Validator Keys
After installing the Operator Service, you need to generate validator keystores for your Vault. These keystores contain the cryptographic keys that your validators will use to sign attestations and propose blocks on the Ethereum network.
The Operator Service provides built-in functionality to generate validator keys and keystores. Alternatively, you may use external tools such as Wagyu Keygen ↗ to generate keystores.
This section walks you through the validator key generation process using the Operator Service built-in tools.
🔑 Validator Keys Setup📝 Initialize Mnemonic ↓ 🔐 Generate Validator Keys → 📁 Keystores + 🔑 Passwords ↓ ✅ Import Keys to Consensus Client
Step 1: Initialize Mnemonic
Initialize Configuration
Run the init command to set up your mnemonic used to derive your validator keys.
For example, if running Operator Service from binary:
./operator init
Follow the command prompts.
Example Output
Enter the network name (mainnet, hoodi, gnosis, chiado) [mainnet]:
Enter your vault address: 0xF82f6E46d0d0a9536b9CA4bc480372EeaFcd9E6c
Choose your mnemonic language (chinese_simplified, chinese_traditional, czech, english, italian, korean, portuguese, spanish) [english]:
This is your seed phrase. Write it down and store it safely, it is the ONLY way to recover your validator keys.
fish monster write banner tired laptop slender ...
Press any key when you have written down your mnemonic.
Please type your mnemonic (separated by spaces) to confirm you have written it down
: fish monster write banner tired laptop slender ...
done.
Successfully initialized configuration for StakeWise operator
Important Security Notice
Keep your mnemonic safe. It is the only way to recover your validator keys.
Step 2: Generate Validator Keys
Generate validator keystores from your mnemonic using:
./operator create-keys
Follow the command prompts.
Example Output
Enter the number of the validator keys to generate: 3
Enter the mnemonic for generating the validator keys: fish monster write banner tired laptop slender ...
Enter the vault address: 0xF82f6E46d0d0a9536b9CA4bc480372EeaFcd9E6
Creating validator keys: [####################################] 3/3
Exporting validator keystores [####################################] 3/3
Done. Generated 3 keys for StakeWise operator.
Keystores saved to ~/.stakewise/0xf82f6e46d0d0a9536b9ca4bc480372eeafcd9e6c/keystores file
Keystore Locations
- Keystores are saved to
~/.stakewise/[vault address]/keystores - Default: A single
password.txtfile contains the password for all generated keystores - Per-keystore option: Use the
--per-keystoreflag to generate individual password files for each keystore (e.g.,keystore-001.txt,keystore-002.txt, etc.)
Important
Protect your password files as carefully as your keystores — anyone with access to them can decrypt your keys. This applies to both the single password.txt file and individual per-keystore password files.
You can always add more validator keys to your Vault. For that, you need to generate new validator keys.
Step 3: Import Validator Keys
Upload your keystores into your validator client:
- Locate your keystores in
~/.stakewise/[vault address]/keystores - Follow your consensus client's guide for importing keys
- Use the password from
password.txtfile - Start the validator client with attached validator keys.
Fee Recipient Configuration Required
You must use the "Block reward recipient" address from the "Details" section on the Vault page as the suggested-fee-recipient in your validator client. An incorrect value will result in penalties for your Vault in the Smoothing Pool and will trigger a warning on the Vault page, alerting users to an invalid validator setup.
Alternative Key Management
Validator keystores don't need to be stored locally. You can instead use:
- Remote Signer → - Sign deposit/exit messages via a remote signer
- HashiCorp Vault → - Load keys from a remote Vault instance
- API Mode → - Run Operator as API service with external key management
Next Steps
With your validator keys generated and imported, continue to Validators Manager → to create your operator wallet and configure the necessary Vault permissions for validator management.