You will need to create at least one private key to hold your account that will be used to execute transactions from the node.

When you run the command below, you might be prompted to enter a password for your keyring.

archwayd keys add <account-name>

docker run --rm -it -v ~/.archway:/root/.archway ghcr.io/archway-network/archwayd:v4.0.3 keys add <account-name>

For example:

archwayd keys add my-node

docker run --rm -it -v ~/.archway:/root/.archway ghcr.io/archway-network/archwayd:v4.0.3 keys add my-node

You will observe a similar output as shown below:

- name: my-node
  type: local
  address: archway12ntzpk9fjt2x39pvll8ufma9tuhhnkh8g4zzc2
  pubkey: archwaypub1addwnpepqfgjegqxxv9srfe359t93tu9l86tpkwwjk7w63xtpwq05wmlq9emjmxfmmv
  mnemonic: ""
  threshold: 0
  pubkeys: []


**Important:** Write this mnemonic phrase in a safe place.
It is the only way to recover your account if you ever forget your password.

resource regret any wet stable body alcohol spring horse valve ritual top music salad gesture can earn casino example drive surface mix senior flag

The account comes with a human-readable 24-word mnemonic phrase (also called seed or simply mnemonic), which you can use to recover the account.

Restore existing account via mnemonic

To recover an existing account, add the --recover flag:

archwayd keys add <key_name> --recover

docker run --rm -it -v ~/.archway:/root/.archway ghcr.io/archway-network/archwayd:v4.0.3 \  keys add <key_name> --recover

You will be prompted to enter your bip39 mnemonic in order to add the key.

List your keys

You can use the following command to list all your keys:

archwayd keys list

docker run --rm -it -v ~/.archway:/root/.archway ghcr.io/archway-network/archwayd:v4.0.3 \  keys list

For example, executing the command above would produce output similar to the following:

$ archwayd keys list  - name: Default    type: local    address: ## Address of "Default" ##    pubkey: ## Pubkey of "Default" ##    mnemonic: ""    threshold: 0    pubkeys: []  - name: Default_restore    type: local    address: ## Address of "Default_restore" ##    pubkey: ## Pubkey of "Default_restore" ##    mnemonic: ""    threshold: 0    pubkeys: []

You can also retrieve information about a specific key:

archwayd keys show <key_name>

docker run --rm -it -v ~/.archway:/root/.archway ghcr.io/archway-network/archwayd:v4.0.3 keys show <key_name>

and you will be shown something similar to the following:

$ archwayd keys show Default --bech acc- name: Default  type: local  address: arch1quw5r22pxy8znjtdkgqc65atrm3x5hg6vycm5n  pubkey: archpub1addwnpepqdct05khsxvtaaj0stuvayrpw0j8t6styr7vu05k3y63d5540ftuz8x6tsq  mnemonic: ""  threshold: 0  pubkeys: []

Delete a key

You can delete a key in your storage path with:

archwayd keys delete <key_name>

docker run --rm -it -v ~/.archway:/root/.archway ghcr.io/archway-network/archwayd:v4.0.3 keys delete <key_name>

Export private keys

You can export and backup your key by launching:

archwayd keys export <key_name>

docker run --rm -it -v ~/.archway:/root/.archway ghcr.io/archway-network/archwayd:v4.0.3 keys export <key_name>

Keyring-backend flag

The Keyring is where the keys are stored, and there are a few options.

archwayd keys [subcommands] --keyring-backend [backend type]

Os backend

The default os backend stores the keys in the operating system's credential sub-system.

File backend

By choosing the file backend, a password entry is required every time you need to access it. This implies that you may be prompted for your password multiple times in one single command.

Test backend

The test backend is a password-less variation of the file backend. It stores unencrypted keys inside the app's configuration directory. It should only be used in testing environments and never be used in production.

Operator Address vs Validator Consensus Address

We have been talking about your node address, which is your account address and it's used for holding funds and signing transactions. This is also referred to as Operator Address, and you can obtain it by launching archwayd keys add <your-key-name>. This address starts with "archway..".

It is important to notice that there is also another type of address, derived from your validator's consensus public key. This is called Validator Consensus Address, and it is used in the staking and consensus process to identify your validator.This address starts with "archwayvaloper.."", and you can obtain it by launching archwayd tendermint show-address.

TKMS (Optional)

Tendermint Key Management System (TKMS), is a specialized service that manages validator keys for nodes operating on the Cosmos network, ensuring the secure storage, access, and usage of cryptographic keys. Using TKMS for Cosmos validators has the following advantages:

• Improved security: TKMS establishes robust security practices for the handling and storage of cryptographic keys, minimizing the risk of unauthorized access, manipulation, or theft of keys.
• Unified API and support for various HSMs: TKMS offers a unified API that allows for integration with various Hardware Security Modules (HSMs). HSMs are specialized devices that securely generate, store, and manage cryptographic keys. By supporting different HSMs, TKMS provides validators with the flexibility to choose the most appropriate and secure hardware solutions for their specific needs.
• Double signing protection: TKMS implements both software and hardware-based double signing protection measures, ensuring that validators do not inadvertently double sign blocks.

In order to safely manage your validator keys, you can look further on how to integrate TKMS with hardware devices:

• Tendermint KMS support for Ledger.
• TKMS support for YubiHSM.

Next steps

Now you are ready to join a network. Optionally, you can take your time to configure your node, so that the node can be customized according to your needs and preferences. Also, note that you can use Cosmovisor in order to perform automatic upgrades.